Subject: raw disk/memory access & veriexec strict levels [was: Re: CVS commit:
To: None <tech-security@NetBSD.org>
From: Elad Efrat <elad@NetBSD.org>
List: tech-security
Date: 08/14/2006 16:51:26

commenting on my changes:

Christos Zoulas wrote:

> [...]
> veriexec.diff adds some raw device access policies: if raw disk is
> opened at strict level 1, all fingerprints on this disk will be
> invalidated as a safety measure. level 2 will not allow opening disk
> for raw writing if we monitor it, and prevent raw writes to memory.
> level 3 will not allow opening any disk for raw writing.

should be noted, btw, that this is kinda bogus and still veriexec relies
on securelevel preventing the same things. these are mostly "policy
place-holders" for when (and if) we move on to kauth(9) listeners and
veriexec gets its own say on a larger scale.

right now the above (raw memory/disk access) can still be done using
devices that allow it if the securelevel permits...

-e.

-- 
Elad Efrat