tech-security archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

Re: Secmodel_bsd44: default to "defer", not "deny"?

Bill Stouder-Studenmund wrote:

A default answer of "defer" is more-correct that what happens now. Making this change strikes me as the right thing to do. It also will serve as a good example for future module-authors.

Also, the fact that root was able to load modules at boot doesn't mean that root can load modules (and thus kmem is writable) later. :-) Isn't that the reason we talked about securelevel and capabilities and the inability to re-enable "capabilities" that we disable towards the end of boot?


I'll wait a couple of days and change it.



Home | Main Index | Thread Index | Old Index