tech-kern archive


Re: Splitting <fs>_access to two internal routines



YAMAMOTO Takashi wrote:

> >    - The prototypes are:
> >
> >         static int
> >         ufs_check_possible(struct vnode *vp, struct inode *ip,
> >             mode_t mode, kauth_cred_t cred)
>
> it seems that passing the credential to this function contradicts
> your purpose.  right?

Yeah... it only occurred to me after I sent the email.

> >         static int
> >         ufs_check_permitted(struct vnode *vp, struct inode *ip,
> >             mode_t mode, kauth_cred_t cred)
> >
> >      Looking at other file-systems, it seems that the prototypes will be
> >      similar, except of course for the second argument which will be the
> >      internal node type.
> >
> > Please have a look -- before I post a diff for all file-systems I'd like
> > to make sure that the interfaces are acceptable (even if they're
> > private).
>
> of course, you can't do this for some filesystems.  e.g. nfs

Right. Can you give another example of a file-system I can't do this
for?

> while i don't have a strong opinion, i don't see much benefit.

The benefit of these changes alone is nearly meaningless, but they
should be viewed as a necessary step for implementing the "vnode" scope;
see my original mail about quantifying the file-system's decision for
further use.

Eventually, I'd like to have the access functions look like this:

        int
        somefs_access(...)
        {
                [...]

                error = somefs_check_possible(...);
                if (error)
                        return error;

                fs_decision = somefs_check_permitted(...);

                error = kauth_authorize_vnode(..., fs_decision);

                return error;
        }

The motivation is to (a) not even check permissions if we can't
perform the operation, (b) have the file-system's uid/ACL-based decision
as a fail-safe fall-back (in case nsecmodels == 0), (c) let kauth(9)
have the final word without forcing access permissions to happen in the
VFS layer (as I originally proposed).

Do you have another idea on how to achieve the above?

Thanks,

-e.
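Added example, not part of this thread and not NetBSD source: a constructed, user-space model of the three-stage access path sketched in the mail above. Every name here is a stand-in chosen for illustration: toy_check_possible, toy_check_permitted and toy_authorize_vnode play the roles of somefs_check_possible, somefs_check_permitted and kauth_authorize_vnode; toy_nsecmodels stands in for nsecmodels; struct toy_inode and struct toy_cred replace the fs node and kauth_cred_t; the errno values and the security-model hook type are defined locally and are assumptions, not kernel APIs. It shows the three properties the mail asks for: the "possible" check runs first and takes no credential (Takashi's point), the uid/gid/mode decision is computed by the file system, and a loaded security model gets the final word while the fs decision remains the fallback when none is loaded.

```c
#include <stdbool.h>
#include <stddef.h>
#include <sys/types.h>

/* Constructed model of the proposed access path; NOT ufs_access()/kauth(9).
 * All toy_* names, the errno values and the hook type are illustrative. */
#define EPERM   1
#define EACCES 13
#define EROFS  30
#define VEXEC  0001          /* requested-access bits, laid out like mode bits */
#define VWRITE 0002
#define VREAD  0004

struct toy_inode {           /* stand-in for the fs's internal node */
    uid_t  uid;
    gid_t  gid;
    mode_t mode;             /* permission bits only, e.g. 0640 */
    bool   readonly_fs;      /* mounted read-only */
    bool   immutable;        /* immutable flag set on the node */
};

struct toy_cred {            /* stand-in for kauth_cred_t */
    uid_t uid;
    gid_t gid;
};

/* Security-model hook; with zero loaded models the fs decision is final. */
typedef int (*toy_secmodel_fn)(const struct toy_cred *,
    const struct toy_inode *, mode_t, int fs_decision);
static toy_secmodel_fn toy_secmodel = NULL;
static int toy_nsecmodels = 0;   /* stand-in for nsecmodels */

/* (a) Can the operation be performed at all?  Deliberately takes no
 * credential: the answer must not depend on who is asking. */
static int
toy_check_possible(const struct toy_inode *ip, mode_t mode)
{
    if (mode & VWRITE) {
        if (ip->readonly_fs)
            return EROFS;
        if (ip->immutable)
            return EPERM;
    }
    return 0;
}

/* (b) The file system's own uid/gid/mode-bit decision; this is the
 * fail-safe fallback used when no security model is loaded. */
static int
toy_check_permitted(const struct toy_inode *ip, mode_t mode,
    const struct toy_cred *cred)
{
    mode_t granted;

    if (cred->uid == ip->uid)
        granted = (ip->mode >> 6) & 07;
    else if (cred->gid == ip->gid)
        granted = (ip->mode >> 3) & 07;
    else
        granted = ip->mode & 07;
    return (mode & ~granted) ? EACCES : 0;
}

/* (c) Stand-in for kauth_authorize_vnode(): the loaded model has the last
 * word and receives the fs decision to defer to or override. */
static int
toy_authorize_vnode(const struct toy_cred *cred, const struct toy_inode *ip,
    mode_t mode, int fs_decision)
{
    if (toy_nsecmodels == 0 || toy_secmodel == NULL)
        return fs_decision;
    return toy_secmodel(cred, ip, mode, fs_decision);
}

void
toy_install_secmodel(toy_secmodel_fn fn)
{
    toy_secmodel = fn;
    toy_nsecmodels = (fn != NULL) ? 1 : 0;
}

/* Sample model: refuses execute access for everyone, defers otherwise. */
int
toy_noexec_secmodel(const struct toy_cred *cred, const struct toy_inode *ip,
    mode_t mode, int fs_decision)
{
    (void)cred; (void)ip;
    return (mode & VEXEC) ? EACCES : fs_decision;
}

/* The access entry point, in the shape proposed in the mail. */
int
toy_access(const struct toy_inode *ip, mode_t mode,
    const struct toy_cred *cred)
{
    int error, fs_decision;

    error = toy_check_possible(ip, mode);
    if (error)
        return error;        /* impossible: no permission check at all */
    fs_decision = toy_check_permitted(ip, mode, cred);
    return toy_authorize_vnode(cred, ip, mode, fs_decision);
}
```

Two behaviours are worth noticing: a write to a read-only mount returns EROFS for every caller, including ones who would have failed the permission check, because stage (a) short-circuits before any credential is consulted; and installing a model changes the outcome only where the model chooses to override, since it is handed fs_decision and can simply return it.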

