Hello Casper,

Wednesday, April 1, 2009, 7:59:02 PM, you wrote:

>>Hello Darren,
>>
>>Wednesday, April 1, 2009, 2:47:31 PM, you wrote:
>>
>>DJM> Robert Milkowski wrote:
>>>> It would also require adjustment of setppriv() at
>>>> http://src.opensolaris.org/source/xref/onnv/onnv-gate/usr/src/uts/common/syscall/ppriv.c#57
>>>>
>>>> and perhaps somewhere else.
>>>>
>>>> But right now I'm more asking about why L can't be allowed to grow (when E
>>>> is a full set or when new L' is a subset of E set of calling process) rather than implementing anything.
>>
>>DJM> If L could grow it wouldn't be L it would be P. The reason L can only
>>DJM> be reduced is fundamental to how the privilege system works and what
>>DJM> makes it safe - particularly for zones.
>>
>>DJM> Please give a very specific example of what it is you are trying to do.
>>
>>You have a zone with a default limitpriv set and you want to give a
>>user within a zone the ability to use snoop. He would need net_rawaccess.
>>How can I do it *without* zone restart?
>>
>>Or you want to enable dtrace inside a zone without zone restart...

CDSC> And he needs the device and possibly also an "exclusive IP stack".

Well, presenting a new device without reboot to a zone is easy.
Once net_rawaccess is present one can use snoop in a zone even with shared-IP ones.

-- 
Best regards,
Robert Milkowski
http://milek.blogspot.com
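The rule Darren states above (L can only be reduced, so a zone's limitpriv bounds everything its processes can ever obtain) can be illustrated with a small model of the Solaris privilege sets E, P, I and L. This is an added example, not code from the thread or from OpenSolaris; the exec rule it uses (I' = I ∩ L, E' = P' = I', L' = L) is a simplified reading of privileges(5) and is an assumption of this model, as is the `Process` class itself.

```python
# Simplified model of Solaris privilege-set transitions as discussed in the thread.
# E = effective, P = permitted, I = inheritable, L = limit. Added illustration only;
# the exec rule below is an assumption, not a quote of the kernel implementation.

class PrivilegeError(PermissionError):
    """Raised where setppriv(2) would return EPERM in this model."""

class Process:
    def __init__(self, E, P, I, L):
        self.E, self.P = frozenset(E), frozenset(P)
        self.I, self.L = frozenset(I), frozenset(L)

    def setppriv(self, which, privs):
        """Mimic setppriv(PRIV_SET, which, privs).
        E and I may be any subset of P; P and L may only be reduced, never grown."""
        privs = frozenset(privs)
        if which in ("E", "I"):
            if not privs <= self.P:
                raise PrivilegeError(f"{which} may only contain privileges from P")
        elif which in ("P", "L"):
            if not privs <= getattr(self, which):
                raise PrivilegeError(f"{which} may only be reduced")
        else:
            raise ValueError(f"unknown set {which!r}")
        setattr(self, which, privs)
        if which == "P":  # dropping from P also drops the same privileges from E and I
            self.E &= privs
            self.I &= privs

    def exec(self):
        """Simplified exec (assumption): I' = I & L, E' = P' = I', L' = L."""
        new_i = self.I & self.L
        return Process(new_i, new_i, new_i, self.L)

def can_grow_limit_set(proc, priv):
    """True only if setppriv lets the process add `priv` to its own limit set."""
    try:
        proc.setppriv("L", proc.L | {priv})
        return True
    except PrivilegeError:
        return False

# Constructed sample: a shell in a zone whose limitpriv was set without net_rawaccess.
ZONE_LIMIT = {"proc_exec", "proc_fork", "file_read", "file_write", "net_access"}
zone_shell = Process(E=ZONE_LIMIT, P=ZONE_LIMIT, I=ZONE_LIMIT, L=ZONE_LIMIT)
```

Because the limit set is inherited across exec and can only shrink, no descendant of `zone_shell` can ever end up with `net_rawaccess`; that is why the zone's limitpriv has to be changed at the zone level rather than from inside.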