NAME
secmodel_extensions —
extensions
security model
DESCRIPTION
secmodel_extensions implements extensions to the traditional
security model based on the original
4.4BSD. They can
be used to grant additional privileges to ordinary users, or enable specific
security measures like curtain mode.
The extensions are described below.
Curtain mode
When enabled, all returned objects will be filtered according to the user-id
requesting information about them, preventing users from accessing objects
they do not own.
It affects the output of many commands, including
fstat(1),
netstat(1),
ps(1),
sockstat(1), and
w(1).
This extension is enabled by setting
security.models.extensions.curtain or
security.curtain
sysctl(7) to a non-zero value.
It can be enabled at any time, but cannot be disabled anymore when the
securelevel of the system is above 0.
Non-superuser mounts
When enabled, it allows file-systems to be mounted by an ordinary user who owns
the point
node and has at least read access to the
special device
mount(8) arguments. Note that the
nosuid and
nodev flags must be given for
non-superuser mounts.
This extension is enabled by setting
security.models.extensions.usermount or
vfs.generic.usermount
sysctl(7) to a non-zero value.
It can be disabled at any time, but cannot be enabled anymore when the
securelevel of the system is above 0.
Non-superuser control of
CPU sets
When enabled, an ordinary user is allowed to control the CPU
affinity(3) of the processes
and threads he owns.
This extension is enabled by setting
security.models.extensions.user_set_cpu_affinity
sysctl(7) to a non-zero value.
It can be disabled at any time, but cannot be enabled anymore when the
securelevel of the system is above 0.
SEE ALSO
affinity(3),
sched(3),
sysctl(7),
kauth(9),
secmodel(9),
secmodel_bsd44(9),
secmodel_securelevel(9),
secmodel_suser(9)
AUTHORS
Elad Efrat
<
elad@NetBSD.org>