tpd, TPD - Trusted Path Domain
On immutable zones, certain processes are marked as part of the Trusted Path Domain (TPD). These processes are allowed to perform all restricted options from that processes perspective. The zone looks like an ordinary read-write global or non-global zone.
In order to prevent non-TPD process from interfering with TPD processes, TPD processes cannot be trussed by non-TPD processes. TPD-processes terminals and fifos are marked specifically and they cannot be opened by non-TPD processes.
The protected TPD processes are not allowed to open to read files, terminals, or fifos not protected by the mwac(5) policy. These files can be changed by the untrusted super-user. The content of those files, terminals or fifos cannot be trusted, unless the O_TPDUNSAFE flag is set during open(2) or when the processes is marked as PRIV_TPD_UNSAFE using setpflags(2).