Date: Tue, 26 Sep 2006 01:44:45 +0200 From: Max Laier <max@love2party.net> To: Robert Watson <rwatson@freebsd.org> Cc: trustedbsd-discuss@trustedbsd.org, freebsd-arch@freebsd.org Subject: Re: New in-kernel privilege API: priv(9) Message-ID: <200609260144.51691.max@love2party.net> In-Reply-To: <20060923102438.N6562@fledge.watson.org> References: <20060913150912.J1823@fledge.watson.org> <200609140253.06818.max@love2party.net> <20060923102438.N6562@fledge.watson.org>
next in thread | previous in thread | raw e-mail | index | archive | help
[-- Attachment #1 --] On Saturday 23 September 2006 11:26, Robert Watson wrote: > On Thu, 14 Sep 2006, Max Laier wrote: > > Right now, prison_priv_check() is looking rather scary to me. If > > something else wants to decide on finer granularity, alright, but in > > my opinion it's easier (more obvious) to keep the "normal" > > information in the .h file where the privileges are defined and > > described - as we are aiming for centralization of the decision and > > information. On top of that the caller could mask off ALLOW_IN_JAIL > > if they think it's not appropriate in a special use case of the > > privilege. > > The attached version of the kern_jail.c diff removes all the extra > commented out privileges that aren't granted, and were largely there as > development scaffolding to make sure I considered all privileges. Does > this seem a bit less scary? Yes. The argument about modules getting out of sync already had me convinced that encoding things in the value isn't the best idea. The cleaned up version of kern_jail.c now really gives a good example what we gain by this centralization. -- /"\ Best regards, | mlaier@freebsd.org \ / Max Laier | ICQ #67774661 X http://pf4freebsd.love2party.net/ | mlaier@EFnet / \ ASCII Ribbon Campaign | Against HTML Mail and News [-- Attachment #2 --] -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (FreeBSD) iD8DBQBFGGnzXyyEoT62BG0RAqtDAJ9W0GAbj3dgaRx5EEMtGkw886TGEgCcDBxr xSNh283nrR873Ezy0nc4hqU= =4msj -----END PGP SIGNATURE-----
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200609260144.51691.max>