authorkp158701 <none@none>2007-06-13 08:33:29 -0700
committerkp158701 <none@none>2007-06-13 08:33:29 -0700
commit7e6639c297bb2c00e0c6dc8a83143d2201c6b51b (patch)
tree83e0ffdae6a77a4dd1db2d3e787e7af7a247d219 /usr/src
parent717a41ebe41b39f353ba21c3eb3dbbe4c3ba8902 (diff)
CR 6507344 TX zones should not hard code DOI to 1
Diffstat (limited to 'usr/src')
-rw-r--r--usr/src/lib/libtsnet/common/tsol_sgetzcent.c6
-rw-r--r--usr/src/uts/common/os/zone.c8
2 files changed, 10 insertions, 4 deletions
diff --git a/usr/src/lib/libtsnet/common/tsol_sgetzcent.c b/usr/src/lib/libtsnet/common/tsol_sgetzcent.c
index 657c3be47c..cfbc70ba34 100644
--- a/usr/src/lib/libtsnet/common/tsol_sgetzcent.c
+++ b/usr/src/lib/libtsnet/common/tsol_sgetzcent.c
@@ -19,7 +19,7 @@
* CDDL HEADER END
*/
/*
- * Copyright 2006 Sun Microsystems, Inc. All rights reserved.
+ * Copyright 2007 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
*
* From "tsol_tndb_parser.c 7.24 01/09/05 SMI; TSOL 2.x"
@@ -222,8 +222,8 @@ tsol_sgetzcent(const char *instr, int *errp, char **errstrp)
}
instr = nextf + 1;
- /* Not in the entry, but should be */
- zc->zc_doi = 1;
+ /* The kernel will apply the system doi to the zone label later */
+ zc->zc_doi = 0;
/* Field three: get match flag */
errno = 0;
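Review bot: The new comment above `zc->zc_doi = 0;` does not say that 0 is a sentinel, so a reader of this parser cannot tell that the value means "unspecified" rather than a real DOI. A comment such as `/* 0 = unspecified; zone_create() substitutes the system doi */` would make the user/kernel contract explicit. The kernel-side comment in the zone.c hunk has the matching gap: "Fail if requested to set doi to anything but system's doi" omits that 0 is also accepted. The body of tsol_sgetzcent starts and ends outside this hunk.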
diff --git a/usr/src/uts/common/os/zone.c b/usr/src/uts/common/os/zone.c
index 50048453c1..968cb3b12d 100644
--- a/usr/src/uts/common/os/zone.c
+++ b/usr/src/uts/common/os/zone.c
@@ -3408,7 +3408,13 @@ zone_create(const char *zone_name, const char *zone_root,
*/
zone->zone_match = match;
if (is_system_labeled() && !(zone->zone_flags & ZF_IS_SCRATCH)) {
- error = zone_set_label(zone, label, doi);
+ /* Fail if requested to set doi to anything but system's doi */
+ if (doi != 0 && doi != default_doi) {
+ zone_free(zone);
+ return (set_errno(EINVAL));
+ }
+ /* Always apply system's doi to the zone */
+ error = zone_set_label(zone, label, default_doi);
if (error != 0) {
zone_free(zone);
return (set_errno(error));
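Review bot: The new EINVAL branch in zone_create repeats the `zone_free(zone); return (set_errno(...));` cleanup that the existing `if (error != 0)` block performs right after it, and two copies of the same teardown can drift apart when one is later extended. Assigning the result instead, `error = (doi != 0 && doi != default_doi) ? EINVAL : zone_set_label(zone, label, default_doi);`, routes both failures through the one existing exit. zone_create starts before this hunk and the `if (error != 0)` block closes after it, so any further cleanup on that path is not visible here.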