I believe that this is the bug you're looking for:

6436336 5.10:named pipe in chroot cage blocks as cannot create
http://bugs.opensolaris.org/view_bug.do?bug_id=6436336

ed

On Tue, Dec 12, 2006 at 10:47:04AM -0800, Glenn Faden wrote:
> Named pipes may be used between zones when Trusted Extensions is enabled. The
> policy for data flow between zones is generally more restrictive when TX is
> enabled, but in this case it is slightly more open. The specific policy
> difference is implemented in the function tsol_fifo_access().
>
> http://src.opensolaris.org/source/xref/onnv/onnv-gate/usr/src/uts/common/fs/fifofs/fifovnops.c#166
>
> This policy also depends on a few other assumptions, such as that lofs mounts
> are established between zones when they are booted. One of the problems in
> the standard implementation is that the fifofs logic doesn't follow lofs
> mounts to find the real vnode. So the connection logic doesn't find a match
> since the pathnames are in different file systems. The following code in
> fifovp() was needed to record the proper vnode.
>
>     /* In Trusted Extensions cross-zone named pipes
>      * are supported subject to the MAC policy. Since
>      * cross-zone access is done using lofs mounts,
>      * it is necessary to use the real vnode so that
>      * matching ends of the fifo can find each other.
>      */
>     if (is_system_labeled()) {
>         vnode_t *rvp;
>
>         if (VOP_REALVP(vp, &rvp) == 0)
>             vp = rvp;
>     }
>
>
> This message posted from opensolaris.org
> _______________________________________________
> zones-discuss mailing list
> zones-discuss@opensolaris.org
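
The vnode-matching problem described in the quoted message, as an added userland C model that is not part of the original thread and is not OpenSolaris code. Every `model_*` name is hypothetical: `model_realvp()` stands in for `VOP_REALVP()`, and the `resolve` flag stands in for the `is_system_labeled()` condition.

```c
#include <stdio.h>
#include <string.h>

/* Userland model only: simplified stand-ins, not the kernel's types. */
typedef struct model_vnode {
    struct model_vnode *real;  /* set on a lofs shadow vnode: what it covers */
} model_vnode_t;

#define MODEL_MAX_FIFOS 8
static model_vnode_t *fifo_table[MODEL_MAX_FIFOS];  /* one slot per fifonode */

/* Stand-in for VOP_REALVP(): returns 0 and sets *rvp if vp is a shadow. */
static int model_realvp(model_vnode_t *vp, model_vnode_t **rvp)
{
    if (vp->real == NULL)
        return -1;
    *rvp = vp->real;
    return 0;
}

/* Slot for vp, registered on first use; resolve != 0 applies the quoted fix. */
static int model_fifovp(model_vnode_t *vp, int resolve)
{
    model_vnode_t *rvp;
    int i;
    if (resolve && model_realvp(vp, &rvp) == 0)
        vp = rvp;
    for (i = 0; i < MODEL_MAX_FIFOS; i++) {
        if (fifo_table[i] == NULL)
            fifo_table[i] = vp;   /* slots fill in order: no match exists */
        if (fifo_table[i] == vp)
            return i;
    }
    return -1;                    /* table full */
}

/* 1 if an open via the real path and one via the lofs path share a slot. */
static int model_ends_match(int resolve)
{
    model_vnode_t real_fifo = { NULL }, lofs_view = { &real_fifo };

    memset(fifo_table, 0, sizeof (fifo_table));
    return model_fifovp(&real_fifo, resolve) == model_fifovp(&lofs_view, resolve);
}

int main(void)
{
    printf("match: %d raw, %d resolved\n", model_ends_match(0), model_ends_match(1));
    return 0;
}
```

Keyed on the raw vnode, the lofs view and the underlying fifo register as two unrelated pipes; keyed on the resolved vnode, both opens land on the same slot.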