Subject: Re: CVS commit: src/sys/secmodel/bsd44
To: None <tls@rek.tjls.com>
From: YAMAMOTO Takashi <yamt@mwd.biglobe.ne.jp>
List: tech-kern
Date: 10/29/2006 02:14:34
> On Sun, Oct 29, 2006 at 01:42:15AM +0900, YAMAMOTO Takashi wrote:
> > > > 
> > > > i'm not sure what you are talking about.
> > > > are you talking about how bsd44 listener should interact with these requests? 
> > 
> > for bsd44 securelevel listener, i think something like this is enough.
> > 
> > 	case passthru:
> > 		if (securelevel < 1) {
> > 			return allow;
> > 		} else {
> > 			return deny;
> > 		}
> > 
> > alternatively you can probably iterate devices on the bus,
> > but i don't think it's worth doing.
> 
> I don't think you can iterate devices on the bus because, on some
> buses, the devices can directly access one another.

why can't you iterate devices if devices can directly access one another?

> and in some cases the passthrough ioctls can be abused to allow
> access to RAM, I think.

it's what the above pseudocode is intended to prevent.

YAMAMOTO Takashi
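The securelevel check sketched in the quoted text, as an added stand-alone model that is not the secmodel_bsd44 source and not code from anyone in this thread. It follows the sketch literally (passthru is allowed below securelevel 1 and denied otherwise, everything else is deferred) and places it next to a suser-style listener so the combination rule of kauth(9) is visible: any DENY is final, otherwise at least one ALLOW is needed, and an all-DEFER outcome is refused. The enum names, the `struct cred` stand-in, the listener signature and the `bsd44_check` entry point are assumptions made for this example, not NetBSD identifiers.

```c
/*
 * Constructed model of kauth-style device-scope authorization for the
 * bsd44 secmodel discussion. Not NetBSD code; names below are assumptions.
 */
#include <stdio.h>
#include <stddef.h>
#include <errno.h>

enum kauth_result { RESULT_ALLOW, RESULT_DENY, RESULT_DEFER };

enum device_action {          /* assumed subset of the device scope */
    DEVICE_RAWIO_SPEC,        /* raw read/write through a device node */
    DEVICE_RAWIO_PASSTHRU     /* passthrough ioctl towards the bus/device */
};

struct cred { unsigned uid; };   /* minimal stand-in for a credential */

typedef enum kauth_result (*listener_fn)(const struct cred *,
    enum device_action, int securelevel);

/* The listener sketched in the thread: passthru follows securelevel,
 * anything else is left to the other listeners. */
static enum kauth_result
bsd44_securelevel_listener(const struct cred *cred, enum device_action action,
    int securelevel)
{
	(void)cred;
	switch (action) {
	case DEVICE_RAWIO_PASSTHRU:
		if (securelevel < 1)
			return RESULT_ALLOW;
		return RESULT_DENY;
	default:
		return RESULT_DEFER;
	}
}

/* A suser-style listener: root may do raw I/O, others get no opinion. */
static enum kauth_result
bsd44_suser_listener(const struct cred *cred, enum device_action action,
    int securelevel)
{
	(void)securelevel;
	switch (action) {
	case DEVICE_RAWIO_SPEC:
	case DEVICE_RAWIO_PASSTHRU:
		return cred->uid == 0 ? RESULT_ALLOW : RESULT_DEFER;
	default:
		return RESULT_DEFER;
	}
}

/* kauth combination rule: a DENY from any listener is final; otherwise at
 * least one ALLOW is required; if every listener defers, the request fails. */
static int
authorize_device(const struct cred *cred, enum device_action action,
    int securelevel, const listener_fn *listeners, size_t nlisteners)
{
	int allow = 0, fail = 0;

	for (size_t i = 0; i < nlisteners; i++) {
		switch (listeners[i](cred, action, securelevel)) {
		case RESULT_ALLOW: allow = 1; break;
		case RESULT_DENY:  fail = 1;  break;
		case RESULT_DEFER: break;
		}
	}
	return (allow && !fail) ? 0 : EPERM;
}

static const listener_fn bsd44_listeners[] = {
	bsd44_suser_listener,
	bsd44_securelevel_listener,
};

/* Entry point for the demo: 0 = permitted, EPERM = refused. */
int
bsd44_check(unsigned uid, enum device_action action, int securelevel)
{
	struct cred c = { uid };

	return authorize_device(&c, action, securelevel, bsd44_listeners,
	    sizeof bsd44_listeners / sizeof bsd44_listeners[0]);
}

int
main(void)
{
	const char *names[] = { "rawio_spec", "rawio_passthru" };

	for (int lvl = 0; lvl <= 1; lvl++)
		for (int a = 0; a < 2; a++)
			printf("securelevel=%d uid=0 %-15s -> %s\n", lvl, names[a],
			    bsd44_check(0, (enum device_action)a, lvl) == 0 ?
			    "allow" : "deny");
	return 0;
}
```

The point the model makes is the one raised in the thread: once securelevel is raised, the securelevel listener's DENY on passthru overrides the suser listener's ALLOW, so even root loses the passthrough path, while ordinary raw I/O on a device node is untouched because the securelevel listener defers on it.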