I believe that this is the bug you're looking for:
        6436336 5.10:named pipe in chroot cage blocks as cannot create
        http://bugs.opensolaris.org/view_bug.do?bug_id=6436336

ed

On Tue, Dec 12, 2006 at 10:47:04AM -0800, Glenn Faden wrote:
> Named pipes may be used between zones when Trusted Extensions is enabled. The 
> policy for data flow between zones is generally more restrictive when TX is 
> enabled, but in this case it is slightly more open. The specific policy 
> difference is implemented in the function tsol_fifo_access().
>
> http://src.opensolaris.org/source/xref/onnv/onnv-gate/usr/src/uts/common/fs/fifofs/fifovnops.c#166
>
> This policy also depends on a few other assumptions, such as that lofs mounts 
> are established between zones when they are booted. One of the problems in 
> the standard implementation is that the fifofs logic doesn't follow lofs 
> mounts to find the real vnode. So the connection logic doesn't find a match 
> since the pathnames are in different file systems. The following code in 
> fifovp() was needed to record the proper vnode.
>
>     /* In Trusted Extensions cross-zone named pipes
>      * are supported subject to the MAC policy. Since
>      * cross-zone access is done using lofs mounts,
>      * it is necessary to use the real vnode so that
>      * matching ends of the fifo can find each other.
>      */
>     if (is_system_labeled()) {
>             vnode_t *rvp;
>
>             if (VOP_REALVP(vp, &rvp) == 0)
>                     vp = rvp;
>     }
>
>
> This message posted from opensolaris.org
> _______________________________________________
> zones-discuss mailing list
> zones-discuss@opensolaris.org
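The lookup mismatch described in the quoted message, as a user-space model added here (it is not code from the thread or from the OpenSolaris source). It assumes the fifo lookup matches on vnode identity; `model_realvp`, `model_fifovp`, `fifo_table`, `ends_meet` and the two paths are hypothetical names and constructed values.

```c
#include <stdio.h>
/* Simplified model, not kernel code. A lofs shadow vnode records the
 * vnode it covers; the paths are constructed sample values. */
struct vnode {
    const char   *path;
    struct vnode *covered;   /* NULL unless this is a lofs shadow */
};

/* Stand-in for VOP_REALVP(): returns 0 and sets *rvpp for a shadow. */
static int model_realvp(struct vnode *vp, struct vnode **rvpp)
{
    if (vp->covered == NULL)
        return -1;
    while (vp->covered != NULL)   /* follow stacked lofs mounts */
        vp = vp->covered;
    *rvpp = vp;
    return 0;
}
#define MAX_FIFOS 8
struct fifo_table { struct vnode *key[MAX_FIFOS]; int count; };
/* Index of the fifo node keyed by vp, created on first use (-1 if full). */
static int model_fifovp(struct fifo_table *t, struct vnode *vp, int labeled)
{
    struct vnode *rvp;
    if (labeled && model_realvp(vp, &rvp) == 0)
        vp = rvp;                 /* the step quoted in the message */
    for (int i = 0; i < t->count; i++)
        if (t->key[i] == vp)
            return i;
    if (t->count == MAX_FIFOS)
        return -1;
    t->key[t->count] = vp;
    return t->count++;
}
/* 1 if a direct open and an open through lofs reach the same fifo node. */
static int ends_meet(int labeled)
{
    struct vnode real   = { "/zone/a/root/pipes/p", NULL };
    struct vnode shadow = { "/zone/b/root/pipes/p", &real };
    struct fifo_table t = { { NULL }, 0 };
    int a = model_fifovp(&t, &real, labeled);
    return a == model_fifovp(&t, &shadow, labeled);
}

int main(void)
{
    printf("unlabeled: %d, labeled: %d\n", ends_meet(0), ends_meet(1));
    return 0;
}
```

Without the real-vnode step the two opens get separate fifo nodes and each side waits for a peer that never arrives; with it both opens resolve to the same node.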