James Carlson wrote:
> Darren J Moffat writes:
>
>> I think the relevant functions in libdlpi should in their man page
>> document what privilege they need and they should cross reference to
>> privileges(5). It isn't the library as a whole but the individual
>> functions.
>>
>
> The problem is that it's not the library itself that needs these
> privileges, but the things underneath that the library accesses. That
> makes the message awkward at best:
>
>   "The calling application must have sufficient privilege (see
>   privileges(5)) to access the underlying driver node and, where
>   applicable, the individual functions implemented by that driver.
>   Since there are no common security standards that apply universally
>   to all network drivers, you must consult the documentation for the
>   driver you're trying to use."
>
> ... or something like that. And the result is chaos for application
> writers. If the application depends on resources that may have
> varying requirements (e.g., both legacy and "new" drivers), there's
> really no good way to document what privileges that application might
> need to be granted in order to get its job done.
>
If we're shipping any legacy drivers, I'd consider that a bug. Granted
that doesn't hold for 3rd party developers, but again, how would you, as
a developer writing a network driver, know that you should make use of
various privileges in your code? So there is work here for HCTS/VTS, to
check if a network driver requires or makes use of privileges(5) in
order to enforce security.

What I'd like to see us able to include would be a paragraph (to start
with what you had) that goes like this:

  "The calling application must have sufficient privilege (see
  privileges(5)) to access the underlying driver node and, where
  applicable, the individual functions implemented by that driver."

Which is to say that if we don't have a common security standard for,
in this case, network drivers then we need one.

> I think the best that we can do is document what we 'intend' (if we
> have any intent at all) for applications to do, and then add an escape
> clause:
>
>   "Some legacy or special devices may require additional privileges.
>   Granting the privileges listed here to your application does not
>   guarantee that it will work with all drivers."
>

Reading your reply, it sounds very much like a "there's nothing for us
to do here." I don't accept that. We need to find a way to better expose
the security features in Solaris so that application developers can more
accurately use them.

The other way to read your reply is that we've got no clue about what's
going on. I don't believe that is the case either.

If we can't achieve better integration in our documentation of the
implementation of privileges and how it integrates into the rest of
Solaris, then with the exclusion of customers that use TX, privileges(5)
is a white elephant. I don't want that to happen.

Darren
