Subject: Re: Integrating securelevel and kauth(9)
To: Garrett D'Amore <garrett_damore@tadpole.com>
From: None <jonathan@dsg.stanford.edu>
List: tech-kern
Date: 03/24/2006 19:09:24
In message <442493F7.90100@tadpole.com>"Garrett D'Amore" writes
>jonathan@dsg.stanford.edu wrote:

[...]

>> (Repeated calls for not just a a devfs, but for devfs plus removal of
>> static in-filesystem special-device inodes, and their associated,
>> newfs/mknod-time, *statically auditable* perimsisions (e.g., for use
>> inside chroot() areas or "jails"), is one such case).
>>   
>
>These are all good points.  But they overlook a major consideration.
>
>Most sites (and I've worked with a number of them over the years) that
>care about this kind of thing are not going to jump on whatever
>new-fangled thing we come up with, or even the latest version of the
>operating system, *precisely* because they want the newness to wear off.
>
>These kinds of sites will keep running NetBSD 1.5 until the far-off
>future, and then, only after much debate and testing, consider upgrading
>to 2.0 or 3.0.

Tee, hee. Garrett, you really are new here, aren't you?  There are
several participants on this list who, in point of fact, *do* build
hardened systems based on NetBSD-2.0 or newer.  Personally, I think
Thor and I are a better gauge for the kind of

	``people [sic] who care about this kind of thing'',

(at least in a NetBSD context) than you are.


>It does make sense to consider whether a change like kauth will create a
>barrier to adoption, and what the impact of that barrier is.  In this
>particular, case I see no reason why we should want folks to adopt e.g.
>NetBSD 4.0 if they aren't willing to also adopt kauth.  (I.e. I don't
>think there is some feature or platform support in the proposed 4.0 that
>is *so* compelling that we want *everyone* to adopt to the point that we
>should abandon the idea of including Elad's kauth work.)

Hah. I'd say a NetBSD release that actually worked well on Opteron
systems would be a good start.  I know of several people who want
that, who see absolutely no reason to buy into Elad's work; and who
absolutely *will not* adopt NetBSD-4.0, if it weakens the existing
securelevel semantics in ways which (for example) Thor and I find
objectionable.

If i can put i this way: Elad seems to find it important to offer
finer-grained *EN*ablement of specific actions. Whereas in contrast,
Thor and I find it essential to globally *DIS*able certain actions
(irrespective of which process issues them); and secondarily, to have
a hierarchy of such disablement.

If what you want is a totally-ordered, monotonically-nondecreasing,
hierarchy of *disabling* specific actions, that really doesn't fit
with an independent set of individual bits --- where, by definition,
any one bit in t the collection of bits is *NOT* ordered vis-a-vis the
others.

Just for myself, I could live with a world where individual its could
be cleared from 1 to 0, but can never, ever never reset from 0 back to
1 (except perhaps from the OS console in single-user mode). 
I believe *that* is why Thor proposed "run-levels" with a mask per
run-level (the run-levels being, presumably, monotonically increasing).

But I'm not seeing such machinery anywhere in Elad's proposal.
Am I repeatedly missing it?