Jason Thorpe wrote:

> As you said before, there is really no change to veriexec here except 
> for "sysctl entry point vs device entry point".  Since both choices  are
> basically non-optimal, I don't see any real benefit to changing 
> veriexec at this time, since you're just trading one ugly solution  for
> another.

While there is no change to the end-user here, I *still* think that
sysctl is a more logical place to have these hooks in.

The change is intended to unify the userland access to Veriexec-related
settings, and like Nathan said -- a matter of taste.

Because the diff reuses the code from sys/dev/verified_exec.c only in
sys/kern/kern_verifiedexec.c, how would it hurt to do this move, even
for the sake of having to maintain one less file?

In time, when sysctl (or part of it) uses a different interface, we'll
have to do the move anyway; why not unify it now, then?

-e.

-- 
Elad Efrat