On Mon, Apr 12, 2010 at 06:49:02PM +0100, Ben Lavery wrote:
> If an application was poorly written and caused the kernel to panic in
> the g-zone, are you saying that the same application shouldn't be able
> to cause a kernel panic in the ng-zone as it wouldn't be able to load
> kernel modules, etc. in the same way?
First, only a sufficiently privileged global zone user-land application should be able to cause a panic, and then only by taking deliberate action to do so. Merely being buggy is not likely to be sufficient; that is, a NULL dereference bug and the vast litany of typical user-land bugs cannot possibly cause a kernel panic, and when they can we consider that a bug.

Second, yes, I'm saying that no application should be able to cause a panic when run from a non-global zone, regardless of whether it's privileged, unless you've granted the zone the privileges and resources necessary to do such things as load kernel modules (which by default non-g-zs don't get). If an application can panic a server when run in a normal non-g-z we consider that a security bug; which isn't to say that there are no such bugs, only that we consider them bugs and fix them.

Nico
--
_______________________________________________
zones-discuss mailing list
zones-discuss@opensolaris.org
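The practical check behind Nico's point is whether a zone's configuration has been widened beyond the default privilege set. The script below is an added example, not code from this thread or from OpenSolaris: it parses a `limitpriv` value in the comma-separated form zonecfg(1M) accepts (`default,sys_time,!net_privaddr`, where `!` removes a privilege) and flags any privilege on a watch-list of kernel-affecting ones. The watch-list itself, and the assumption that `zonecfg -z ZONE info limitpriv` prints a `limitpriv:` prefix, are mine; the sample values are constructed so the script runs without a Solaris host.

```shell
#!/bin/sh
# Added example (not from the zones-discuss thread or OpenSolaris): audit a
# zone's limitpriv string for privileges granted beyond the "default" set.
# Input is zonecfg's own syntax: comma-separated names, "default" for the
# standard zone set, "!name" to remove a privilege from it.

# Privileges that let a zone reach into kernel state. This watch-list is an
# assumption for illustration; sys_config is the one modload(1M) needs.
DANGEROUS_PRIVS="sys_config sys_devices dtrace_kernel sys_res_config sys_linkdir"

# Print, one per line, the privileges a limitpriv string grants on top of
# "default"; entries that are empty, "default" or "!removals" are skipped.
extra_privs() {
    limitpriv="$1"
    echo "$limitpriv" | tr ',' '\n' | sed 's/^[[:space:]]*//' |
    while IFS= read -r p; do
        case "$p" in
            ""|default|!*) ;;   # nothing extra granted by these tokens
            *) echo "$p" ;;
        esac
    done
}

# Return 0 when the limitpriv string grants none of DANGEROUS_PRIVS,
# 1 otherwise, naming each offending privilege on stdout.
audit_limitpriv() {
    rc=0
    for p in $(extra_privs "$1"); do
        for d in $DANGEROUS_PRIVS; do
            if [ "$p" = "$d" ]; then
                echo "WARNING: zone may alter kernel state via $p"
                rc=1
            fi
        done
    done
    return $rc
}

# Constructed sample values in the form zonecfg reports them.
SAFE="default,sys_time,!net_privaddr"
RISKY="default,sys_time,sys_config"

if [ -n "${ZONE:-}" ]; then
    # On a Solaris host: audit the live value. Assumes the output line reads
    # "limitpriv: default,..." and strips that prefix before parsing.
    audit_limitpriv "$(zonecfg -z "$ZONE" info limitpriv | sed 's/^limitpriv:[[:space:]]*//')"
else
    audit_limitpriv "$SAFE" && echo "ok: $SAFE"
    audit_limitpriv "$RISKY" || echo "flagged: $RISKY"
fi
```

Run it with `ZONE=myzone sh audit.sh` on a Solaris system to check a real zone; without `ZONE` it exercises the two constructed samples. A zone whose `limitpriv` is left at the default, or only widened with privileges outside the watch-list, passes; one granted `sys_config` is reported.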