On Thu, 11 Feb 2010 13:17:42 -0800 Renee Danson Sommerfeld <renee.sommerfeld at sun.com> wrote:
> On Thu, Feb 11, 2010 at 12:50:14PM -0800, Michael Hunter wrote:
> > On Thu, 11 Feb 2010 12:18:34 -0800
> > Renee Danson Sommerfeld <renee.sommerfeld at sun.com> wrote:
> >
> > > On Thu, Feb 11, 2010 at 10:50:20AM -0800, Michael Hunter wrote:
> > > > On Thu, 11 Feb 2010 10:24:22 -0800
> [...]
> > > >
> > > > OTOH if somebody created the zone and added sys_dl_config to the limit
> > > > set then we could get it. What you could do is check the zone set and
> > > > see if it exists and if it does add it to our privset. What we should
> > > > do is build our requested set and then priv_intersect() it with
> > > > the (all) zone set. That's way more clean than the global check and
> > > > deals with however the user decides to configure the zone.
> > >
> > > I agree; and I think it makes for a less risky change than the
> > > original fix for 14305.
> > >
> > > I've put the privs that were removed by the 14305 fix back in,
> > > and then used priv_intersect() to make the effective set
> > > all of our desired list that are available in our zone. I've
> > > verified that this works in a global zone (though I still need
> > > to do some more targeted priv testing); Michael, could you give
> > > this a shot in your zone?
> >
> > Works fine.
>
> Thanks!
>
> > > Updated webrev:
> > >
> > > http://jurassic.eng/~okie/webrev.14521/
> >
> > You can the setting of the global boolean at the beginning of the
> > function.
>
> Yep, I'm glad you caught that. Webrev updated.

Not as much as I wish I'd thought of this the first time around. Looks good.

Michael

>
> -renee
