tech-kern archive
Re: secmodel_register(9) API
On Tue, 29 Nov 2011 11:13:01 +0000 (UTC), yamt%mwd.biglobe.ne.jp@localhost wrote:

>> Reviews before merge welcome. If nobody raises his voice, I'll proceed
>> to commit it at the end of the week.
> I hesitate to complicate kauth-related locking rules, given that it's
> already broken. Have you checked if it's safe for these listeners to
> sleep? (rw_enter can sleep.)

I would say yes; the current patch uses secmodel_eval(9) for "curtain"
mode, and it's only applicable to kauth(9) listeners for:
- socket "cansee": KAUTH_REQ_NETWORK_SOCKET_CANSEE
- process: KAUTH_REQ_PROCESS_CANSEE_{ARGS,ENTRY,OPENFILES}
All these listeners should have process context, so they may sleep.
Perhaps I can put pserialize(9) to good use there. Updates to
secmodel(9) are not expected to happen that often... You want me to
have a look? That would make it lock-free even from softints.

> I thought the purpose of these secmodels is to localize the knowledge of
> suser, securelevel, etc. secmodel_eval seems to contradict that.

Exactly, that's the point. See below.

> If anyone outside of the securelevel secmodel really needs to query
> securelevel, doesn't it mean the variable just ought to be exported
> in a normal way?

"normal way" is quite difficult to define in the context of dynamic
module loading.

Consider user_set_cpu_affinity: if the sysctl cannot be set any more
when securelevel is above or below a threshold, checking for the
securelevel variable means that this sysctl has a strong dependency on
securelevel (or else, it won't be able to get the variable). So if you
want to still provide this sysctl but without having securelevel loaded,
you are screwed: it's part of this module.

There are orthogonal requirements there: secmodels define a security
policy, but there are situations where one would like to allow certain
operations (different from the default policy), but without putting a strong
requirement on a specific secmodel(9). Having to load securelevel just
to provide this sysctl is nonsense.

Same goes for suser (which controls rights for the superuser):
curtain/usermounts are not really a suser policy, rather an extension
of it. Hence the secmodel_extensions stuff.

--
Jean-Yves Migeon
jeanyves.migeon%free.fr@localhost
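As an added illustration of the decoupling argument above (not code from the thread or from NetBSD): a constructed userland model in which a sysctl write asks a named secmodel a named question through a secmodel_eval-style lookup, so the sysctl keeps working when that model is simply not loaded. The registry, the "is-securelevel-above" question and set_cpu_affinity_write are all hypothetical names chosen for the example.

```c
#include <string.h>

/* Constructed userland model of the secmodel_eval(9) idea discussed in the
 * thread: a caller asks a named secmodel a named question instead of reading
 * that model's variables, so it carries no link-time dependency on the module. */
typedef int (*secmodel_eval_fn)(const char *what, void *arg, void *ret);
struct secmodel_entry { const char *id; secmodel_eval_fn eval; };
static struct secmodel_entry registry[4];
static int nmodels;

/* Hypothetical securelevel model; its variable stays private to the model. */
static int securelevel = 1;

int securelevel_eval(const char *what, void *arg, void *ret)
{
    if (strcmp(what, "is-securelevel-above") != 0)
        return -1;                      /* question not understood */
    *(int *)ret = securelevel > *(const int *)arg;
    return 0;
}

int secmodel_register(const char *id, secmodel_eval_fn fn)
{
    if (nmodels == 4)
        return -1;
    registry[nmodels].id = id;
    registry[nmodels++].eval = fn;
    return 0;
}

/* -1 when the named model is not loaded or does not answer the question. */
int secmodel_eval(const char *id, const char *what, void *arg, void *ret)
{
    for (int i = 0; i < nmodels; i++)
        if (strcmp(registry[i].id, id) == 0)
            return registry[i].eval(what, arg, ret);
    return -1;
}

/* Write side of a user_set_cpu_affinity-style sysctl: refused while a loaded
 * securelevel model reports a level above 0, still usable when the model is
 * not loaded at all, which is the decoupling the message argues for. */
int set_cpu_affinity_write(int newval, int *stored)
{
    int threshold = 0, above = 0;
    if (secmodel_eval("org.netbsd.secmodel.securelevel", "is-securelevel-above",
                      &threshold, &above) == 0 && above)
        return -1;                      /* stands in for EPERM */
    *stored = newval;
    return 0;
}
```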