Subject: Re: Integrating securelevel and kauth(9)
To: None <tech-kern@NetBSD.org>
From: None <firstname.lastname@example.org>
Date: 03/25/2006 17:12:26
On Sat, Mar 25, 2006 at 02:41:33AM -0800, Tom Spindler wrote:
> For those of us coming in late, what's the benefit of the codebase,
> and how does it tie in with systrace, if it does? (I've read TN2127,
> and the benefits are not terribly obvious.)
You simply can't do any kind of discrete permission schemes with
systrace, because it hooks in at the wrong point. E.g. think about a
policy to disallow exec after /dev/kmem has been opened by a process.
This doesn't mean that the centralisation of authentication replaces
systrace. systrace and kauth are mostly orthogonal.