Hello Casper,

Wednesday, April 1, 2009, 7:59:02 PM, you wrote:

>>Hello Darren,
>>
>>Wednesday, April 1, 2009, 2:47:31 PM, you wrote:
>>
>>DJM> Robert Milkowski wrote:
>>>> It would also require adjustment of setppriv() at
>>>> http://src.opensolaris.org/source/xref/onnv/onnv-gate/usr/src/uts/common/syscall/ppriv.c#57
>>>> 
>>>> and perhaps somewhere else.
>>>> 
>>>> But right now I'm more asking about why L can't be allowed to grow (when E
>>>> is a full set or when new L' is a subset of E set of calling process) rather than
>>>> implementing anything.
>>
>>DJM> If L could grow it wouldn't be L, it would be P.  The reason L can only
>>DJM> be reduced is fundamental to how the privilege system works and what
>>DJM> makes it safe - particularly for zones.
>>
>>DJM> Please give a very specific example of what it is you are trying to do.
>>
>>You have a zone with a default limitpriv set and you want to give a
>>user within a zone the ability to use snoop. He would need net_rawaccess.
>>How can I do it *without* zone restart?
>>
>>Or you want to enable dtrace inside a zone without zone restart...


CDSC> And he needs the device and possibly also an "exclusive IP stack".


Well, presenting a new device without reboot to a zone is easy.
Once net_rawaccess is present one can use snoop in a zone even with
shared-IP ones.


-- 
Best regards,
 Robert Milkowski
                                       http://milek.blogspot.com
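As an added illustration of the point Darren makes above (this is example code, not part of the thread or of ppriv.c): a small model of the four Solaris privilege sets E, P, I and L. The rules it encodes (PRIV_ON only into E and I, and only from P; P and L can only shrink; exec computes E' = P' = I ∩ L with I and L carried over) are restated from privileges(5)/setppriv(2) from memory and should be read as assumptions; the zone limitpriv and process states are constructed samples.

```python
# Simplified model of Solaris privilege sets (assumption: rules recalled from
# privileges(5)/setppriv(2); not a transcription of the kernel code).
from dataclasses import dataclass

BASIC = frozenset({"proc_fork", "proc_exec", "proc_info", "proc_session", "file_link_any"})

class PrivError(Exception):
    """Stands in for setppriv(2) failing with EPERM."""

@dataclass
class Proc:
    E: frozenset   # effective: privileges in force right now
    P: frozenset   # permitted: what E may be raised to
    I: frozenset   # inheritable: passed across exec
    L: frozenset   # limit: ceiling for this process and all its descendants

    def setppriv(self, op, which, privs):
        privs, cur = frozenset(privs), getattr(self, which)
        if op == "PRIV_ON":
            # Only E and I can be grown, and only with privileges already in P.
            if which not in ("E", "I"):
                raise PrivError(f"{which} can only be reduced")
            if not privs <= self.P:
                raise PrivError(f"{sorted(privs - self.P)} not in P")
            setattr(self, which, cur | privs)
        elif op == "PRIV_OFF":
            setattr(self, which, cur - privs)
            if which == "P":
                self.E -= privs          # keep E a subset of P
            # Shrinking L is honoured at the next exec (see exec_ below).
        else:
            raise ValueError(op)
        return self

    def exec_(self):
        # exec(2): E' = P' = I & L, I' = I, L' = L. Whatever I carries, L clips it,
        # which is why a zone's limitpriv is a real bound only while L cannot grow.
        new = self.I & self.L
        return Proc(E=new, P=new, I=self.I, L=self.L)

def zone_user_process(limitpriv):
    """An unprivileged shell inside a zone whose limitpriv is `limitpriv` (constructed)."""
    return Proc(E=BASIC, P=BASIC, I=BASIC, L=frozenset(limitpriv))

def can_get_via_setppriv(proc, priv, which):
    """True if PRIV_ON of `priv` into set `which` succeeds for `proc`."""
    try:
        proc.setppriv("PRIV_ON", which, {priv})
        return True
    except PrivError:
        return False
```

Running `can_get_via_setppriv(zone_user_process(BASIC), "net_rawaccess", s)` for s in E, P and L fails in all three cases, which is the snoop-in-a-zone situation from the thread: the only way to get net_rawaccess into the zone is for it to be in L before the processes start.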

