Added dtrace_user and dtrace_proc permissions for oxz_ zones

This allows dtrace inside the zone.
oxidecomputer · Dec 29, 2023 · 02afb95 · 02afb95
1 parent 709493b
commit 02afb95
Showing 1 changed file with 5 additions and 3 deletions.
diff --git a/sled-agent/src/services.rs b/sled-agent/src/services.rs
@@ -1260,11 +1260,14 @@ impl ServiceManager {
     // Check the services intended to run in the zone to determine whether any
     // additional privileges need to be enabled for the zone.
     fn privs_needed(zone_args: &ZoneArgs<'_>) -> Vec<String> {
-        let mut needed = Vec::new();
+        let mut needed = vec![
+            "default".to_string(),
+            "dtrace_user".to_string(),
+            "dtrace_proc".to_string(),
+        ];
         for svc_details in zone_args.sled_local_services() {
             match svc_details {
                 SwitchService::Tfport { .. } => {
-                    needed.push("default".to_string());
                     needed.push("sys_dl_config".to_string());
                 }
                 _ => (),
@@ -1275,7 +1278,6 @@ impl ServiceManager {
             match omicron_zone_type {
                 OmicronZoneType::BoundaryNtp { .. }
                 | OmicronZoneType::InternalNtp { .. } => {
-                    needed.push("default".to_string());
                     needed.push("sys_time".to_string());
                     needed.push("proc_priocntl".to_string());
                 }