Dan Price wrote:
In my opinion, this fix should apply to regular zones, not just TX. But
I wasn't sure of the impact when I did this. Note that without this fix,
even within a single zone, you can't create a named pipe between two
processes if one is referencing the pathname through a lofs mount and
the other is not.
On Tue 12 Dec 2006 at 10:47AM, Glenn Faden wrote:
Named pipes may be used between zones when Trusted Extensions is
enabled. The policy for data flow between zones is generally more
restrictive when TX is enabled, but in this case it is slightly more
open. The specific policy difference is implemented in the function
Thanks Glenn. Is there any reason not to make this work for all zones,
not just TX ones?
I don't see a security risk here, since explicit administrator
intervention is needed from the global zone to set this up. I'm
not sure I follow all the bit about lofs though-- what would be
the set of steps needed to set this up from the global zone,
if this actually worked?
Somebody in the global zone (or zoneadmd) has to make the named pipe
rendezvous appear in the other zone. So two zones can't do this on their
own. That's the restriction that TX requires.
Some of our customers like the fact that the flow of information is
unidirectional. You can't get that with sockets.
OTOH, it all seems a bit hokey. Steffen, what problem are you
trying to solve? Why not just use sockets?
zones-discuss mailing list