To make a long story short, the security model is strictly opt-in on the part of the map implementation; the code which cares (e.g. src/local/alias.c) accepts the declarations of the mapper without question:

* An untrusted mapper commits suicide when informed that it is not wanted.
* A trusted mapper sets ->dict.owner.status = DICT_OWNER_TRUSTED

To make an untrusted (e.g. dict_tcp.c) mapper trusted:

* Don't commit suicide; and
* set dict_tcp->dict.owner.status = DICT_OWNER_TRUSTED

Relax, your hair is not on fire. But maybe, like me, you dislike security theater; I find it confounds the discussion about real issues.

Based on past reception I have no intention of continuing the discussion here; if you have issues with the analysis you're welcome to open an issue.

https://github.com/m3047/trualias/blob/master/install/table_security_analysis.md

--

Fred Morris