Subject: Re: some questions
To: Pavel Cahyna <pavel.cahyna@st.mff.cuni.cz>
From: Manuel Bouyer <bouyer@antioche.eu.org>
List: port-xen
Date: 01/07/2006 12:51:57
On Sat, Jan 07, 2006 at 12:41:52PM +0100, Pavel Cahyna wrote:
> On Sat, Jan 07, 2006 at 12:20:56PM +0100, Manuel Bouyer wrote:
> > On Sat, Jan 07, 2006 at 12:16:14PM +0100, Pavel Cahyna wrote:
> > > On Sat, Jan 07, 2006 at 11:54:55AM +0100, Manuel Bouyer wrote:
> > > > int
> > > > i386_iopl(l, args, retval)
> > > > {
> > > > [...]
> > > > 	if (securelevel > 1)
> > > > 		return EPERM;
> > > > 
> > > > Of course what I said relies on the kernel starting at securelevel 1, which
> > > > I said in a previous mail.
> > > 
> > > How does it help, if there is "securelevel > 1" and not 
> > > "securelevel >= 1" ?
> > 
> > Hum right. So let say we patch the kernel :)
> 
> And that we don't forget to patch i386_set_ioperm() too :)

Yes. In fact I'd probably just disable the iopl syscalls completely.

> 
> > > Also, how do you start the kernel at securelevel 1?
> > 
> > gdb --write /usr/pkg/etc/xen/kernels/netbsd-XENU
> > set securelevel=1
> > quit
> 
> How would you fsck / then?

You can do it from domain0 before starting the domU (this requires that
/ be on a xbd, but it's not a big deal). Or you can setup things so that
/ is always mounted read-only. If I had to run such a setup I'd probably go
the second way (so that not only the kernel, but also the binaries used
to start the system multiuser are under dom0's control).

-- 
Manuel Bouyer <bouyer@antioche.eu.org>
     NetBSD: 26 years of experience will always make the difference