tech-kern archive


re: secmodel_securelevel(9) and machdep.svs.enabled



Maxime Villard writes:
> On 25/04/2018 at 19:47, Alexander Nasonov wrote:
> > Alexander Nasonov wrote:
> >> Alexander Nasonov wrote:
> >>> When securelevel is set, should we lock the 1->0 change for
> >>> machdep.svs.enabled (and possibly for other sysctls related
> >>> to recent security mitigations)?
> >>
> >> Can I commit the attached patch? (doc update will follow)
> > 
> > If I don't hear any objections, I will commit the patch soon and
> > I will request a pullup to netbsd-8.

it's the right idea to me.

> > Alex
> 
> Yes, it's fine. I've never taken care of securelevel, but your change
> can't be incorrect. Perhaps I would use just KAUTH_MACHDEP_SVS instead
> of KAUTH_MACHDEP_SVS_DISABLE, in case another operation gets added in
> the future, but that doesn't matter.

i considered this idea -- plain SVS would have to not include
ENABLE, which doesn't seem right.  perhaps another generic
name that implies !enable would work.


.mrg.

