Subject: Re: The reason for securelevel
To: Elad Efrat <>
From: None <>
List: tech-security
Date: 01/26/2006 15:00:34
On Thu, 26 Jan 2006, Elad Efrat wrote:
> der Mouse wrote:
>> If we want to continue to support reading kern.securelevel, the read
>> routine for it would have to take the minimum of all the relevant
>> variables.  I don't see that as a big deal.
> that's exactly the bit i'm still trying to figure out -- it's obvious
> that we keep it for keeping things as they are, and it's obvious we
> get rid of it for having only the per-setting knobs.
> however, if we choose to implement the hybrid scheme i described, how
> should kern.securelevel be represented? can it?

What's wrong with keeping the current securelevel integer, but turning it 
into a module scope variable so it can't be evaluated outside of the 
sysctl code?