Subject: Re: SE Linux vs SE NetBSD !!
To: Elad Efrat <elad@NetBSD.org>
From: Robert Watson <rwatson@FreeBSD.org>
List: tech-security
Date: 08/25/2006 10:44:54
On Fri, 25 Aug 2006, Elad Efrat wrote:

> Travis H. wrote:
>
>> I'd like to see MAC ported to NetBSD, but in the meantime it appears that 
>> Elad is diligently working on a more granular securelevel and integration 
>> with kauth, which accomplishes much of the same thing; IIUC basically 
>> securelevel is designed to prevent persistent changes to the critical files 
>> that control initial boot, so that a reboot can get you into a trusted 
>> state.
>
> Actually, the work is more than just for securelevel -- it's separating the 
> interface ("can proc X do Y?") from the implementation ("is proc X root?"). 
> We will be dispatching requests with full context, and allowing modules to 
> plug in and "listen" to these requests.
>
> How each module processes the information is internal to it; it can check 
> the uid, the securelevel, or -- like I said -- dispatch the request further 
> to a userland daemon that can compare against a policy or forward the 
> request to a central authorization server.

Some risk comes with the ability to offload decisions to user space -- among 
other things, that the access control decision may not be performed atomically 
with respect to the security properties of the subject and object, as kernel 
locks tend not to be something that can be held over a user space up-call. 
Whether this is actually a problem depends entirely on the nature of the 
policy -- for some sorts of security policies, it is a show-stopper, but for 
others it is an acceptable trade-off as long as done intentionally.

Robert N M Watson
Computer Laboratory
University of Cambridge
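An added illustration of the atomicity concern Robert raises, not code from this thread, from kauth, or from any NetBSD/FreeBSD source: a constructed model compares an in-kernel check (decided and enforced under one lock) with an up-call to a userland policy daemon, where the object's owner changes while the decision is pending. The generation counter used to revalidate after the up-call is one hypothetical mitigation, assumed here, not something the thread describes; all names are made up.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed model: subject and object carry only the properties the policy looks at. */
struct subject { int uid; };
struct object  { int owner_uid; int generation; };   /* generation bumps on every change */

/* Snapshot of the request context that would be handed up to a userland daemon. */
struct request { int subject_uid; int object_owner_uid; int object_generation; };

/* Hypothetical policy: a subject may act on an object it owns. */
static bool policy(int subject_uid, int object_owner_uid) {
    return subject_uid == object_owner_uid;
}

/* A concurrent event that lands while the up-call is pending (here: a chown to root). */
static void chown_to_root(struct object *o) { o->owner_uid = 0; o->generation++; }

/* In-kernel path: check and enforcement happen under one lock, so nothing can
 * interleave between inspecting the object and acting on it. */
static bool kernel_check(const struct subject *s, const struct object *o) {
    return policy(s->uid, o->owner_uid);
}

/* Offloaded path: the kernel copies the context, drops its locks and waits for the
 * daemon. `during_upcall` models whatever changes state in that window. */
static bool upcall_check(const struct subject *s, struct object *o,
                         void (*during_upcall)(struct object *), bool revalidate) {
    struct request r = { s->uid, o->owner_uid, o->generation };
    if (during_upcall) during_upcall(o);                      /* locks released: state may change */
    bool allowed = policy(r.subject_uid, r.object_owner_uid); /* daemon only sees the snapshot */
    /* Mitigation (assumed): re-take the lock and refuse to enforce a decision made on stale state. */
    if (revalidate && o->generation != r.object_generation) return false;
    return allowed;
}

/* True when the enforced decision disagrees with what an atomic check of the
 * object's current state would have produced. */
static bool decision_is_stale(bool allowed, const struct subject *s, const struct object *o) {
    return allowed != kernel_check(s, o);
}

/* Scenario: uid 1000 owns the object; ownership moves to root while the decision is pending. */
static bool naive_upcall_enforces_stale_decision(void) {
    struct subject s = { 1000 }; struct object o = { 1000, 0 };
    return decision_is_stale(upcall_check(&s, &o, chown_to_root, false), &s, &o);
}
static bool revalidated_upcall_enforces_stale_decision(void) {
    struct subject s = { 1000 }; struct object o = { 1000, 0 };
    return decision_is_stale(upcall_check(&s, &o, chown_to_root, true), &s, &o);
}
```

The naive up-call grants access to an object that, by the time the grant is enforced, is owned by root; the revalidated variant notices the changed generation and denies, matching what the in-kernel check would have decided.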