tech-kern archive


Re: More duplicate code, vnode locking question



Matthew Mondor wrote:
> On Tue, 21 Apr 2009 00:25:32 +0300
> Elad Efrat <elad%NetBSD.org@localhost> wrote:
>
> >         int
> >         common_mount_allowed(kauth_cred_t cred, struct vnode *vp,
> >             bool vnode_locked, int mode)
> >         {
> >                 /* if root, always allow. */
> >                 ...
>
> I'm actually unsure if security level has to be taken into account at
> this layer, but if so, I just want to remind that even the superuser
> shouldn't be able to mount new file systems under security level >1,
> which still might imply a call to kauth in uid == 0 case so the 44bsd
> secmodel may enforce security level policy?

This is the file-system specific code. We check securelevel way before
that. See

        http://nxr.netbsd.org/source/xref/sys/kern/vfs_syscalls.c#295

and

        http://nxr.netbsd.org/source/xref/sys/secmodel/securelevel/secmodel_securelevel.c#204

Thanks,

-e.

