tech-kern archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

Re: /sbin/reboot and secmodel

Christoph Badura wrote:
On Tue, Mar 18, 2008 at 01:10:30AM +0200, Elad Efrat wrote:
Christoph Badura wrote:
So, assuming that we would want to change our policy of signalling init(8)
to be overridable by different secmodel, why not just implement that?
I.e. change secmodel_bsd44 to return KAUTH_RESULT_DEFER when a process
tries to signal pid 1.

That's only part of the problem: reboot signals init, but then also
signals to (supposedly) all processes on the system with SIGTERM and
SIGKILL to have them exit, too. While the reboot program will silently
ignore the EPERMs, we'll only be pretending to have reboot working as
it should. :)

Same difference.

The point is really that if we want to allow security models to authorize
actions that would normally forbidden by the "standard" secmodels then the
secmodels have to return KAUTH_RESULT_DEFER instead of KAUTH_RESULT_DENY
when they want to signal that they disallow an action by default.

I absolutely agree; and we already did that:

(we're still limited by other things, but they're beyond the scope of
this thread.)

But the thing here is that you don't want to grant the permission to
signal all processes -- unless it's done as a result of rebooting the

I think there's a general preference to work something out with init,
which sounds good to me.


Home | Main Index | Thread Index | Old Index