>On Mon, Jul 06, 2009 at 08:18:38PM +0200, Casper.Dik at Sun.COM wrote: >> >> >> >fyi, this is not how zones works. zones starts with the empty set and >> >then adds privs. please see the brand config.xml files for where this >> >is defined. you'll need to upate these files with these new privileges. >> >(and feel free to file an RFE against zones to start with the basic set >> >and then add or remove privs as necessary.) >> >> Ok, that's clearly broken. Doesn't it work correctly for native >> zones? >> > >all brands work the same way wrt privs handling. it's all controlled by >the config.xml file.
Check for "BASIC_TOKEN" in http://cvs.opensolaris.org/source/xref/onnv/onnv-gate/usr/src/lib/libzonecfg/common/libzonecfg.c#4950 and further. So generally will work. Unfortunately, the syntax used to describe "privilege sets": <privilege set="required" name="proc_exec" /> actually only accepts single privileges. For the basic set, we'd really want something like: <privilege set="required" name="basic,!file_link_any,!proc_session,!procinfo" /> The property of the basic set is that you cannot portably enumerate it. Casper
