Re: /sbin/reboot and secmodel

["Matthew Mondor" <mm_lists%pulsar-zone.net@localhost>]

On Tuesday, 18 Mar 2008 1:15:15
Daniel Carosone <dan%geek.com.au@localhost> wrote:

> .. at which point a more suitable new privileged process is
> developedto handle the specialised responsibilities involved,
> including asneeded new specialised privileges assigned to a
> dedicated user thatruns this process.  This is still unix, surely?

For this particular case I also think that moving the code to init
would be a good idea.  Init could indeed fork daemons as needed under
the the required credentials for various similar tasks, which it could
delegate RPC-like requests to.

Under such a model it would even be possible for init to only spawn
such privilege-separated processes on-demand (a-la inetd but running
already loaded code, and optionally leaving it running afterwards if
the operation is expected to occur frequently).

Could such a system, if made modular enough, be useful in a number of
other cases?  Also, should a userland<->userland communication
facility be used, or a kernel->init facility only (requireing syscalls
to trigger such, perhaps via a special kqueue filter or ioctl-like
manner)?

If userland to userland, I fail to see how the secmodel module could
deny the request cleanly, although it would be possible for init to do
it (and potentially use an access(2)-like syscall if it needs to query
the secmodel).  If reboot(8) had to use a special syscall to reboot
then it would be possible to do this safely, provided that syscall
internally signals/queries init...
-- 
Matthew Mondor