tech-kern archive


Re: KAUTH_SYSTEM_UNENCRYPTED_SWAP



> I think everybody believes that regardless of securelevel, root
> should be able to enable encrypted swap.  But probably almost
> everyone thinks regular users should not be allowed to enable it.

(Throughout the following, I'm using "root" as shorthand for "a user
without suitable privilege".  I think that, like most Unices, NetBSD
makes privilege more all-or-nothing of a thing than would be ideal, but
that is a completely separate issue, probably coloured by my having
gone through much of my larval phase under VMS.)

I think that - ideally - regular users should be able to enable
encrypted swap _for their own pages_.

This is not done for reasons unrelated to the abstract correctness of
the idea - mostly, I suspect, that it involves a significant increase
in administrative overhead at runtime (tracking ownership of every page
in a way visible to the swap code).  Furthermore, "the" owner of a page
may be unclear in a few circumstances.

These obstacles could be overcome, in principle.  Is it worth it?  In
my opinion, for NetBSD, it is not.  But it's because the gain is not
worth the implementation effort, not because it's something that would
conceptually be a Bad Thing.

I do feel that it would be excessive for non-root user X to be able to
enable encrypted swap for user Y's pages.  I've been unable to justify
this feeling, though; that is, I've been unable to come up with a thing
which that would break but which I think ought to work.

/~\ The ASCII				  Mouse
\ / Ribbon Campaign
 X  Against HTML		mouse%rodents-montreal.org@localhost
/ \ Email!	     7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B

