Subject: Re: kauth, securelevel, and "run levels"
To: None <firstname.lastname@example.org>
From: None <email@example.com>
Date: 03/25/2006 19:41:10
On Sat, Mar 25, 2006 at 01:07:22PM -0500, Steven M. Bellovin wrote:
> On Sat, 25 Mar 2006 12:37:07 -0500, Thor Lancelot Simon
> <firstname.lastname@example.org> wrote:
> > As Kirk said to me years ago, the idea was to
> > provide a simple, even provably-correct, means of dramatically limiting
> > the extent of any system compromise
> I'd like to retain the focus on "simple, even provably-correct". Any
> new scheme should be high assurance.
Help to verify that (a) the actual implementation of the kauth framework
is correct. It is pretty much self contained and shouldn't be a problem
to get the high assurance you want. After that, (b) check that all the
checks are *semantically* correct where they occur. This part is
actually a review of the old implementation *as well* The imporant part
here is that instead of having code "to bail out based on the value of
a global variable", the code now explictly documents what is checked
for. This part was at the very least a lot harder befor.