>> Something fh*()-like was only for calls which don't involve paths,
>> and for those, you must already have access to the vnode anyway, so
>> performing checks based on a path walk is inappropriate.
> Perhaps you're mis-understanding how fh*() work.  fhopen() allows you
> to open a file (using a file handle) that you DO NOT currently have
> open, and bypasses the full path permission checking along the way.

Yes.

But because *you* (the checking daemon) don't have it open at the
moment is more or less irrelevant; *someone* (the entity attempting to
perform the access you're checking) does.  (You have the kernel's word
for this, because it's the one who gave you the vnode to check.)

You, however, need some kind of handle on the vnode in order to perform
your checks.  It doesn't _have_ to be a character string (like a
pathname); it could be something filehandle-like instead.  It could
even be something else like a serial number that was included in the
request that you perform your checks, akin to an RPC xid.  But you need
*some* way to access that vnode, and a conventional path, besides being
impossible if it's open-but-unlinked, imposes inappropriate directory
permission checks.

/~\ The ASCII				der Mouse
\ / Ribbon Campaign
 X  Against HTML	       mouse@rodents.montreal.qc.ca
/ \ Email!	     7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B