> Date: Fri, 15 Aug 2008 07:53:13 -0700 (PDT)
> From: Gary Winiger <gww at eng.sun.com>
> >> >> This customer would also like to do the same thing with doors.
> > >
> > > Maybe naively, I thought they already could with doors.
> > > I thought if you could see the door file, you could place
> > > a door_call to the server that created the file.
> >
> > I believe you can but they do need UNIX domain sockets too for some of
> > the apps.
>
> Indeed and my comments are that I see no architectural or
> security difference between Unix domain and door rendezvous,
> so why is Unix domain being restricted?
The door mechanism has a similar restriction for TX as is being proposed
for Unix domain. From usr/src/uts/common/fs/doorfs/door_vnops.c:door_open():

	 * MAC policy for doors. Restrict cross-zone open()s so that only
	 * door servers in the global zone can have clients from other zones.
	 * For other zones, client must be within the same zone as server.

-JZ