re: CVS commit: src/sys/kern

To: coypu%SDF.ORG@localhost
Subject: re: CVS commit: src/sys/kern
From: matthew green <mrg%eterna.com.au@localhost>
Date: Thu, 29 Dec 2016 07:27:15 +1100

coypu%SDF.ORG@localhost writes:
> On Wed, Dec 28, 2016 at 12:05:58AM +0000, Roy Marples wrote:
> > Can you please explain how the security model was broken?
> > 
> 
> intention with securelevel is to do less things kernel-side
> if it is raised (which, I hope, reduces our attack surface).
> 
> I don't think it's worth adding this complexity for better
> npfctl warnings (it's just a warning and doesn't change its
> behaviour).
> 
> If you want, I can modify npfctl not to warn for the EPERM
> case. I'm not sure whether that is better.

change npfctl to check if the module is builtin or already
loaded?

if (modctl(MODCTL_EXISTS, 0) != -1 || errno != EPERM) {
	modctl_load_t m;
	// setup m
	if (modctl(MODCTL_LOAD, &m) == -1) {
		// complain here only
	}
}


.mrg.

References:
- Re: CVS commit: src/sys/kern
  - From: coypu

Prev by Date: Re: CVS commit: src/sys/kern
Next by Date: Re: CVS commit: src/sys/kern
Previous by Thread: Re: CVS commit: src/sys/kern
Indexes:

Home | Main Index | Thread Index | Old Index