Hi Philip,

Philip Kirk - Solaris Sustaining wrote On 09/26/06 06:37,:
> Hi Steffen,
>
> Sorry for the delay in responding but I was on holiday.
>
> Steffen Weiberle wrote:
>
>> Kool. Snooping on loopback works.
>
> Yes. It's kind of neat and eye opening. When I first started looking at
> this I was amazed at how much stuff was going on that I wasn't aware of.
>
>> "limitpriv: default,net_rawaccess", but could not snoop in the
>> non-global zone. Guess that's gotta wait a bit.
>
> Um I'm fairly sure I've run snoop on the lo0 device in a non-global zone
> successfully in the past and didn't have to do anything with privileges.
> What error do you get? The only thing about this at the moment is that
> in the non-global zone you see all local traffic right now.

With or without trying to extend privileges into the zone, I get
"snoop: No network interface devices found" error. On le0 or lo0:x.

>> Thought it was in the zones/least privilege part. I'm just curious
>> which privileges are already delegatable to a zone.
>
> The only privilege related part that we're doing for this is to
> introduce a new finer grain privilege that just allows read access. You
> won't have to grant net_rawaccess and give away much more privilege
> than is needed.

Thanks!
Steffen

> Thanks for installing these bits.
>
> Phil
