On Thu, 11 Feb 2010 12:18:34 -0800 Renee Danson Sommerfeld <renee.sommerfeld at sun.com> wrote:
> On Thu, Feb 11, 2010 at 10:50:20AM -0800, Michael Hunter wrote:
> > On Thu, 11 Feb 2010 10:24:22 -0800
> > Renee Danson Sommerfeld <renee.sommerfeld at sun.com> wrote:
> >
> > > On Thu, Feb 11, 2010 at 06:16:31PM +0000, Alan Maguire wrote:
> > > > On 11/02/2010 18:06, Renee Danson Sommerfeld wrote:
> > > > > I have a webrev available with the fix for
> > > > >
> > > > > http://defect.opensolaris.org/bz/show_bug.cgi?id=14521
> > > > >
> > > > > webrev is
> > > > >
> > > > > http://jurassic.sfbay/~okie/webrev.14521/
> > > > >
> > > > > I've verified that keys can be created in a global zone with this
> > > > > fix; Michael is verifying that nwamd can still start up in a non-
> > > > > global zone now (but the priv I've added does show up in the list
> > > > > of privileges available in a zone, so we expect it to be fine).
> > > > >
> > > > looks fine. Do we also need PRIV_SYS_DL_CONFIG
> > > > (for setting macaddr/linkprops) in non-global zones,
> > > > or is that priv not available there?
> > >
> > > It looks like sys_dl_config is not available in a non-global zone,
> > > based on the list Michael generated in a zone he had configured.
> > > Michael, I assume that was an exclusive-stack zone where you got
> > > the priv list, right?
> >
> > yes and I checked again. Those privs are not available.
> >
> > >
> > > We should check the linkprop setting. Michael, since you have the
> > > zone config, could you give that a try?
> >
> > Yes, I tried to set a mac addr and it failed.
> >
> > OTOH if somebody created the zone and added sys_dl_config to the limit
> > set then we could get it. What you could do is check the zone set and
> > see if it exists and if it does add it to our privset. What we should
> > do is build our requested set and then priv_intersect() it with
> > the (all) zone set. That's way more clean than the global check and deals
> > with however the user decides to configure the zone.
>
> I agree; and I think it makes for a less risky change than the
> original fix for 14305.
>
> I've put the privs that were removed by the 14305 fix back in,
> and then used priv_intersect() to make the effective set
> all of our desired list that are available in our zone. I've
> verified that this works in a global zone (though I still need
> to do some more targeted priv testing); Michael, could you give
> this a shot in your zone?

Works fine.

>
> Updated webrev:
>
> http://jurassic.eng/~okie/webrev.14521/

You can the setting of the global boolean at the beginning of the function.

Michael

>
> -renee
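The pattern the thread settles on (build the set of privileges the daemon wants, intersect it with the set available in the caller's zone, install the result as the effective set) in C, as an added example; this is not code from the thread, from nwamd, or from the 14521 webrev. It uses the real priv(5) API on Solaris, where `priv_str_to_set("zone", ...)` yields every privilege available in the current zone. The list of wanted privileges is hypothetical (the thread names only sys_dl_config), and on non-Solaris platforms a small, labelled shim stands in for the library so the same logic can be compiled and exercised; the shim's "zone" set is constructed to model an exclusive-stack non-global zone whose limit set lacks sys_dl_config.

```c
/* Added example: requested privilege set intersected with the zone's set.
 * Not from nwamd or the thread. Solaris: cc -o privset privset.c */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#ifdef __sun
#include <priv.h>
#else
/* Shim (assumption, demonstration only): a priv_set_t is a bitmask over a
 * constructed list of privilege names; "zone" models a non-global zone
 * whose limit set lacks sys_dl_config, as reported in the thread. */
typedef unsigned int priv_set_t;
#define PRIV_SET 0
#define PRIV_EFFECTIVE 0
static const char *shim_names[] = { "sys_dl_config", "sys_ip_config",
                                    "net_privaddr", "net_rawaccess" };
#define SHIM_NPRIV (sizeof shim_names / sizeof shim_names[0])
static int shim_index(const char *p) {
    for (size_t i = 0; i < SHIM_NPRIV; i++)
        if (strcmp(p, shim_names[i]) == 0) return (int)i;
    return -1;
}
static priv_set_t *priv_allocset(void) { return calloc(1, sizeof(priv_set_t)); }
static void priv_freeset(priv_set_t *s) { free(s); }
static int priv_addset(priv_set_t *s, const char *p) {
    int i = shim_index(p);
    if (i < 0) return -1;
    *s |= 1u << i;
    return 0;
}
static int priv_ismember(const priv_set_t *s, const char *p) {
    int i = shim_index(p);
    return i >= 0 && (*s & (1u << i)) != 0;
}
static void priv_intersect(const priv_set_t *src, priv_set_t *dst) { *dst &= *src; }
static priv_set_t *priv_str_to_set(const char *buf, const char *sep, const char **end) {
    priv_set_t *s = priv_allocset();
    (void)sep; (void)end;
    if (s != NULL && strcmp(buf, "zone") == 0)
        for (size_t i = 0; i < SHIM_NPRIV; i++)
            if (strcmp(shim_names[i], "sys_dl_config") != 0)
                priv_addset(s, shim_names[i]);
    return s;
}
static int setppriv(int op, int which, const priv_set_t *s) {
    (void)op; (void)which; (void)s;
    return 0;
}
#endif

/* Privileges the daemon wants (hypothetical list). */
static const char *wanted[] = { "sys_dl_config", "sys_ip_config",
                                "net_privaddr", "net_rawaccess" };
#define NWANTED (sizeof wanted / sizeof wanted[0])

/* Build the requested set and intersect it with the zone's set. Returns the
 * intersected set (caller frees with priv_freeset) or NULL on failure. */
priv_set_t *build_zone_safe_set(void) {
    priv_set_t *want = priv_allocset();
    priv_set_t *zone = priv_str_to_set("zone", ",", NULL);
    if (want == NULL || zone == NULL) {
        if (want) priv_freeset(want);
        if (zone) priv_freeset(zone);
        return NULL;
    }
    for (size_t i = 0; i < NWANTED; i++)
        if (priv_addset(want, wanted[i]) != 0)   /* unknown name: skip it */
            fprintf(stderr, "unknown privilege %s\n", wanted[i]);
    priv_intersect(zone, want);   /* result is left in want */
    priv_freeset(zone);
    return want;
}

/* 1 if the zone-safe set contains p, 0 otherwise (or on failure). */
int zone_safe_has(const char *p) {
    priv_set_t *s = build_zone_safe_set();
    int r = (s != NULL) && priv_ismember(s, p);
    if (s) priv_freeset(s);
    return r;
}

/* Install the intersected set as the effective set; 0 on success. */
int install_effective_set(void) {
    priv_set_t *eff = build_zone_safe_set();
    int rc = (eff == NULL) ? -1 : setppriv(PRIV_SET, PRIV_EFFECTIVE, eff);
    if (eff) priv_freeset(eff);
    return rc;
}

int main(void) {
    for (size_t i = 0; i < NWANTED; i++)
        printf("%-16s %s\n", wanted[i],
               zone_safe_has(wanted[i]) ? "granted" : "not available in this zone");
    return install_effective_set() == 0 ? 0 : 1;
}
```

Because the intersection is computed against whatever the zone actually offers, a daemon built this way needs no global-zone special case: if an administrator adds sys_dl_config to a zone's limit set, the privilege simply survives the intersection, and if not, the daemon runs without it rather than failing at setppriv().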
