From owner-freebsd-security  Mon Oct 18  2: 9:29 1999
Delivered-To: freebsd-security@freebsd.org
Received: from flood.ping.uio.no (flood.ping.uio.no [129.240.78.31])
	by hub.freebsd.org (Postfix) with ESMTP
	id B6EFC14BC3; Mon, 18 Oct 1999 02:09:23 -0700 (PDT)
	(envelope-from des@flood.ping.uio.no)
Received: (from des@localhost)
	by flood.ping.uio.no (8.9.3/8.9.3) id LAA43443;
	Mon, 18 Oct 1999 11:09:10 +0200 (CEST)
	(envelope-from des)
To: Justin Wells <jread@semiotek.com>
Cc: freebsd-arch@FreeBSD.ORG
Subject: Re: kern.securelevel and X
References: <XFMail.991015111802.shelton@sentry.granch.ru> <Pine.LNX.4.05.9910150036170.5339-100000@jason.argos.org> <14343.23571.679909.243732@blm30.IRO.UMontreal.CA> <19991017012750.A812@fever.semiotek.com> <380A1E2C.CCA326F5@gorean.org> <19991018024704.A512@semiotek.com> <xzpyad12jd7.fsf@flood.ping.uio.no> <19991018043039.B1711@semiotek.com> <xzpso392gj0.fsf@flood.ping.uio.no>
From: Dag-Erling Smorgrav <des@flood.ping.uio.no>
Date: 18 Oct 1999 11:09:09 +0200
In-Reply-To: Dag-Erling Smorgrav's message of "18 Oct 1999 10:56:51 +0200"
Message-ID: <xzpogdx2fyi.fsf@flood.ping.uio.no>
Lines: 28
X-Mailer: Gnus v5.7/Emacs 20.4
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Dag-Erling Smorgrav <des@flood.ping.uio.no> writes:
> I'm starting to think that secure levels should be implemented as
> bitmasks, with one bit for each operation or group of operation to be
> allowed or denied (0 = allow, 1 = deny). The if statement above could
> be rewritten as:
> 
> 	if (securemask & SEC_MOUNT)
> 		return (EPERM);
> 
> Using a simple bitmask might be too simple though (it would restrict
> us to 32 or 64 distinct operations), so we might want to hide the
> actual implementation behind a function call or macro:
> 
> 	if (!sec_permitted(SEC_MOUNT))
> 		return (EPERM);

I'm thinking this might be -arch material. Do we want to do this? I
think it can be done rather painlessly, and backwards compatibility
with kern.securelevel should be easy to provide.

The same mechanism can be used to implement process- or user-level
capabilities, maybe leading us to merge (the hypothetical)
sec_permitted() with suser(). After all, they're just two different
ways of asking "is this ol' joe even *allowed* to do this?"

DES (patches... must... write... patches...)
-- 
Dag-Erling Smorgrav - des@flood.ping.uio.no


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message