Jeff Victor wrote:
> Zones marked "set ip-type=exclusive" automatically get the privilege
> sys_ip_config added to the default limit set. If I have customized a
> zone's limit set, and *then* mark it exclusive-IP, will the
> sys_ip_config priv be added to the customized list, or will the list
> be replaced with the default set plus sys_ip_config?
>
Setting the exclusive ip-type just adds net_rawaccess and sys_ip_config to the 'default' set. If you have customized the zone's limit set by adding privileges to the 'default' set, then setting ip-stack=exclusive later will just add net_rawaccess and sys_ip_config to the new 'L' set. If you have reduced the 'default', then set ip-stack=exclusive, the zone fails to verify and boot:

# zoneadm -z z-b2 boot
required privilege "sys_ip_config" is missing from the zone's privilege set
zoneadm: zone z-b2 failed to verify

Now, if you try to manually add "sys_ip_config" from zonecfg, then you'll see the following failure:

# zoneadm -z z-b2 boot
privilege "sys_ip_config" is not permitted within the zone's privilege set
zoneadm: zone z-b2 failed to verify

Please go ahead and file a bug.

Thanks,
Kais.
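The following is an added model of the limitpriv rules Kais describes above; it is example code written for this page, not Solaris or zonecfg source. It expands a zonecfg-style limitpriv string (the "default" keyword plus the '+', '-' and '!' modifiers of priv_str_to_set(3C)), applies the rule that ip-type=exclusive adds net_rawaccess and sys_ip_config on top of a default set that has only been added to, and then runs the "required privilege missing" check with the exact message shown in the thread. Assumptions not stated in the thread: the default set here is an abbreviated stand-in, the two exclusive-IP privileges are treated as not permitted in a shared-IP zone, and a set that explicitly lists both privileges is accepted (the thread's second failure, where zoneadm rejects an explicitly listed sys_ip_config, is the bug being reported and is not reproduced by the model).

```python
"""Model of how a zone's limitpriv string combines with its ip-type.

Added example for this page; it is not Solaris, zonecfg or zoneadm code.
"""

# Constructed, abbreviated stand-in for zonecfg's "default" privilege set.
DEFAULT_PRIVS = frozenset(
    {"proc_exec", "proc_fork", "proc_session", "net_privaddr", "sys_mount"}
)

# Privileges that ip-type=exclusive adds to the default set (from the reply).
# Kept in this order so the first missing one reported matches the thread.
EXCLUSIVE_IP_PRIVS = ("sys_ip_config", "net_rawaccess")


def parse_limitpriv(spec):
    """Expand a zonecfg-style limitpriv string into a set of privilege names.

    "default" expands to the default set; any other token is a privilege
    name.  A leading '-' or '!' removes the privilege from the set built so
    far and a leading '+' adds it (priv_str_to_set(3C) syntax).  Other
    keywords such as "basic" or "all" are not modelled.
    """
    privs = set()
    for tok in (t.strip() for t in spec.split(",")):
        if not tok:
            continue
        if tok == "default":
            privs |= DEFAULT_PRIVS
        elif tok[0] in "-!":
            privs.discard(tok[1:])
        else:
            privs.add(tok.lstrip("+"))
    return privs


def effective_privset(limitpriv, ip_type):
    """Privilege set the zone ends up with for the given ip-type.

    Rule from the reply: switching to exclusive-IP adds the two privileges
    to the default set, or to a default set the admin has only added to.
    A reduced default set does not get them added automatically.
    """
    privs = parse_limitpriv(limitpriv)
    if ip_type == "exclusive" and DEFAULT_PRIVS <= privs:
        privs |= set(EXCLUSIVE_IP_PRIVS)
    return privs


def verify_zone(limitpriv, ip_type):
    """Run the verify checks; return (privset, error) with error None on success.

    Assumption (not stated in the thread): a shared-IP zone must not carry
    the exclusive-IP privileges, so they are reported as not permitted there.
    """
    privs = effective_privset(limitpriv, ip_type)
    if ip_type == "exclusive":
        for p in EXCLUSIVE_IP_PRIVS:
            if p not in privs:
                return privs, (
                    'required privilege "%s" is missing from the zone\'s '
                    "privilege set" % p
                )
    else:
        for p in EXCLUSIVE_IP_PRIVS:
            if p in privs:
                return privs, (
                    'privilege "%s" is not permitted within the zone\'s '
                    "privilege set" % p
                )
    return privs, None


if __name__ == "__main__":
    # Constructed scenarios matching Jeff's question and Kais's reply.
    scenarios = [
        ("default", "exclusive"),
        ("default,sys_acct", "exclusive"),
        ("default,!proc_session", "exclusive"),
        ("default,sys_ip_config", "shared"),
    ]
    for spec, ip_type in scenarios:
        privs, err = verify_zone(spec, ip_type)
        print("limitpriv=%s ip-type=%s -> %s" % (spec, ip_type, err or "verifies"))
```

Running the script walks the cases from the thread: the plain and the added-to default sets verify as exclusive-IP zones, the reduced default set fails with the "required privilege" message quoted above, and a shared-IP zone that lists sys_ip_config is rejected under the stated assumption.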