Date: Fri, 06 Jun 2008 09:23:24 -0400 From: Coleman Kane <cokane@cokane.org> To: Stanislav Sedov <stas@FreeBSD.org> Cc: Rui Paulo <rpaulo@FreeBSD.org>, Poul-Henning Kamp <phk@phk.freebsd.dk>, kib@FreeBSD.org, current@FreeBSD.org Subject: Re: cpuctl(formely devcpu) patch test request Message-ID: <1212758604.1904.33.camel@localhost> In-Reply-To: <20080606025533.8322ee08.stas@FreeBSD.org> References: <20080606020927.8d6675e1.stas@FreeBSD.org> <10261.1212703949@critter.freebsd.dk> <20080606025533.8322ee08.stas@FreeBSD.org>
next in thread | previous in thread | raw e-mail | index | archive | help
On Fri, 2008-06-06 at 02:55 +0400, Stanislav Sedov wrote: > On Thu, 05 Jun 2008 22:12:29 +0000 > "Poul-Henning Kamp" <phk@phk.freebsd.dk> mentioned: > > > In message <20080606020927.8d6675e1.stas@FreeBSD.org>, Stanislav Sedov writes: > > > > >The updated patch is available at > > >http://www.springdaemons.com/stas/cpuctl.2.diff > > > > Have we fully thought though the potential for halt&catch_fire ? > > > > Would it make sense to have a more granular security model than > > the simple device-node access based "are you root?" test ? > > There's a check that prevents playing with cpuctl if > securelevel is greater than 0. And if it's 0 you can always > execute any code you want in kernel mode. > > Or you're talking about something different? > What about using the API in priv(9) or similar, such as is done in the mlock(2)/munlock(2) code in sys/vm/vm_mmap.c ? -- Coleman Kane
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?1212758604.1904.33.camel>