tech-kern archive


Re: Vnode scope



Matt Benjamin wrote:

> Anyway, it does seem problematic to require every fs to present a
> normalised representation of ACLs.  However, my impression was that
> kauth was sufficiently flexible as to allow (for this use) the fs to
> implement its own security policy through the implementation of new
> listener(s).  Would that be a possibility for vnode scope?

Expected usage of the vnode scope, as suggested by Apple, is heavy, so
we're hoping to not have to require each file-system to provide its own
kauth(9) listener (which is, IMO, much more than asking for a normalized
representation).

Either way, as my reply to Andrew states, we don't have to do that
though, if we split the access control decision to (what I believe is)
a more realistic representation: "is this operation even possible", and
"is this operation allowed". The first will rule out immediately, the
second will be passed to kauth(9) listeners for consulting.

        vnode_authorize():
                /* stage 1: can this operation happen at all? */
                error = fs->is_this_possible(...);
                if (error)
                        return error;

                /* stage 2: the file-system's own verdict */
                fs_decision = fs->is_this_allowed(...);

                /* "fail-closed": no security model loaded, fs decides */
                if (!nsecmodels)
                        return fs_decision;

                /* otherwise the listeners are consulted, fs_decision included */
                error = kauth_authorize_action(...);

        suser_vnode_listener():
                /* root, or a file-system "yes", allows */
                if (isroot || fs_decision == 0)
                        result = KAUTH_RESULT_ALLOW;

Thanks,

-e.
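A compilable sketch of the two-stage split described in the message above, added here as an example and not taken from the thread or from NetBSD. It models "is this operation even possible" as a credential-free file-system hook, "is this operation allowed" as the file-system's own policy whose verdict is handed to a chain of listeners, and the suser listener from the message; a second, stacked listener shows a DENY overriding root. The names `fs_ops`, `ffs_*`, `register_listener`, `RESULT_*` and both listeners are hypothetical stand-ins, not the kauth(9) API.

```c
/*
 * Added example, not NetBSD code: a toy model of the two-stage split
 * sketched in the message, "is this operation even possible" (fs only)
 * followed by "is this operation allowed" (fs policy, then listeners).
 * fs_ops, ffs_*, register_listener, RESULT_* and the listeners are
 * hypothetical stand-ins, not the kauth(9) API.
 */
#define EPERM   1	/* errno values with their usual numbers */
#define EACCES  13
#define EROFS   30

enum vnode_op { VOP_READ, VOP_WRITE, VOP_EXEC };
/* listener verdicts, in the spirit of KAUTH_RESULT_{ALLOW,DENY,DEFER} */
enum result { RESULT_DEFER, RESULT_ALLOW, RESULT_DENY };

struct cred  { unsigned uid; };
struct vnode { unsigned owner_uid; unsigned owner_mode; int readonly_fs; };
struct fs_ops {
	/* stage 1: feasibility, credentials not consulted; errno or 0 */
	int (*is_this_possible)(const struct vnode *, enum vnode_op);
	/* stage 2: the fs's own policy; 0 means "fs would allow" */
	int (*is_this_allowed)(const struct vnode *, enum vnode_op,
	    const struct cred *);
};

typedef enum result (*listener_fn)(const struct cred *, const struct vnode *,
    enum vnode_op, int fs_decision);

#define MAX_LISTENERS 4
static listener_fn listeners[MAX_LISTENERS];
static int nsecmodels;	/* number of loaded security models */

void register_listener(listener_fn fn)
{
	if (nsecmodels < MAX_LISTENERS)
		listeners[nsecmodels++] = fn;
}
void clear_listeners(void) { nsecmodels = 0; }

static int ffs_is_this_possible(const struct vnode *vp, enum vnode_op op)
{
	/* no credential, root included, makes a write to a read-only fs possible */
	return (op == VOP_WRITE && vp->readonly_fs) ? EROFS : 0;
}

static int ffs_is_this_allowed(const struct vnode *vp, enum vnode_op op,
    const struct cred *cr)
{
	/* toy policy: only the owner's rwx bits exist */
	unsigned need = (op == VOP_READ) ? 04 : (op == VOP_WRITE) ? 02 : 01;
	if (cr->uid != vp->owner_uid)
		return EACCES;
	return (vp->owner_mode & need) ? 0 : EACCES;
}

const struct fs_ops ffs_ops = { ffs_is_this_possible, ffs_is_this_allowed };

/* listener chain: any DENY wins, otherwise one ALLOW is needed; all-DEFER
 * fails closed */
static int authorize_action(const struct cred *cr, const struct vnode *vp,
    enum vnode_op op, int fs_decision)
{
	int allowed = 0;
	for (int i = 0; i < nsecmodels; i++) {
		enum result r = listeners[i](cr, vp, op, fs_decision);
		if (r == RESULT_DENY)
			return EPERM;
		if (r == RESULT_ALLOW)
			allowed = 1;
	}
	return allowed ? 0 : EACCES;
}

int vnode_authorize(const struct fs_ops *fs, const struct vnode *vp,
    enum vnode_op op, const struct cred *cr)
{
	int error = fs->is_this_possible(vp, op);
	if (error)
		return error;		/* ruled out before any policy is asked */
	int fs_decision = fs->is_this_allowed(vp, op, cr);
	if (!nsecmodels)
		return fs_decision;	/* no security model: fs decision is final */
	return authorize_action(cr, vp, op, fs_decision);
}

/* the listener from the message: root, or an fs "yes", allows; else defer */
enum result suser_vnode_listener(const struct cred *cr, const struct vnode *vp,
    enum vnode_op op, int fs_decision)
{
	(void)vp; (void)op;
	return (cr->uid == 0 || fs_decision == 0) ? RESULT_ALLOW : RESULT_DEFER;
}

/* hypothetical second model stacked on top: no exec from a read-only fs;
 * its DENY holds even against root */
enum result noexec_ro_listener(const struct cred *cr, const struct vnode *vp,
    enum vnode_op op, int fs_decision)
{
	(void)cr; (void)fs_decision;
	return (op == VOP_EXEC && vp->readonly_fs) ? RESULT_DENY : RESULT_DEFER;
}
```

The point of the split shows up in the cases: a write to a read-only file system returns EROFS for root as much as for anyone, because stage 1 never asks who is asking; with no security model loaded the file system's own verdict is returned unchanged, so root is not special; once the suser listener is registered root passes where the mode bits would have said no, and a further listener can still deny root with a single DENY.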

