On Thu, Aug 07, 2008 at 02:14:52PM -0700, Alan Coopersmith wrote:
> Ric Aleshire wrote:
> > Yes - currently in the kernel socket I/O code, there is a check that the
> > AF_UNIX socket endpoint is in the same
> > zone as the server peer. The proposal for a) above means that this
> > check will be modified, so that when TX is
> > enabled and the socket zone and server zone do not match, then the
> > server must be in the global zone.
>
> Which raises the interesting question of whether that check should really
> be for TX, or if this should be something that can be set on for any machine
> with Zones, and which TX just happens to always set. It would seem things
> like running X clients in Etude or BrandZ zones could also benefit from this.

I agree, though being careful to use untrusted cookies, of course. The problem this case is trying to solve affects non-TX zone uses too.