Subject: Re: nfs optimization and veriexec
To: YAMAMOTO Takashi <yamt@mwd.biglobe.ne.jp>
From: Elad Efrat <elad@bsd.org.il>
List: tech-security
Date: 10/29/2007 20:27:52

YAMAMOTO Takashi wrote:

> yes, but i really don't want to have veriexec specific code in
> each filesystem.  can't veriexec be modified to deal with it?

For a while I've been wanting to modify the way Veriexec does some
things, namely the check of strict level in dev/verified_exec.c, by
adding a kauth(9) scope for it to perform operations on.

Perhaps it's a good time to introduce said scope, and add an action
to indicate whether the NFS optimization can take place. Would that
work for you?

The only thing I'm wondering about is what the kernel would do in
case Veriexec is not even compiled in... maybe just put in weak-aliased
stubs (similar to secmodel_start() in kern/init_main.c).

(perhaps having a file that is always compiled and contains weak-aliased
always-allow stubs for when conditionally compiled in scopes are not
compiled in is appropriate? :)

-e.