Kais Belgaied wrote: > >> Solution >> >> a) Allow labeled zones to access global zone X11 server via UNIX >> domain sockets >> >> If Trusted Extensions is enabled, the kernel will permit labeled zones >> to connect to global zone clients if the global zone UNIX domain >> rendezvous file is made available to the zone via a loopback mount. >> > > When you do (b), (a) follows naturally without any extra change. > connect(3SOCKET)'ing to the AF_UNIX > socket named /var/tsol/door/.X11-unix will succeed the moment that > node is visible to the zone. > > Am I missing a change proposed in sockfs or other part of the Solaris > kernel as part of this case? > > Kais.
Yes - currently in the kernel socket I/O code, there is a check that the AF_UNIX socket endpoint is in the same zone as the server peer. The proposal for a) above means that this check will be modified, so that when TX is enabled and the socket zone and server zone do not match, then the server must be in the global zone. -Ric >> b) The X11 server will use a new rendezvous directory when TX is >> enabled. >> >> Normally, the UNIX domain rendezvous files are in the directory >> /tmp/.X11-unix. >> To allow the rendezvous files to be exported to labeled zones, the >> directory >> pathname will be changed to: >> >> /var/tsol/door/.X11-unix. >> >> This directory pathname is chosen because /var/tsol/doors is already >> loopback mounted into every labeled zone, to export the door rendezvous >> files for nscd and the label daemon. To make this change transparent to >> clients, a symbolic link to /tmp/.X11-unix will be created in each zone, >> including the global zone. >> >> This solution will permit labeled zone X11 clients to use any of the >> various DISPLAY environment variables they have been using previously, >> and not require the use of TCP. >> >> >
