Subject: Re: The reason for securelevel
To: der Mouse <mouse@Rodents.Montreal.QC.CA>
From: Michael Richardson <email@example.com>
Date: 01/26/2006 15:04:16
-----BEGIN PGP SIGNED MESSAGE-----
>>>>> "der" == der Mouse <mouse@Rodents.Montreal.QC.CA> writes:
der> Rather, I read it as having knobs for x, y, and z in the
der> kernel; additionally, kern.securelevel, a set-only variable,
der> would, when set, raise the knobs for x, y, and z. There would
der> be no single kernel variable corresponding to kern.securelevel;
der> it would not exist in any form that could be checked against.
der> If we want to continue to support reading kern.securelevel, the
der> read routine for it would have to take the minimum of all the
der> relevant variables. I don't see that as a big deal.
You can maintain the variable as such. It won't tell the whole truth,
but it will tell that for certain that if it has value FOO, that
features that are <FOO are not enabled.
der> Of course, I could be misunderstanding.
I think you are bang on.
] ON HUMILITY: to err is human. To moo, bovine. | firewalls [
] Michael Richardson, Xelerance Corporation, Ottawa, ON |net architect[
] firstname.lastname@example.org http://www.sandelman.ottawa.on.ca/mcr/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)
Comment: Finger me for keys
-----END PGP SIGNATURE-----