Subject: Re: Getting rid of /dev/veriexec
From: Elad Efrat <elad@NetBSD.org>
Date: 12/02/2005 18:57:55
der Mouse wrote:
> Perhaps not - but there certainly is for *not* having the veriexec
> device in a chroot.
Just as there's a real world use for having a root process inside a
chroot cage? :)
Let me explain to you why this is incredibly esoteric.
For Veriexec to actually *DO* something, it is required that it runs
in strict level >=1. (note that's Veriexec strict level, settable via
Even if you *ARE* root (no need to find the Korean host that runs a
root process inside a chroot, exploit it, and get local root inside
a chroot), you can't do anything to the Veriexec data (read: add
new tables/entries and/or delete entries).
You also can't decrease the strict level because it is a raise-only
So even if you *DO* have /dev/veriexec inside a chroot, and you *DO*
have root privileges, there's *ABSOLUTELY NOTHING* you can do, with
regard to Veriexec, that you can't do now.