tech-kern archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

Re: secmodel_register(9) API



On Tue, 29 Nov 2011 11:13:01 +0000 (UTC), yamt%mwd.biglobe.ne.jp@localhost 
wrote:
Reviews before merge welcome. If nobody raises his voice, I'll proceed
to commit it at the end of the week.

i hesitate to complicate kauth related locking rules, given that it's
already broken. have you checked if it's safe for these listeners sleep?
(rw_enter can sleep.)

I would say yes; the current patch uses secmodel_eval(9) for "curtain" mode, and its only applicable to kauth(9) listeners for:
- socket "cansee" KAUTH_REQ_NETWORK_SOCKET_CANSEE
- process KAUTH_REQ_PROCESS_CANSEE_{ARGS,ENTRY,OPENFILES}.

All these listeners should have process context, so may sleep.

Perhaps I can put pserialize(9) to good use there. Updates to secmodel(9) are not expected to happen that much often... You want me to have a look? That would make it lock-free even from softints.

i thought the purpose of these secmodels are localize the knowledge of
suser, securelevel, etc.  secmodel_eval seems contradict.

Exactly, that's the point. See below.

if anyone outside of the securelevel secmodel really needs to query
securelevel, doesn't it mean the variable just ought to be exported
in a normal way?

"normal way" is quite difficult to define in the context of modules dynamic loading.

Consider user_set_cpu_affinity: if the sysctl cannot be set any more when securelevel is above or below a threshold, checking for the securelevel variable means that this sysctl has a strong dependency on securelevel (or else, it won't be able to get the variable). So if you want to still provide this sysctl but without having securelevel loaded, you are screwed: it's part of this module.

There are orthogonal requirements there: secmodels define a security policy, but there are situations where one would like to allow certain operations (different from default policy), but without putting a strong requirement on a specific secmodel(9). having to load securelevel just to provide this sysctl is non sense.

Same goes for suser (which controls rights for superuser): curtain/usermounts are not really a suser policy, rather an extension from it. Hence the secmodel_extensions stuff.

--
Jean-Yves Migeon
jeanyves.migeon%free.fr@localhost


Home | Main Index | Thread Index | Old Index