> > In article <20110829003259.913f014a...@mail.netbsd.org>,
> > YAMAMOTO Takashi <y...@mwd.biglobe.ne.jp> wrote:
> >>hi,
> >>
> >>> I'd like to apply the attached patch.
> >>> It implements two things:
> >>>
> >>> - chroot(2)-ed process is given new kauth_cred_t with reference count
> >>>   equal to 1.
> >>
> >>can you find a way to avoid this?
> >>
> >>YAMAMOTO Takashi
> >
> > He tried and I think that this is the minimal hook he needs.
>
> do you mean that we need to unshare the credential unconditionally,
> regardless his module is used or not? why?

maybe it's just me, but i actually have absolutely no problem
with chroot unsharing kauth_cred_t by default. it just seems
to have more generic safety aspects.

.mrg.