tech-kern archive


Re: Vnode scope implementation



Hi,

I've got a feeling that you haven't read the man-page or Apple's
TN2127, but anyway--

On Sat, Jul 4, 2009 at 8:38 PM, David Holland <dholland-tech%netbsd.org@localhost> wrote:
> On Sat, Jul 04, 2009 at 08:14:19PM +0300, Elad Efrat wrote:
>> Once the back-end is in place, I'll follow-up with some more diffs
>> transitioning various file-systems to use kauth(9) in different places
>> -- access, chflags, chmod, etc.
>
> I'd like to see some examples of what this is expected to look like.

There are numerous examples of what this will look like: anything that
was already converted to kauth(9), pretty much, as well as the ACL
examples I've posted not too long ago.

>  >  /*
>  > + * Vnode scope - actions.
>  > + */
>  > +#define     KAUTH_VNODE_READ_DATA           (1 << 0)
>  > +#define     KAUTH_VNODE_LIST_DIRECTORY      KAUTH_VNODE_READ_DATA
>  > +#define     KAUTH_VNODE_WRITE_DATA          (1 << 1)
>  > +#define     KAUTH_VNODE_ADD_FILE            KAUTH_VNODE_WRITE_DATA
>  > +#define     KAUTH_VNODE_EXECUTE             (1 << 2)
>  > +#define     KAUTH_VNODE_SEARCH              KAUTH_VNODE_EXECUTE
>  > +
>  > +#define     KAUTH_VNODE_ACCESS              (1 << 31)
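Review bot: `(1 << 31)` in the KAUTH_VNODE_ACCESS definition shifts a signed int into its sign bit, which is undefined behaviour in C and yields a negative value if the mask is ever held in an int; write it as `(1U << 31)` so the high bit is well-defined and ORs cleanly with the other action bits in the same block.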
>
> I assume there's some reason these need to be bits rather than an
> enumeration;

Yes. If you read Apple's TN2127, you'll see that the vnode
scope's actions are bits so several of them can be authorized in one
call. This is intentional.

> however, when you go to implement you'll find you've left
> a few things off here.

More than a few. Again, if you look at TN2127, you'll see that it
contains both the definitions you see above as well as several others.
I would like to implement them incrementally and not add actions
before they're used. This is why my mail says "some actions". This is
how kauth(9) has been implemented so far.

> These are the vnode actions VINO's security system defined. I believe
> that they're sufficient, and that at least most of them are necessary.
> I don't claim that there's anything particularly good about this way
> of structuring things; on the other hand, it *was* implemented and
> *did* work.

I tend to believe Apple's kauth(9) was also implemented and, well,
works, too. ;)

>  > +int
>  > +secmodel_bsd44_suser_vnode_cb(kauth_cred_t cred, kauth_action_t action,
>  > +    void *cookie, void *arg0, void *arg1, void *arg2,
>  > +    void *arg3)
>  > +{
>  >  [...]
>  > +    int fs_decision;
>  >  [...]
>  > +    fs_decision = (int)(unsigned long)arg2;
>
> Can't you figure out some way to arrange this that doesn't require
> casting integers to pointers and back?

Sure I can, only that it will affect kauth(9) as a whole, and this
email discusses the vnode scope. There are several design changes I
have planned, but I'd like to implement the vnode scope before moving
forward with them. Since all of kauth(9) works that way (emphasis on
"works"), it's going to stay that way, at least for now...

> (And if you really really must do that, use {u,}intptr_t, not unsigned
> long.)

Will do.

Thanks,

-e.
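The two design points argued in this message, actions as OR-able bits so one authorization call can cover several of them, and the filesystem's own decision travelling through a `void *` argument via an integer cast, are easier to see in a small self-contained model. The following C program is an added example for this archive page, not NetBSD's kauth(9) code or the poster's diff: the action bit values are the ones quoted above (with `1U` so the `1 << 31` bit is well-defined), while `struct cred`, `vnode_listener`, `authorize_vnode` and the `RESULT_*` constants are hypothetical stand-ins for the real credential type, listener and result codes, and the policy they implement is illustrative only.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Action bits as quoted in the thread; 1U keeps the sign-bit shift defined. */
#define KAUTH_VNODE_READ_DATA       (1U << 0)
#define KAUTH_VNODE_LIST_DIRECTORY  KAUTH_VNODE_READ_DATA
#define KAUTH_VNODE_WRITE_DATA      (1U << 1)
#define KAUTH_VNODE_ADD_FILE        KAUTH_VNODE_WRITE_DATA
#define KAUTH_VNODE_EXECUTE         (1U << 2)
#define KAUTH_VNODE_SEARCH          KAUTH_VNODE_EXECUTE
#define KAUTH_VNODE_ACCESS          (1U << 31)   /* modifier, not a right */

typedef uint32_t action_t;

/* Hypothetical result codes (assumption, not kauth(9)'s real values). */
enum { RESULT_ALLOW = 0, RESULT_DENY = 1 };

/* Hypothetical credential: a set of granted action bits plus a root flag. */
struct cred {
	uint32_t granted;
	bool is_superuser;
};

/*
 * Listener modelled on the quoted callback shape. The filesystem's own
 * verdict (fs_decision) arrives in arg2 as an integer smuggled through a
 * pointer; the round trip goes via uintptr_t, as suggested in the thread.
 */
static int
vnode_listener(const struct cred *cred, action_t action, void *cookie,
    void *arg0, void *arg1, void *arg2, void *arg3)
{
	int fs_decision = (int)(uintptr_t)arg2;
	/* Strip the ACCESS modifier so only real rights remain in the mask. */
	action_t requested = action & ~KAUTH_VNODE_ACCESS;

	(void)cookie; (void)arg0; (void)arg1; (void)arg3;

	if (cred->is_superuser)
		return RESULT_ALLOW;         /* root overrides the fs verdict */
	if (fs_decision == RESULT_DENY)
		return RESULT_DENY;          /* fs already said no */
	/* Several actions in one call: every requested bit must be granted. */
	if ((requested & cred->granted) == requested)
		return RESULT_ALLOW;
	return RESULT_DENY;
}

/* Convenience wrapper: packs fs_decision into arg2 the same way. */
static int
authorize_vnode(const struct cred *cred, action_t action, int fs_decision)
{
	return vnode_listener(cred, action, NULL, NULL, NULL,
	    (void *)(uintptr_t)fs_decision, NULL);
}

int
main(void)
{
	/* Constructed sample credentials. */
	struct cred user = { KAUTH_VNODE_READ_DATA | KAUTH_VNODE_EXECUTE, false };
	struct cred root = { 0, true };

	printf("read:           %d\n",
	    authorize_vnode(&user, KAUTH_VNODE_READ_DATA, RESULT_ALLOW));
	printf("read|write:     %d\n",
	    authorize_vnode(&user, KAUTH_VNODE_READ_DATA | KAUTH_VNODE_WRITE_DATA,
	    RESULT_ALLOW));
	printf("read (fs deny): %d\n",
	    authorize_vnode(&user, KAUTH_VNODE_READ_DATA, RESULT_DENY));
	printf("root write:     %d\n",
	    authorize_vnode(&root, KAUTH_VNODE_WRITE_DATA, RESULT_DENY));
	return 0;
}
```

The second call is the case the bit layout exists for: `READ_DATA | WRITE_DATA` is evaluated in one listener invocation and is denied because one of the two bits is missing, where an enumeration would have needed two calls and a caller-side merge of the two answers.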

