re: CVS commit: src/sys/kern

To: christos%astron.com@localhost (Christos Zoulas), maxv%netbsd.org@localhost
Subject: re: CVS commit: src/sys/kern
From: matthew green <mrg%eterna.com.au@localhost>
Date: Tue, 04 Dec 2018 10:20:24 +1100

i just had an idea about a relatively simple hack to allow
kvm tools to work sanely in kaslr space, even if they're not
fully converted yet.

a secmodel overlay that has a way to allow a uid/gid combo
to retrieve the addresses, not just root, and then have that
combo set to */kvm.  then, kvm tools don't drop gid kvm until
after doing sysctl.

this would restrict the sysctls to gid kvm.

we still would have to audit the tools to ensure they do not
expose these addresses directly (ie, printf), but only use
them internally, but until functional parity is achieved it
would allow both security and usability today.

just an idea..


.mrg.

Follow-Ups:
- re: CVS commit: src/sys/kern
  - From: Christos Zoulas

Prev by Date: Re: unsafe file permissions on /usr/bin/login
Next by Date: re: CVS commit: src/sys/kern
Previous by Thread: Re: CVS commit: src/sys/kern
Next by Thread: re: CVS commit: src/sys/kern
Indexes:

Home | Main Index | Thread Index | Old Index