Re: Vnode scope implementation

Previous message: [thread] [date] [author]
Next message: [thread] [date] [author]

To: Marc Balmer <marc@...>

Cc: <tech-kern@...>

Date: Saturday, July 4, 2009 - 2:15 pm

On Sat, Jul 4, 2009 at 8:52 PM, Marc Balmer wrote:

quoted text>

> Am 04.07.2009 um 19:14 schrieb Elad Efrat:

>

>> Hi,

>>

>> I'd like to start implementing the vnode scope for some of our

>> file-systems. As with the rest of kauth(9), we'll do so in several

>> steps, rather than switch all functionality at once.

>>

>> The first step will be implementing the back-end itself: the scope

>> definition, some actions (just read/write/execute for now), an

>> authorization wrapper, and a bsd44/suser simple listener ("if root

>> or file-system allows then allow") -- see the attached diff.

>>

>> Once the back-end is in place, I'll follow-up with some more diffs

>> transitioning various file-systems to use kauth(9) in different places

>> -- access, chflags, chmod, etc.

>

> can't you explain beforehand a bit what the goals are?  Why do we need this

> backend if we can't yet see what purpose it will serve?
You can see the purpose it will serve by reading Apple's TN2127, on

which kauth(9) is loosely based. Basically, as I've said in several

emails in the past, the vnode scope allows authorization of

file-system related operations (such as read, write, execute, change

owner, change flags, change modes, ...) using kauth(9). In other

words, it allows us to plug security models that extends the

traditional behavior to other things -- like the ACLs I've posted not

too long ago:
    http://mail-index.netbsd.org/tech-kern/2009/06/27/msg005353.html
>> +int

quoted text>> +secmodel_bsd44_suser_vnode_cb(kauth_cred_t cred, kauth_action_t action,

>> +    void *cookie, void *arg0, void *arg1, void *arg2,

>> +    void *arg3)

>> +{

>> +        bool isroot;

>> +        int result;

>> +       struct vnode *vp, *dvp;

>> +       int fs_decision;

>> +

>> +        isroot = (kauth_cred_geteuid(cred) == 0);

>> +        result = KAUTH_RESULT_DEFER;

>> +

>> +       vp = arg0;

>> +       dvp = arg1;

>> +       fs_decision = (int)(unsigned long)arg2;

>

> this is ugly, to say the least...
Yes, it is.
Thanks,
-e.

Previous message: [thread] [date] [author]
Next message: [thread] [date] [author]

Messages in current thread:

Vnode scope implementation, Elad Efrat, (Sat Jul 4, 1:14 pm)

Re: Vnode scope implementation, Alan Barrett, (Sat Jul 4, 3:12 pm)

Re: Vnode scope implementation, Alan Barrett, (Sun Jul 5, 6:47 am)

Re: Vnode scope implementation, Martin Husemann, (Sun Jul 5, 5:16 am)

Re: Vnode scope implementation, Marc Balmer, (Sat Jul 4, 1:52 pm)

Re: Vnode scope implementation, Elad Efrat, (Sat Jul 4, 2:15 pm)

Re: Vnode scope implementation, Matthew Mondor, (Sat Jul 4, 3:17 pm)

Re: Vnode scope implementation, Elad Efrat, (Sat Jul 4, 3:29 pm)

Re: Vnode scope implementation, David Holland, (Sat Jul 4, 1:38 pm)

Re: Vnode scope implementation, Elad Efrat, (Sat Jul 4, 2:08 pm)

Re: Vnode scope implementation, David Holland, (Sun Jul 5, 5:21 pm)

Re: Vnode scope implementation, Elad Efrat, (Sun Jul 5, 6:15 pm)

Re: Vnode scope implementation, YAMAMOTO Takashi, (Thu Jul 16, 10:10 am)

Re: Vnode scope implementation, Elad Efrat, (Thu Jul 16, 11:44 am)

Re: Vnode scope implementation, YAMAMOTO Takashi, (Sun Jul 19, 3:32 am)

Re: Vnode scope implementation, Elad Efrat, (Sun Jul 19, 8:00 am)

Re: Vnode scope implementation, David Holland, (Sun Jul 5, 6:53 pm)

Re: Vnode scope implementation, Elad Efrat, (Sun Jul 5, 10:02 pm)

Re: Vnode scope implementation, David Holland, (Fri Jul 10, 4:33 am)

Re: Vnode scope implementation, Elad Efrat, (Fri Jul 10, 7:06 am)

Re: Vnode scope implementation, Elad Efrat, (Mon Jul 13, 4:27 am)

Re: Vnode scope implementation, Elad Efrat, (Thu Jul 16, 8:06 am)

Re: Vnode scope implementation, YAMAMOTO Takashi, (Thu Jul 16, 10:12 am)

Re: Vnode scope implementation, Andrew Doran, (Thu Jul 16, 6:06 pm)

Re: Vnode scope implementation, David Young, (Thu Jul 16, 12:19 pm)

Re: Vnode scope implementation, Elad Efrat, (Thu Jul 16, 12:39 pm)

Re: Vnode scope implementation, Christoph Badura, (Sun Jul 26, 8:07 am)

Re: Vnode scope implementation, Elad Efrat, (Sun Jul 26, 9:38 am)

Re: Vnode scope implementation, David Young, (Mon Jul 20, 1:02 pm)

Re: Vnode scope implementation, Elad Efrat, (Mon Jul 20, 5:25 pm)

