Subject: Re: nfs optimization and veriexec
To: None <elad@bsd.org.il>
From: YAMAMOTO Takashi <yamt@mwd.biglobe.ne.jp>
List: tech-security
Date: 12/17/2007 22:19:21
> YAMAMOTO Takashi wrote:
> 
> > for the long term, i want to remove "lookup before create" from vfs.
> > so i hope to see the assumption removed from veriexec, rather than
> > making the rest of the kernel veriexec-aware.
> 
> So it's not just an *NFS* optimization, is it? :)

probably, but it's merely my thought at this point.

> Basically, Veriexec has a feature where it can prevent creation of new
> files. I'd like to maintain that feature... or at least learn more about
> what benefits this optimization has if the direction is that the two
> can't co-exist.

it reduces the number of rpcs for an operation.

> Would it be possible to have Veriexec treat a "create unless exists" as
> "create"? or would that break programs that open, say, log files with
> O_RDWR|O_CREAT?
> 
> -e.

doesn't "lockdown mode" break such programs by preventing O_RDWR anyway?
i guess O_RDONLY|O_CREAT is rare.

YAMAMOTO Takashi