Re: pthread_setaffinity_np() permissions

To: Thor Lancelot Simon <tls%panix.com@localhost>
Subject: Re: pthread_setaffinity_np() permissions
From: Jean-Yves Migeon <jeanyves.migeon%free.fr@localhost>
Date: Thu, 03 Nov 2011 10:38:59 +0100

On Wed, 2 Nov 2011 22:36:58 -0400, Thor Lancelot Simon wrote:

On Thu, Nov 03, 2011 at 03:30:54AM +0100, Jean-Yves Migeon wrote:

Should not? I took the same logic as the one allowing usermounts.
It's a matter of policy though.


None of the security sysctls should be changeable at securelevel 1 or

higher. Certainly it should not be possible to grant additionalprivileges

to non-root users.  Is there logic somewhere else preventing it, like
in the relevant kauth listener perhaps?

None, the checks are simply not implemented in secmodel_securelevel(9).I'll have a look this evening.

This has to be done for each variable though depending on their use: inusermount/usersetaffinity cases, it's reasonable to deny additionalrights to non-root users, but turning off these rights should still bepermitted even when securelevel is set to 1+.


--
Jean-Yves Migeon
jeanyves.migeon%free.fr@localhost

Follow-Ups:
- Re: pthread_setaffinity_np() permissions / secmodel sysctl(7)s
  - From: Jean-Yves Migeon

References:
- pthread_setaffinity_np() permissions
  - From: Sad Clouds
- Re: pthread_setaffinity_np() permissions
  - From: Jean-Yves Migeon
- Re: pthread_setaffinity_np() permissions
  - From: Thor Lancelot Simon
- Re: pthread_setaffinity_np() permissions
  - From: Jean-Yves Migeon
- Re: pthread_setaffinity_np() permissions
  - From: Thor Lancelot Simon

Prev by Date: Re: pthread_setaffinity_np() permissions
Next by Date: Re: pthread_setaffinity_np() permissions
Previous by Thread: Re: pthread_setaffinity_np() permissions
Next by Thread: Re: pthread_setaffinity_np() permissions / secmodel sysctl(7)s
Indexes:

Home | Main Index | Thread Index | Old Index