Subject: Re: Integrating securelevel and kauth(9)
To: None <tech-kern@netbsd.org>
From: Christos Zoulas <christos@astron.com>
List: tech-kern
Date: 03/24/2006 18:42:53
In article <442432CB.1030806@NetBSD.org>, Elad Efrat  <elad@NetBSD.org> wrote:
>Hello,
>
>Outlined in this mail is my proposal for integrating the traditional BSD
>securelevel with the kauth(9) interface.
>
>

Thank you Elad for taking the time to compose this message. It is very
well written and I think it addresses most of the issues.

So under the proposal the old "securelevel" variable will map into a
list of "capabilities" something like:

old			new
--------------------------------------------------------------------------
securelevel == -1 	mask with all the capabilities allowed
securelevel == 0	mask with some capabilities allowed
securelevel == 1	mask with fewer capabilities allowed
securelevel == 2	mask with no capabilities allowed

If we assume that we are currently running at securelevel 1, and
we add or remove a capability, we'll be in a situation where the
securelevel variable will still be 1 but this will not match
the original level 1 mask.

What does it mean to change the securelevel after that? Do we even
allow it? Do we have a setting for securelevel that means "custom"?
I think if we need a "custom" securelevel value then we'll need to
involve a third variable to indicate this so that LKMs still work.

Also let's say we are at securelevel -1, and change the mask manually
to deny device access. The securelevel will still be -1, but LKMs will
still think that device access is allowed.

How does going from multi-user to single user and back affect the mask?

christos
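The securelevel-to-mask table and the inconsistency the reply describes, as an added C model that is not NetBSD code and not the proposal as implemented: the capability bits, the contents of each level's mask, the SECURELEVEL_CUSTOM sentinel, and the struct and function names are all assumptions of this example.

```c
#include <stdbool.h>
#include <stdint.h>
/* Constructed capability bits; "device access" is the one the mail names. */
#define CAP_DEVICE_ACCESS (1u << 0)
#define CAP_RAW_DISK      (1u << 1)
#define CAP_LOAD_LKM      (1u << 2)
#define CAP_ALL (CAP_DEVICE_ACCESS | CAP_RAW_DISK | CAP_LOAD_LKM)
#define SECURELEVEL_CUSTOM (-2) /* constructed sentinel: mask matches no level */
/* The old->new table from the mail, with constructed mask contents. */
static uint32_t mask_for_securelevel(int level) {
	switch (level) {
	case -1: return CAP_ALL;                          /* all allowed */
	case 0:  return CAP_DEVICE_ACCESS | CAP_LOAD_LKM; /* some */
	case 1:  return CAP_DEVICE_ACCESS;                /* fewer */
	default: return 0;                                /* 2: none */
	}
}
/* Reverse lookup: the level this mask corresponds to, or CUSTOM if none. */
static int securelevel_for_mask(uint32_t mask) {
	for (int level = -1; level <= 2; level++)
		if (mask_for_securelevel(level) == mask)
			return level;
	return SECURELEVEL_CUSTOM;
}
/* Both representations side by side, plus the third "custom" indicator. */
struct securestate {
	int securelevel; /* what an unconverted LKM still reads */
	uint32_t caps;   /* what kauth(9)-aware code consults */
	bool custom;     /* set when caps no longer matches securelevel */
};
static void secure_set_level(struct securestate *s, int level) {
	s->securelevel = level;
	s->caps = mask_for_securelevel(level);
	s->custom = false;
}

/* Editing the mask by hand leaves the old variable as it was. */
static void secure_set_caps(struct securestate *s, uint32_t caps) {
	s->caps = caps;
	s->custom = securelevel_for_mask(caps) != s->securelevel;
}

/* An unconverted LKM decides from securelevel alone; converted code from caps. */
static bool legacy_lkm_allows(const struct securestate *s, uint32_t cap) {
	return (mask_for_securelevel(s->securelevel) & cap) != 0;
}
static bool mask_allows(const struct securestate *s, uint32_t cap) {
	return (s->caps & cap) != 0;
}
```

Run through the -1 scenario from the mail (deny device access by hand), the two checks disagree: legacy_lkm_allows still answers yes while mask_allows answers no, and only the custom flag records that the variable and the mask have drifted apart.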