tech-kern archive


Re: Vnode scope implementation



On Mon, Jul 06, 2009 at 01:15:30AM +0300, Elad Efrat wrote:
>> On Sat, Jul 04, 2009 at 09:08:18PM +0300, Elad Efrat wrote:
>>  > I've got a feeling that you haven't read the man-page or Apple's
>>  > TN2127, but anyway--
>>
>> Is it required to read random Apple docs to understand what you're
>> doing?
>
> There are several ways you can go about understanding what we're doing.

That wasn't the question. I'm quite aware of the general outline and
the general purpose. I am asking whether Apple technical documents are
to be taken as part of your design blueprint and/or part of your
proposals, and the answer appears to be "yes".

Anyway,

>> There are no *vnode* examples.
>[snip]

Thank you. (Although that's about the simplest cause you could possibly
have imagined.)

> [...], and our usage of the scope in general differs (as
> we will be authorizing from the file-systems, rather than normalize
> permissions/ACLs and doing it in the VFS -- which, to remind you, was
> something that you requested).

As I recall, what I requested was a sufficiently general abstraction
of canonical permissions. However, what you've got looks like it will
work as a starting point.

>> Either way, I'd like to see the complete set of actions you propose so
>> it can be checked for completeness and orthogonality.
>
> Unfortunately that will not happen.

It should. The set of possible distinct actions is an important part
of the interface, and (particularly for security!) it should be
designed rather than allowed to agglomerate.

I realize that it's a considerable amount of work up front to wade
through all the places that will need to be adjusted to come up with a
complete list of all actions that will be required.

However, I think it's an important exercise at this stage, just as
taking a survey of all the users of namei was an important
prerequisite for the namei changes I've been planning.

> If you are suggesting that I will be checking in kauth(9) functionality
> without peer review or approval, I suggest you go through some of the
> relevant commit logs.

Yes, in fact, that history is what concerns me.

> David, I've got a feeling that you're very emotional about the vnode
> scope [...]

I'm emotional because I disagree with you? Right, that's the ticket.

 > +                    /* Indicate if the parent directory is sticky. */
 > +                    if ((dnode->tn_mode & S_ISTXT) != 0) {
 > +                            action |= KAUTH_VNODE_PARENT_STICKY;
 > +                    }
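Review bot: `KAUTH_VNODE_PARENT_STICKY` is OR'd into `action` next to the bits that name the requested operation, so a listener receiving the mask cannot separate what is being requested from the conditions under which it is requested, and the sticky state silently disappears for any caller that forgets to set the bit. Suggest passing the parent directory's state (its mode, or `dnode` itself) as part of the authorization context rather than as an action bit, keeping `action` to operation bits only; the `/* Indicate if the parent directory is sticky. */` comment and the `S_ISTXT` test would then move to wherever the context is assembled.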

...and this is the kind of thing that concerns me. The parent
directory being sticky is not an action. The parent directory being
sticky is part of the context in which an action is taken.

-- 
David A. Holland
dholland%netbsd.org@localhost

