OSEC

Secmodel_bsd44: default to "defer", not "deny"?

From: Elad Efrat (eladNetBSD.org)
Date: Sun Feb 24 2008 - 13:34:27 CST


Hi,

At the moment, secmodel_bsd44's default return value, unless the
operation is allowed, is "deny". This works okay as long as we don't
try to do interesting things. :)

I'm thinking about changing the default to "defer": if the operation
isn't allowed, don't block it, but rather say "let someone else decide".
By default, since there will be nobody else to decide, it will end up
being a "deny".

The rationale behind the "deny" was that if other kernel code listening
on some scopes decides to allow everything, we don't lose with our defer
policy -- the secmodel can't be weakened.

Now I'm thinking, though, that this might not be necessary. To get code
in the kernel (conventionally) you'd have to either write to /dev/kmem
or load a module. If you can do that, you have the permissions and
ability to do plenty of other stuff, too, so kauth should not try to
supposedly protect itself in such situations.

What do others think?

Thanks,

-e.
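The difference between a "deny" and a "defer" default, as a constructed model rather than NetBSD kernel code: a toy dispatcher applies the combining rule that kauth(9) documents (any DENY wins; otherwise at least one ALLOW allows; if everyone defers, the request fails closed), a toy secmodel listener returns ALLOW for one known action and its configured default for everything else, and a hypothetical second listener (standing in for a loaded module) allows everything. The action names, the `secmodel_listener`/`allow_all_listener` functions and the two-listener setup are all assumptions made for this example; they are not kauth identifiers.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-ins for kauth listener results; not kauth(9) constants. */
enum { RESULT_ALLOW = 0, RESULT_DENY = 1, RESULT_DEFER = 2 };

/* Dispatcher rule as documented for kauth(9): any DENY wins; otherwise a
 * single ALLOW allows; if every listener defers, nobody decided, so deny. */
static int resolve(const int *results, int n)
{
    int allow = 0, deny = 0;

    for (int i = 0; i < n; i++) {
        if (results[i] == RESULT_DENY)
            deny = 1;
        else if (results[i] == RESULT_ALLOW)
            allow = 1;
    }
    if (deny)
        return RESULT_DENY;
    if (allow)
        return RESULT_ALLOW;
    return RESULT_DENY;             /* all deferred: fail closed */
}

/* Toy secmodel (hypothetical): allows one known action, otherwise returns
 * whatever its configured default is (deny today, defer as proposed). */
static int secmodel_listener(const char *action, int default_result)
{
    if (strcmp(action, "read_own_file") == 0)
        return RESULT_ALLOW;
    return default_result;
}

/* Hypothetical extra listener, e.g. from a loaded module, that allows all. */
static int allow_all_listener(const char *action)
{
    (void)action;
    return RESULT_ALLOW;
}

/* Run the secmodel, optionally followed by the allow-all listener, and
 * combine the answers the way the dispatcher above does. */
static int authorize(const char *action, int secmodel_default, int extra_loaded)
{
    int results[2];
    int n = 0;

    results[n++] = secmodel_listener(action, secmodel_default);
    if (extra_loaded)
        results[n++] = allow_all_listener(action);
    return resolve(results, n);
}

static const char *name(int r)
{
    return r == RESULT_ALLOW ? "allow" : r == RESULT_DENY ? "deny" : "defer";
}

int main(void)
{
    const int defaults[] = { RESULT_DENY, RESULT_DEFER };

    for (int d = 0; d < 2; d++) {
        printf("secmodel default = %s\n", name(defaults[d]));
        printf("  known action, secmodel alone:      %s\n",
               name(authorize("read_own_file", defaults[d], 0)));
        printf("  unknown action, secmodel alone:    %s\n",
               name(authorize("write_kmem", defaults[d], 0)));
        printf("  unknown action, allow-all loaded:  %s\n",
               name(authorize("write_kmem", defaults[d], 1)));
    }
    return 0;
}
```

With the secmodel alone, both defaults end in a deny for an unknown action, which is the "nobody else to decide" case from the post. The two defaults only diverge once a second listener that allows everything is present: a "deny" default still denies, a "defer" default lets the extra listener's ALLOW through.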