Sebastien Roy wrote:
> Hi Garrett,
>
> On Tue, 2008-07-22 at 12:46 -0700, Garrett D'Amore wrote:
>
>> Where will the new checks for sys_dl_config be inserted?
>>
>
> I'll include you in the code-review if you'd like to get a close look at
> the implementation. Basically, dld does these checks centrally in one
> place based on a "description" of the ioctls that modules pass in to dld
> using a registration mechanism. Part of this "description" includes
> whether a given ioctl requires the sys_dl_config privilege.
>
"It happens in the dld kernel module" is sufficiently detailed for my
concern. The main thing is that the checks in dladm itself are going away.
>
>> Will the other
>> protections (except for WiFi) be removed (particularly from the device
>> drivers and the framework components? -- also the VNIC file permissions?)
>>
>
> What protections are you referring to exactly? Yes, the VNIC file
> permissions will no longer apply since there will no longer be a VNIC
> control device node. There will only be a single /dev/dld.
> Perhaps /dev/dld should be mentioned in the fast-track, even though it's
> really an implementation detail.
>
As a postscript, it's not a bad note to have. The point of concern here
is that the other (various) access control methods are being removed, in
favor of a single check in dld. Right?
-- Garrett
>
>> "show-wifi" would be very, very useful to have reduced privilege (none?)
>> access to.
>>
>
> Totally agreed, and this is part of the motivation for this work.
> Allowing show-wifi with no privileges is in progress, and involves
> implementing the WiFi properties as Brussels properties. This work will
> enable you to do a show-wifi with no privileges, as obtaining properties
> will not require privileges.
>
> -Seb
>
>
> _______________________________________________
> nwam-discuss mailing list
> nwam-discuss at opensolaris.org
> http://mail.opensolaris.org/mailman/listinfo/nwam-discuss
>
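
Added example, not part of the original thread and not dld code: a minimal user-space C sketch of the pattern described above, where modules register a description of each ioctl, including whether it needs sys_dl_config, and one dispatcher enforces that before any handler runs. All type, function and command names are hypothetical.

```c
#include <errno.h>
#include <stddef.h>

/* All names here are hypothetical; this is not the dld source. */
#define IOC_NEEDS_DL_CONFIG 0x1u  /* caller must hold sys_dl_config */
#define MAX_IOC 32
enum { CMD_SHOW = 1, CMD_CONFIG = 2 };  /* constructed command numbers */

typedef struct { int has_sys_dl_config; } caller_t;  /* stand-in for a cred */
typedef struct { int cmd; unsigned flags; int (*handler)(void *); } ioc_desc_t;

static ioc_desc_t ioc_table[MAX_IOC];
static size_t ioc_count;
static int handler_runs;  /* counts handlers that actually executed */

static const ioc_desc_t *ioc_lookup(int cmd) {
    for (size_t i = 0; i < ioc_count; i++)
        if (ioc_table[i].cmd == cmd) return &ioc_table[i];
    return NULL;
}

/* A module describes each ioctl once. Duplicates are refused so a later
 * registration cannot shadow an entry with weaker flags. */
int ioc_register(ioc_desc_t d) {
    if (d.handler == NULL) return EINVAL;
    if (ioc_lookup(d.cmd) != NULL) return EEXIST;
    if (ioc_count == MAX_IOC) return ENOSPC;
    ioc_table[ioc_count++] = d;
    return 0;
}

/* The single place the privilege decision is made, before any handler. */
int ioc_dispatch(const caller_t *cr, int cmd, void *arg) {
    const ioc_desc_t *d = ioc_lookup(cmd);
    if (d == NULL) return ENOTTY;  /* unregistered command: fail closed */
    if ((d->flags & IOC_NEEDS_DL_CONFIG) && !cr->has_sys_dl_config)
        return EPERM;
    return d->handler(arg);
}

static int count_run(void *arg) { (void)arg; handler_runs++; return 0; }

int demo_setup(void) {
    ioc_desc_t show = { CMD_SHOW, 0, count_run };
    ioc_desc_t config = { CMD_CONFIG, IOC_NEEDS_DL_CONFIG, count_run };
    int rc = ioc_register(show);
    return rc ? rc : ioc_register(config);
}

int main(void) { return demo_setup(); }
```

With the check in the dispatcher, a handler that forgets its own privilege test is no longer a hole; the remaining review point is that every entry's flags are correct at registration.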