Subject: Re: Integrating securelevel and kauth(9)
To: Christos Zoulas <>
From: David Laight <>
List: tech-security
Date: 03/24/2006 19:08:02
On Fri, Mar 24, 2006 at 06:42:53PM +0000, Christos Zoulas wrote:
> So under the proposal the old "securelevel" variable will map into a
> list of "capabilities" something like:
> old			new
> --------------------------------------------------------------------------
> securelevel == -1 	mask with all the capabilities allowed 
> securelevel == 0	mask with some capabilities allowed
> securelevel == 1	mask with fewer capabilities allowed
> securelevel == 2	mask with no capabilities allowed
> If we assume that we are currently running at securelevel 1, and
> we add or remove a capability, we'll be in a situation where the
> securelevel variable will still be 1 but this will not match
> the original level 1 mask.
> What does it mean to change the securelevel after that? Do we even
> allow it? Do we have a setting for securelevel that means "custom"?
> I think if we need a "custom" securelevel value then we'll need to
> involve a third variable to indicate this so that LKM's still work.

For compatibility with old LKM (and driver code) I'd suggest that
we'd have the constants MASK_0, MASK_1 and MASK_2 (MASK_-1 is zero).
Whenever the new mask is changed we could do:
	if (mask & MASK_2)
		securelevel = 2;
	else if (mask & MASK_1)
		securelevel = 1;
	else if (mask & MASK_0)
		securelevel = 0;
	else
		securelevel = -1;
Then code that checks (securelevel > n) will still error out whenever
it should - although a check of the mask itself might allow the request.


David Laight:
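
The compatibility derivation suggested above, as an added example that is not part of the original message or of NetBSD's code. It assumes the mask is a set of restriction bits (set = denied) and that MASK_n holds only the bits first denied at level n; the bit names and tier assignments are constructed.

```c
#include <stdio.h>
/* Constructed restriction bits (set = denied); names and tiers are assumptions. */
#define R_TIER0_OP  0x01u	/* hypothetical op first denied at level 0 */
#define R_KMEM_WR   0x02u	/* first denied at level 1 */
#define R_LKM_LOAD  0x04u	/* first denied at level 1 */
#define R_RAWDISK   0x08u	/* first denied at level 2 */
#define R_TIME_BACK 0x10u	/* first denied at level 2 */
/* Assumption: MASK_n holds only the bits first denied at level n. */
#define MASK_0 (R_TIER0_OP)
#define MASK_1 (R_KMEM_WR | R_LKM_LOAD)
#define MASK_2 (R_RAWDISK | R_TIME_BACK)
static const unsigned tier_mask[3] = { MASK_0, MASK_1, MASK_2 };

/* The derivation from the message: the highest tier with any bit set. */
int derive_securelevel(unsigned mask)
{
	if (mask & MASK_2) return 2;
	if (mask & MASK_1) return 1;
	if (mask & MASK_0) return 0;
	return -1;
}

/* Old LKM/driver style: an op of tier t is refused when securelevel > t-1. */
int legacy_denies(unsigned mask, int tier)
{
	return derive_securelevel(mask) > tier - 1;
}

/* Walk all 32 masks; count ops the mask denies but legacy code would allow
 * (*unsafe) and ops legacy code refuses although the mask allows (*strict). */
void compare_checks(int *unsafe, int *strict)
{
	*unsafe = *strict = 0;
	for (unsigned mask = 0; mask < 32; mask++)
		for (int tier = 0; tier < 3; tier++)
			for (unsigned op = 1; op < 32; op <<= 1) {
				if (!(tier_mask[tier] & op)) continue;
				int m = (mask & op) != 0, l = legacy_denies(mask, tier);
				*unsafe += m && !l;
				*strict += l && !m;
			}
}

int main(void)
{
	int unsafe, strict;
	compare_checks(&unsafe, &strict);
	printf("time-back only -> level %d; unsafe=%d overstrict=%d\n",
	    derive_securelevel(R_TIME_BACK), unsafe, strict);
	return 0;
}
```

Under these assumptions the derived securelevel never lets a legacy check pass an operation the mask denies; it only over-refuses, as with a custom mask that sets R_TIME_BACK alone and still makes level-1 checks fail.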