Hello Darren,

Wednesday, April 1, 2009, 4:39:29 PM, you wrote:

DJM> Robert Milkowski wrote:
>>>> But right now I'm more asking about why L can't be allowed to grow (when E
>>>> is a full set or when new L' is a subset of E set of calling process)
>>>> rather than implementing anything.
>>
>> DJM> If L could grow it wouldn't be L it would be P. The reason L can only
>> DJM> be reduced is fundamental to how the privilege system works and what
>> DJM> makes it safe - particularly for zones.
>>
>> DJM> Please give a very specific example of what it is you are trying to do.
>>
>> You have a zone with a default limitpriv set and you want to give a
>> user with a zone ability to use snoop. He would need net_rawaccess.
>> How can I do it *without* zone restart?
>>
>> Or you want to enable dtrace inside a zone without zone restart...

DJM> You won't like the answer but it is fix it before you deploy the zone.
DJM> It really is the only way to do this properly.

I know that it is that way right now. Still I don't understand why a process with ALL privileges running in a global zone can't change another process's L set via an exposed API. There isn't additional risk, as such a process could do it in principle via "/dev/kmem" anyway.

I understand the flaw in the other approach, where the new L would need to be a subset of the E set of the calling process - that in principle would allow several processes to conspire in order to escalate another process.

-- 
Best regards,
Robert Milkowski
http://milek.blogspot.com
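The privilege-set rules the thread argues about, as an added toy model (my own constructed code, not Solaris kernel or ppriv code): L can only be reduced, E and I are filled only from P, and L is applied at exec, so a privilege outside the zone's limitpriv (here the constructed sets use the real names net_rawaccess, proc_fork and proc_exec) can never reappear in any process inside the zone without a restart.

```python
# Constructed toy model of Solaris-style privilege sets; not the kernel code.
# Modelled rules: E <= P; P only shrinks; E and I grow only from P;
# L only shrinks and is applied at exec as I' = I & L, P' = E' = I', L' = L.
from dataclasses import dataclass

class PrivError(Exception):
    pass

@dataclass
class Process:
    E: frozenset  # effective
    P: frozenset  # permitted
    I: frozenset  # inheritable
    L: frozenset  # limit

    def set_limit(self, new_L):
        """setppriv(2)-style change to L: reduction only, never growth."""
        new_L = frozenset(new_L)
        if not new_L <= self.L:
            raise PrivError("L can only be reduced: %s" % sorted(new_L - self.L))
        self.L = new_L

    def add_effective(self, privs):
        """E may grow, but only with privileges already in P."""
        privs = frozenset(privs)
        if not privs <= self.P:
            raise PrivError("not in P: %s" % sorted(privs - self.P))
        self.E |= privs

    def exec_child(self):
        """exec of a non-privilege-aware program: L is the hard ceiling."""
        base = self.I & self.L
        return Process(E=base, P=base, I=base, L=self.L)

def zone_init(limitpriv):
    """Constructed zone 'init': all sets start at the zone's limitpriv, so
    every descendant's L is a subset of it for the life of the zone."""
    lp = frozenset(limitpriv)
    return Process(E=lp, P=lp, I=lp, L=lp)

def can_use_in_zone(limitpriv, priv):
    """The thread's question: can a process exec'd inside a zone with this
    limitpriv make priv effective?  Only if priv is inside the zone's L."""
    p = zone_init(limitpriv).exec_child()
    try:
        p.add_effective({priv})
        return True
    except PrivError:
        return False

def try_grow_limit(proc, privs):
    """Attempt to add privs to L (what the thread asks for); True if allowed."""
    try:
        proc.set_limit(proc.L | frozenset(privs))
        return True
    except PrivError:
        return False
```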