On Thu, 2010-02-11 at 13:32 +0000, Richard W.M. Jones wrote:
> On Wed, Feb 10, 2010 at 05:19:59PM -0500, Tony Nelson wrote:
> > On 10-02-10 15:48:39, Adam Williamson wrote:
> > > Hi, all. So the privilege escalation policy went to FESco, who
> > > suggested some minor tweaks and a final run-by the mailing lists
> > > before it gets approved.
> > >
> > > I have now adjusted the draft -
> > > https://fedoraproject.org/wiki/User:Adamwill/Draft_Fedora_privilege_escalation_policy
> > > - to reflect all feedback from this list and from FESco. It will be
> > > reviewed again by FESco next week. Please raise any potential issues
> > > or further suggestions for adjustments before then. Of course, even
> > > if the policy is accepted by FESCo it will not be set in stone and
> > > changes and exceptions can be added in future as appropriate, but I'd
> > > like to have it as good as possible at first :) thanks all!
> >
> > "Directly read or write directly to or from system memory" has an extra
> > (or out of order) "directly".
>
> It's also going to be tricky to run any programs if they can't access
> the memory in the system. Can the definition be tightened up --
> eg. "kernel memory and memory-mapped devices" or "memory other than
> userspace pages allocated to the current user"?

Please read the preamble. It specifically (almost painfully) explains the meaning of the word 'directly' and the key phrase 'cause to be excepted provision waived'. When the user runs a program which accesses memory, that's fine - that's 'cause to be performed'. What the provision is attempting to disallow is the user directly examining or modifying the contents of memory.

I can make it less restrictive if this is still desired, though. (It's something of a distinction without a difference at present, because a user could of course write a program which runs from their own space which then...accesses memory to which the user is permitted access).

--
Adam Williamson
Fedora QA Community Monkey
IRC: adamw | Fedora Talk: adamwill AT fedoraproject DOT org
http://www.happyassassin.net