Date: Wed, 8 May 2013 12:05:20 -0400 From: John Baldwin <jhb@freebsd.org> To: Adrian Chadd <adrian@freebsd.org> Cc: arch@freebsd.org Subject: Re: Extending MADV_PROTECT Message-ID: <201305081205.20910.jhb@freebsd.org> In-Reply-To: <CAJ-Vmo=b1=bq6oBGB9UCGFvgwmOtbaXEaOLoZeXuhQ6zKr4KXw@mail.gmail.com> References: <201305071433.27993.jhb@freebsd.org> <201305071539.24900.jhb@freebsd.org> <CAJ-Vmo=b1=bq6oBGB9UCGFvgwmOtbaXEaOLoZeXuhQ6zKr4KXw@mail.gmail.com>
next in thread | previous in thread | raw e-mail | index | archive | help
On Tuesday, May 07, 2013 5:29:30 pm Adrian Chadd wrote: > On 7 May 2013 12:39, John Baldwin <jhb@freebsd.org> wrote: > > > Well, only root can do it. Even now MADV_PROTECT is a similar foot shooting > > device (though not quite as easy to do). You can also get yourself into a heap > > of trouble with other things like rtprio, etc., so I sort of think that is up to > > the user/administrator to manage. I do think that the more fine-grained priority > > approach may be a good way to mitigate that if it really becomes an issue at some > > point. > > This is the kind of thing that begs for a capability. And I'm > surprised Robert hasn't chimed in and said just that. There is an existing PRIV_* already that this still respects. > However, I think we still lack the ability to do useful capability > work from user-space. God I'd like to be wrong on this one. You should talk to Robert. I think you can write a MAC module that hooks into priv_check() and can establish arbitrary rules for granting privileges. -- John Baldwin
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201305081205.20910.jhb>