Subject: Re: Pending entries support for fileassoc(9)
To: YAMAMOTO Takashi <yamt@mwd.biglobe.ne.jp>
From: Elad Efrat <elad@bsd.org.il>
List: tech-kern
Date: 12/04/2007 12:52:21

YAMAMOTO Takashi wrote:

> can you explain what's wrong with loading fingerprints after mount?

Sure. :)

The above example I gave focuses on Veriexec, so let me "zoom out" a bit
and elaborate.

Some subsystems, part of which are not (yet) present in NetBSD, require
that interaction with various objects in the system be done with respect
to meta-data associated with them. While fileassoc(9) at the moment
allows associating meta-data with file-system objects, it only allows
doing so once the object "exists". One drawback to that is that there's
a window between the time the object is introduced to the system (say,
mount) and the time the meta-data for the object is loaded.

One example where this applies is Veriexec. Currently, a significant
portion of the boot process happens before Veriexec entries are loaded.
Allowing entries to be loaded before the files they're associated with
"exist" allows us to better protect the system during boot: the veriexec
rc.d script can be moved to the top of the rc list, and -- depending on
how critical the environment is -- you could even embed entries in the
kernel itself for /sbin/init et al.

Other uses may be to associate, for example, integrity levels for
file-system objects, such that a security model can properly enforce its
policy on them.

Does that answer your question?

-e.
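
Added illustration, not part of the message above and not NetBSD code: a toy C model of the window between mount and meta-data load, comparing a table that rejects entries for not-yet-existing objects with one that holds them pending until mount. Every name in it (`assoc_add`, `on_mount`, `has_meta`, `unchecked_execs`) and the boot sequence itself are hypothetical and constructed for the example; none of it is the fileassoc(9) or Veriexec API.

```c
#include <stdio.h>
#include <string.h>
/* Toy model: every name is hypothetical, none of it is fileassoc(9) API. */
struct entry { const char *path, *meta; int bound; };
struct table { struct entry e[8]; int n, mounted, allow_pending; };

/* Without pending support, fail until the object "exists" (is mounted). */
static int assoc_add(struct table *t, const char *path, const char *meta)
{
    if ((!t->mounted && !t->allow_pending) || t->n == 8)
        return -1;
    t->e[t->n++] = (struct entry){ path, meta, t->mounted };
    return 0;
}

/* Mount hook: bind every pending entry to the object that now exists. */
static void on_mount(struct table *t)
{
    t->mounted = 1;
    for (int i = 0; i < t->n; i++)
        t->e[i].bound = 1;
}

/* Returns 1 if an exec of path can be checked against bound meta-data. */
static int has_meta(const struct table *t, const char *path)
{
    for (int i = 0; i < t->n; i++)
        if (t->e[i].bound && strcmp(t->e[i].path, path) == 0)
            return 1;
    return 0;
}

/* Replay a constructed boot sequence; count execs that had no meta-data. */
static int unchecked_execs(int allow_pending)
{
    struct table t = { .allow_pending = allow_pending };
    assoc_add(&t, "/sbin/init", "constructed-fp-1");  /* early, pre-mount */
    assoc_add(&t, "/bin/sh", "constructed-fp-2");
    on_mount(&t);                                      /* root is mounted */
    int unchecked = !has_meta(&t, "/sbin/init") + !has_meta(&t, "/bin/sh");
    if (unchecked)                                     /* late rc.d load */
        assoc_add(&t, "/bin/sh", "constructed-fp-2");
    return unchecked + !has_meta(&t, "/bin/sh");       /* exec after load */
}

int main(void)
{
    printf("%d vs %d unchecked execs\n", unchecked_execs(0), unchecked_execs(1));
    return 0;
}
```

In the model, the table without pending support leaves the first two execs without meta-data, while the table with pending entries has meta-data bound by the time the first exec happens.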