The policy for doors is that the label of the client and server must be 
equal, or the server must be running in the global zone. FYI, this is 
the same policy for UNIX domain sockets in OpenSolaris (for both TX and 
non-TX configurations).

--Glenn

Mike John wrote:
> I've been trying to establish whether it is possible in TX for a 
> process running in labelled zone to access a door server which is 
> running in another labelled zone, given some dominance relationship 
> between the labels of the two zones.
>
> If I recall correctly, a door server needs read-write access to the 
> rendezvous point and a door client needs read access. Assuming this is 
> correct...
>
> If the label of zone A dominates the label of zone B, it should not be 
> possible for a door server in A to open a rendezvous point 
> (read-write) which is accessible for read by a door client in B: a 
> file system object which is writeable in A and readable in B enables a 
> write-down.
>
> If the label of zone B dominates the label of zone A, a door server in 
> A having read-write access to the rendezvous point and a door client 
> in B having read access to the rendezvous point seems OK as far as the 
> file system objects are concerned, however there is the potential for 
> write-down simply by the door client sending data to the door server.
>
> Could someone confirm/deny my understanding? Is there a way that a 
> labelled zone door server can work given some additional privilege, or 
> is this fundamentally disallowed?
>
> (BTW, I realise that this is all possible if the door server runs in 
> the global zone. I'm trying to get maximum containment of a trusted 
> function.)
>
> Thanks
>
> Mike
>
> _______________________________________________
> security-discuss mailing list
> security-discuss at opensolaris.org
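As an added illustration of the policy stated in the reply above (not code from the thread or from OpenSolaris), the following C model encodes a sensitivity label as a classification plus a compartment bitset, implements dominance, and applies the door rule: a cross-zone door call is permitted only when the labels are equal or the server is in the global zone, so a dominance relationship in either direction is not sufficient. The label layout and sample values are constructed for the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of a sensitivity label: a classification level plus a
 * bitset of compartments. This is not the real Solaris label encoding. */
typedef struct {
    int      classification;  /* e.g. 0 = PUBLIC, 1 = INTERNAL, 2 = SECRET */
    uint32_t compartments;    /* one bit per compartment */
} label_t;

/* A dominates B iff class(A) >= class(B) and comps(A) is a superset of comps(B). */
bool label_dominates(label_t a, label_t b) {
    return a.classification >= b.classification &&
           (a.compartments & b.compartments) == b.compartments;
}

bool label_equal(label_t a, label_t b) {
    return a.classification == b.classification &&
           a.compartments == b.compartments;
}

/* Door policy as stated in the reply: labels must be equal, or the server
 * must run in the global zone. A door call moves data in both directions
 * (arguments to the server, results back to the client), so allowing it
 * under mere dominance would permit a write-down one way or the other. */
bool door_call_allowed(label_t client, label_t server, bool server_in_global_zone) {
    if (server_in_global_zone)
        return true;
    return label_equal(client, server);
}

int main(void) {
    label_t low  = {1, 0x1};   /* constructed: INTERNAL, compartment 1 */
    label_t high = {2, 0x3};   /* constructed: SECRET, compartments 1 and 2 */

    printf("high dominates low: %d\n", label_dominates(high, low));           /* 1 */
    printf("client high -> server low (labelled zone): %d\n",
           door_call_allowed(high, low, false));                               /* 0 */
    printf("client low -> server high (labelled zone): %d\n",
           door_call_allowed(low, high, false));                               /* 0 */
    printf("client high -> server high (labelled zone): %d\n",
           door_call_allowed(high, high, false));                              /* 1 */
    printf("client high -> server in global zone: %d\n",
           door_call_allowed(high, low, true));                                /* 1 */
    return 0;
}
```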
