From owner-freebsd-stable@FreeBSD.ORG  Mon Apr  3 22:52:09 2006
Return-Path: <owner-freebsd-stable@FreeBSD.ORG>
X-Original-To: freebsd-stable@freebsd.org
Delivered-To: freebsd-stable@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id E6DE916A470;
	Mon,  3 Apr 2006 22:52:08 +0000 (UTC)
	(envelope-from rwatson@FreeBSD.org)
Received: from cyrus.watson.org (cyrus.watson.org [209.31.154.42])
	by mx1.FreeBSD.org (Postfix) with ESMTP id D2ADB43D77;
	Mon,  3 Apr 2006 22:51:53 +0000 (GMT)
	(envelope-from rwatson@FreeBSD.org)
Received: from fledge.watson.org (fledge.watson.org [209.31.154.41])
	by cyrus.watson.org (Postfix) with ESMTP id 9EBC846C06;
	Mon,  3 Apr 2006 18:51:52 -0400 (EDT)
Date: Mon, 3 Apr 2006 23:51:52 +0100 (BST)
From: Robert Watson <rwatson@FreeBSD.org>
X-X-Sender: robert@fledge.watson.org
To: "Marc G. Fournier" <scrappy@hub.org>
In-Reply-To: <20060403163039.O947@ganymede.hub.org>
Message-ID: <20060403234918.X76562@fledge.watson.org>
References: <Pine.GSO.4.43.0604031454030.22397-100000@sea.ntplx.net>
	<20060403163039.O947@ganymede.hub.org>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed
Cc: Daniel Eischen <deischen@freebsd.org>,
	Peter Jeremy <peterjeremy@optushome.com.au>, freebsd-stable@freebsd.org
Subject: Re: [HACKERS] semaphore usage "port based"?
X-BeenThere: freebsd-stable@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Production branch of FreeBSD source code <freebsd-stable.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-stable>, 
	<mailto:freebsd-stable-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-stable>
List-Post: <mailto:freebsd-stable@freebsd.org>
List-Help: <mailto:freebsd-stable-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-stable>,
	<mailto:freebsd-stable-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Mon, 03 Apr 2006 22:52:09 -0000


On Mon, 3 Apr 2006, Marc G. Fournier wrote:

> This falls under "well,we broke kill() so that it now reports a PID is not 
> in use even though it is, so its has to be the application that fixes it" 
> ... and you *still* haven't shown *why* kill() reporting a PID is in use, 
> even if its not in the current jail, is such a security threat ...

It is an issue of completeness and consistency.  We implement a single set of 
access control checks between processes, and try to avoid exceptions to them. 
This is one of my largest architectural gripes about access control in 4.x, 
actually: everywhere you look, the same "check" is implemented differently. 
Sometimes signal checks are done way, other times, other ways.  Likewise, 
debugging, monitoring, etc.  In 5.x forward, we use a centralized set of 
access control checks in order to provide consistent, reliable, and easy to 
analyze policy.  The more exceptions we introduced, the further we get from 
that goal.

Robert N M Watson