> > Maybe I don't understand this reply. Let me try again. I don't
> > see why there should be any check for Unix domain rendezvous.
> > I don't see where rendezvous even between non-global zones
> > is fundamentally different than IP network end points.
> > In particular, if something in the GZ wanted to make itself
> > available in local zones, it would be up to the GZ admin
> > to correctly set up the visibility of the rendezvous files,
> > just as is true for door rendezvous. Similarly for non-global
> > zones to see into each other's file spaces that would have to
> > be set up by the GZ admin. So, I'm missing why any checks
> > are needed.
> > What don't I understand about the zones policy and this proposal?
> >
> > Gary..
> >
>
> You're saying that for Trusted Extensions or not, you suggest allowing
> all cross-zone Unix domain
> sockets, not just those exported from GZ?

Yes, if the rendezvous is visible, why can't it communicate?
What did the zones and networking teams have to say?

> In TX at least, I don't know
> of any good usage case
> for this, and would potentially allow GZ admin to violate MAC, without
> any kernel policy here.

For sure, the TX admin wouldn't normally configure a system to create
a MAC violation. But of course, they could if configured things that way,
(presuming I understand correctly) just like net_mac_aware would do
for IP sockets.

Gary..

> In exporting from GZ, data by definition is admin_low thus properly
> accessible by any zone.

One can quibble about that. If X11 is communicating with all labels,
its proper label would be admin_high and it would be trusted to not
violate MAC. VIZ, net_reply_equal from earlier versions of Solaris with labels.