On Thu, Feb 11, 2010 at 10:50:20AM -0800, Michael Hunter wrote:
> On Thu, 11 Feb 2010 10:24:22 -0800
> Renee Danson Sommerfeld <renee.sommerfeld at sun.com> wrote:
>
> > On Thu, Feb 11, 2010 at 06:16:31PM +0000, Alan Maguire wrote:
> > > On 11/02/2010 18:06, Renee Danson Sommerfeld wrote:
> > > > I have a webrev available with the fix for
> > > >
> > > > http://defect.opensolaris.org/bz/show_bug.cgi?id=14521
> > > >
> > > > webrev is
> > > >
> > > > http://jurassic.sfbay/~okie/webrev.14521/
> > > >
> > > > I've verified that keys can be created in a global zone with this
> > > > fix; Michael is verifying that nwamd can still start up in a
> > > > non-global zone now (but the priv I've added does show up in the list
> > > > of privileges available in a zone, so we expect it to be fine).
> > > >
> > > looks fine. Do we also need PRIV_SYS_DL_CONFIG
> > > (for setting macaddr/linkprops) in non-global zones,
> > > or is that priv not available there?
> >
> > It looks like sys_dl_config is not available in a non-global zone,
> > based on the list Michael generated in a zone he had configured.
> > Michael, I assume that was an exclusive-stack zone where you got
> > the priv list, right?
>
> yes and I checked again. Those privs are not available.
>
> > We should check the linkprop setting. Michael, since you have the
> > zone config, could you give that a try?
>
> Yes, I tried to set a mac addr and it failed.
>
> OTOH if somebody created the zone and added sys_dl_config to the limit
> set then we could get it. What you could do is check the zone set and
> see if it exists and if it does add it to our privset. What we should
> do is build our requested set and then priv_intersect() it with
> the (all) zone set. That's way more clean than the global check and deals
> with however the user decides to configure the zone.
I agree; and I think it makes for a less risky change than the original fix for 14305. I've put the privs that were removed by the 14305 fix back in, and then used priv_intersect() to make the effective set all of our desired list that are available in our zone.

I've verified that this works in a global zone (though I still need to do some more targeted priv testing); Michael, could you give this a shot in your zone?

Updated webrev: http://jurassic.eng/~okie/webrev.14521/

-renee
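The approach Michael describes above, as an added example (not the webrev's code): build the set of privileges nwamd wants, then priv_intersect() it with the zone's own set from priv_str_to_set("zone", ...), so whatever the zone's limit set grants is what nwamd ends up with. The function names are the Solaris libc priv(3C) ones; on a non-Solaris host a small stand-in with a constructed zone set (a non-global zone without sys_dl_config) is compiled instead so the intersection can be exercised.

```c
#include <stdlib.h>
#include <string.h>
#ifdef __sun
#include <priv.h>       /* the real priv_allocset/priv_str_to_set/priv_intersect */
#else
/* Stand-in for the <priv.h> calls used below so the logic compiles off-Solaris;
 * its "zone" set is a constructed sample: a non-global zone lacking sys_dl_config. */
typedef struct { unsigned long bits; } priv_set_t;
static const char *known[] = {"sys_ip_config", "sys_dl_config", "net_rawaccess", "proc_owner", NULL};
static int privbit(const char *n) {              /* index of n in known[], or -1 */
    for (int i = 0; known[i] != NULL; i++) if (strcmp(n, known[i]) == 0) return i;
    return -1;
}
static priv_set_t *priv_allocset(void) { return calloc(1, sizeof (priv_set_t)); }
static void priv_freeset(priv_set_t *s) { free(s); }
static int priv_addset(priv_set_t *s, const char *n) {   /* -1 for an unknown name */
    int b = privbit(n);
    if (b >= 0) s->bits |= 1UL << b;
    return b >= 0 ? 0 : -1;
}
static int priv_ismember(const priv_set_t *s, const char *n) {
    int b = privbit(n); return b >= 0 && ((s->bits >> b) & 1UL);
}
static void priv_intersect(const priv_set_t *src, priv_set_t *dst) { dst->bits &= src->bits; }
static priv_set_t *priv_str_to_set(const char *str, const char *sep, const char **end) {
    priv_set_t *z = priv_allocset();
    (void)sep; (void)end;
    if (z != NULL && strcmp(str, "zone") == 0) {
        priv_addset(z, "sys_ip_config"); priv_addset(z, "net_rawaccess");
        priv_addset(z, "proc_owner");
    }
    return z;
}
#endif

/* Build the set nwamd wants, then keep only what this zone grants (want &= zone)
 * rather than special-casing the global zone. The caller applies the result with
 * setppriv(2) and frees it with priv_freeset(); NULL means allocation failed. */
priv_set_t *nwamd_zone_privs(const char *const wanted[], size_t n)
{
    priv_set_t *want = priv_allocset();
    priv_set_t *zone = priv_str_to_set("zone", ",", NULL); /* every priv available here */
    if (want != NULL && zone != NULL) {
        for (size_t i = 0; i < n; i++)
            (void) priv_addset(want, wanted[i]);   /* unknown names are simply skipped */
        priv_intersect(zone, want);
    } else if (want != NULL) { priv_freeset(want); want = NULL; }
    if (zone != NULL) priv_freeset(zone);
    return want;
}
```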
