James Carlson wrote:
> Glenn Faden writes:
>> Whenever possible we should avoid creating devices in non-global zones. 
>> Unfortunately, it is possible to panic the kernel from a non-global zone 
>> if a root process has access to the raw device while it is 
>> simultaneously mounted as a file system. If you scribble over the 
>> mounted filesystem you can cause a panic. It is critical to our security 
>> story to assert that a root process in a non-global zone cannot crash 
>> the kernel or other zones.
> 
> If the inserted device has no recognizable file system on it, or if
> the one we recognize cannot be mounted, then we create a device node
> in the zone.  If it can be mounted, then only the mount point is
> inserted in the zone for security reasons.
> 
> But how can this be a complete answer?  If the user inserts either a
> blank medium or a device with an intentionally damaged file system, he
> gets a device node.  He can then mount it, scribble on it, and torch
> the system.

If a mounted filesystem can torch the system, that's a bug in the filesystem
code and that needs to be fixed.

> Did I miss something?
> 
>> Again, that is not the subject of this case. This is about supporting 
>> device allocation in zones by Sun Ray software. If device allocation in 
>> standard Solaris is actually important to customers, we could extend the 
>> functionality in standard Solaris. However, I think that would be done 
>> differently; probably based on HAL and the GNOME Removable Drives and 
>> Media application.
> 
> It'd be nice if this corner of the world weren't baroque.  The only
> thing that keeps my hand away from the derail lever is the lack of Sun
> Ray engagement in the ARC; I have little expectation that a full
> review would be productive.

Huh, that's an interesting statement, James. What does Sun Ray have to
do with this specific case and with how TX handles device allocation?
We're one of the consumers of these interfaces (and in the process of
our work I've found deficiencies that the TX team have addressed, hence
this case), but any multi-user, multi-desktop environment would have
run into these same issues - think Xterms with USB ports, multi-headed
systems with a separate user on each head and with each head having
dedicated USB ports, that type of device usage model.

I'm also not so sure what you mean by "baroque" - are you referring to
the HAL and GNOME bits? Could you clarify your statement please?

thanks,
mike