Subject: Re: Veriexec enabled by default
To: None <>
From: YAMAMOTO Takashi <>
List: tech-kern
Date: 10/28/2006 00:36:39
> YAMAMOTO Takashi wrote:
> > i think it's better to remove "#ifdef NVERIEXEC" by replacing them
> > with kauth or something like that and unlisten the scope when inactive,
> > rather than inventing this kind of optimizations.
> I'm glad you brought it up. :)
> what scope should we use?

in the case of vn_open, i think following apple's KAUTH_SCOPE_VNODE is
the best bet.

btw, why veriexec cares namespace operations like rename?
it associates fingerprints to filehandles, which are not affected by rename,
doesn't it?