Secmodel_bsd44: default to "defer", not "deny"?

To: tech-security%netbsd.org@localhost
Subject: Secmodel_bsd44: default to "defer", not "deny"?
From: Elad Efrat <elad%NetBSD.org@localhost>
Date: Sun, 24 Feb 2008 21:34:27 +0200

Hi,

At the moment, secmodel_bsd44's default return value, unless the
operation is allowed, is "deny". This works okay as long as we don't
try to do interesting things. :)

I'm thinking about changing the default to "defer": if the operation
isn't allowed, don't block it, but rather say "let someone else decide".
By default, since there will be nobody else to decide, it will end up
being a "deny".

The rationale behind the "deny" was that if other kernel code listening
on some scopes decides to allow everything, we don't lose with our defer
policy -- the secmodel can't be weakened.

Now I'm thinking, though, that this might not be necessary. To get code
in the kernel (conventionally) you'd have to either write to /dev/kmem
or load a module. If you can do that, you have the permissions and
ability to do plenty other stuff, too, so kauth should not try to
supposedly protect itself in such situations.

What do others think?

Thanks,

-e.

Follow-Ups:
- Re: Secmodel_bsd44: default to "defer", not "deny"?
  - From: Joerg Sonnenberger
- Re: Secmodel_bsd44: default to "defer", not "deny"?
  - From: Bill Stouder-Studenmund

Prev by Date: getting wedge information (esp. size) in kenrel ?
Next by Date: Re: Unifying /dev/{mem,kmem,zero,null} implementations
Previous by Thread: getting wedge information (esp. size) in kenrel ?
Next by Thread: Re: Secmodel_bsd44: default to "defer", not "deny"?
Indexes:

Home | Main Index | Thread Index | Old Index