Subject: Re: nfs optimization and veriexec
To: None <>
From: YAMAMOTO Takashi <>
List: tech-security
Date: 12/22/2007 10:34:52
> That out of the way, it seems that this problem only applies to remote
> file-systems, even if the "create" semantics are changed. Correct me if
> I'm wrong, but the local file-system implementation will always know
> when it's going to create a file or just open it -- even if the VFS
> layer issues a "create if doesn't exist". Presuming that's the case,
> wouldn't it be possible to add a kauth(9) scope allowing subsystems like
> Veriexec to listen to, potentially blocking events?

It isn't clear to me why the distinction is that important for veriexec.
Can you explain?