Subject: Re: Integrating securelevel and kauth(9)
To: None <tech-kern@NetBSD.org>
From: None <joerg@britannica.bec.de>
List: tech-kern
Date: 03/25/2006 17:12:26

On Sat, Mar 25, 2006 at 02:41:33AM -0800, Tom Spindler wrote:
> For those of us coming in late, what's the benefit of the codebase,
> and how does it tie in with systrace, if it does? (I've read TN2127,
> and the benefits are not terribly obvious.)

You simply can't do any kind of discrete permission schemes with
systrace, because it hooks in at the wrong point. E.g. think about a
policy to disallow exec after /dev/kmem has been opened by a process.

This doesn't mean that the centralisation of authentication replaces
systrace. systrace and kauth are mostly orthogonal.

Joerg