Re: CVS commit: [elad-kernelauth] src/sys

To: Elad Efrat <elad%netbsd.org@localhost>
Subject: Re: CVS commit: [elad-kernelauth] src/sys
From: Jason Thorpe <thorpej%shagadelic.org@localhost>
Date: Wed, 8 Mar 2006 08:42:17 -0800

[Moving to tech-kern -- follow-ups there, please]

On Mar 7, 2006, at 9:17 PM, YAMAMOTO Takashi wrote:

Module Name:    src
Committed By:   elad
Date:           Tue Mar  7 23:23:56 UTC 2006

Added Files:
        src/sys/kern [elad-kernelauth]: kern_auth.c
        src/sys/sys [elad-kernelauth]: kauth.h

Log Message:
Add kernel authorization routines.


- IMO, it's better to use "org.netbsd.kauth.generic" as TN says.

I definitely agree with Yamamoto-san here... we should use the"reverse DNS name" convention as well (I would like more of oursubsystems that name things to use this convention, includingrepresenting dependencies within things like config(8)).

Also, please cite the TN in <sys/kauth.h>, and we should alsodescribe which routines are NetBSD extensions (either permanent newparts of the KPI that we have created, or transitional things thatwill eventually go away...)

- how about providing suser() as a wrapper ofKAUTH_GENERIC_ISSUSER? (for now?)


I think providing an suser() wrapper would be a fine idea.

- builtin_process seems like a too generic name to me.
- will you convert CURTAIN to KAUTH_PROCESS_CANSEE?
- locking seems broken.  try LOCKDEBUG.
- consider to follow our style.
- you can use SIMPLEQ_INSERT_TAIL on an empty queue.

I haven't had a chance to review this version of the code carefullyyet, but I will be doing so tonight, probably. So I will probablyhave some additional feedback, as well.

I would like to thank Elad for picking up this ball and rolling withit, after I nudged him in this direction. He has been working on itfor quite a while. Kauth will provide the foundation for some majorimprovements in NetBSD, including things like centralized file systemoperation authorization. Kauth also provides incredible flexibilityin how security policy is implemented, because it allows modules tointerpose themselves in the authorization process.


-- thorpej

References:
- CVS commit: [elad-kernelauth] src/sys
  - From: Elad Efrat
- Re: CVS commit: [elad-kernelauth] src/sys
  - From: YAMAMOTO Takashi

Prev by Date: Re: CVS commit: [elad-kernelauth] src/sys
Next by Date: CVS commit: [elad-kernelauth] src/sys/kern
Previous by Thread: Re: CVS commit: [elad-kernelauth] src/sys
Next by Thread: Re: CVS commit: [elad-kernelauth] src/sys
Indexes:

Home | Main Index | Thread Index | Old Index