[...]
> Therefore, mounts within a non-global zone are restricted to a
> given allowed list of filesystems, as described in Section 5 and
> Section 6. This applies to all mounts, not just lofi ones.
>
> 5. New vfs flag VSW_ZMOUNT
>
> The default list of allowed filesystems is based upon a new vfsdef_t
> flag VSW_ZMOUNT. If set, then the filesystem may be mounted within a
> zone, regardless of the fs-allowed value.
>
> This flag is Consolidation Private.
>
> Today, this flag is set for pseudo filesystems such as proc, network
> filesystems such as NFS, plus the hsfs filesystem. Future work may
> enable other filesystems by default.
>
> Currently, a non-global zone can create a ZFS volume, but it is not
> visible inside the zone's /dev. This case doesn't attempt to fix
> this, although future work may enable it.
[...]

This seems to imply the possibility that a physical CD-ROM (at least; perhaps even CD reader/writer) device could be assigned to a non-global zone with reasonable safety. Has that been considered/examined/documented?

(Indeed, if there exists a control to only allow "safe" filesystems to be mounted within a non-global zone, it seems to allow the possibility of _any_ block (and corresponding character) device to be assigned to a non-global zone with reasonable safety.)

(a counter-argument occurs to me that device ioctls like USCSICMD could still cause mischief...)

--
This message posted from opensolaris.org
opensolaris-arc mailing list
