Robert Milkowski wrote:
But right now I'm more asking about why L can't be allowed to grow (when E is a 
full set or when new L' is a subset of E set of calling process) rather than 
implementing anything.

DJM> If L could grow it wouldn't be L it would be P.  The reason L can only
DJM> be reduced is fundamental to how the privilege system works and what
DJM> makes it safe - particularly for zones.

DJM> Please give a very specific example of what it is you are trying to do.

You have a zone with a default limitpriv set and you want to give a
user with a zone the ability to use snoop. He would need net_rawaccess.
How can I do it *without* zone restart?

Or you want to enable dtrace inside a zone without zone restart...

You won't like the answer but it is fix it before you deploy the zone.
It really is the only way to do this properly.

Or in the snoop case use an exclusive stack ip instance.

--
Darren J Moffat
_______________________________________________
opensolaris-code mailing list
opensolaris-code@opensolaris.org
http://mail.opensolaris.org/mailman/listinfo/opensolaris-code
