tech-kern archive


Re: Vnode scope implementation



On Sun, Jul 19, 2009 at 4:47 PM, Thor Lancelot Simon<tls%panix.com@localhost> wrote:
> On Sun, Jul 19, 2009 at 02:53:09PM +0300, Elad Efrat wrote:
>> On Sun, Jul 19, 2009 at 10:34 AM, YAMAMOTO Takashi<yamt%mwd.biglobe.ne.jp@localhost> wrote:
>>
>> > can you explain what's the point to call kauth when fs_decision is
>> > already non-0?
>> > i don't think it's a good idea to let kauth allow operations which
>> > have already been rejected by the filesystem itself.
>>
>> I think it's a very good idea, because then kauth(9) can implement MACs.
>
> That doesn't make sense to me.  Operations rejected by the filesystem
> itself are probably semantically invalid for that type of filesystem.

That was the idea when I added the foo_check_possible(), where
kauth(9) does NOT intervene, and foo_check_permitted(), where the
operation is "okay", but is only left subject to permissions/ACLs. I
fail to see what does not make sense about a kauth(9) listener, let's
call it bsd44/suser, that says "I allow the operation if the euid is
0", flipping the file-system's decision when it checks for access
control and the comparison between 1000 and 0 turns out to be false.

-e.
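
Added example, not part of the original message and not NetBSD kernel code: a simplified userland model of the two-stage check described above, where a "possible" failure never reaches a listener while a "permitted" failure is handed over as fs_decision and can be flipped by a suser-style listener. Every identifier is hypothetical, and the rule that a deny outranks an allow is an assumption of this model.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>

/* Simplified model; all names are hypothetical, not NetBSD's kernel API. */
enum result { RESULT_ALLOW, RESULT_DENY, RESULT_DEFER };

struct cred  { unsigned euid; };
struct vnode { unsigned owner_uid; bool fs_readonly; };

typedef enum result (*listener_fn)(const struct cred *, const struct vnode *);

/* Stage 1: is a write semantically possible here? No listener sees this. */
static int check_possible(const struct vnode *vp)
{
    return vp->fs_readonly ? EROFS : 0;
}

/* Stage 2: plain permission comparison; the result becomes fs_decision. */
static int check_permitted(const struct cred *c, const struct vnode *vp)
{
    return c->euid == vp->owner_uid ? 0 : EACCES;
}

/* Listener in the spirit of "bsd44/suser": allow if euid is 0, else defer. */
static enum result suser_listener(const struct cred *c, const struct vnode *vp)
{
    (void)vp;
    return c->euid == 0 ? RESULT_ALLOW : RESULT_DEFER;
}

/* Assumed rule: deny wins, then allow; if all defer, fs_decision stands. */
static int authorize(const struct cred *c, const struct vnode *vp,
                     int fs_decision, const listener_fn *ls, size_t n)
{
    bool allowed = false;
    for (size_t i = 0; i < n; i++) {
        enum result r = ls[i](c, vp);
        if (r == RESULT_DENY)
            return EACCES;
        if (r == RESULT_ALLOW)
            allowed = true;
    }
    return allowed ? 0 : fs_decision;
}

/* Full write check: stage 1 short-circuits before any listener runs. */
int model_write_access(unsigned euid, unsigned owner_uid, bool fs_readonly)
{
    const struct cred c = { euid };
    const struct vnode v = { owner_uid, fs_readonly };
    const listener_fn ls[] = { suser_listener };
    int error = check_possible(&v);
    if (error)
        return error;
    return authorize(&c, &v, check_permitted(&c, &v), ls, 1);
}
```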

