David Kaiser <[email protected]> wrote:
> So, all that a nefarious process would have to do is *not* inform the
> kernel that it was running un-sourcable code, and you would never know.
The flag declaring the process as untrusted would be set by trusted code for which we do have the source *before* it transfers control to the untrusted code. It's the standard UNIX model, just like with login: the login program runs with root privileges, authenticates you (a trusted function), then it drops its privileges down (changes uid from root to you), and only then execs your shell. It's the exact same mechanism that I'm proposing.

MS
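The login-style sequence the reply compares to, as an added illustration that is not code from this thread or from the proposal under discussion: the trusted parent changes identity in the child before control ever passes to the untrusted program, and verifies the change cannot be undone. The uid/gid values, the `run_untrusted` helper and the exit codes 126/127 are conventions chosen here, not part of the thread.

```c
/* Added example: trusted code drops privileges irrevocably, then execs
 * untrusted code. Assumes a POSIX system (Linux or BSD). */
#define _DEFAULT_SOURCE
#include <grp.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Switch permanently to uid/gid. Returns 0 on success, -1 on failure. */
int drop_privileges(uid_t uid, gid_t gid)
{
    /* Supplementary groups first: only root may reset them, and they
     * would otherwise survive the uid change. */
    if (geteuid() == 0 && setgroups(1, &gid) != 0)
        return -1;
    /* gid before uid: once the uid is unprivileged, setgid() would fail. */
    if (setgid(gid) != 0)
        return -1;
    /* setuid() as root sets real, effective and saved uid together,
     * which is what makes the drop permanent. */
    if (setuid(uid) != 0)
        return -1;
    /* Verify: regaining root must now be impossible. */
    if (uid != 0 && setuid(0) != -1)
        return -1;
    return (getuid() == uid && geteuid() == uid && getgid() == gid) ? 0 : -1;
}

/* Fork, drop to uid/gid in the child, then exec the untrusted program.
 * Returns the child's exit status, 126 if the drop failed, 127 if exec
 * failed, -1 on fork/wait error. The child never runs with the parent's
 * identity, so it cannot "forget" to declare itself untrusted. */
int run_untrusted(const char *path, char *const argv[], uid_t uid, gid_t gid)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (drop_privileges(uid, gid) != 0)
            _exit(126);
        execv(path, argv);   /* only reached if exec fails */
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```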
