Subject: Re: How kauth can make meaningful decisions about passthru ioctls
To: Elad Efrat <elad@NetBSD.org>
From: Thor Lancelot Simon <tls@rek.tjls.com>
List: tech-security
Date: 11/30/2006 06:56:13
On Thu, Nov 30, 2006 at 01:36:58PM +0200, Elad Efrat wrote:
> Thor Lancelot Simon wrote:
> 
> > I think bits in a word (READ, WRITE, READCONF, WRITECONF) is the right
> > way (and it lets us add more bits later as we discover they're
> > necessary); what we are trying to model, after all, is device capabilities.
> > 
> > I am not sure I have the right set of capabilities outlined above but it
> > seems like a good start.
> 
> does it make sense to pass all of the above together in a single
> request?

Sure.  We're concerned about what the ioctl being passed-through could
cause the device to do.  Think about what amr(4) would have to do if
it didn't know how to parse the sub-commands: it'd have to tell the
listener "it could be any of these: ...".

We could, I suppose, order the commands from "safest" to "most dangerous"
and require that the question indicate the "most dangerous".  But what's
"more dangerous", writing the device data or writing the device
configuration?  I think a similar issue exists even for read.

> I would like to avoid bit-fields in kauth(9).

Well, we could waste space and use a structure...

Thor
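As an added illustration of the bits-in-a-word model discussed above (example code written for this page, not from the thread, not kauth(9)'s real interface and not amr(4)'s actual command set): a driver maps each passthru sub-command it understands to the capability bits that sub-command could exercise, reports the full set for anything it cannot parse, and a listener allows the request only if every reported bit is permitted by its policy. All names (DEVCAP_*, the enum subcmd values, struct policy, listener_allow, passthru_allowed) are hypothetical.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical capability bits, following the READ/WRITE/READCONF/WRITECONF
 * set proposed in the thread. Not kauth(9)'s real interface. */
#define DEVCAP_READ       0x01u
#define DEVCAP_WRITE      0x02u
#define DEVCAP_READCONF   0x04u
#define DEVCAP_WRITECONF  0x08u
#define DEVCAP_ALL (DEVCAP_READ | DEVCAP_WRITE | DEVCAP_READCONF | DEVCAP_WRITECONF)

/* Constructed sub-command numbers for an illustrative passthru ioctl
 * (hypothetical; not amr(4)'s real commands). */
enum subcmd {
    SUB_GET_STATUS   = 1,
    SUB_READ_BLOCKS  = 2,
    SUB_WRITE_BLOCKS = 3,
    SUB_SET_PARAM    = 4
};

/* What the driver reports to the listener: every capability the
 * sub-command could exercise. A sub-command the driver cannot parse is
 * reported as "could be any of these", i.e. DEVCAP_ALL, so that the
 * listener errs on the conservative side. */
uint32_t subcmd_caps(int sub)
{
    switch (sub) {
    case SUB_GET_STATUS:   return DEVCAP_READCONF;
    case SUB_READ_BLOCKS:  return DEVCAP_READ;
    case SUB_WRITE_BLOCKS: return DEVCAP_WRITE;
    case SUB_SET_PARAM:    return DEVCAP_WRITECONF;
    default:               return DEVCAP_ALL;
    }
}

/* A listener's policy: the capabilities a requester may exercise. */
struct policy {
    uint32_t allowed;
};

/* Two constructed policies used by main() and the tests. */
const struct policy policy_readonly = { DEVCAP_READ | DEVCAP_READCONF };
const struct policy policy_admin    = { DEVCAP_ALL };

/* Bits the request needs that the policy does not grant; zero means
 * the request is acceptable. Useful for logging why a deny happened. */
uint32_t denied_bits(const struct policy *p, uint32_t requested)
{
    return requested & ~p->allowed;
}

/* Because all bits arrive in a single request, the listener never has to
 * rank "write data" against "write configuration": it simply requires
 * that nothing outside the policy is requested. */
bool listener_allow(const struct policy *p, uint32_t requested)
{
    return denied_bits(p, requested) == 0;
}

/* End-to-end: driver classification followed by the listener decision. */
bool passthru_allowed(const struct policy *p, int sub)
{
    return listener_allow(p, subcmd_caps(sub));
}

int main(void)
{
    int subs[] = { SUB_GET_STATUS, SUB_READ_BLOCKS, SUB_WRITE_BLOCKS, SUB_SET_PARAM, 99 };
    for (size_t i = 0; i < sizeof subs / sizeof subs[0]; i++) {
        uint32_t caps = subcmd_caps(subs[i]);
        printf("sub %2d caps=0x%02x readonly:%s (denied 0x%02x) admin:%s\n",
               subs[i], caps,
               passthru_allowed(&policy_readonly, subs[i]) ? "allow" : "deny",
               denied_bits(&policy_readonly, caps),
               passthru_allowed(&policy_admin, subs[i]) ? "allow" : "deny");
    }
    return 0;
}
```

The unknown sub-command (99 above) is the case the message is about: with a bit mask the driver can honestly say "any of these" and a read-only policy denies it, whereas a single "most dangerous" ordinal would force the driver to pick one rank for something it has not parsed.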