Re: Vnode scope implementation, David Young, (Tue Jul 21, 12:29 pm)

Re: Vnode scope implementation, Elad Efrat, (Tue Jul 21, 2:06 pm)

Re: Vnode scope implementation, David Holland, (Wed Jul 22, 8:31 pm)

Re: Vnode scope implementation, Elad Efrat, (Wed Jul 22, 9:12 pm)

Re: Vnode scope implementation, David Holland, (Wed Jul 22, 10:16 pm)

Re: Vnode scope implementation, Elad Efrat, (Thu Jul 16, 12:10 pm)

Re: Vnode scope implementation, YAMAMOTO Takashi, (Sun Jul 19, 3:34 am)

Re: Vnode scope implementation, Elad Efrat, (Sun Jul 19, 7:53 am)

Re: Vnode scope implementation, Thor Lancelot Simon, (Sun Jul 19, 9:47 am)

Re: Vnode scope implementation, Elad Efrat, (Sun Jul 19, 9:54 am)

Re: Vnode scope implementation, YAMAMOTO Takashi, (Sun Jul 19, 8:49 am)

Re: Vnode scope implementation, Elad Efrat, (Sun Jul 19, 8:58 am)

Re: Vnode scope implementation, YAMAMOTO Takashi, (Wed Jul 22, 4:05 am)

Re: Vnode scope implementation, Elad Efrat, (Wed Jul 22, 6:46 am)

Re: Vnode scope implementation, David Holland, (Wed Jul 22, 8:40 pm)

Re: Vnode scope implementation, der Mouse, (Thu Jul 23, 6:08 am)

Re: Vnode scope implementation, David Holland, (Fri Jul 24, 11:46 am)

Re: Vnode scope implementation, YAMAMOTO Takashi, (Wed Jul 22, 7:05 am)

Re: Vnode scope implementation, Elad Efrat, (Wed Jul 22, 8:18 am)

Re: Vnode scope implementation, YAMAMOTO Takashi, (Sun Jul 26, 10:51 am)

Re: Vnode scope implementation, Elad Efrat, (Sun Jul 26, 10:55 am)

Re: Vnode scope implementation, YAMAMOTO Takashi, (Mon Aug 3, 7:07 pm)

Re: Vnode scope implementation, Elad Efrat, (Mon Aug 3, 11:19 pm)

Re: Vnode scope implementation, Elad Efrat, (Thu Aug 20, 9:52 pm)

Re: Vnode scope implementation, YAMAMOTO Takashi, (Fri Aug 21, 6:19 am)

Re: Vnode scope implementation, Marc Balmer, (Fri Aug 21, 6:26 am)

Re: Vnode scope implementation, YAMAMOTO Takashi, (Fri Aug 21, 6:32 am)

Re: Vnode scope implementation, Marc Balmer, (Fri Aug 21, 7:17 am)

Re: Vnode scope implementation, Elad Efrat, (Fri Aug 21, 11:11 am)

Re: Vnode scope implementation, YAMAMOTO Takashi, (Sun Aug 23, 11:15 am)

Re: Vnode scope implementation, Elad Efrat, (Sun Aug 23, 2:31 pm)

Re: Vnode scope implementation, YAMAMOTO Takashi, (Tue Aug 25, 11:43 am)

Re: Vnode scope implementation, Elad Efrat, (Tue Aug 25, 2:06 pm)

Re: Vnode scope implementation, YAMAMOTO Takashi, (Tue Aug 25, 4:00 pm)

Re: Vnode scope implementation, Marc Balmer, (Tue Aug 25, 4:18 pm)

Re: Vnode scope implementation, Elad Efrat, (Fri Aug 28, 3:58 pm)

Re: Vnode scope implementation, Elad Efrat, (Tue Aug 25, 4:18 pm)

Re: Vnode scope implementation, David Holland, (Sun Jul 19, 4:17 pm)

Re: Vnode scope implementation, David Holland, (Sun Jul 19, 4:19 pm)

Re: Vnode scope implementation, Marc Balmer, (Sun Jul 19, 9:07 am)

Re: Vnode scope implementation, Elad Efrat, (Sun Jul 19, 9:30 am)

Re: Vnode scope implementation, Marc Balmer, (Sun Jul 19, 9:32 am)

Re: Vnode scope implementation, Christoph Egger, (Sat Jul 4, 1:45 pm)

Re: Vnode scope implementation, David Laight, (Sat Jul 4, 6:24 pm)

Re: Vnode scope implementation, Matthew Mondor, (Sat Jul 4, 6:52 pm)

Re: Vnode scope implementation, Elad Efrat, (Sat Jul 4, 2:09 pm)


linux-kernel:
Heiko Carstens	Re: -mm merge plans for 2.6.23 -- sys_fallocate
Tarkan Erimer	Re: Dual-Licensing Linux Kernel with GPL V2 and GPL V3
Greg KH	[GIT PATCH] driver core patches against 2.6.24
Eric W. Biederman	[PATCH 0/10] sysfs network namespace support
git:

linux-netdev:
Gerrit Renker	[PATCH 27/37] dccp: Integration of dynamic feature activation - part 2 (server side)
David Miller	[GIT]: Networking
Jarek Poplawski	[PATCH] pkt_sched: Destroy gen estimators under rtnl_lock().
Natalie Protasevich	[BUG] New Kernel Bugs
openbsd-misc:

Re: Vnode scope implementation

Online users