Subject: Re: CVS commit: src/sys/kern
To: None <tech-kern@NetBSD.org>
From: Alan Barrett <apb@cequrux.com>
List: tech-kern
Date: 09/11/2006 11:33:42
On Mon, 11 Sep 2006, Elad Efrat wrote:
> YAMAMOTO Takashi wrote:
> > to avoid making existing code insecure when introducing new scopes.
> 
> Let's say we introduced a new scope. Can you think of any situation
> where we would dispatch authorization requests on this scope without
> also adding some listeners? usually, the very requests we add to kauth.h
> are the ones checked in the listener.

Sure, you add listeners to the "standard" security model[s], but that
doesn't help people using non-standard security models (unless there's
some magic that I didn't understand).  If I have a non-standard security
model (say loaded as an LKM), and boot a new kernel that tries to use
a new scope that my security model has never heard of, I want it to
fail closed, not to fail open.  If the kauth framework says "a security
model is loaded, but there are no listeners for this scope, so I'll just
permit everything in this scope", then the system fails open.

--apb (Alan Barrett)
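The fail-open versus fail-closed distinction in the message above, as an added illustration that is not part of the original post and not NetBSD's kauth(9) code. The scope registry, listener type, vote-counting rule (any DENY denies, otherwise at least one explicit ALLOW is required) and the function names are all assumptions made for the example. The scenario is the one Alan describes: a loaded model registered a listener on a scope it knows, then a newer kernel starts dispatching on a scope the model has never heard of.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical miniature of a scope/listener authorization dispatcher,
 * written for this example; not NetBSD's kauth(9). Listeners cast a vote
 * on (action, uid) within a scope. */
enum vote { VOTE_DEFER, VOTE_ALLOW, VOTE_DENY };
typedef enum vote (*listener_fn)(int action, int uid);

#define MAX_SCOPES    8
#define MAX_LISTENERS 4

struct scope {
    const char *name;
    listener_fn listeners[MAX_LISTENERS];
    int nlisteners;
};

struct registry {
    struct scope scopes[MAX_SCOPES];
    int nscopes;
};

static struct scope *find_scope(struct registry *r, const char *name)
{
    for (int i = 0; i < r->nscopes; i++)
        if (strcmp(r->scopes[i].name, name) == 0)
            return &r->scopes[i];
    return NULL;
}

/* Kernel side: a subsystem declares a scope when it starts using it. */
static int register_scope(struct registry *r, const char *name)
{
    if (r->nscopes == MAX_SCOPES || find_scope(r, name) != NULL)
        return -1;
    r->scopes[r->nscopes].name = name;
    r->scopes[r->nscopes].nlisteners = 0;
    r->nscopes++;
    return 0;
}

/* Security-model side: a model registers only on scopes it knows about. */
static int add_listener(struct registry *r, const char *name, listener_fn fn)
{
    struct scope *s = find_scope(r, name);
    if (s == NULL || s->nlisteners == MAX_LISTENERS)
        return -1;
    s->listeners[s->nlisteners++] = fn;
    return 0;
}

/* Fail-open dispatch (the behaviour the message warns against): allowed
 * unless some listener says DENY, so a scope nobody listens on, or one the
 * dispatcher has never seen, permits everything. */
static int authorize_fail_open(struct registry *r, const char *name, int action, int uid)
{
    struct scope *s = find_scope(r, name);
    if (s != NULL)
        for (int i = 0; i < s->nlisteners; i++)
            if (s->listeners[i](action, uid) == VOTE_DENY)
                return 0;
    return 1;
}

/* Fail-closed dispatch: an unknown scope, a scope with no listeners, or one
 * where every listener defers is denied. Only an explicit ALLOW with no
 * DENY grants the request. */
static int authorize_fail_closed(struct registry *r, const char *name, int action, int uid)
{
    struct scope *s = find_scope(r, name);
    int allowed = 0;
    if (s == NULL || s->nlisteners == 0)
        return 0;
    for (int i = 0; i < s->nlisteners; i++) {
        enum vote v = s->listeners[i](action, uid);
        if (v == VOTE_DENY)
            return 0;
        if (v == VOTE_ALLOW)
            allowed = 1;
    }
    return allowed;
}

/* Listener of a toy "standard" model: only uid 0 may act in its scopes. */
static enum vote root_only(int action, int uid)
{
    (void)action;
    return uid == 0 ? VOTE_ALLOW : VOTE_DENY;
}

/* The model registered on "generic"; the kernel then declared "newscope",
 * which the model never heard of. Returns 1 if the request is permitted. */
int demo(const char *scope, int uid, int fail_closed)
{
    struct registry r = { 0 };
    register_scope(&r, "generic");
    add_listener(&r, "generic", root_only);
    register_scope(&r, "newscope");   /* no listeners ever attached */
    return fail_closed ? authorize_fail_closed(&r, scope, 0, uid)
                       : authorize_fail_open(&r, scope, 0, uid);
}

int main(void)
{
    printf("newscope uid 1000 fail-open:   %s\n", demo("newscope", 1000, 0) ? "ALLOW" : "DENY");
    printf("newscope uid 1000 fail-closed: %s\n", demo("newscope", 1000, 1) ? "ALLOW" : "DENY");
    printf("generic  uid 1000 fail-closed: %s\n", demo("generic", 1000, 1) ? "ALLOW" : "DENY");
    return 0;
}
```

Both dispatchers agree on the scope the model covers; they differ only on the scope it never registered for, where the fail-open variant grants an unprivileged uid everything and the fail-closed variant denies it. A dispatcher that also treats an all-DEFER outcome as denial, as the fail-closed one here does, keeps that property even when a model has registered a listener that simply declines to vote.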