PaX, kauth(9), and beyond
Elad Efrat has been working on kauth(9) in the past, and he has committed
it to NetBSD-current now. See
his original proposal
of all the details about the framework, which basically can be used
to authorize access to various kernel mechanisms.
After kauth(9) is now committed, the implementation of
secure levels is the first thing that will be re-implemented based
on kauth(9), see
Elad's mail to tech-security
for an analysis of the current secure levels, and a way to map them
onto the kauth(9) framework.
In the mean time while this is hashed out, Elad has also
his work on PaX MPROTECT, which offers mprotect(2) restrictions used
to strengthen W^X mappings.
More information on PaX is available in
Elad's initial proposal
at the grsecurity site.
[Tags: kauth, pax, Security]