re: kern/45235: GENERIC can not have options MODULAR on sane archs

[matthew green <mrg%eterna.com.au@localhost>]

> The following reply was made to PR kern/45235; it has been noted by GNATS.
> 
> From: Izumi Tsutsui <tsutsui%ceres.dti.ne.jp@localhost>
> To: gnats-bugs%NetBSD.org@localhost
> Cc: tsutsui%ceres.dti.ne.jp@localhost
> Subject: Re: kern/45235: GENERIC can not have options MODULAR on sane archs
> Date: Wed, 10 Aug 2011 18:44:24 +0900
> 
>  >  - Create a security model where module auto loading is controlled 
> differently
>  >    (how?)
>  
>  We can allow autoload (not by modload) even if securelevel > 0
>  but I don't have any security considerations...
>  ---
>  Izumi Tsutsui
>  
>  Index: sys/secmodel/securelevel/secmodel_securelevel.c
>  ===================================================================
>  RCS file: /cvsroot/src/sys/secmodel/securelevel/secmodel_securelevel.c,v
>  retrieving revision 1.20
>  diff -u -p -r1.20 secmodel_securelevel.c
>  --- sys/secmodel/securelevel/secmodel_securelevel.c  7 Oct 2009 01:06:57 
> -0000       1.20
>  +++ sys/secmodel/securelevel/secmodel_securelevel.c  10 Aug 2011 09:42:08 
> -0000
>  @@ -254,7 +254,7 @@ secmodel_securelevel_system_cb(kauth_cre
>               break;
>   
>       case KAUTH_SYSTEM_MODULE:
>  -            if (securelevel > 0)
>  +            if ((uintptr_t)arg2 == 0 && securelevel > 0)
>                       result = KAUTH_RESULT_DENY;
>               break;

please don't change the securelevel secmodel this way.  it could
be an additional overlay to relax this check, but without
significant setup, allowing this is hardly any different to
allowing full access.

the overlay should continue to reject this at securelevel > 1,
as well, IMO.


.mrg.