Date: Fri, 15 May 2020 12:44:33 -0700 (PDT) From: "Rodney W. Grimes" <freebsd@gndrsh.dnsmgr.net> To: Kyle Evans <kevans@freebsd.org> Cc: "freebsd-arch@freebsd.org" <freebsd-arch@freebsd.org>, "Rodney W. Grimes" <rgrimes@freebsd.org>, Poul-Henning Kamp <phk@phk.freebsd.dk> Subject: Re: [HEADSUP] Disallowing read() of a directory fd Message-ID: <202005151944.04FJiXmr087925@gndrsh.dnsmgr.net> In-Reply-To: <CACNAnaFE6gzyvwc8kbrX8Oq-h_acVq7wqgQ1P=a3jNpFBGshGw@mail.gmail.com>
next in thread | previous in thread | raw e-mail | index | archive | help
> On Thu, May 14, 2020 at 1:26 PM Kyle Evans <kevans@freebsd.org> wrote: > > > > Hi, > > > > This is a heads up, given that I'm completely flipping our historical > > behavior- I intend to commit this review in a couple days' time > > without substantial objection: https://reviews.freebsd.org/D24596 > > > > Note that the review has been updated to reflect feedback received > through the course of this discussion. The current version, as of the > time of writing, instead adds a security.bsd.allow_read_dir > (defaulting to off) that will allow the system root (*not* jailed > root) the ability to read(2) a directory if the filesystem supports > it. A new priv(9), PRIV_VFS_READ_DIR has been added so that anyone > interested in expanding the scope of the sysctl beyond the system root > is welcome to implement a MAC policy for it. > > rgrimes@ and phk@ have been specifically invited to the review as > representatives of those opposing the original change, but of course > anyone is free to add themselves and/or simply chime in with > constructive objections. I did not oppose the change, just asked that the change be knobbed so that the few rare ones of us that do use this ability do not have to jump through hoops when we need it to fix a problem. Everyone should remeber just because you do not find it useful does not mean it is not useful functionality. Remember the mantra, methods, not policy. This is a policy change. > Thanks, > Kyle Evans Regards, -- Rod Grimes rgrimes@freebsd.org
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?202005151944.04FJiXmr087925>