Subject: Re: Integrating securelevel and kauth(9)
To: Christos Zoulas <christos@astron.com>
From: David Laight <david@l8s.co.uk>
List: tech-security
Date: 03/24/2006 19:08:02
On Fri, Mar 24, 2006 at 06:42:53PM +0000, Christos Zoulas wrote:
>
> So under the proposal the old "securelevel" variable will map into a
> list of "capabilities" something like:
>
> old                  new
> --------------------------------------------------------------------------
> securelevel == -1    mask with all the capabilities allowed
> securelevel == 0     mask with some capabilities allowed
> securelevel == 1     mask with fewer capabilities allowed
> securelevel == 2     mask with no capabilities allowed
>
> If we assume that we are currently running at securelevel 1, and
> we add or remove a capability, we'll be in a situation where the
> securelevel variable will still be 1 but this will not match
> the original level 1 mask.
>
> What does it mean to change the securelevel after that? Do we even
> allow it? Do we have a setting for securelevel that means "custom"?
> I think if we need a "custom" securelevel value then we'll need to
> involve a third variable to indicate this so that LKM's still work.
For compatibility with old LKM (and driver code) I'd suggest that
we'd have the constants MASK_0, MASK_1 and MASK_2 (MASK_-1 is zero).
Whenever the new mask is changed we could do:
    if (mask & MASK_2)
        securelevel = 2;
    else if (mask & MASK_1)
        securelevel = 1;
    else if (mask & MASK_0)
        securelevel = 0;
    else
        securelevel = -1;
Then code that checks (securelevel > n) will still error out whenever
it should, although a check of the mask itself might allow the request.
David
--
David Laight: david@l8s.co.uk
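The mapping David sketches, worked through as an added example that is not code from the thread or from NetBSD. The capability bits, the MASK_0/MASK_1/MASK_2 contents and the helper names are constructed for illustration; a set bit is read as a denied capability (so the securelevel -1 mask is zero, as David notes), and MASK_n holds the bits newly denied at level n so that the if-chain works as written. The main() shows the case the message describes: a "custom" mask derived from level 1 with one capability re-allowed, where the legacy (securelevel > n) check still denies but the mask check would allow.

```c
#include <stdint.h>
#include <stdio.h>

/*
 * Hypothetical capability bits, constructed for this example only; they are
 * not NetBSD's securelevel or kauth(9) definitions. A set bit means the
 * capability is DENIED, so the securelevel -1 mask is 0.
 */
#define CAP_RAWDISK_WRITE  0x01u  /* write raw devices of mounted file systems */
#define CAP_LKM_LOAD       0x02u  /* load or unload kernel modules */
#define CAP_CHFLAGS_IMMUT  0x04u  /* clear immutable/append-only flags */
#define CAP_CLOCK_BACK     0x08u  /* step the clock backwards */
#define CAP_KMEM_WRITE     0x10u  /* open /dev/mem or /dev/kmem for writing */
#define CAP_PF_CHANGE      0x20u  /* alter packet filter rules */

/* Bits newly denied on entering each level (assumed reading of MASK_n). */
#define MASK_0  (CAP_RAWDISK_WRITE)
#define MASK_1  (CAP_LKM_LOAD | CAP_CHFLAGS_IMMUT | CAP_CLOCK_BACK)
#define MASK_2  (CAP_KMEM_WRITE | CAP_PF_CHANGE)

/* Full cumulative denial mask that a classic securelevel implies. */
uint32_t level_mask(int securelevel)
{
    uint32_t m = 0;
    if (securelevel >= 0) m |= MASK_0;
    if (securelevel >= 1) m |= MASK_1;
    if (securelevel >= 2) m |= MASK_2;
    return m;
}

/* David's chain: derive the compatibility securelevel from the mask. */
int mask_to_securelevel(uint32_t mask)
{
    if (mask & MASK_2) return 2;
    if (mask & MASK_1) return 1;
    if (mask & MASK_0) return 0;
    return -1;
}

/* Old-style check used by LKMs and drivers: deny when securelevel > n. */
int legacy_denies(int securelevel, int n)
{
    return securelevel > n;
}

/* New-style check against the mask itself. Returns 1 if denied. */
int mask_denies(uint32_t mask, uint32_t cap)
{
    return (mask & cap) != 0;
}

int main(void)
{
    /* Start at securelevel 1, then re-allow clock stepping: a "custom" mask. */
    uint32_t mask = level_mask(1) & ~CAP_CLOCK_BACK;
    int securelevel = mask_to_securelevel(mask);

    printf("custom mask 0x%02x -> securelevel %d\n", mask, securelevel);
    /* Legacy code checking (securelevel > 0) still denies a level-1 action... */
    printf("legacy check (securelevel > 0) denies: %d\n",
           legacy_denies(securelevel, 0));
    /* ...while the mask itself allows the capability that was removed. */
    printf("mask check denies CAP_CLOCK_BACK: %d\n",
           mask_denies(mask, CAP_CLOCK_BACK));
    return 0;
}
```

Because any single MASK_2 bit yields securelevel 2, the derived value rounds a custom mask up to the most restrictive level it touches, so old (securelevel > n) checks err on the side of denying; the mask check is the one that reflects the operator's actual choice.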