SYSTEM ARCHITECTURE COUNCIL
Platform Software ARC
---------------------------------
PSARC Regular Meeting time: Wednesdays 10:00-1:00pm in MPK17-3507.

12-02-2009 MEETING MINUTES
============================================================================
Send CORRECTIONS, additions, deletions to psarc-coord at sun.com.
Minutes are archived in sac.Eng:/sac/export/sac/Minutes/PSARC.

Co-Chair(s):
    Sebastien Roy:      Yes
    Tim Marsland:       no

ATTENDEES - Members: (6 active members)
    Kais Belgaied:      Yes
    Mark Carlson:       Yes
    Richard Matthews:   Yes
    Darren Moffat:      no (on sabbatical)
    Garrett D'Amore:    Yes
    Bill Sommerfeld:    no (on sabbatical)
    Gary Winiger:       no (on sabbatical)
    Glenn Skinner:      Out (external)

STAFF -
    Asa Romberger (PM): Yes

ATTENDEES - Interns:
    Frank Che           no
    James Falkner:      no (on sabbatical)
    Daniel Hain:        no
    Michael Haines:     no
    Alan Hargreaves:    no
    Phil Harman:        no
    Wyllys Ingersoll:   no
    Darren Reed:        no
    Dean Roehrich       no
    Ienup Sung:         no
    Phi Tran            no
    Brian Utterback:    no
    James Walker        Yes
    Suhasini Peddada    Yes
    Calum Mackay        Out
    Mark Martin         no (external)
    Don Cragun          Yes (external)

Guests:
-- GUESTS --
    Rao Shoaib
    Anders Persson

Not all names are captured. Please send email to Asa.Romberger at Sun.com,
if you attended the meeting and your name is missing from the list.
---------------------------------------------------------------------------

MEETING SUMMARY:
================

AGENDA 12/02/2009

10:00-10:10 Open ARC Business (use open dial in above)

10:10-10:55 Socket Filter Framework (2009/590)
            Submitter: anders.persson at sun.com
            Owner:     Sebastien Roy
            Status:    Inception
            Exposure:  open

---------------------------------------------------------------------------
Case Anchors:
    Socket Filter Framework (2009/590)
===========================================================================

Fast Tracks:
============

Fast-tracks:
Case     (Timeout)  Exposure Title
2009/558 (12/07/09) open     gnome keyboard switcher re-integration        approved
2009/560 (12/07/09) open     LiveCD session improvement                    approved
2009/576 (12/03/09) open     pam_krb5 PKINIT support                       extend to 12/9
2009/625 (11/20/09) open     pfiles offset                                 approved
2009/634 (11/25/09) open     COMSTAR SRPT Port Provider Management         approved
2009/640 (11/30/09) open     /etc/audio_numbers                            withdrawn
2009/645 (12/02/09) open     Keyboard layout emulation engine for iBus     extend to 12/4
2009/646 (12/06/09) open     bd - generic block device driver              approved
2009/647 (12/06/09) open     DDRdrive X1 driver                            let it run
2009/648 (12/06/09) open     sdcard conversion to bd, EOF blk2scsa         approved
2009/653 (12/07/09) open     VRRP disabled by default                      waiting needs spec
2009/656 (12/07/09) open     DKIOCREADONLY                                 let it run

Next Meeting:
=============
12/09/2009 No meeting

---------------------------------------------------------------------------

IAM
======
Name:      Socket Filter Framework
Submitter: anders.persson at sun.com
Owner:     Sebastien Roy
Exposure:  open

SUMMARY
=======
This is a project to implement a socket filter framework, which makes it
possible for modules to intercept requests and notifications passed between
the socket and protocol layers. The Solaris SSL kernel proxy
(PSARC/2005/625) will be converted to use the framework.

ISSUES
======
PSARC/2009/590 Socket Filter Framework
Inception review issues:

DJM-1  What filters will be provided with the initial integration?

DJM-2  Will it be possible to build a filter that can easily control all
       off host networking on a per user basis? E.g. any user in a given
       group or with a given uid can't access the network but can do local
       socket stuff? In other words, can this case provide a solution to
       6215035?

DJM-3  Even we have exclusive stack networking the fact that filters can
       only be managed from the global zone seems very surprising to me as
       someone who doesn't understand the internals of this part of
       networking. As such I think this will be very surprising to admins,
       who I expect will want to be able to provide different filtering per
       zone. Would it be possible for soconfig(1M) to allow specifying
       which zones the filters apply to?

DJM-4  Is it possible to give a non global zone sufficient privilege so
       that it can manage filters?

DJM-5  What privileges are required to set up a filter programmatically?

DJM-6  What RBAC rights profile will soconfig(1M) be in and what privileges
       will it run with?

THE NEXT STEP
=============
Issues to be resolved off-line with Garrett and Sebastien