From owner-freebsd-arch Fri Jun 15 13: 0:17 2001
Delivered-To: freebsd-arch@freebsd.org
Received: from fledge.watson.org (fledge.watson.org [204.156.12.50]) by hub.freebsd.org (Postfix) with ESMTP id EA81637B40A; Fri, 15 Jun 2001 12:59:59 -0700 (PDT) (envelope-from robert@fledge.watson.org)
Received: from fledge.watson.org (robert@fledge.pr.watson.org [192.0.2.3]) by fledge.watson.org (8.11.3/8.11.3) with SMTP id f5FJxif52180; Fri, 15 Jun 2001 15:59:45 -0400 (EDT) (envelope-from robert@fledge.watson.org)
Date: Fri, 15 Jun 2001 15:59:44 -0400 (EDT)
From: Robert Watson
X-Sender: robert@fledge.watson.org
To: Peter Pentchev
Cc: Mike Smith, Dag-Erling Smorgrav, John Baldwin, arch@freebsd.org, audit@freebsd.org
Subject: Re: new kldpath(8): display/modify the module search path
In-Reply-To: <20010615225012.T94445@ringworld.oblivion.bg>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-arch@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

So my feeling on this thread is that right now, if the administrator wants to specify that the kernel load from world readable directories, that's fine by me.

I have some outstanding patches that begin to integrate MAC integrity support into the module loading code, and require that any file and directory tree used by kldload be marked as high integrity. These same limitations will also apply to userland processes running at high integrity, so I think Mike's point about not checking for now is fine.

However, in writing this type of code, we want to be careful to not exclude future security policies, just not write them in now.

Robert N M Watson             FreeBSD Core Team, TrustedBSD Project
robert@fledge.watson.org      NAI Labs, Safeport Network Services

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-arch" in the body of the message
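The message above leaves the directory check out of the kernel and kldpath(8) for now. As an added example (not FreeBSD's kldpath(8), kernel, or TrustedBSD MAC code, and not part of the original thread), the program below shows what such a check looks like in userland, over a semicolon-separated list in the format kern.module_path uses: every entry must exist, be a directory, be owned by a caller-supplied trusted uid (root on a real system), and not be group- or world-writable. World-readable directories pass. The function names, the scratch tree it builds under /tmp, and the trusted uid of the current user are assumptions made for a runnable, self-contained demonstration; on a real host you would feed it the output of `sysctl -n kern.module_path` with uid 0.

```c
/* Added example: userland sanity check over a kern.module_path-style list.
 * Not FreeBSD code; names and the scratch fixture are assumptions. */
#define _XOPEN_SOURCE 700
#define _DEFAULT_SOURCE
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/types.h>

enum path_verdict {
    PATH_OK = 0,
    PATH_MISSING,
    PATH_NOT_DIR,
    PATH_BAD_OWNER,
    PATH_WRITABLE
};

static const char *verdict_name[] = {
    "ok", "missing", "not a directory", "not owned by trusted uid",
    "group- or world-writable"
};

/* Judge one directory in the module search path. */
enum path_verdict check_module_dir(const char *dir, uid_t trusted_uid)
{
    struct stat st;

    if (stat(dir, &st) != 0)
        return PATH_MISSING;
    if (!S_ISDIR(st.st_mode))
        return PATH_NOT_DIR;
    if (st.st_uid != trusted_uid)
        return PATH_BAD_OWNER;
    /* Readable by everyone is fine; writable by anyone but the owner is not,
     * since a module dropped there would later be loaded into the kernel. */
    if (st.st_mode & (S_IWGRP | S_IWOTH))
        return PATH_WRITABLE;
    return PATH_OK;
}

/* Walk a list like "/boot/kernel;/boot/modules" (the kern.module_path
 * format), print one verdict per entry, return how many were rejected. */
int check_module_path(const char *path, uid_t trusted_uid)
{
    char *copy = strdup(path), *save = NULL, *tok;
    int rejected = 0;

    if (copy == NULL)
        return -1;
    for (tok = strtok_r(copy, ";", &save); tok != NULL;
         tok = strtok_r(NULL, ";", &save)) {
        enum path_verdict v = check_module_dir(tok, trusted_uid);
        printf("%-48s %s\n", tok, verdict_name[v]);
        if (v != PATH_OK)
            rejected++;
    }
    free(copy);
    return rejected;
}

/* Constructed fixture (assumption, not a real module path): "trusted" is
 * 0755, "loose" is 0777, "absent" never exists. With the current user as
 * the trusted owner, two of the three entries are rejected. */
int demo_module_path_check(void)
{
    char base[] = "/tmp/kldpath-demo-XXXXXX";
    char trusted[PATH_MAX], loose[PATH_MAX], absent[PATH_MAX];
    char list[3 * PATH_MAX + 3];
    int rejected;

    if (mkdtemp(base) == NULL)
        return -1;
    snprintf(trusted, sizeof trusted, "%s/trusted", base);
    snprintf(loose, sizeof loose, "%s/loose", base);
    snprintf(absent, sizeof absent, "%s/absent", base);
    /* chmod after mkdir so the process umask cannot change the outcome. */
    if (mkdir(trusted, 0755) != 0 || chmod(trusted, 0755) != 0 ||
        mkdir(loose, 0777) != 0 || chmod(loose, 0777) != 0)
        return -1;
    snprintf(list, sizeof list, "%s;%s;%s", trusted, loose, absent);

    rejected = check_module_path(list, getuid());

    rmdir(loose);
    rmdir(trusted);
    rmdir(base);
    return rejected;
}

int main(void)
{
    int n = demo_module_path_check();

    printf("%d of 3 entries rejected\n", n);
    return n == 2 ? 0 : 1;
}
```

The check is deliberately stricter than "world readable": a sticky world-writable directory such as /tmp is rejected too, because anyone can create a new file there and a later kldload would pick it up. A MAC integrity policy of the kind the message describes would subsume this by refusing to load from any directory not labelled high integrity, regardless of its mode bits.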