13992 VNIC in Zone loses access to properties

@@ -20,10 +20,11 @@
  */
 /*
  * Copyright (c) 2005, 2010, Oracle and/or its affiliates. All rights reserved.
  * Copyright 2015, Joyent Inc.
  * Copyright (c) 2017, Joyent, Inc.
+ * Copyright 2025 MNX Cloud, Inc.
  */
 
 /*
  * Data-Link Driver
  */

@@ -622,10 +623,38 @@
                 magp->dig_count = mac_addr_factory_num(mh) + 1;
         return (err);
 }
 
 /*
+ * Sometimes DLDIOC_GETMACPROP (and in the future, possibly DLDIOC_SETMACPROP)
+ * may be allowed to be accessed by the zone that is assigned the datalink
+ * device, as opposed to the zone that created the device.
+ */
+static boolean_t
+dld_macprop_assigned_zone_exception(zoneid_t zoneid, dls_dl_handle_t dlh,
+    dld_ioc_macprop_t *kprop, boolean_t set)
+{
+        /*
+         * No exceptions for setting! No exceptions unless the zoneid is
+         * the assigned zone.
+         */
+        if (set || zoneid != dls_devnet_getzid(dlh))
+                return (B_FALSE);
+
+        /*
+         * The current list of read-only exceptions are enumerated below.
+         */
+        switch (kprop->pr_num) {
+        case MAC_PROP_MTU:
+        case MAC_PROP_STATUS:
+                return (B_TRUE);
+        default:
+                return (B_FALSE);
+        }
+}
+
+/*
  * DLDIOC_SET/GETMACPROP
  */
 static int
 drv_ioc_prop_common(dld_ioc_macprop_t *prop, intptr_t arg, boolean_t set,
     cred_t *cred, int mode)
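Review bot: The comments in `dld_macprop_assigned_zone_exception()` list the read-only exceptions but do not say why `MAC_PROP_MTU` and `MAC_PROP_STATUS` are safe to expose to the assigned zone, or what a future entry must satisfy. Since this `switch` is now the only thing separating a non-owner zone from the rest of the link's properties, I would extend the comment above it, for example `/* Allowlist, default deny. Add a property only after confirming it is safe for the assigned (non-owner) zone to read. */`, with the author's actual criterion filled in. The `default: return (B_FALSE);` branch is the right shape and should stay. As a style point, `kprop` is only read here and could be declared `const dld_ioc_macprop_t *kprop`.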

@@ -677,14 +706,19 @@
                 goto done;
         if ((err = dls_link_hold(dls_devnet_mac(dlh), &dlp)) != 0)
                 goto done;
 
         /*
-         * Don't allow a process to get or set properties of a link if that
-         * link doesn't belong to that zone.
+         * In general, don't allow a process to get or set properties of a
+         * link if that link doesn't belong to that zone.
+         *
+         * There are exceptions however, if the dlh's *assigned* zone (as
+         * determined by dls_devnet_getzid()) is the one calling here.  See
+         * the local function dld_macprop_assigned_zone_exception() above.
          */
-        if (zoneid != dls_devnet_getownerzid(dlh)) {
+        if (zoneid != dls_devnet_getownerzid(dlh) &&
+            !dld_macprop_assigned_zone_exception(zoneid, dlh, kprop, set)) {
                 err = ENOENT;
                 goto done;
         }
 
         if (!mac_prop_check_size(kprop->pr_num, kprop->pr_valsize,
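Review bot: The zone check at `if (zoneid != dls_devnet_getownerzid(dlh) && ...` now depends on `kprop->pr_num`, but the comment above it does not say that the exception is get-only and limited to an allowlist. A reader of this site alone could take "get or set" to mean both are open to the assigned zone, so I would reword the second paragraph to `There are read-only exceptions for a fixed list of properties if the dlh's *assigned* zone ... is the one calling here.` `kprop` looks like the kernel-side copy of the request, although its allocation is outside the hunk. It is worth confirming that the `pr_num` tested here is the same value the later get path uses, because the check and the use must agree for the allowlist to hold. `drv_ioc_prop_common()` starts and ends outside this hunk.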