Extending MADV_PROTECT
John Baldwin
jhb at freebsd.org
Wed May 8 16:26:45 UTC 2013
On Tuesday, May 07, 2013 5:29:30 pm Adrian Chadd wrote:
> On 7 May 2013 12:39, John Baldwin <jhb at freebsd.org> wrote:
>
> > Well, only root can do it. Even now MADV_PROTECT is a similar foot shooting
> > device (though not quite as easy to do). You can also get yourself into a heap
> > of trouble with other things like rtprio, etc., so I sort of think that is up to
> > the user/administrator to manage. I do think that the more fine-grained priority
> > approach may be a good way to mitigate that if it really becomes an issue at some
> > point.
>
> This is the kind of thing that begs for a capability. And I'm
> surprised Robert hasn't chimed in and said just that.
There is an existing PRIV_* already that this still respects.
> However, I think we still lack the ability to do useful capability
> work from user-space. God I'd like to be wrong on this one.
You should talk to Robert. I think you can write a MAC module that
hooks into priv_check() and can establish arbitrary rules for granting
privileges.
--
John Baldwin
More information about the freebsd-arch
mailing list