Subject: Re: CVS commit: src/sys/kern
To: YAMAMOTO Takashi <yamt@mwd.biglobe.ne.jp>
From: Elad Efrat <elad@NetBSD.org>
List: tech-kern
Date: 09/10/2006 14:51:17

YAMAMOTO Takashi wrote:

> does it mean that an introduction of a new scope will automatically
> make existing secmodels insecure?

If we add a new scope, and have no listeners attached to it, and issue
authorization requests on that scope, then these requests will be
allowed.

> i'm not sure if it's a good idea.

Right now it's not an issue. We need this for when, for example, we
want to allow shipping an LKM of the security model and have it
loaded during boot or something.

It'll probably make sense to have an #ifdef DIAGNOSTIC surrounding
a panic() call there to make sure we don't have any such gaps (calling
an authorization wrapper for a scope with zero listeners) -- although
that's *not* the way to handle this, and should be better handled by,
well, NetBSD developers who decide to add new scopes.

-e.

-- 
Elad Efrat
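
The gap discussed in this message, as an added example that is not part of the original post and is not NetBSD's kauth(9) code: a small user-space C model in which a scope with zero listeners allows every request, with a diagnostic mode that reports the gap instead (standing in for the suggested `#ifdef DIAGNOSTIC` `panic()`). All names are hypothetical, and the rules that one deny wins and that all-defer is denied are assumptions of the model.

```c
#include <stddef.h>
#include <stdio.h>

/* Simplified user-space model; hypothetical names, not NetBSD's kauth(9) source. */
enum verdict { V_ALLOW, V_DENY, V_DEFER };
enum outcome { OUT_ALLOWED = 0, OUT_DENIED = -1, OUT_GAP = -2 };
typedef enum verdict (*listener_fn)(int action);

#define MAX_LISTENERS 4
struct scope {
    const char *name;
    listener_fn listeners[MAX_LISTENERS];
    size_t nlisteners;
};

/* Attach a listener (a security model's callback) to a scope. */
static int scope_listen(struct scope *s, listener_fn fn)
{
    if (s->nlisteners >= MAX_LISTENERS)
        return -1;
    s->listeners[s->nlisteners++] = fn;
    return 0;
}

/* Authorization wrapper. With diagnostic == 0 an empty scope is allowed (the
 * behaviour described in the message); with diagnostic != 0 the empty scope
 * is reported as OUT_GAP, where a DIAGNOSTIC kernel would panic(). */
static enum outcome scope_authorize(const struct scope *s, int action, int diagnostic)
{
    int allowed = 0;
    if (s->nlisteners == 0)
        return diagnostic ? OUT_GAP : OUT_ALLOWED;
    for (size_t i = 0; i < s->nlisteners; i++) {
        enum verdict v = s->listeners[i](action);
        if (v == V_DENY)            /* assumption: one deny wins */
            return OUT_DENIED;
        if (v == V_ALLOW)
            allowed = 1;
    }
    return allowed ? OUT_ALLOWED : OUT_DENIED; /* assumption: all-defer is denied */
}

/* Constructed listener for the existing scope: only action 1 is permitted. */
static enum verdict secmodel_listener(int action)
{
    return action == 1 ? V_ALLOW : V_DENY;
}

int main(void)
{
    struct scope existing = { "existing", {0}, 0 }, added = { "new", {0}, 0 };
    scope_listen(&existing, secmodel_listener);
    printf("%s, action 2: %d\n", existing.name, scope_authorize(&existing, 2, 0));
    printf("%s, action 2: %d\n", added.name, scope_authorize(&added, 2, 0));
    printf("%s, action 2, diagnostic: %d\n", added.name, scope_authorize(&added, 2, 1));
    return 0;
}
```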