>> This seems that we need to provide a per-device policy instead of
>> a per-driver policy.
>
> What you're seeing with add_drv is an architecture that allows
> different drivers to specify different policies even though they may
> be part of the same subsystem in Solaris.
>
> Your question therefore, to me, sounds like you want to exempt
> networking drivers from part of the general security architecture
> in Solaris, correct?
>

Yes. What is in my mind is not mature yet. But I am thinking that we will at least not encourage people to specify the per-driver policy for *network* devices, maybe by ignoring whatever is assigned to a network driver and instead applying only the default policy.

> Whilst advances in Solaris may now mean that we need to be able to
> specify the policy on a per-link or per-device basis for it to make
> more sense, that is an enhancement for the future.
>

Yes. I agree.

- Cathy