Re: Vnode scope implementation

To: elad%NetBSD.org@localhost
Subject: Re: Vnode scope implementation
From: yamt%mwd.biglobe.ne.jp@localhost (YAMAMOTO Takashi)
Date: Sun, 19 Jul 2009 07:32:10 +0000 (UTC)

hi,

>> - for what kauth_authorize_vnode takes "error" returned from
>>  ufs_check_permitted?
> 
> Imagine what happens if no secmodels are loaded (but we do have
> listeners, say, for logging). The result inside kauth(9) will be
> "EPERM" (because we'll receive a KAUTH_RESULT_DEFER and no
> KAUTH_RESULT_ALLOW). Legit operations of e.g. me accessing my files
> will be denied. Therefore, we provide a "subsystem result" for

i don't think operations will be denied in that case
because nsecmodels == 0.

YAMAMOTO Takashi

> kauth(9) to (a) pass on to listeners in case these are interested in
> it and (b) return in case no secmodels are loaded so we fail-close but
> not render the system unusable.
> 
> Thanks,
> 
> -e.

Follow-Ups:
- Re: Vnode scope implementation
  - From: Elad Efrat

References:
- Re: Vnode scope implementation
  - From: Elad Efrat

Prev by Date: Re: dhcpd dup my socket?
Next by Date: Re: Vnode scope implementation
Previous by Thread: Re: Vnode scope implementation
Next by Thread: Re: Vnode scope implementation
Indexes:

Home | Main Index | Thread Index | Old Index