tech-kern archive


Re: Vnode scope implementation



On Sat, Jul 4, 2009 at 8:52 PM, Marc Balmer <marc%msys.ch@localhost> wrote:
>
> Am 04.07.2009 um 19:14 schrieb Elad Efrat:
>
>> Hi,
>>
>> I'd like to start implementing the vnode scope for some of our
>> file-systems. As with the rest of kauth(9), we'll do so in several
>> steps, rather than switch all functionality at once.
>>
>> The first step will be implementing the back-end itself: the scope
>> definition, some actions (just read/write/execute for now), an
>> authorization wrapper, and a bsd44/suser simple listener ("if root
>> or file-system allows then allow") -- see the attached diff.
>>
>> Once the back-end is in place, I'll follow up with some more diffs
>> transitioning various file-systems to use kauth(9) in different places
>> -- access, chflags, chmod, etc.
>
> can't you explain beforehand a bit what the goals are?  Why do we need this
> backend if we can't yet see what purpose it will serve?

You can see the purpose it will serve by reading Apple's TN2127, on
which kauth(9) is loosely based. Basically, as I've said in several
emails in the past, the vnode scope allows authorization of
file-system related operations (such as read, write, execute, change
owner, change flags, change modes, ...) using kauth(9). In other
words, it allows us to plug in security models that extend the
traditional behavior to other things -- like the ACLs I've posted not
too long ago:

    http://mail-index.netbsd.org/tech-kern/2009/06/27/msg005353.html

>> +int
>> +secmodel_bsd44_suser_vnode_cb(kauth_cred_t cred, kauth_action_t action,
>> +    void *cookie, void *arg0, void *arg1, void *arg2,
>> +    void *arg3)
>> +{
>> +        bool isroot;
>> +        int result;
>> +       struct vnode *vp, *dvp;
>> +       int fs_decision;
>> +
>> +        isroot = (kauth_cred_geteuid(cred) == 0);
>> +        result = KAUTH_RESULT_DEFER;
>> +
>> +       vp = arg0;
>> +       dvp = arg1;
>> +       fs_decision = (int)(unsigned long)arg2;
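Review bot: the line `fs_decision = (int)(unsigned long)arg2;` smuggles an integer through a `void *` argument with a double cast, which is the fragile part of this callback: the caller must remember to cast the other way, the compiler cannot check it, and the meaning of the value (0 = allowed? an errno?) is not documented anywhere in the hunk. Passing the file-system's decision by address instead, so the listener reads `fs_decision = *(int *)arg2;`, or bundling `vp`, `dvp` and the decision in a small struct handed over as `arg0`, keeps the generic `void *` interface of kauth(9) listeners while making the contract explicit; a comment above the callback stating what each of `arg0`..`arg3` carries would help either way. Also, the declarations are indented inconsistently (`bool isroot;` / `int result;` are one column deeper than `struct vnode *vp, *dvp;` / `int fs_decision;`), which looks like a tab/space mix; KNF wants tabs throughout.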
>
> this is ugly, to say the least...

Yes, it is.

Thanks,

-e.
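The decision logic the thread discusses, written out as an added stand-alone model rather than NetBSD's own kauth(9) or secmodel code: a vnode-scope "authorization wrapper" that polls registered listeners, a bsd44/suser listener implementing "if root or file-system allows then allow, else defer", and a second, pluggable model that denies writes to an immutable file to show how an extra listener extends the traditional behaviour. All `model_*` names, the `MODEL_FLAG_IMMUTABLE` flag and the convention that `fs_decision` is the file-system's own errno-style verdict (0 = allowed) are assumptions of this example; the ALLOW/DENY/DEFER tri-state and the "any deny wins, otherwise any allow wins, otherwise fail closed" resolution mirror kauth(9)'s documented semantics. The file-system verdict travels in a typed request struct instead of being cast through `void *`.

```c
/* Added example: a self-contained model of kauth(9)-style vnode-scope
 * authorization. Not NetBSD code; every model_* identifier is hypothetical. */
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Tri-state listener verdicts, mirroring kauth's ALLOW/DENY/DEFER. */
enum model_result { MODEL_RESULT_ALLOW, MODEL_RESULT_DENY, MODEL_RESULT_DEFER };

/* The first vnode-scope actions mentioned in the thread. */
enum model_action { MODEL_VNODE_READ = 1, MODEL_VNODE_WRITE = 2, MODEL_VNODE_EXECUTE = 4 };

#define MODEL_FLAG_IMMUTABLE 0x1u   /* assumed per-file flag used by the second model */

struct model_cred { unsigned euid; };

/* Typed request handed to every listener instead of raw void * arguments:
 * fs_decision is the file-system's own verdict (assumption: 0 = allowed,
 * otherwise an errno such as EACCES). */
struct model_vnode_req {
    const char *path;      /* stands in for the vnode */
    unsigned flags;
    int fs_decision;
};

typedef enum model_result (*model_listener_t)(const struct model_cred *,
    enum model_action, const struct model_vnode_req *);

/* bsd44/suser listener: "if root or file-system allows then allow";
 * anything else is deferred so other security models can weigh in. */
static enum model_result
model_suser_vnode_cb(const struct model_cred *cred, enum model_action action,
    const struct model_vnode_req *req)
{
    (void)action;
    bool isroot = (cred->euid == 0);
    if (isroot || req->fs_decision == 0)
        return MODEL_RESULT_ALLOW;
    return MODEL_RESULT_DEFER;
}

/* A second, pluggable model: writes to an immutable file are denied for
 * everyone, root included, because one DENY outweighs any ALLOW. */
static enum model_result
model_immutable_vnode_cb(const struct model_cred *cred, enum model_action action,
    const struct model_vnode_req *req)
{
    (void)cred;
    if ((action & MODEL_VNODE_WRITE) && (req->flags & MODEL_FLAG_IMMUTABLE))
        return MODEL_RESULT_DENY;
    return MODEL_RESULT_DEFER;
}

/* Scope back-end: a fixed table of listeners (stands in for kauth_listen_scope). */
#define MODEL_MAX_LISTENERS 4
static model_listener_t model_listeners[MODEL_MAX_LISTENERS];
static size_t model_nlisteners;

static bool
model_listen_vnode(model_listener_t cb)
{
    if (model_nlisteners == MODEL_MAX_LISTENERS)
        return false;
    model_listeners[model_nlisteners++] = cb;
    return true;
}

/* Register the two models above; returns how many listeners are active. */
static size_t
model_scope_init(void)
{
    model_nlisteners = 0;
    model_listen_vnode(model_suser_vnode_cb);
    model_listen_vnode(model_immutable_vnode_cb);
    return model_nlisteners;
}

/* Authorization wrapper: any DENY wins, otherwise any ALLOW wins, and if every
 * listener defers (or none is registered) the request fails closed. */
static int
model_authorize_vnode(const struct model_cred *cred, enum model_action action,
    const struct model_vnode_req *req)
{
    bool allowed = false;
    for (size_t i = 0; i < model_nlisteners; i++) {
        switch (model_listeners[i](cred, action, req)) {
        case MODEL_RESULT_DENY:  return EACCES;
        case MODEL_RESULT_ALLOW: allowed = true; break;
        case MODEL_RESULT_DEFER: break;
        }
    }
    return allowed ? 0 : EACCES;
}

/* Convenience entry point building a constructed credential and request. */
static int
model_check(unsigned euid, unsigned flags, int fs_decision, enum model_action action)
{
    struct model_cred cred = { euid };
    struct model_vnode_req req = { "/constructed/path", flags, fs_decision };
    return model_authorize_vnode(&cred, action, &req);
}

int
main(void)
{
    model_scope_init();
    printf("uid 1000 write, fs says EACCES -> %d\n", model_check(1000, 0, EACCES, MODEL_VNODE_WRITE));
    printf("root write, fs says EACCES     -> %d\n", model_check(0, 0, EACCES, MODEL_VNODE_WRITE));
    printf("root write, immutable file     -> %d\n", model_check(0, MODEL_FLAG_IMMUTABLE, 0, MODEL_VNODE_WRITE));
    printf("uid 1000 read, immutable file  -> %d\n", model_check(1000, MODEL_FLAG_IMMUTABLE, 0, MODEL_VNODE_READ));
    return 0;
}
```

The third case is the one worth noticing: with only the suser model loaded root would be allowed, but once the immutable model is listening its DENY overrides root's ALLOW, which is exactly the kind of extension the vnode scope is meant to make possible without touching the file-system code.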

