Maxime Villard writes:
> On 25/04/2018 at 19:47, Alexander Nasonov wrote:
> > Alexander Nasonov wrote:
> >> Alexander Nasonov wrote:
> >>> When securelevel is set, should we lock 1->0 change for
> >>> machdep.svs.enabled (and possibly for other sysctls related
> >>> to recent security mitigations)?
> >>
> >> Can I commit the attached patch? (doc update will follow)
> >
> > If I don't hear any objections, I will commit the patch soon and
> > I will request a pullup to netbsd-8.

it's the right idea to me.

> > Alex
>
> Yes, it's fine. I've never taken care of securelevel, but your change
> can't be incorrect. Perhaps I would use just KAUTH_MACHDEP_SVS instead
> of KAUTH_MACHDEP_SVS_DISABLE, in case another operation gets added in
> the future, but that doesn't matter.

i considered this idea -- plain SVS would have to not include ENABLE,
which doesn't seem right. perhaps another generic name that implies
!enable would work.

.mrg.