Subject: Re: Getting rid of /dev/veriexec
To: None <>
From: None <>
List: tech-kern
Date: 12/02/2005 16:27:31
On Fri, Dec 02, 2005 at 03:04:31PM +0200, Elad Efrat wrote:
> 1. An admin can chown a device to give a user a special role -- true,
>    but Veriexec does an explicit suser() (and there's no, at the moment,
>    intention to change that). This should be addressed by capabilities,
>    if any.

I don't agree with Nathan on the use of sysctl, but removing the device
as entry point is IMO a very bad thing for Veriexec. Consider the need
for the device a security feature for Veriexec, but a bug e.g. for ps /
netstat etc.