Subject: Re: How kauth can make meaningful decisions about passthru ioctls
To: Elad Efrat <elad@NetBSD.org>
From: Thor Lancelot Simon <tls@rek.tjls.com>
List: tech-security
Date: 11/30/2006 06:56:13
On Thu, Nov 30, 2006 at 01:36:58PM +0200, Elad Efrat wrote:
> Thor Lancelot Simon wrote:
>
> > I think bits in a word (READ, WRITE, READCONF, WRITECONF) is the right
> > way (and it lets us add more bits later as we discover they're
> > necessary); what we are trying to model, after all, is device capabilities.
> >
> > I am not sure I have the right set of capabilities outlined above but it
> > seems like a good start.
>
> does it make sense to pass all of the above together in a single
> request?
Sure. We're concerned about what the ioctl being passed-through could
cause the device to do. Think about what amr(4) would have to do if
it didn't know how to parse the sub-commands: it'd have to tell the
listener "it could be any of these: ...".
We could, I suppose, order the commands from "safest" to "most dangerous"
and require that the question indicate the "most dangerous". But what's
"more dangerous", writing the device data or writing the device
configuration? I think a similar issue exists even for read.
> I would like to avoid bit-fields in kauth(9).
Well, we could waste space and use a structure...
Thor
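An added illustration of the bits-in-a-word model discussed above, written for this page rather than taken from NetBSD's kauth(9) or any driver. All names (DEVCAP_*, passthru_cmd, passthru_required_caps, passthru_listener, caps_rank) are constructed, and the sub-commands are invented stand-ins, not amr(4)'s real ones. It shows a driver reporting the full set of capabilities a request might exercise (including "could be any of these" for a payload it cannot parse), a listener deciding on the whole set at once, and, for contrast, what a single "most dangerous" level under one arbitrary ordering loses.

```c
/* Hypothetical model of device capabilities a passed-through ioctl may
 * exercise, expressed as bits in a word so that several can be reported in
 * one request and more can be added later.  Not NetBSD code. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Capability bits (constructed names). */
#define DEVCAP_READ       0x01u   /* read device data */
#define DEVCAP_WRITE      0x02u   /* write device data */
#define DEVCAP_READCONF   0x04u   /* read device configuration */
#define DEVCAP_WRITECONF  0x08u   /* write device configuration */
#define DEVCAP_ALL        (DEVCAP_READ | DEVCAP_WRITE | \
                           DEVCAP_READCONF | DEVCAP_WRITECONF)

/* Invented sub-command identifiers for a hypothetical controller. */
enum passthru_cmd {
    PT_READ_BLOCKS,
    PT_WRITE_BLOCKS,
    PT_GET_CONFIG,
    PT_SET_CONFIG,
    PT_VENDOR_OPAQUE    /* driver cannot parse the payload */
};

/* Driver side: which capabilities might this sub-command exercise?
 * A payload the driver cannot parse is reported as every bit, i.e.
 * "it could be any of these". */
uint32_t passthru_required_caps(enum passthru_cmd cmd)
{
    switch (cmd) {
    case PT_READ_BLOCKS:   return DEVCAP_READ;
    case PT_WRITE_BLOCKS:  return DEVCAP_WRITE;
    case PT_GET_CONFIG:    return DEVCAP_READCONF;
    case PT_SET_CONFIG:    return DEVCAP_WRITECONF;
    case PT_VENDOR_OPAQUE:
    default:               return DEVCAP_ALL;
    }
}

/* Listener side: allow only if every bit the request might need has been
 * granted to the caller. */
bool passthru_listener(uint32_t required, uint32_t granted)
{
    return (required & ~granted) == 0;
}

/* Decide one sub-command under a given grant mask. */
bool passthru_allowed(enum passthru_cmd cmd, uint32_t granted)
{
    return passthru_listener(passthru_required_caps(cmd), granted);
}

/* For contrast: collapse a capability set to one "most dangerous" level
 * under the arbitrary order READ < READCONF < WRITE < WRITECONF.  The order
 * itself is the open question in the thread; this only shows what any
 * total order loses, namely the ability to grant WRITECONF without WRITE. */
int caps_rank(uint32_t caps)
{
    if (caps & DEVCAP_WRITECONF) return 3;
    if (caps & DEVCAP_WRITE)     return 2;
    if (caps & DEVCAP_READCONF)  return 1;
    if (caps & DEVCAP_READ)      return 0;
    return -1;
}

bool rank_allowed(enum passthru_cmd cmd, uint32_t granted)
{
    return caps_rank(passthru_required_caps(cmd)) <= caps_rank(granted);
}

int main(void)
{
    /* Caller granted read access to data and configuration only. */
    uint32_t granted = DEVCAP_READ | DEVCAP_READCONF;
    static const char *names[] = {
        "READ_BLOCKS", "WRITE_BLOCKS", "GET_CONFIG", "SET_CONFIG", "VENDOR_OPAQUE"
    };
    for (int c = PT_READ_BLOCKS; c <= PT_VENDOR_OPAQUE; c++) {
        printf("%-13s required=0x%02x bits:%s rank:%s\n", names[c],
               passthru_required_caps((enum passthru_cmd)c),
               passthru_allowed((enum passthru_cmd)c, granted) ? "allow" : "deny",
               rank_allowed((enum passthru_cmd)c, granted) ? "allow" : "deny");
    }
    return 0;
}
```

The unparsable sub-command is the interesting case: with bits, the driver reports DEVCAP_ALL and the listener denies unless the caller holds everything, whereas a single level forces the driver to pick one rank and the listener to trust that ordering.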