Re: /sbin/reboot and secmodel

[Elad Efrat <elad%NetBSD.org@localhost>]

Christoph Badura wrote:
> On Tue, Mar 18, 2008 at 01:10:30AM +0200, Elad Efrat wrote:
> > Christoph Badura wrote:
> > > So, assuming that we would want to change our policy of signalling init(8)
> > > to be overridable by different secmodel, why not just implement that?
> > > I.e. change secmodel_bsd44 to return KAUTH_RESULT_DEFER when a process
> > > tries to signal pid 1.
>
> > That's only part of the problem: reboot signals init, but then also
> > signals to (supposedly) all processes on the system with SIGTERM and
> > SIGKILL to have them exit, too. While the reboot program will silently
> > ignore the EPERMs, we'll only be pretending to have reboot working as
> > it should. :)
>
> Same difference.
>
> The point is really that if we want to allow security models to authorize
> actions that would normally forbidden by the "standard" secmodels then the
> secmodels have to return KAUTH_RESULT_DEFER instead of KAUTH_RESULT_DENY
> when they want to signal that they disallow an action by default.

I absolutely agree; and we already did that:

http://cvsweb.netbsd.org/bsdweb.cgi/src/sys/secmodel/bsd44/secmodel_bsd44_suser.c#rev1.54
http://cvsweb.netbsd.org/bsdweb.cgi/src/sys/secmodel/securelevel/secmodel_securelevel.c#rev1.2

(we're still limited by other things, but they're beyond the scope of
this thread.)

But the thing here is that you don't want to grant the permission to
signal all processes -- unless it's done as a result of rebooting the
machine.

I think there's a general preference to work something out with init,
which sounds good to me.

-e.