On Tue, 2008-07-22 at 13:43 -0700, Garrett D'Amore wrote:
> Sebastien Roy wrote:
> > I'll include you in the code-review if you'd like to get a close look at
> > the implementation.  Basically, dld does these checks centrally in one
> > place based on a "description" of the ioctls that modules pass in to dld
> > using a registration mechanism.  Part of this "description" includes
> > whether a given ioctl requires the sys_dl_config privilege.
> >
>
> "It happens in the dld kernel module" is sufficiently detailed for my
> concern.  The main thing is that the checks in dladm itself are going away.

That's right.

> > What protections are you referring to exactly?  Yes, the VNIC file
> > permissions will no longer apply since there will no longer be a VNIC
> > control device node.  There will only be a single /dev/dld.
> > Perhaps /dev/dld should be mentioned in the fast-track, even though it's
> > really an implementation detail.
> >
>
> As a postscript, it's not a bad note to have.  The point of concern here
> is that the other (various) access control methods are being removed, in
> favor of a single check in dld.  Right?

That's exactly right.

Thanks,
-Seb
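
The design discussed in this thread (modules register ioctl descriptions, and one central dispatcher enforces sys_dl_config), sketched as an added example that is not part of the original message and is not dld's own code. Every identifier, the command numbers and the boolean standing in for the kernel's privilege check are assumptions made for illustration.

```c
#include <errno.h>
#include <stddef.h>
/* Hypothetical model; these names are not the real dld interfaces. */
#define IOC_NEEDS_DL_CONFIG 0x1u   /* ioctl requires sys_dl_config */
#define MAX_IOC 16

typedef struct ioc_desc {
    int cmd;                       /* ioctl command number */
    unsigned flags;                /* IOC_NEEDS_DL_CONFIG or 0 */
    int (*handler)(void *arg);     /* module's implementation */
} ioc_desc_t;

static ioc_desc_t ioc_table[MAX_IOC];
static size_t ioc_count;
int handler_calls;                 /* counts handlers that actually ran */

/* Modules hand their ioctl descriptions to the central table. */
int ioc_register(const ioc_desc_t *list, size_t n)
{
    if (list == NULL || n > MAX_IOC - ioc_count)
        return -EINVAL;
    for (size_t i = 0; i < n; i++)
        if (list[i].handler == NULL)
            return -EINVAL;        /* refuse a description with no handler */
    for (size_t i = 0; i < n; i++)
        ioc_table[ioc_count++] = list[i];
    return 0;
}

/* The single place where the privilege is checked, before any handler runs. */
int ioc_dispatch(int cmd, void *arg, int has_sys_dl_config)
{
    for (size_t i = 0; i < ioc_count; i++) {
        if (ioc_table[i].cmd != cmd) continue;
        if ((ioc_table[i].flags & IOC_NEEDS_DL_CONFIG) && !has_sys_dl_config)
            return -EPERM;
        return ioc_table[i].handler(arg);
    }
    return -ENOTTY;                /* unregistered command: fail closed */
}

/* Constructed sample module: one configuring ioctl, one read-only ioctl. */
static int vnic_create(void *arg) { (void)arg; handler_calls++; return 0; }
static int vnic_info(void *arg)   { (void)arg; handler_calls++; return 0; }
static const ioc_desc_t vnic_ioc[] = {
    { 0x1001, IOC_NEEDS_DL_CONFIG, vnic_create },
    { 0x1002, 0,                   vnic_info   },
};
int vnic_attach(void) { return ioc_register(vnic_ioc, 2); }
```

With a single device node, the flag in each registered description is the only access control left, so a description that omits the flag on a configuring ioctl leaves that ioctl open to unprivileged callers.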
