Subject: Re: veriexec (Re: CVS commit: src)
To: YAMAMOTO Takashi <>
From: Brett Lymn <>
List: tech-kern
Date: 10/01/2006 20:28:18
On Sat, Sep 30, 2006 at 09:20:42PM +0900, YAMAMOTO Takashi wrote:
> my questions was, why do you want to distinguish them?

The original intention of indirect vs direct (and, this has not
changed) was that the indirect flag could be applied to a shell
interpreter.  If an executable is marked indirect then it cannot be
invoked directly from a shell but it may be used as a shell
interpreter for a script.  The thinking behind this is that you could,
for example, install perl on the machine and allow veriexec verified
perl scripts to run (since they have #!/usr/pkg/bin/perl as their
first line) _but_ deny someone running perl from the command line and
feeding their own perl script into it.  Hence, you could have a
powerful shell interpreter available for scripting but deny people the
ability to abuse the interpreter for unchecked code.

Brett Lymn