Subject: Re: kauth machdep actions (Re: CVS commit: src)
To: None <elad@NetBSD.org>
From: YAMAMOTO Takashi <yamt@mwd.biglobe.ne.jp>
List: tech-kern
Date: 12/23/2006 16:57:32
> >> and would that mean that there's code that appears to be handled in
> >> the secmodel, but really isn't?
> > 
> > i'm not sure what you mean here.
> 
> I mean that when someone builds a kernel on alpha, and looks at the
> secmodel code, he sees 'case' for KAUTH_MACHDEP_IOPL, but he has to
> go dig around other code (sys/arch/*/?) to find out if it's dead code
> or not. (perhaps that's a moot point because there's the man-page, but
> I still don't like the idea of implicit secmodel code.)

if you want to ensure whether a kauth scope, action, or request is
actually used by the rest of your kernel, you always need to
dig around the rest of the code.  machdep scope is not special in this regard.

> > why each port checks root and securelevel differently (which is what
> > we are talking about, right?) seems unknown and unmaintainable.
> > i don't see much point in keeping it as-is.
> 
> this was exactly my concern. it seems nobody knows the reason for these
> semantics. however, I'd like us to be 100% sure when we're changing them
> (after all, these *are* security semantics) of why they were put there
> in the first place.

making checks stricter won't open a new hole. :)

> the real question is: do we want to assume that similar requests on
> different hardware platforms have the same implication and will be
> handled the same, security-wise?

i guess they are not so similar if they need to be handled differently.

> do you mind if we give others some time to voice in? (smb? tls?)

no problem, of course.  it isn't urgent at all.

YAMAMOTO Takashi