Subject: Re: machdep kauth calls for i386_xxx
To: YAMAMOTO Takashi <yamt@mwd.biglobe.ne.jp>
From: Thor Lancelot Simon <tls@rek.tjls.com>
List: tech-security
Date: 11/09/2006 01:53:02
On Thu, Nov 09, 2006 at 03:09:50PM +0900, YAMAMOTO Takashi wrote:
> > Does the other part of the proposed change look OK to you?  I realize I
> > will need to update it since the raw i/o requests have moved to device
> > scope.
> 
> i'm not sure what problem you are trying to fix with the change.

The proliferation of scopes and requests makes it very hard to understand
the authorization semantics of any particular privileged operation.  For
example, I wanted to see whether the bug where i386_iopl() was permitted
if securelevel <= 1 instead of < 1 had already been fixed.  It is very
hard for me to conceive of a plausible security model where one would
want to treat this operation differently from a raw memory write, so I
assumed I could look at the raw memory write handler in the 4.4 security
model -- but in fact that is not so; there is an additional (and in my
opinion redundant, and thus obfuscatory) machdep request _specifically_
for this operation.

> if some requests are the same in the POV of securelevel,
> the listeners which implement securelevel should treat them so.

If no requests are the same from the point of view of the kauth
framework, actually understanding what any listener does is hopeless.
But some requests clearly _are_ the same -- so why do we not treat this
request, in particular, the same as a memory write?

Thor
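As an added illustration of the point made in this message (not code from the thread, and not NetBSD's kauth or securelevel implementation), the following stand-alone C program models two styles of securelevel listener. The request names, the listener signature, and the policy function are hypothetical stand-ins: one listener keeps a separate check for the machdep iopl request and carries the "<= 1 instead of < 1" mistake the message describes; the other routes the iopl request and the raw memory write through one shared policy, so the two decisions cannot drift apart by accident.

```c
/* Added example: a toy model of a securelevel listener, not the kernel's code.
 * All identifiers below are hypothetical stand-ins for kauth's real names. */
#include <stdio.h>

/* Hypothetical request identifiers for the two operations being compared. */
enum request { REQ_MACHDEP_IOPL = 1, REQ_RAW_MEMORY_WRITE = 2, REQ_OTHER = 3 };

/* DEFER means "not my request", as a listener returns for things it ignores. */
enum result { DENY = 0, ALLOW = 1, DEFER = 2 };

typedef enum result (*listener_fn)(enum request, int securelevel);

/* The one policy question both requests should ask: unrestricted hardware or
 * memory access is allowed only below securelevel 1. */
static enum result raw_access_policy(int securelevel)
{
    return (securelevel < 1) ? ALLOW : DENY;
}

/* Style 1: a dedicated check per request. The iopl branch reproduces the
 * off-by-one the message mentions ("<= 1" where "< 1" was intended). */
enum result separate_listener(enum request req, int securelevel)
{
    switch (req) {
    case REQ_MACHDEP_IOPL:
        return (securelevel <= 1) ? ALLOW : DENY;   /* bug: permits level 1 */
    case REQ_RAW_MEMORY_WRITE:
        return raw_access_policy(securelevel);
    default:
        return DEFER;
    }
}

/* Style 2: requests that are the same from securelevel's point of view share
 * one policy, so there is only one comparison to audit. */
enum result unified_listener(enum request req, int securelevel)
{
    switch (req) {
    case REQ_MACHDEP_IOPL:
    case REQ_RAW_MEMORY_WRITE:
        return raw_access_policy(securelevel);
    default:
        return DEFER;
    }
}

/* Audit helper: returns the first securelevel in 0..2 at which the listener
 * decides the iopl request and the raw write differently, or -1 if they agree
 * everywhere. */
int first_divergence(listener_fn listen)
{
    for (int sl = 0; sl <= 2; sl++) {
        if (listen(REQ_MACHDEP_IOPL, sl) != listen(REQ_RAW_MEMORY_WRITE, sl))
            return sl;
    }
    return -1;
}

static const char *name(enum result r)
{
    return r == ALLOW ? "allow" : r == DENY ? "deny" : "defer";
}

int main(void)
{
    for (int sl = 0; sl <= 2; sl++) {
        printf("securelevel %d: separate iopl=%s rawwrite=%s | unified iopl=%s rawwrite=%s\n",
               sl,
               name(separate_listener(REQ_MACHDEP_IOPL, sl)),
               name(separate_listener(REQ_RAW_MEMORY_WRITE, sl)),
               name(unified_listener(REQ_MACHDEP_IOPL, sl)),
               name(unified_listener(REQ_RAW_MEMORY_WRITE, sl)));
    }
    printf("separate listener diverges at securelevel %d\n",
           first_divergence(separate_listener));
    printf("unified listener diverges at securelevel %d\n",
           first_divergence(unified_listener));
    return 0;
}
```

Running it shows the separate-check listener letting iopl through at securelevel 1 while denying the raw write, which is exactly the kind of divergence that a single shared policy makes impossible to introduce silently; the `first_divergence` helper is the sort of consistency check a reviewer could run over any pair of requests that are supposed to be equivalent.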