Subject: Re: mount(2) on kauth(9)
To: YAMAMOTO Takashi <yamt@mwd.biglobe.ne.jp>
From: Elad Efrat <elad@NetBSD.org>
List: tech-kern
Date: 12/30/2006 23:34:08
YAMAMOTO Takashi wrote:
>> yeah. we'll have to keep the kauth_cred_t of the mounter in struct
>> mount (note: this will have to be a copy, not a reference), then we
>> could use these credentials in requests to decide whether or not to
>> respect the suid bit, devices, etc.
>>
>> I think it's ugly. :)
>>
>> -e.
>
> what's the benefit of deferring the decision, rather than having
> two additional kauth calls at mount time?
>
> YAMAMOTO Takashi
for my reply, I'll assume you mean something like this:
/* check if can mount */
error = kauth_authorize_system(...);
if (error)
	return (error);
/* check if can keep priv'd flags */
if (!(flags & (MOUNT_NOFOO|MOUNT_NOBAR))) {
	error = kauth_authorize_system(...);
	if (error) {
		flags |= (MOUNT_NOFOO|MOUNT_NOBAR);
		/* for update, keep MNT_NOEXEC... */
	}
}
the biggest problem I see with it is that we issue two kauth
calls, where there's only one request. this second call is really
introduced because of a design flaw in the 4.4bsd secmodel: if the
original code did something like:
if (dovfsusermount && uid != 0 && (flags & MOUNT_PRIV_FLAGS))
	return (EPERM);
then we would not have a problem. but the current design dictated
the second call ("can keep these flags") -- which is, I believe, not
something we should do. (and I'm not yet sure we want to piggyback it
for the MNT_NOEXEC part)
by passing the flags as a pointer, we give a chance to the bsd44
secmodel to change them silently, but other secmodels will use it
(hopefully) normally. I think that although kind-of unpleasant, this
is the best we can do. :/
-e.
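A toy C model of the two designs contrasted in this thread, added here as an illustration; it is not code from the thread or from NetBSD's kauth(9). The credential struct, the action ids, the flag values, the call counter, the "strict" secmodel switch and toy_scenario() are all constructed for this example; MOUNT_NOFOO/MOUNT_NOBAR are the placeholder names from the message and are treated as restriction bits (leaving them clear is a request for privileged behaviour). It shows that the two-call design issues two kauth requests for one mount and never lets the first request see the flags, while the flags-by-pointer design issues one request and lets a bsd44-style listener rewrite the flags or a stricter listener refuse.

```c
#include <errno.h>
#include <stdio.h>

/* Placeholder restriction bits, named as in the message; values constructed. */
#define MOUNT_NOFOO       0x01
#define MOUNT_NOBAR       0x02
#define MOUNT_PRIV_FLAGS  (MOUNT_NOFOO | MOUNT_NOBAR)

/* Toy stand-in for kauth_cred_t: only the uid matters here. */
struct toy_cred { unsigned int uid; };

/* Constructed action ids for the two questions in the sketch. */
enum toy_action {
	TOY_MOUNT = 1,           /* "may this credential mount at all?" */
	TOY_MOUNT_KEEP_PRIV = 2  /* "may it keep the privileged flags?" */
};

int dovfsusermount = 1;      /* toy equivalent of the sysctl */
int toy_secmodel_strict = 0; /* 0: bsd44-style rewrite, 1: refuse instead */
int toy_kauth_calls;         /* counts requests so the designs can be compared */

/*
 * Toy secmodel listener. In the one-call design it receives a pointer to
 * the flags and may rewrite them; in the two-call design the pointer is
 * NULL and it can only answer yes or no.
 */
static int
toy_kauth_authorize_system(const struct toy_cred *cred, enum toy_action action,
    int *flags)
{
	toy_kauth_calls++;
	if (cred->uid == 0)
		return 0;                      /* root: everything allowed */
	if (!dovfsusermount)
		return EPERM;                  /* user mounts disabled */
	switch (action) {
	case TOY_MOUNT:
		if (flags == NULL)
			return 0;              /* flags not visible: just "yes" */
		if (toy_secmodel_strict)       /* refuse rather than rewrite */
			return (*flags & MOUNT_PRIV_FLAGS) == MOUNT_PRIV_FLAGS ?
			    0 : EPERM;
		*flags |= MOUNT_PRIV_FLAGS;    /* bsd44: allow, silently restrict */
		return 0;
	case TOY_MOUNT_KEEP_PRIV:
		return EPERM;                  /* non-root may not keep them */
	}
	return EPERM;
}

/* Design A: two requests; the caller patches the flags on refusal. */
int
toy_mount_two_calls(const struct toy_cred *cred, int *flags)
{
	int error = toy_kauth_authorize_system(cred, TOY_MOUNT, NULL);
	if (error)
		return error;
	if (!(*flags & MOUNT_PRIV_FLAGS)) {
		error = toy_kauth_authorize_system(cred, TOY_MOUNT_KEEP_PRIV, NULL);
		if (error)
			*flags |= MOUNT_PRIV_FLAGS;
	}
	return 0;
}

/* Design B: one request; the secmodel sees and may change the flags. */
int
toy_mount_one_call(const struct toy_cred *cred, int *flags)
{
	return toy_kauth_authorize_system(cred, TOY_MOUNT, flags);
}

/* Run one scenario: returns the resulting flags, or -errno on refusal. */
int
toy_scenario(int one_call, unsigned int uid, int usermount, int strict)
{
	struct toy_cred cred = { uid };
	int flags = 0, error;

	dovfsusermount = usermount;
	toy_secmodel_strict = strict;
	toy_kauth_calls = 0;
	error = one_call ? toy_mount_one_call(&cred, &flags)
	                 : toy_mount_two_calls(&cred, &flags);
	return error ? -error : flags;
}

int
main(void)
{
	int r = toy_scenario(0, 1000, 1, 0);
	printf("two calls: requests=%d result=0x%x\n", toy_kauth_calls, r);
	r = toy_scenario(1, 1000, 1, 0);
	printf("one call:  requests=%d result=0x%x\n", toy_kauth_calls, r);
	return 0;
}
```

With the strict listener, toy_scenario(0, 1000, 1, 1) still succeeds with the flags forced on, because the first question in the two-call design carries no flags at all; the same listener refuses in the one-call design.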