tech-kern archive
Re: RFC: New security model secmodel_securechroot(9)
On Sat, Jul 23, 2011 at 10:16:28PM +0300, Aleksey Cheusov wrote:
> >> >> · Processor-set manipulation is not allowed.
> >>
> >> > Please cross reference what you mean here (cpuctl(8), I take?)
> >> No. schedctl(8).
> >> CPU manipulations using cpuctl(8) are also not allowed.
>
> > Please make sure that it is clear that you mean the global scheduler
> > settings and not the pthread affinity flags.
>
> Could you please list all functions you'd like to see allowed
> (with argument if necessary)?
I think _sched_setparam, _sched_setaffinity and possible are the syscalls
involved. Same restrictions as ptrace if using with a different PID, no
real time priority inside chroot.
Joerg