On Mon, Apr 12, 2010 at 06:49:02PM +0100, Ben Lavery wrote:
> If an application was poorly written and caused the kernel to panic in
> the g-zone, are you saying that the same application shouldn't be able
> to cause a kernel panic in the ng-zone as it wouldn't be able to load
> kernel modules, etc in the same way?
First, only a sufficiently privileged global zone user-land application
should be able to cause a panic, and then only by taking deliberate
action to do so. Merely being buggy is not likely to be sufficient;
that is, a NULL dereference bug and the vast litany of typical user-land
bugs cannot possibly cause a kernel panic, and when they can we consider
that a bug.
Second, yes, I'm saying that no application should be able to cause a
panic when run from a non-global zone, regardless of whether it's
privileged, unless you've granted the zone the privileges and resources
necessary to do such things as load kernel modules (which by default
non-g-zs don't get). If an application can panic a server when run in a
normal non-g-z we consider that a security bug; which isn't to say that
there are no such bugs, only that we consider them bugs and fix them.
zones-discuss mailing list