Subject: Re: simple tpe implementation
To: YAMAMOTO Takashi <yamt@mwd.biglobe.ne.jp>
From: Antti Kantee <pooka@cs.hut.fi>
List: tech-kern
Date: 02/02/2007 18:31:34
On Fri Feb 02 2007 at 00:41:00 +0200, Elad Efrat wrote:
> +/*
> + * Check if the vnode is in a trusted path.
> + */
> +int
> +tpe_check(struct lwp *l, struct vnode *vp, struct vattr *va)
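Review bot: the comment above the signature promises "Check if the vnode is in a trusted path", but nothing says where the struct vattr *va argument comes from or why it is needed next to vp; either document that the caller has already fetched the attributes (VOP_GETATTR or equivalent) and that tpe_check trusts them as given, or drop the parameter and obtain the attributes inside the function so there is a single place where the lookup happens.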
There's probably a good reason for the third parameter, but I'm missing
that now.
On Fri Feb 02 2007 at 08:44:31 +0900, YAMAMOTO Takashi wrote:
> > YAMAMOTO Takashi wrote:
> > >> + /* XXX Must be owned by root. */
> > >> + if (va->va_uid != 0)
> > >> + return (EPERM);
> > >> +
> > >> + /* Must not be writable by group or other. */
> > >> + if (va->va_mode & (S_IWGRP | S_IWOTH))
> > >> + return (EPERM);
> > >> +
> > >> + return (0);
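Review bot: these lines test only the leaf vnode's own uid and mode, so a root-owned, non-group/other-writable file that lives in a world- or group-writable directory passes even though the function comment says "in a trusted path"; either walk the containing directories as well or document that the caller is responsible for them. The "XXX Must be owned by root" comment should also say what is provisional about the va_uid != 0 test (the filesystem dependence raised in this thread would be the obvious thing to record), and the struct lwp *l parameter is not used by anything visible here.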
> > >
> > > this kind of permission checks are filesystem dependent.
> > > consider acls or remote filesystems.
> >
> > yes, that's why it's "simple".
> >
> > how do you suggest doing it?
> >
> > -e.
>
> i have no good idea off hand.
>
> VOP_ACCESS is the right way to check permissions,
> but it doesn't have "only root can.." functionality.
> we can change VOP, but it's almost impossible to implement
> for some filesystems.
... in which case we don't want the vattr argument to the function.
Also, it could encompass the notion of "vnode is a directory" in favour
of more transparent vnodes. So essentially everything here would be
reduced to a single VOP-call. And I don't see how that could be any
worse than these abstract checks for some file systems.
But I don't currently really care either way.
--
Antti Kantee <pooka@iki.fi> Of course he runs NetBSD
http://www.iki.fi/pooka/ http://www.NetBSD.org/
"the most indispensable quality of a cook is exactness"