Date:      Mon, 3 Apr 2006 23:51:52 +0100 (BST)
From:      Robert Watson <rwatson@FreeBSD.org>
To:        "Marc G. Fournier" <scrappy@hub.org>
Cc:        Daniel Eischen <deischen@freebsd.org>, Peter Jeremy <peterjeremy@optushome.com.au>, freebsd-stable@freebsd.org
Subject:   Re: [HACKERS] semaphore usage "port based"?
Message-ID:  <20060403234918.X76562@fledge.watson.org>
In-Reply-To: <20060403163039.O947@ganymede.hub.org>
References:  <Pine.GSO.4.43.0604031454030.22397-100000@sea.ntplx.net> <20060403163039.O947@ganymede.hub.org>


On Mon, 3 Apr 2006, Marc G. Fournier wrote:

> This falls under "well, we broke kill() so that it now reports a PID is not
> in use even though it is, so it has to be the application that fixes it"
> ... and you *still* haven't shown *why* kill() reporting a PID is in use,
> even if it's not in the current jail, is such a security threat ...

It is an issue of completeness and consistency.  We implement a single set of 
access control checks between processes, and try to avoid exceptions to them. 
This is one of my largest architectural gripes about access control in 4.x, 
actually: everywhere you look, the same "check" is implemented differently. 
Sometimes signal checks are done one way, other times, other ways.  Likewise,
debugging, monitoring, etc.  In 5.x forward, we use a centralized set of 
access control checks in order to provide consistent, reliable, and easy to 
analyze policy.  The more exceptions we introduce, the further we get from
that goal.

Robert N M Watson
