tech-kern archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

Re: Vnode scope implementation


> On Sun, Aug 23, 2009 at 11:15 AM, YAMAMOTO
> Takashi<> wrote:
>> ok, you will document it.  it's fine.
> Good. Btw, could this:
> be another manifestation of a similar issue...?

it just means that not all filesystems are ufs-feature-compatible.

>> let me repeat my questions.
>> do you mean that nothing except documentation will be done for nfs?
> At least for now, yes, nothing except documentation will be done for nfs.
>> does it mean the use of the vnode scope is optional and a filesystem is
>> free to choose not using it, right?
> No, what is your reasoning here?

what do you mean by "No"?  it won't be optional?
it can't be mandated because it's simply impossible for some filesystems.

> It means that if a file-system's security policy effectively comes
> from a host that you have no control over, you can not explicitly
> allow an operation because you don't have the last word, but you can
> certainly short-circuit and deny the operation.

sometimes you can't short-circuit with the suggested api because you
need to get "fs_decision" first.


> It's very similar to a firewall running on machine A allowing all
> outbound communication to port 80, but that will be of little meaning
> if the remote host B does not allow any inbound communication to port
> 80.
> -e.

Home | Main Index | Thread Index | Old Index