Open opntr opened 8 years ago
This change is required due to the hbsdcontrol framework. If both exist in the system, we must ensure the proper order of applied policies.
In the current behavior, secadm always overrides hbsdcontrol's policy; in the near future this will change.
Another interesting thing is that exec_check_permission is called twice: 1) from kern_exec.c, 2) from imgact_elf.c.
Now secadm directly calls pax_elf. It would be nice to change this order: calling the secadm hook from pax_elf.