Subject: Re: Getting rid of /dev/veriexec
To: <>
From: Elad Efrat <elad@NetBSD.org>
List: tech-kern
Date: 12/02/2005 18:57:55
der Mouse wrote:

> Perhaps not - but there certainly is for *not* having the veriexec
> device in a chroot.

Just as there's a real world use for having a root process inside a
chroot cage? :)

Let me explain you why this is incredibly esoteric.

For Veriexec to actually *DO* something, it is required that it runs
in strict level >=1. (note that's Veriexec strict level, settable via
kern.veriexec.strict)

Even if you *ARE* root (no need to find the Korean host that runs a
root process inside a chroot, exploit it, and get local root inside
a chroot), you can't do anything to the Veriexec data (read: add
new tables/entries and/or delete entries).

You can't also decrease the strict level because it is a raise-only
variable.

So even if you *DO* have /dev/veriexec inside a chroot, and you *DO*
have root privileges, there's *ABSOLUTELY NOTHING* you can do, with
regard to Veriexec, that you can't do now.

-e.

-- 
Elad Efrat