tech-kern archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
Re: Vnode scope
Matt Benjamin wrote:
Anyway, it does seem problematic to require every fs to present a
normalised representation of ACLs. However, my impression was that
kauth was sufficiently flexible as to allow (for this use) the fs to
implement it's own security policy though the implementation of new
listener(s). Would that be a possibility for vnode scope?
Expected usage of the vnode scope, as suggested by Apple, is heavy, so
we're hoping to not have to require each file-system to provide its own
kauth(9) listener (which is, IMO, much more than asking for a normalized
representation).
Either way, as my reply to Andrew states, we don't have to do that
though, if we split the access control decision to (what I believe is)
a more realistic representation: "is this operation even possible", and
"is this operation allowed". The first will rule out immediately, the
second will be passed to kauth(9) listeners for consulting
vnode_authorize():
error = fs->is_this_possible(...);
if (error)
return error;
fs_decision = fs->is_this_allowed(...);
/* "fail-closed" */
if (!nsecmodels)
return fs_decision;
error = kauth_authorize_action(...);
suser_vnode_listener():
if (isroot || fs_decision == 0)
result = KAUTH_RESULT_ALLOW;
Thanks,
-e.
Home |
Main Index |
Thread Index |
Old Index