I don't know about doors. BUT -- did you read how to share nfs from labeled zones in TX? And how to get updatehome(1M) to work? In the administrators' procedures? (It might be different between OpenSolaris and S10 but I would think reading the s10 docs on docs.sun.com would be enlightening at least.)
I'm guessing that if this can work AT ALL it requires the directory involved on the server side would have to be mountable by the client. >Date: Fri, 08 Jan 2010 14:52:50 +0000 >From: Mike John <mike.john at metanate.com> >Subject: Door servers in Trusted Extensions >To: security-discuss at opensolaris.org >Delivered-to: security-discuss at opensolaris.org >X-Original-To: security-discuss at opensolaris.org >X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.1 >X-SpamPal: PASS >X-Antispam: No, score=3.2/5.0, scanned in 0.069sec at (localhost [127.0.0.1]) by smf-spamd v1.3.1 - http://smfs.sf.net/ >List-Unsubscribe: <http://mail.opensolaris.org/mailman/options/security-discuss>, <mailto:security-discuss-request at opensolaris.org?subject=unsubscribe> >List-Id: OpenSolaris Security Discussions <security-discuss.opensolaris.org> > >I've been trying to establish whether it is possible in TX for a process >running in labelled zone to access a door server which is running in >another labelled zone, given some dominance relationship between the >labels of the two zones. > >If I recall correctly, a door server needs read-write access to the >rendezvous point and a door client needs read access. Assuming this is >correct... > >If the label of zone A dominates the label of zone B, it should not be >possible for a door server in A to open a rendezvous point (read-write) >which is accessible for read by a door client in B: a file system object >which is writeable in A and readable in B enables a write-down. > >If the label of zone B dominates the label of zone A, a door server in A >having read-write access to the rendezvous point and a door client in B >having read access to the rendezvous point seems OK as far as the file >system objects are concerned, however there is the potential for >write-down simply by the door client sending data to the door server. > >Could someone confirm/deny my understanding? Is there a way that a >labelled zone door server can work given some additional privilege, or >is this fundamentally disallowed? > >(BTW, I realise that this is all possible if the door server runs in the >global zone. I'm trying to get maximum containment of a trusted function.) > >Thanks > >Mike > >_______________________________________________ >security-discuss mailing list >security-discuss at opensolaris.org @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ Jan Parcel, Sustaining, Trusted OE Internal Trusted Support Pages: http://trusted.sfbay
