tech-security archive


Secmodel_bsd44: default to "defer", not "deny"?



Hi,

At the moment, secmodel_bsd44's default return value, unless the
operation is allowed, is "deny". This works okay as long as we don't
try to do interesting things. :)

I'm thinking about changing the default to "defer": if the operation
isn't allowed, don't block it, but rather say "let someone else decide".
By default, since there will be nobody else to decide, it will end up
being a "deny".

The rationale behind the "deny" was that if other kernel code listening
on some scopes decides to allow everything, we don't lose with our defer
policy -- the secmodel can't be weakened.

Now I'm thinking, though, that this might not be necessary. To get code
in the kernel (conventionally) you'd have to either write to /dev/kmem
or load a module. If you can do that, you have the permissions and
ability to do plenty of other stuff, too, so kauth should not try to
supposedly protect itself in such situations.

What do others think?

Thanks,

-e.
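
An added illustration, not part of the original post and not NetBSD's kauth code: a simplified C model of the two defaults discussed above, with and without a second listener that allows everything. It assumes results combine so that any deny wins and a request nobody allows ends up denied, as the post describes; all names are this example's own and the sample actions are constructed.

```c
#include <stddef.h>
#include <stdio.h>

/* Simplified model; these names are this example's, not the kernel's. */
enum result { R_ALLOW, R_DENY, R_DEFER };
typedef enum result (*listener_fn)(int action);

enum { ACT_PERMITTED = 1, ACT_OTHER = 2 };  /* constructed sample actions */

/* Base secmodel, current default: whatever is not allowed is denied. */
static enum result base_deny(int a) { return a == ACT_PERMITTED ? R_ALLOW : R_DENY; }

/* Base secmodel, proposed default: whatever is not allowed is deferred. */
static enum result base_defer(int a) { return a == ACT_PERMITTED ? R_ALLOW : R_DEFER; }

/* Hypothetical second listener on the same scope that allows everything. */
static enum result allow_all(int a) { (void)a; return R_ALLOW; }

/* Assumed aggregation: any deny wins; else any allow; all defer => deny. */
static enum result decide(listener_fn base, listener_fn extra, int action)
{
    listener_fn ls[2] = { base, extra };
    int allowed = 0;

    for (size_t i = 0; i < 2; i++) {
        if (ls[i] == NULL)
            continue;                 /* no second listener registered */
        enum result r = ls[i](action);
        if (r == R_DENY)
            return R_DENY;            /* a deny cannot be overridden */
        if (r == R_ALLOW)
            allowed = 1;
    }
    return allowed ? R_ALLOW : R_DENY;
}

int main(void)
{
    static const char *name[] = { "allow", "deny", "defer" };

    printf("deny default, alone:       %s\n", name[decide(base_deny, NULL, ACT_OTHER)]);
    printf("defer default, alone:      %s\n", name[decide(base_defer, NULL, ACT_OTHER)]);
    printf("deny default + allow-all:  %s\n", name[decide(base_deny, allow_all, ACT_OTHER)]);
    printf("defer default + allow-all: %s\n", name[decide(base_defer, allow_all, ACT_OTHER)]);
    return 0;
}
```

Only the last case differs between the two defaults: with "defer", the outcome of an operation the base model does not allow depends on what the other listeners on the scope return.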

