Subject: Re: Veriexec enabled by default
To: YAMAMOTO Takashi <yamt@mwd.biglobe.ne.jp>
From: Elad Efrat <elad@NetBSD.org>
List: tech-kern
Date: 10/27/2006 17:44:00

YAMAMOTO Takashi wrote:

> in the case of vn_open, i think following apple's KAUTH_SCOPE_VNODE is
> the best bet.

okay, so we add the vnode scope. problem is, the action on that scope
is a bitfield of acl requests. do you want me to follow that design with
our vnode scope?

if yes, we can use the following actions:

KAUTH_VNODE_READ_DATA (vn_open)
KAUTH_VNODE_WRITE_DATA (vn_open)
KAUTH_VNODE_EXECUTE (sys_execve)
KAUTH_VNODE_DELETE (sys_unlink)

we're missing however an action for "rename".

> btw, why veriexec cares namespace operations like rename?
> it associates fingerprints to filehandles, which are not affected by rename,
> doesn't it?

yes, it doesn't really care about the filename. it uses the name to
indicate that a monitored file was renamed or prevent renaming it (the
latter may be required in, say, ips mode, or lockdown mode for
post-mortem analysis).

-e.

-- 
Elad Efrat
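
Added example, not part of the original message and not NetBSD or Apple code: a userspace C model of what a bitfield action on a vnode scope means for a listener. The bit values, the `vnode_listener` function, the `file_entry` struct, the two modes and the policy itself are assumptions made for illustration; only the four action names come from the message.

```c
#include <stdbool.h>
#include <stdio.h>

/* Action names from the message; the numeric values are constructed for
 * this model and are not taken from any kernel header. */
#define KAUTH_VNODE_READ_DATA  (1u << 0)
#define KAUTH_VNODE_WRITE_DATA (1u << 1)
#define KAUTH_VNODE_EXECUTE    (1u << 2)
#define KAUTH_VNODE_DELETE     (1u << 3)
/* No rename bit exists in this set, so a rename request cannot be
 * expressed here: the gap the message points out. */

enum result { ALLOW, DENY, DEFER };   /* hypothetical listener results */
enum mode { MODE_IDS, MODE_IPS };     /* hypothetical: report vs. prevent */

/* Hypothetical per-file state: is the file monitored, and did its
 * fingerprint match the last time it was evaluated? */
struct file_entry { bool monitored; bool fp_ok; };

/* One request may carry several bits (a read-write open sets READ_DATA and
 * WRITE_DATA together), so each group of bits is tested with a mask; a
 * switch on the whole value would miss combined requests. */
enum result vnode_listener(unsigned action, const struct file_entry *f,
                           enum mode m)
{
    if (!f->monitored)
        return DEFER;   /* not a monitored file: no opinion */
    if ((action & (KAUTH_VNODE_READ_DATA | KAUTH_VNODE_EXECUTE)) && !f->fp_ok)
        return DENY;    /* assumed policy: mismatched file is not used */
    if ((action & (KAUTH_VNODE_WRITE_DATA | KAUTH_VNODE_DELETE)) && m == MODE_IPS)
        return DENY;    /* assumed policy: prevention mode blocks changes */
    return ALLOW;
}

int main(void)
{
    struct file_entry f = { true, true };   /* constructed sample entry */
    unsigned rdwr = KAUTH_VNODE_READ_DATA | KAUTH_VNODE_WRITE_DATA;

    printf("rdwr open, ids mode: %d\n", vnode_listener(rdwr, &f, MODE_IDS));
    printf("rdwr open, ips mode: %d\n", vnode_listener(rdwr, &f, MODE_IPS));
    return 0;
}
```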