On Wed, 2008-07-23 at 17:59 -0400, Peter Memishian wrote:
> > I have a proposal for a PSARC fast-track detailing the breakdown of
> > privileges for dladm. One question is the behavior of the *-secobj
> > subcommands that for some reason require authorizations in addition to
> > privileges, but not the show-secobj subcommand.
>
> The "RBAC model" subsection in the dladm/WiFi design document included
> with PSARC/2006/623 should answer your questions here.

Okay, thanks. Looking into this more deeply, while dladm show-secobj doesn't show the key values, the ioctl which needs the privilege checks applied to it (DLDIOC_SECOBJ_GET) does return them. Issuing that ioctl currently requires sys_net_config by virtue of having to open the dld control device, so I will convert that to a requirement for sys_dl_config as I've done with other ioctls. It's a "read" ioctl, but it's special because of the sensitivity of the data it's reading.

-Seb
