On Dec 4, 10:20am, m...@eterna.com.au (matthew green) wrote: -- Subject: re: CVS commit: src/sys/kern
| i just had an idea about a relatively simple hack to allow
| kvm tools to work sanely in kaslr space, even if they're not
| fully converted yet.
|
| a secmodel overlay that has a way to allow a uid/gid combo
| to retrieve the addresses, not just root, and then have that
| combo set to */kvm. then, kvm tools don't drop gid kvm until
| after doing sysctl.
|
| this would restrict the sysctls to gid kvm.
|
| we still would have to audit the tools to ensure they do not
| expose these addresses directly (ie, printf), but only use
| them internally, but until functional parity is achieved it
| would allow both security and usability today.
|
| just an idea..

We already have the hooks for that: In proc_listener_cb() one can add
to KAUTH_REQ_PROCESS_CANSEE_KPTR a credentials check based on two new
sysctls (kern.expose_address.uid, kern.expose_address.gid). These can
work as:

If kern.expose_address.enabled == 0, then nothing is allowed.
If kern.expose_address.enabled == 1, then kern.expose_address.{uid,gid}
are consulted: if -1, all are allowed, else the euid/egid needs to match.

The changes to do this are trivial :-)

christos
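As an added illustration, not code from this thread or from the NetBSD tree, here is a user-space model of the decision christos sketches: the struct stands in for the proposed kern.expose_address.{enabled,uid,gid} sysctls, and the function is the answer the kauth listener would give for KAUTH_REQ_PROCESS_CANSEE_KPTR. Two assumptions are mine: any enabled value other than 1 is treated as disabled (fail closed), and the gid used for group kvm is a constructed number.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/types.h>

/* Model of the proposed sysctls (not the kernel's own code):
 * enabled -> kern.expose_address.enabled, uid/gid -> kern.expose_address.{uid,gid}.
 * A uid or gid of -1 means "any", as in the message. */
struct expose_policy {
    int  enabled;
    long uid;   /* -1 = any euid */
    long gid;   /* -1 = any egid */
};

/* Answer for KAUTH_REQ_PROCESS_CANSEE_KPTR: may a process running with
 * effective credentials (euid, egid) read kernel addresses?  Fails closed:
 * anything other than enabled == 1 denies, root included (assumption). */
bool
kptr_expose_allowed(const struct expose_policy *p, uid_t euid, gid_t egid)
{
    if (p == NULL || p->enabled != 1)
        return false;                       /* enabled == 0: nobody */
    if (p->uid != -1 && (long)euid != p->uid)
        return false;                       /* euid must match */
    if (p->gid != -1 && (long)egid != p->gid)
        return false;                       /* egid must match */
    return true;
}

/* Convenience wrapper so a single case can be expressed in one call. */
bool
kptr_expose_check(int enabled, long uid, long gid, uid_t euid, gid_t egid)
{
    struct expose_policy p = { enabled, uid, gid };
    return kptr_expose_allowed(&p, euid, egid);
}

#define KVM_GID 99   /* constructed gid for group "kvm"; not a real system value */

/* mg's sequence: the setgid-kvm tool queries the addresses while it still
 * holds gid kvm, then drops it; afterwards the same tool is refused. */
int
main(void)
{
    printf("while gid kvm:  %d\n", kptr_expose_check(1, -1, KVM_GID, 1000, KVM_GID));
    printf("after dropping: %d\n", kptr_expose_check(1, -1, KVM_GID, 1000, 1000));
    return 0;
}
```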