Subject: Re: Veriexec enabled by default
To: None <elad@NetBSD.org>
From: YAMAMOTO Takashi <email@example.com>
Date: 10/28/2006 00:36:39
> YAMAMOTO Takashi wrote:
> > I think it's better to remove "#ifdef NVERIEXEC" by replacing them
> > with kauth or something like that and unlisten the scope when inactive,
> > rather than inventing this kind of optimization.
> I'm glad you brought it up. :)
> What scope should we use?
In the case of vn_open, I think following Apple's KAUTH_SCOPE_VNODE is
the best bet.
BTW, why does veriexec care about namespace operations like rename?
It associates fingerprints with filehandles, which are not affected by rename,