tech-kern archive


Re: KAUTH_SYSTEM_UNENCRYPTED_SWAP



Alexander Nasonov <alnsn%yandex.ru@localhost> writes:

> Greg Troxel wrote:
>> Kamil Rytarowski <n54%gmx.com@localhost> writes:
>> 
>> > Is it possible to avoid negation in the name?
>> >
>> > KAUTH_SYSTEM_ENABLE_SWAP_ENCRYPTION
>> 
>> I think the point is to have one permission to enable it, which is
>> perhaps just regular root, and another to disable it if securelevel is
>> elevated.
>> 
>> So perhaps there should be two names, one to enable, one to disable.
>
> Kauth is about security rather than speed or convenience. Disabling
> encryption may improve speed but it definitely degrades your security
> level. So, you can enable vm.swap_encrypt at any level but you can't
> disable it if you care about security.

I understand that.  But there's still a question of "should there be a
KAUTH name for enabling as well as disabling", separate from "what
should the rules be".

I think everybody believes that regardless of securelevel, root should
be able to enable encrypted swap.  But probably almost everyone thinks
regular users should not be allowed to enable it.

I realize we have a lot of "root can", and that extending kauth to make
everything separate is almost certainly too much.  But when disabling is
a big deal, I think it makes sense to add names for both enabling and
disabling, to make that intent clearer in the sources.

But, I don't think this is that important, and a comment would do.
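As an added illustration of the design point Greg raises (not code from the thread or from NetBSD itself): the reason separate action names matter is that kauth resolves a request by consulting every registered listener, and a securelevel listener can only refuse the disable direction if it is able to tell enable from disable. The model below re-implements kauth's dispatch in user space so it can be run without kernel headers; the action names, the two listeners and `set_swap_encrypt()` are hypothetical stand-ins for the real secmodels and the vm.swap_encrypt sysctl handler, and the resolution rule (any DENY wins, otherwise at least one ALLOW is required) is the one kauth_authorize_action() uses.

```c
/* User-space model of kauth dispatch for the vm.swap_encrypt decision.
 * Added example, not NetBSD kernel code: the listeners, action names and
 * sysctl handler are hypothetical stand-ins written for illustration. */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

/* Listener verdicts, same meaning as KAUTH_RESULT_* in the kernel. */
enum result { RESULT_ALLOW, RESULT_DENY, RESULT_DEFER };

/* Two distinct action names (hypothetical values) so a listener can
 * distinguish turning encryption on from turning it off. */
enum action { ACTION_SWAP_ENCRYPT_ENABLE, ACTION_SWAP_ENCRYPT_DISABLE };

/* Minimal credential: only the field these listeners consult. */
struct cred { int uid; };

/* Stand-in for the securelevel variable the securelevel secmodel owns. */
static int securelevel = 0;
static void set_securelevel(int lvl) { securelevel = lvl; }

typedef enum result (*listener_fn)(const struct cred *, enum action);

/* suser-style listener: root may do either; anyone else is deferred,
 * which ends up as a denial unless some other listener allows it. */
static enum result suser_listener(const struct cred *c, enum action a) {
    (void)a;
    return c->uid == 0 ? RESULT_ALLOW : RESULT_DEFER;
}

/* securelevel-style listener: once the level is raised, refuse to turn
 * encryption off. Enabling is never restricted here, so it defers and
 * leaves that decision to the suser listener. */
static enum result securelevel_listener(const struct cred *c, enum action a) {
    (void)c;
    if (a == ACTION_SWAP_ENCRYPT_DISABLE && securelevel > 0)
        return RESULT_DENY;
    return RESULT_DEFER;
}

static const listener_fn listeners[] = { suser_listener, securelevel_listener };

/* Model of kauth_authorize_action(): every listener is consulted; a single
 * DENY overrides any ALLOW, and with no ALLOW at all the request fails. */
static int authorize(const struct cred *c, enum action a) {
    int allowed = 0;
    for (size_t i = 0; i < sizeof listeners / sizeof listeners[0]; i++) {
        enum result r = listeners[i](c, a);
        if (r == RESULT_DENY)
            return EPERM;
        if (r == RESULT_ALLOW)
            allowed = 1;
    }
    return allowed ? 0 : EPERM;
}

/* Model of the vm.swap_encrypt sysctl handler: choose the action name by
 * the direction of the change and let the policy decide. Returns 0 or
 * EPERM; *swap_encrypt changes only when the request is authorized. */
static int set_swap_encrypt(const struct cred *c, int *swap_encrypt, int newval) {
    enum action a = newval ? ACTION_SWAP_ENCRYPT_ENABLE
                           : ACTION_SWAP_ENCRYPT_DISABLE;
    int err = authorize(c, a);
    if (err == 0)
        *swap_encrypt = newval;
    return err;
}

int main(void) {
    struct cred root = { 0 }, user = { 1000 };
    int swap_encrypt = 0;

    set_securelevel(0);
    printf("user enable  @0: %d\n", set_swap_encrypt(&user, &swap_encrypt, 1));
    printf("root enable  @0: %d\n", set_swap_encrypt(&root, &swap_encrypt, 1));
    printf("root disable @0: %d\n", set_swap_encrypt(&root, &swap_encrypt, 0));
    set_securelevel(1);
    printf("root enable  @1: %d\n", set_swap_encrypt(&root, &swap_encrypt, 1));
    printf("root disable @1: %d\n", set_swap_encrypt(&root, &swap_encrypt, 0));
    return 0;
}
```

With a single action name the securelevel listener would have to choose between blocking both directions or neither, which is exactly the intent a second name makes explicit in the source.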

