--SLDf9lqlvOQaIe6s
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Wed, Jan 10, 2007 at 12:27:45PM +0900, YAMAMOTO Takashi wrote:
> > YAMAMOTO Takashi wrote:
> > > i don't understand the comment.  can you explain?
> >=20
> > sure. let's say you run a system with veriexec strict level 1. it won't
> > deny raw disk access, even to mounts it monitors, so you can just open
> > the disk for read/write. then, when strict level is raised, we
> > supposedly have to block raw disk access, but an attacker might already
> > have a descriptor.
> >=20
> > so what I suggested is to keep track of "number of raw disk users" and
> > just make veriexec not cache the evaluation result if this number is
> > > 0.
>=20
> assuming you want to have it in spec_open/close,
> where to store diskuser_t * can be a problem.

Couldn't we store it in struct disk? We then have the device specific open=
=20
and close routines call a common wrapper that handles the count issues.

Take care,

Bill

--SLDf9lqlvOQaIe6s
Content-Type: application/pgp-signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (NetBSD)

iD8DBQFFpSNFWz+3JHUci9cRAnAbAKCREKM84l/ckXOd5T+V94NPfgaiXACeLHPQ
2M2kI1ffc7FxwXgGVNJ1eYA=
=xOzg
-----END PGP SIGNATURE-----

--SLDf9lqlvOQaIe6s--