From owner-cvs-all  Thu Oct 25 10:10:30 2001
Delivered-To: cvs-all@freebsd.org
Received: from mail6.speakeasy.net (mail6.speakeasy.net [216.254.0.206])
	by hub.freebsd.org (Postfix) with ESMTP id A3ADF37B41E
	for <cvs-all@FreeBSD.org>; Thu, 25 Oct 2001 10:09:58 -0700 (PDT)
Received: (qmail 66172 invoked from network); 25 Oct 2001 17:09:48 -0000
Received: from unknown (HELO laptop.baldwin.cx) ([64.81.54.73]) (envelope-sender <jhb@FreeBSD.org>)
          by mail6.speakeasy.net (qmail-ldap-1.03) with SMTP
          for <rwatson@FreeBSD.org>; 25 Oct 2001 17:09:48 -0000
Message-ID: <XFMail.011025021911.jhb@FreeBSD.org>
X-Mailer: XFMail 1.4.0 on FreeBSD
X-Priority: 3 (Normal)
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 8bit
MIME-Version: 1.0
In-Reply-To: <Pine.NEB.3.96L.1011025090834.58424C-100000@fledge.watson.org>
Date: Thu, 25 Oct 2001 02:19:11 -0700 (PDT)
From: John Baldwin <jhb@FreeBSD.org>
To: Robert Watson <rwatson@FreeBSD.org>
Subject: RE: cvs commit: src/sys/sys socketvar.h
Cc: cvs-committers@FreeBSD.org, cvs-all@FreeBSD.org
Sender: owner-cvs-all@FreeBSD.ORG
Precedence: bulk
List-ID: <cvs-all.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20cvs-all>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20cvs-all>
X-Loop: FreeBSD.ORG


On 25-Oct-01 Robert Watson wrote:
> 
> On Wed, 24 Oct 2001, John Baldwin wrote:
> 
>> 
>> On 25-Oct-01 Robert Watson wrote:
>> > rwatson     2001/10/24 19:03:37 PDT
>> > 
>> >   Modified files:
>> >     sys/sys              socketvar.h 
>> >   Log:
>> >   o Remove extern showallsockets, defunct as of the change to
>> >     kern.security.seeotheruids_permitted.  This was missed in the
>> >     commit that made this change elsewhere.
>> 
>> As a somewhat unrelated sidenote: can you trim the name of that sysctl
>> to kern.security.seeotheruids, or perhaps to
>> kern.security.see_other_uids (which is easier on my eyes at least).  It
>> would seem that the '_permitted' is redundant and not needed just as the
>> old ps syctl was ps_showallprocs, not ps_showallprocs_permitted. 
> 
> The theory was I would append _approved and _permitted to fields in
> kern.security based on whether the corresponded to feature availability,
> or a policy decision.  I agree that the current names are unwieldy, but am
> not yet sure I know what the right names should be.  My temptation was to
> stick in an additional name, specifying the policy being modified, and
> trim the _whatever:
> 
> kern.security.bsd.see_all_uids
> kern.security.bsd.unprivileged_proc_debug
> kern.security.bsd.suser_enabled
> 
> This would allow other stuff to be slotted in dynamically when other
> policies are active:
> 
> kern.security.cap.cap_enabled
> kern.security.cap.global_bound
> 
> kern.security.mac.biba_enabled
> kern.security.mac.mls_enabled
> kern.security.mac.suser_overrides
> 
> Does this seem more seemly to you?

Sure.  I'd be tempted to call it kern.security.unix instead of
kern.security.bsd, but that would get us in trouble. :)

-- 

John Baldwin <jhb@FreeBSD.org> -- http://www.FreeBSD.org/~jhb/
PGP Key: http://www.baldwin.cx/~john/pgpkey.asc
"Power Users Use the Power to Serve!"  -  http://www.FreeBSD.org/

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe cvs-all" in the body of the message