Darren Reed wrote:
> /devices/pseudo/clone@0:nge is 666 and "cat /dev/nge" fails with
> net_rawaccess being denied but device_policy has nothing for it.

I just looked at the (closed) source and nge has this coded into the binary.

I'm not an expert on how networking drivers work but I think this is actually coming from a framework level thing. Certainly providing ndd and using the 'standard' interfaces for it means that there are secpolicy_*() calls that check for sys_net_config. There are also explicit secpolicy_net_config() calls in the nge driver.

IIRC the device_policy is only needed where the driver isn't explicitly aware of the least privilege system and calls drv_priv().

--
Darren J Moffat
