cvs commit: src/sys/kern kern_prot.c
rwatson at FreeBSD.org
Sun Feb 13 17:22:56 GMT 2005
On Sun, 13 Feb 2005, Maxim Sobolev wrote:
> I see. I've just committed a change which solves this problem by
> allowing emulation layers to bypass FreeBSD-specific security checks
> during signal delivery. This makes sense since emulation layers can have
> different meanings for signals and/or different security restrictions.
I agree that the problem needs fixing, but I think this was entirely the
wrong solution. Even if Linux processes expect the signal to have one set
of semantics on the target, changing how it affects all processes isn't
the right solution. Disabling a broad range of protections wasn't even
necessary to accomplish this fix. I think enough information is present
to do this check properly, and we should therefore do it properly. I
would be happy to help review further patches to correct this problem.
I also object to the name pedantic: we're not the only operating system to
enforce these protections, and there have been specific vulnerabilities in
the past of precisely this sort of protection are intended to address.
Robert N M Watson
More information about the cvs-all