[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
Re: kauth and socket calls (esp. bind())
On Fri, Apr 09, 2010 at 02:25:29PM +0200, Joerg Sonnenberger wrote:
> On Fri, Apr 09, 2010 at 10:24:38AM +0000, Andrew Doran wrote:
> > > I'm not sure I grasp how things like the filesystem or device scopes could
> > > even really work if you can't make kauth calls with locks held.
> > It cannot work without locks held in various places.
> > What it should say is that kauth itself must not take locks..
> That doesn't work either for the interesting advanced security models
> either. E.g. an implementation of zones/jails must be able to protect
> access to the global data structures.
Do you think authorization is the correct tool to implement the classic
bits of zones/jails? I certainly don't. What other examples are there?
Main Index |
Thread Index |