| author | Ric Aleshire <Ric.Aleshire@Sun.COM> | 2009-02-25 20:53:30 -0800 | 
|---|---|---|
| committer | Ric Aleshire <Ric.Aleshire@Sun.COM> | 2009-02-25 20:53:30 -0800 | 
| commit | 9a5d73e03cd3312ddb571a748c40a63c58bd66e5 (patch) | |
| tree | f9934dea422d1ab33119284d98e9b18cd2cde6c7 /usr/src | |
| parent | 2f8ec71967eea9b7dd13e4a224a56156ff9d3c4f (diff) | |
| download | illumos-gate-9a5d73e03cd3312ddb571a748c40a63c58bd66e5.tar.gz | |
PSARC/2009/065 labeled brand zone
6717648 Labeled zones should have their own brand
6713821 lx branded zone warnings printed to console when booting tx
Diffstat (limited to 'usr/src')
| -rw-r--r-- | usr/src/Targetdirs | 1 | ||||
| -rw-r--r-- | usr/src/cmd/tsol/zones/SUNWtsoldef.xml | 6 | ||||
| -rw-r--r-- | usr/src/cmd/zoneadmd/vplat.c | 8 | ||||
| -rw-r--r-- | usr/src/cmd/zoneadmd/zoneadmd.c | 5 | ||||
| -rw-r--r-- | usr/src/cmd/zoneadmd/zoneadmd.h | 1 | ||||
| -rw-r--r-- | usr/src/lib/brand/Makefile | 6 | ||||
| -rw-r--r-- | usr/src/lib/brand/labeled/Makefile | 43 | ||||
| -rw-r--r-- | usr/src/lib/brand/labeled/config.xml | 97 | ||||
| -rw-r--r-- | usr/src/lib/brand/labeled/pkgcreatezone.sh | 223 | ||||
| -rw-r--r-- | usr/src/lib/brand/labeled/platform.xml | 136 | ||||
| -rw-r--r-- | usr/src/pkgdefs/SUNWtsu/prototype_com | 12 | ||||
| -rw-r--r-- | usr/src/uts/common/os/brand.c | 10 | ||||
| -rw-r--r-- | usr/src/uts/common/os/zone.c | 7 | ||||
| -rw-r--r-- | usr/src/uts/common/sys/brand.h | 7 | 
14 files changed, 531 insertions, 31 deletions
| diff --git a/usr/src/Targetdirs b/usr/src/Targetdirs index 5177c5b8a2..80e999ca7f 100644 --- a/usr/src/Targetdirs +++ b/usr/src/Targetdirs @@ -264,6 +264,7 @@ ROOT.BIN= \  	/usr/lib \  	/usr/lib/abi \  	/usr/lib/brand \ +	/usr/lib/brand/labeled \  	/usr/lib/brand/native \  	/usr/lib/brand/shared \  	/usr/lib/brand/sn1 \ diff --git a/usr/src/cmd/tsol/zones/SUNWtsoldef.xml b/usr/src/cmd/tsol/zones/SUNWtsoldef.xml index 30b777b4c9..4083f1c3d5 100644 --- a/usr/src/cmd/tsol/zones/SUNWtsoldef.xml +++ b/usr/src/cmd/tsol/zones/SUNWtsoldef.xml @@ -19,16 +19,14 @@      CDDL HEADER END -    Copyright 2007 Sun Microsystems, Inc.  All rights reserved. +    Copyright 2009 Sun Microsystems, Inc.  All rights reserved.      Use is subject to license terms. -    ident	"%Z%%M%	%I%	%E% SMI" -      DO NOT EDIT THIS FILE.  Use zonecfg(1M) instead.  -->  <!DOCTYPE zone PUBLIC "-//Sun Microsystems Inc//DTD Zones//EN" "file:///usr/share/lib/xml/dtd/zonecfg.dtd.1"> -<zone name="tsoldef" zonepath="" autoboot="true"> +<zone name="tsoldef" zonepath="" autoboot="true" brand="labeled">    <inherited-pkg-dir directory="/lib"/>    <inherited-pkg-dir directory="/platform"/>    <inherited-pkg-dir directory="/sbin"/> diff --git a/usr/src/cmd/zoneadmd/vplat.c b/usr/src/cmd/zoneadmd/vplat.c index b8ec982fb5..3ffb7611b8 100644 --- a/usr/src/cmd/zoneadmd/vplat.c +++ b/usr/src/cmd/zoneadmd/vplat.c @@ -4240,6 +4240,14 @@ vplat_create(zlog_t *zlogp, zone_mnt_t mount_cmd)  			goto error;  		} +		if (!is_system_labeled() && +		    (strcmp(attr.ba_brandname, LABELED_BRAND_NAME) == 0)) { +			brand_close(bh); +			zerror(zlogp, B_FALSE, +			    "cannot boot labeled zone on unlabeled system"); +			goto error; +		} +  		/*  		 * If this brand requires any kernel support, now is the time to  		 * get it loaded and initialized. diff --git a/usr/src/cmd/zoneadmd/zoneadmd.c b/usr/src/cmd/zoneadmd/zoneadmd.c index 240985f427..961726f7f4 100644 --- a/usr/src/cmd/zoneadmd/zoneadmd.c +++ b/usr/src/cmd/zoneadmd/zoneadmd.c 
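Review bot: The new labeled-brand refusal runs only at boot, in vplat_create, while the brand's config.xml added by this commit leaves `<verify_cfg>` and `<verify_adm>` empty, so a labeled zone on an unlabeled system is accepted by zonecfg and by install and only fails when it is booted. Consider rejecting the combination in a verify hook as well so the error surfaces at configuration time, keeping this boot-time check as the last line of defence. A one-line comment above the block would help the next reader, e.g. `/* A labeled-brand zone only makes sense on a labeled (TX) system; refuse it elsewhere. */`. vplat_create begins and ends outside this hunk.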
@@ -106,6 +106,7 @@ char *zone_name;	/* zone which we are managing */  char brand_name[MAXNAMELEN];  boolean_t zone_isnative;  boolean_t zone_iscluster; +boolean_t zone_islabeled;  static zoneid_t zone_id;  dladm_handle_t dld_handle = NULL; @@ -1175,7 +1176,8 @@ server(void *cookie, char *args, size_t alen, door_desc_t *dp,  		case Z_FORCEMOUNT:  			if (kernelcall)	/* Invalid; can't happen */  				abort(); -			if (!zone_isnative && !zone_iscluster) { +			if (!zone_isnative && !zone_iscluster && +			    !zone_islabeled) {  				/*  				 * -U mounts the zone without lofs mounting  				 * zone file systems back into the scratch @@ -1711,6 +1713,7 @@ main(int argc, char *argv[])  	}  	zone_isnative = brand_is_native(bh);  	zone_iscluster = (strcmp(brand_name, CLUSTER_BRAND_NAME) == 0); +	zone_islabeled = (strcmp(brand_name, LABELED_BRAND_NAME) == 0);  	/* Get state change brand hooks. */  	if (brand_callback_init(bh, zone_name) == -1) { diff --git a/usr/src/cmd/zoneadmd/zoneadmd.h b/usr/src/cmd/zoneadmd/zoneadmd.h index 181f3c3c1b..c244852968 100644 --- a/usr/src/cmd/zoneadmd/zoneadmd.h +++ b/usr/src/cmd/zoneadmd/zoneadmd.h @@ -57,6 +57,7 @@ extern "C" {  #define	EXEC_LEN	(strlen(EXEC_PREFIX))  #define	CLUSTER_BRAND_NAME	"cluster" +#define	LABELED_BRAND_NAME	"labeled"  /* 0755 is the default directory mode. */  #define	DEFAULT_DIR_MODE \ diff --git a/usr/src/lib/brand/Makefile b/usr/src/lib/brand/Makefile index 6c265d50fb..67b7597cd7 100644 --- a/usr/src/lib/brand/Makefile +++ b/usr/src/lib/brand/Makefile @@ -19,11 +19,9 @@  # CDDL HEADER END  #  # -# Copyright 2006 Sun Microsystems, Inc.  All rights reserved. +# Copyright 2009 Sun Microsystems, Inc.  All rights reserved.  # Use is subject to license terms.  # -# ident	"%Z%%M%	%I%	%E% SMI" -#  # lib/brand/Makefile  #  # include global definitions 
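Review bot: The new global `zone_islabeled` is the only one of the three brand flags added without a trailing comment, while the neighbouring `zone_name` line documents itself; suggest `boolean_t zone_islabeled;	/* brand is LABELED_BRAND_NAME: grouped with native/cluster for Z_FORCEMOUNT */`. The Z_FORCEMOUNT condition in server() now repeats a three-flag test that will have to be kept in step with any future brand flag; a small static helper such as `zone_is_native_like()` would give the policy one home. The derivation in main() is otherwise consistent with how `zone_iscluster` is computed on the line above it.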
@@ -36,7 +34,7 @@ include ../../Makefile.master  i386_SUBDIRS= lx  i386_MSGSUBDIRS= lx -SUBDIRS= sn1 native $($(MACH)_SUBDIRS) +SUBDIRS= sn1 labeled native $($(MACH)_SUBDIRS)  MSGSUBDIRS= $($(MACH)_MSGSUBDIRS)  all :=		TARGET= all diff --git a/usr/src/lib/brand/labeled/Makefile b/usr/src/lib/brand/labeled/Makefile new file mode 100644 index 0000000000..228b0bb2ae --- /dev/null +++ b/usr/src/lib/brand/labeled/Makefile @@ -0,0 +1,43 @@ +# +# CDDL HEADER START +# +# The contents of this file are subject to the terms of the +# Common Development and Distribution License (the "License"). +# You may not use this file except in compliance with the License. +# +# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE +# or http://www.opensolaris.org/os/licensing. +# See the License for the specific language governing permissions +# and limitations under the License. +# +# When distributing Covered Code, include this CDDL HEADER in each +# file and include the License file at usr/src/OPENSOLARIS.LICENSE. +# If applicable, add the following below this CDDL HEADER, with the +# fields enclosed by brackets "[]" replaced with your own identifying +# information: Portions Copyright [yyyy] [name of copyright owner] +# +# CDDL HEADER END +# + +# +# Copyright 2009 Sun Microsystems, Inc.  All rights reserved. +# Use is subject to license terms. +# + +BRAND=		labeled +PROGS=		pkgcreatezone +XMLDOCS=	config.xml platform.xml + +all:	$(PROGS) + +include ../Makefile.brand + +lint: + +clean: +	-$(RM) $(PROGS) + +install: $(PROGS) $(ROOTPROGS) $(ROOTXMLDOCS) + +clobber: clean +	-$(RM) $(ROOTPROGS) $(ROOTXMLDOCS) diff --git a/usr/src/lib/brand/labeled/config.xml b/usr/src/lib/brand/labeled/config.xml new file mode 100644 index 0000000000..c660b9b244 --- /dev/null +++ b/usr/src/lib/brand/labeled/config.xml 
@@ -0,0 +1,97 @@ +<?xml version="1.0"?> + +<!-- + CDDL HEADER START + + The contents of this file are subject to the terms of the + Common Development and Distribution License (the "License"). + You may not use this file except in compliance with the License. + + You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE + or http://www.opensolaris.org/os/licensing. + See the License for the specific language governing permissions + and limitations under the License. + + When distributing Covered Code, include this CDDL HEADER in each + file and include the License file at usr/src/OPENSOLARIS.LICENSE. + If applicable, add the following below this CDDL HEADER, with the + fields enclosed by brackets "[]" replaced with your own identifying + information: Portions Copyright [yyyy] [name of copyright owner] + + CDDL HEADER END + + Copyright 2009 Sun Microsystems, Inc.  All rights reserved. + Use is subject to license terms. + + DO NOT EDIT THIS FILE. +--> + +<!DOCTYPE brand PUBLIC "-//Sun Microsystems Inc//DTD Brands//EN" +    "file:///usr/share/lib/xml/dtd/brand.dtd.1"> + +<brand name="labeled"> +	<modname></modname> + +	<initname>/sbin/init</initname> +	<login_cmd>/usr/bin/login -z %Z -f %u</login_cmd> +	<user_cmd>/usr/bin/getent passwd %u</user_cmd> + +	<!-- We may not be able to do the create in pkg(1) proper. 
--> +	<install>/usr/lib/brand/labeled/pkgcreatezone -z %z -R %R %*</install> +	<installopts>a:h</installopts> +	<boot></boot> +	<halt></halt> +	<verify_cfg></verify_cfg> +	<verify_adm></verify_adm> +	<postclone></postclone> +	<postinstall></postinstall> + +	<privilege set="default" name="contract_event" /> +	<privilege set="default" name="contract_identity" /> +	<privilege set="default" name="contract_observer" /> +	<privilege set="default" name="file_chown" /> +	<privilege set="default" name="file_chown_self" /> +	<privilege set="default" name="file_dac_execute" /> +	<privilege set="default" name="file_dac_read" /> +	<privilege set="default" name="file_dac_search" /> +	<privilege set="default" name="file_dac_write" /> +	<privilege set="default" name="file_owner" /> +	<privilege set="default" name="file_setid" /> +	<privilege set="default" name="ipc_dac_read" /> +	<privilege set="default" name="ipc_dac_write" /> +	<privilege set="default" name="ipc_owner" /> +	<privilege set="default" name="net_bindmlp" /> +	<privilege set="default" name="net_icmpaccess" /> +	<privilege set="default" name="net_privaddr" /> +	<privilege set="default" name="net_rawaccess" ip-type="exclusive" /> +	<privilege set="default" name="proc_chroot" /> +	<privilege set="default" name="sys_audit" /> +	<privilege set="default" name="proc_audit" /> +	<privilege set="default" name="proc_lock_memory" /> +	<privilege set="default" name="proc_owner" /> +	<privilege set="default" name="proc_setid" /> +	<privilege set="default" name="proc_taskid" /> +	<privilege set="default" name="sys_acct" /> +	<privilege set="default" name="sys_admin" /> +	<privilege set="default" name="sys_ip_config" ip-type="exclusive" /> +	<privilege set="default" name="sys_mount" /> +	<privilege set="default" name="sys_nfs" /> +	<privilege set="default" name="sys_resource" /> + +	<privilege set="prohibited" name="dtrace_kernel" /> +	<privilege set="prohibited" name="proc_zone" /> +	<privilege set="prohibited" name="sys_config" 
/> +	<privilege set="prohibited" name="sys_devices" /> +	<privilege set="prohibited" name="sys_ip_config" ip-type="shared" /> +	<privilege set="prohibited" name="sys_linkdir" /> +	<privilege set="prohibited" name="sys_net_config" /> +	<privilege set="prohibited" name="sys_res_config" /> +	<privilege set="prohibited" name="sys_suser_compat" /> +	<privilege set="prohibited" name="xvm_control" /> +	<privilege set="prohibited" name="virt_manage" /> + +	<privilege set="required" name="proc_exec" /> +	<privilege set="required" name="proc_fork" /> +	<privilege set="required" name="sys_ip_config" ip-type="exclusive" /> +	<privilege set="required" name="sys_mount" /> +</brand> diff --git a/usr/src/lib/brand/labeled/pkgcreatezone.sh b/usr/src/lib/brand/labeled/pkgcreatezone.sh new file mode 100644 index 0000000000..845224859f --- /dev/null +++ b/usr/src/lib/brand/labeled/pkgcreatezone.sh 
@@ -0,0 +1,223 @@ +#!/bin/ksh -p +# +# CDDL HEADER START +# +# The contents of this file are subject to the terms of the +# Common Development and Distribution License (the "License"). +# You may not use this file except in compliance with the License. +# +# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE +# or http://www.opensolaris.org/os/licensing. +# See the License for the specific language governing permissions +# and limitations under the License. +# +# When distributing Covered Code, include this CDDL HEADER in each +# file and include the License file at usr/src/OPENSOLARIS.LICENSE. +# If applicable, add the following below this CDDL HEADER, with the +# fields enclosed by brackets "[]" replaced with your own identifying +# information: Portions Copyright [yyyy] [name of copyright owner] +# +# CDDL HEADER END +# +# +# Copyright 2009 Sun Microsystems, Inc.  All rights reserved. +# Use is subject to license terms. +# + +ZONE_SUBPROC_OK=0 +ZONE_SUBPROC_USAGE=253 +ZONE_SUBPROC_NOTCOMPLETE=254 +ZONE_SUBPROC_FATAL=255 + +f_img=$(gettext "failed to create image") +f_pkg=$(gettext "failed to install package") +f_interrupted=$(gettext "Installation cancelled due to interrupt.") + +m_image=$(gettext     "      Image: Preparing at %s ...") +m_catalog=$(gettext   "    Catalog: Retrieving from %s ...") +m_core=$(gettext      " Installing: (output follows)\n") +m_smf=$(gettext	      "Postinstall: Copying SMF seed repository ...") +m_brokenness=$(gettext "Postinstall: Working around http://defect.opensolaris.org/bz/show_bug.cgi?id=681") +m_mannote=$(gettext   "       Note: Man pages can be obtained by installing SUNWman") +m_complete=$(gettext  "       Done: Installation completed in %s seconds.") +m_postnote=$(gettext  " Next Steps: Boot the zone, then log into the zone console") + +m_done=$(gettext      " done.") + + +fail_incomplete() { +	print -u2 "$1" +	exit $ZONE_SUBPROC_NOTCOMPLETE +} + +fail_fatal() { +	print -u2 "$1" +	exit $ZONE_SUBPROC_FATAL 
+} + + +fail_usage() { +	print "Usage: $0 [-h] [-a <authority>]" +	exit $ZONE_SUBPROC_USAGE +} + +trap_cleanup() { +	print "$f_interrupted" +	exit $int_code +} + +int_code=$ZONE_SUBPROC_NOTCOMPLETE + +trap trap_cleanup INT + +zonename="" +zonepath="" + +# +# If there's a preferred authority set for the system, set that as our +# default.  Otherwise use opensolaris.org. +# +authority="opensolaris.org=http://pkg.opensolaris.org" +if [[ -x /usr/bin/pkg ]]; then +	sysauth=`LC_ALL=C /usr/bin/pkg authority | grep preferred | awk '{printf "%s=%s", $1, $3}'` +	if [[ $? -eq 0 && -n "$sysauth" ]]; then +		authority=$sysauth +	fi +fi + +# Setup i18n output +TEXTDOMAIN="SUNW_OST_OSCMD" +export TEXTDOMAIN + + +while getopts "a:z:R:h" opt; do +	case $opt in +		h)	fail_usage ;; +		R)	zonepath="$OPTARG" ;; +		z)	zonename="$OPTARG" ;; +		a)	authority="$OPTARG" ;; +		*)	fail_usage ;; +	esac +done +shift $((OPTIND-1)) + +if [[ -z $zonepath || -z $zonename ]]; then +	print -u2 "Brand error: No zone path or name" +	exit $ZONE_SUBPROC_USAGE +fi + +# +# Temporary pre-Opensolaris hack: +# If we don't appear to be on Opensolaris, fallback to old way of +# zone install. +# +if [[ ! -x /usr/bin/pkg ]]; then +	/usr/lib/brand/native/sw_support install $zonename $zonepath +	exit $? +fi + +zoneroot=$zonepath/root + +printf "\n$m_image" $zoneroot +pkg image-create -z -F -a "$authority" $zoneroot || fail_fatal $f_img +printf "$m_done\n" + +PKG_IMAGE="$zoneroot" +export PKG_IMAGE + +printf "$m_catalog" `echo $authority | cut -d= -f 2` +pkg refresh > /dev/null 2>&1 || fail_fatal "$f_refresh" +if [[ $? -ne 0 ]]; then +	print "Failed to retrieve catalog" +	exit 1 +fi +printf "$m_done\n" + +printf "$m_core\n" +pkg install -q SUNWcsd || fail_incomplete "$f_pkg" + +pkglist="" +pkglist="$pkglist SUNWcnetr SUNWesu SUNWadmr SUNWadmap SUNWbzip SUNWgzip" + +# +# Workaround: in our test repo, SUNWipkg has no dependencies +# so we must supply it python. 
+# +pkglist="$pkglist SUNWPython SUNWipkg" + +# +# Get some diagnostic tools, truss, dtrace, etc. +# +pkglist="$pkglist SUNWtoo SUNWdtrc SUNWrcmdc SUNWbip" + +# +# Get at least one sensible shell, and vi +# +pkglist="$pkglist SUNWbash SUNWvim" + +# +# Get ssh and sshd. +# +pkglist="$pkglist SUNWsshcu SUNWssh SUNWsshd" + +# +# Get some name services. +# +pkglist="$pkglist SUNWnis SUNWlldap" + +# +# Get nfs client and autofs; it's a pain not to have them. +# +pkglist="$pkglist SUNWnfsc SUNWatfs" + +# +# Get opengl initialization +# +pkglist="$pkglist SUNWxwplr" +# +# Get D-Bus +# +pkglist="$pkglist SUNWdbus" + + +# +# Get man(1) but not the man pages +# +pkglist="$pkglist SUNWdoc" + +# Do the install +pkg install $pkglist || fail_incomplete "$f_pkg" + + +# This was formerly done in SUNWcsr/postinstall +printf "$m_smf" +ln -s ns_files.xml $zoneroot/var/svc/profile/name_service.xml +ln -s generic_limited_net.xml $zoneroot/var/svc/profile/generic.xml +ln -s inetd_generic.xml $zoneroot/var/svc/profile/inetd_services.xml +ln -s platform_none.xml $zoneroot/var/svc/profile/platform.xml + +# This was formerly done in i.manifest +cp $zoneroot/lib/svc/seed/nonglobal.db $zoneroot/etc/svc/repository.db +printf "$m_done\n" + + +printf "$m_brokenness\n" +# +# Remove "jack" user. +# +sed '/^jack:.*Default\ User.*$/D' $zoneroot/etc/passwd \ +        > $zoneroot/etc/passwd.new && \ +    mv -f $zoneroot/etc/passwd.new $zoneroot/etc/passwd + + +# +# Set root from a role back to... not a role.  Grr. +# +sed 's/^root::::type=role;/root::::/' $zoneroot/etc/user_attr \ +	> $zoneroot/etc/user_attr.new && \ +    mv -f $zoneroot/etc/user_attr.new $zoneroot/etc/user_attr + +printf "$m_complete\n\n" ${SECONDS} +printf "$m_postnote\n" + +exit $ZONE_SUBPROC_OK diff --git a/usr/src/lib/brand/labeled/platform.xml b/usr/src/lib/brand/labeled/platform.xml new file mode 100644 index 0000000000..9d94f33def --- /dev/null +++ b/usr/src/lib/brand/labeled/platform.xml 
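Review bot: `pkg refresh > /dev/null 2>&1 || fail_fatal "$f_refresh"` references `$f_refresh`, which is never assigned (only f_img, f_pkg and f_interrupted are), so a catalog failure exits with an empty message; the `if [[ $? -ne 0 ]]` block right after it is dead, because `$?` there is the status of the whole `||` list, which is 0 whenever that line is reached. Define `f_refresh=$(gettext "failed to retrieve catalog")` beside the other f_ messages and drop the four-line `if` block. Separately, the `$?` test after `sysauth=` reports awk's status rather than `pkg authority`'s, so a failing pkg call silently keeps the built-in `authority` default; that may be the intended fallback but deserves a comment saying so. The unquoted `$zonename $zonepath` in the sw_support fallback and the `$zoneroot` paths come from zoneadmd, so quoting them is a robustness rather than a safety point.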
@@ -0,0 +1,136 @@ +<?xml version="1.0"?> + +<!-- + CDDL HEADER START + + The contents of this file are subject to the terms of the + Common Development and Distribution License (the "License"). + You may not use this file except in compliance with the License. + + You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE + or http://www.opensolaris.org/os/licensing. + See the License for the specific language governing permissions + and limitations under the License. + + When distributing Covered Code, include this CDDL HEADER in each + file and include the License file at usr/src/OPENSOLARIS.LICENSE. + If applicable, add the following below this CDDL HEADER, with the + fields enclosed by brackets "[]" replaced with your own identifying + information: Portions Copyright [yyyy] [name of copyright owner] + + CDDL HEADER END + + Copyright 2009 Sun Microsystems, Inc.  All rights reserved. + Use is subject to license terms. + + DO NOT EDIT THIS FILE. +--> + +<!DOCTYPE platform PUBLIC "-//Sun Microsystems Inc//Zones Platform//EN" +    "file:///usr/share/lib/xml/dtd/zone_platform.dtd.1"> + +<platform name="labeled" allow-exclusive-ip="true"> + +	<!-- Global filesystems to mount when booting the zone --> +	<global_mount special="/dev" directory="/dev" type="dev" +	    opt="attrdir=%R/dev"/> +	<!-- GNOME configuration files required in each zone --> +	<global_mount special="/etc/gconf" directory="/etc/gconf" type="lofs"/> +	<global_mount special="/etc/gnome-vfs-2.0" directory="/etc/gnome-vfs-2.0" type="lofs"/> +	<global_mount special="/etc/gnome-vfs-mime-magic" directory="/etc/gnome-vfs-mime-magic" type="lofs"/> +	<global_mount special="/etc/gtk-2.0" directory="/etc/gtk-2.0" type="lofs"/> +	<global_mount special="/etc/fonts" directory="/etc/fonts" type="lofs"/> +	<global_mount special="/etc/pango" directory="/etc/pango" type="lofs"/> + +	<!-- Local filesystems to mount when booting the zone --> +	<mount special="/proc" directory="/proc" type="proc" /> +	<mount 
special="ctfs" directory="/system/contract" type="ctfs" /> +	<mount special="mnttab" directory="/etc/mnttab" type="mntfs" /> +	<mount special="objfs" directory="/system/object" type="objfs" /> +	<mount special="swap" directory="/etc/svc/volatile" type="tmpfs" /> + +	<!-- Devices to create under /dev --> +	<device match="arp" /> +	<device match="conslog" /> +	<device match="cpu/self/cpuid" /> +	<device match="crypto" /> +	<device match="cryptoadm" /> +	<device match="dsk" /> +	<device match="dtrace/*" /> +	<device match="dtrace/provider/*" /> +	<device match="fd" /> +	<device match="ipnet" /> +	<device match="kstat" /> +	<device match="lo0" /> +	<device match="log" /> +	<device match="logindmux" /> +	<device match="nsmb" /> +	<device match="net/*" /> +	<device match="null" /> +	<device match="openprom" arch="sparc" /> +	<device match="poll" /> +	<device match="pool" /> +	<device match="ptmx" /> +	<device match="pts/*" /> +	<device match="random" /> +	<device match="rdsk" /> +	<device match="rmt" /> +	<device match="sad/user" /> +	<device match="svvslo0" /> +	<device match="svvslo1" /> +	<device match="svvslo2" /> +	<device match="svvslo3" /> +	<device match="swap" /> +	<device match="sysevent" /> +	<device match="tcp" /> +	<device match="tcp6" /> +	<device match="term" /> +	<device match="ticlts" /> +	<device match="ticots" /> +	<device match="ticotsord" /> +	<device match="tty" /> +	<device match="udp" /> +	<device match="udp6" /> +	<device match="urandom" /> +	<device match="zero" /> +	<device match="zfs" /> + +	<!-- Devices to create in exclusive IP zone only --> +	<device match="icmp" ip-type="exclusive" /> +	<device match="icmp6" ip-type="exclusive" /> +	<device match="ip" ip-type="exclusive" /> +	<device match="ip6" ip-type="exclusive" /> +	<device match="ipauth" ip-type="exclusive" /> +	<device match="ipf" ip-type="exclusive" /> +	<device match="ipl" ip-type="exclusive" /> +	<device match="iplookup" ip-type="exclusive" /> +	<device match="ipnat" 
ip-type="exclusive" /> +	<device match="ipscan" ip-type="exclusive" /> +	<device match="ipsecah" ip-type="exclusive" /> +	<device match="ipsecesp" ip-type="exclusive" /> +	<device match="ipstate" ip-type="exclusive" /> +	<device match="ipsync" ip-type="exclusive" /> +	<device match="keysock" ip-type="exclusive" /> +	<device match="rawip" ip-type="exclusive" /> +	<device match="rawip6" ip-type="exclusive" /> +	<device match="rts" ip-type="exclusive" /> +	<device match="sad/admin" ip-type="exclusive" /> +	<device match="sctp" ip-type="exclusive" /> +	<device match="sctp6" ip-type="exclusive" /> +	<device match="spdsock" ip-type="exclusive" /> + +	<!-- Renamed devices to create under /dev --> +	<device match="zcons/%z/zoneconsole" name="zconsole" /> + +	<!-- Symlinks to create under /dev --> +	<symlink source="console" target="zconsole" /> +	<symlink source="dtremote" target="/dev/null" /> +	<symlink source="msglog" target="zconsole" /> +	<symlink source="stderr" target="./fd/2" /> +	<symlink source="stdin" target="./fd/0" /> +	<symlink source="stdout" target="./fd/1" /> +	<symlink source="syscon" target="zconsole" /> +	<symlink source="sysmsg" target="zconsole" /> +	<symlink source="systty" target="zconsole" /> + +</platform> diff --git a/usr/src/pkgdefs/SUNWtsu/prototype_com b/usr/src/pkgdefs/SUNWtsu/prototype_com index 7bde144efa..55842d62c9 100644 --- a/usr/src/pkgdefs/SUNWtsu/prototype_com +++ b/usr/src/pkgdefs/SUNWtsu/prototype_com @@ -19,11 +19,9 @@  # CDDL HEADER END  #  # -# Copyright 2007 Sun Microsystems, Inc.  All rights reserved. +# Copyright 2009 Sun Microsystems, Inc.  All rights reserved.  # Use is subject to license terms.  # -# ident	"%Z%%M%	%I%	%E% SMI" -#  # This required package information file contains a list of package contents.  # The 'pkgmk' command uses this file to identify the contents of a package  # and their location on the development machine when building the package. 
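Review bot: The six GNOME `global_mount` entries lofs-mount global-zone directories (`/etc/gconf`, `/etc/gnome-vfs-2.0`, `/etc/fonts`, ...) into every labeled zone with no `opt` attribute, so unless zoneadmd forces these mounts read-only elsewhere they are writable from inside the zone, and the brand's default privilege set in config.xml (this commit) includes file_dac_write. If these are meant to be shared configuration rather than per-zone state, add `opt="ro"` to each, e.g. `<global_mount special="/etc/gconf" directory="/etc/gconf" type="lofs" opt="ro"/>`; the `/dev` entry above already shows that `opt` is accepted on global_mount, though whether the platform DTD accepts `ro` for lofs should be confirmed. A comment stating why these directories are shared from the global zone would also help the next reader.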
@@ -90,6 +88,14 @@ f none usr/demo/tsol/runinzone.ksh 555 root bin  f none usr/demo/tsol/runwlabel.ksh 555 root bin  f none usr/demo/tsol/waitforzone.ksh 555 root bin  # +# Labeled Brand files +# +d none usr/lib/brand 755 root bin +d none usr/lib/brand/labeled 755 root sys +f none usr/lib/brand/labeled/config.xml 444 root bin +f none usr/lib/brand/labeled/platform.xml 444 root bin +f none usr/lib/brand/labeled/pkgcreatezone 755 root bin +#  # Share and unshare scripts for zone exports  #  d none usr/lib/zones 755 root bin diff --git a/usr/src/uts/common/os/brand.c b/usr/src/uts/common/os/brand.c index 414e8e8558..b2bc8cc7d0 100644 --- a/usr/src/uts/common/os/brand.c +++ b/usr/src/uts/common/os/brand.c @@ -19,12 +19,10 @@   * CDDL HEADER END   */  /* - * Copyright 2008 Sun Microsystems, Inc.  All rights reserved. + * Copyright 2009 Sun Microsystems, Inc.  All rights reserved.   * Use is subject to license terms.   */ -#pragma ident	"%Z%%M%	%I%	%E% SMI" -  #include <sys/kmem.h>  #include <sys/errno.h>  #include <sys/systm.h> @@ -90,12 +88,6 @@ brand_register(brand_t *brand)  	if (brand == NULL)  		return (EINVAL); -	if (is_system_labeled()) { -		cmn_err(CE_WARN, -		    "Branded zones are not allowed on labeled systems."); -		return (EINVAL); -	} -  	if (brand->b_version != SUPPORTED_BRAND_VERSION) {  		if (brand->b_version < SUPPORTED_BRAND_VERSION) {  			cmn_err(CE_WARN, diff --git a/usr/src/uts/common/os/zone.c b/usr/src/uts/common/os/zone.c index af2cd869e0..6b4ba04b7b 100644 --- a/usr/src/uts/common/os/zone.c +++ b/usr/src/uts/common/os/zone.c @@ -2132,13 +2132,6 @@ zone_set_brand(zone_t *zone, const char *brand)  		return (EINVAL);  	} -	if (is_system_labeled() && -	    strncmp(attrp->ba_brandname, NATIVE_BRAND_NAME, MAXNAMELEN) != 0) { -		mutex_exit(&zone_status_lock); -		brand_unregister_zone(bp); -		return (EPERM); -	} -  	/* set up the brand specific data */  	zone->zone_brand = bp;  	ZBROP(zone)->b_init_brand_data(zone); 
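Review bot: Removing the labeled-system check from zone_set_brand (and the brand_register refusal in brand.c on the same page) leaves no kernel enforcement of which brands a labeled system may run; the only replacement check is the userland one in zoneadmd/vplat.c, which covers the opposite case (labeled brand on an unlabeled host). If the intent is merely to let the new labeled brand through, the narrower change is to allow native or labeled here and keep the EPERM for anything else, using the LABELED_BRAND_NAME this commit adds to sys/brand.h; if every brand is now meant to be allowed on labeled systems, that policy change should be stated in the commit message and in a comment at this point, since 6713821 only describes console warnings. zone_set_brand begins and ends outside this hunk. The brand_register hunk in brand.c raises the same question and is not repeated there.
```c
	/* On a labeled system only the native and labeled brands are allowed. */
	if (is_system_labeled() &&
	    strncmp(attrp->ba_brandname, NATIVE_BRAND_NAME, MAXNAMELEN) != 0 &&
	    strncmp(attrp->ba_brandname, LABELED_BRAND_NAME, MAXNAMELEN) != 0) {
		mutex_exit(&zone_status_lock);
		brand_unregister_zone(bp);
		return (EPERM);
	}

	/* ... unchanged: set up the brand specific data ... */
```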
diff --git a/usr/src/uts/common/sys/brand.h b/usr/src/uts/common/sys/brand.h index 4553cf7725..d9f2b63ba5 100644 --- a/usr/src/uts/common/sys/brand.h +++ b/usr/src/uts/common/sys/brand.h @@ -19,15 +19,13 @@   * CDDL HEADER END   */  /* - * Copyright 2008 Sun Microsystems, Inc.  All rights reserved. + * Copyright 2009 Sun Microsystems, Inc.  All rights reserved.   * Use is subject to license terms.   */  #ifndef _SYS_BRAND_H  #define	_SYS_BRAND_H -#pragma ident	"%Z%%M%	%I%	%E% SMI" -  #ifdef	__cplusplus  extern "C" {  #endif @@ -63,6 +61,9 @@ struct brand_attr {  /* What we call the native brand. */  #define	NATIVE_BRAND_NAME	"native" +/* What we call the labeled brand. */ +#define	LABELED_BRAND_NAME	"labeled" +  #ifdef	_KERNEL  /* Root for branded zone's native binaries */ | 
