tech-kern archive


Re: /sbin/reboot and secmodel



> [...], and then have the kernel signal [init]

> Internal communication can e.g. be done via a named pipe:
> prw-------   1 root     root           0 Feb 14 16:51 /etc/initpipe

I'd much rather not.  If it's a named pipe, it's accessible to
userland.  I'd rather see the kernel create an ordinary, unnamed, pipe
and give one end of it to init as fd 0 on startup or some such, then
stash the other end somewhere internal as a trusted channel to init.
If we're willing to assume AF_LOCAL sockets are available we could make
it an AF_LOCAL socketpair and use it bidirectionally.

Of course, this assumes that we decide we want to put those smarts in
the kernel in the first place; I'm not convinced that's a good design.
(I'm not convinced it's a bad design, either, but I'm trying to make
sure I don't slide into either stance unjustifiedly.)

/~\ The ASCII                           der Mouse
\ / Ribbon Campaign
 X  Against HTML               mouse%rodents.montreal.qc.ca@localhost
/ \ Email!           7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B
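
The following is an added example, not part of the original message or of NetBSD's code: a userland analog of the unnamed AF_LOCAL socketpair proposed above, with the parent process standing in for the kernel and the child for init. The function names and the "reboot"/"ack:" messages are constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <sys/wait.h>
#include <unistd.h>

/* 1 if fd is a socket with no filesystem name bound to it, so no other
 * process can reach it by path (unlike a FIFO such as /etc/initpipe). */
int channel_is_unnamed(int fd) {
    struct sockaddr_un sa;
    socklen_t len = sizeof sa;
    memset(&sa, 0, sizeof sa);
    if (getsockname(fd, (struct sockaddr *)&sa, &len) != 0) return 0;
    return len <= offsetof(struct sockaddr_un, sun_path) || sa.sun_path[0] == '\0';
}

/* Parent plays the kernel, child plays init. Sends req over the socketpair,
 * stores init's answer in reply (NUL-terminated), returns its length or -1. */
ssize_t trusted_roundtrip(const char *req, char *reply, size_t replylen) {
    int sv[2]; size_t got = 0; ssize_t r;
    if (socketpair(AF_LOCAL, SOCK_STREAM, 0, sv) != 0) return -1;
    pid_t pid = fork();
    if (pid < 0) { close(sv[0]); close(sv[1]); return -1; }
    if (pid == 0) {                        /* "init" */
        char buf[64] = "ack:";
        dup2(sv[1], 0);                    /* its end arrives as fd 0 */
        close(sv[0]); close(sv[1]);        /* never holds the other end */
        r = read(0, buf + 4, sizeof buf - 4);
        if (r <= 0 || !channel_is_unnamed(0) || write(0, buf, r + 4) != r + 4)
            _exit(1);
        _exit(0);
    }
    close(sv[1]);                          /* "kernel" keeps only its own end */
    ssize_t w = write(sv[0], req, strlen(req));
    shutdown(sv[0], SHUT_WR);              /* done sending; replies still flow back */
    while (got < replylen - 1 && (r = read(sv[0], reply + got, replylen - 1 - got)) > 0)
        got += (size_t)r;
    reply[got] = '\0';
    close(sv[0]);
    waitpid(pid, NULL, 0);
    return w == (ssize_t)strlen(req) ? (ssize_t)got : -1;
}

int main(void) {
    char reply[64];
    ssize_t n = trusted_roundtrip("reboot", reply, sizeof reply);
    printf("reply (%zd bytes): %s\n", n, reply);
    return n > 0 ? 0 : 1;
}
```

Only processes that inherit one of the two descriptors can use the channel; there is no path for an unrelated process to open.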

