tech-kern archive


Re: Vnode scope implementation



On Sun, Jul 19, 2009 at 03:58:40PM +0300, Elad Efrat wrote:
 > >>> can you explain what's the point to call kauth when fs_decision is
 > >>> already non-0?
 > >>> i don't think it's a good idea to let kauth allow operations which
 > >>> have already been rejected by the filesystem itself.
 > >>
 > >> I think it's a very good idea, because then kauth(9) can implement MACs.
 > >
 > > can you explain how it's required for MAC? it isn't clear to me.
 > 
 > Consider a file owned by yamt:yamt (say, 1000:1000) with permissions
 > 0600. Let's say root is trying to access that file. Because root has
 > euid 0, and the file has uid 1000, the file-system will deny access
 > due to uid mismatch. However, once kauth(9) gets a chance to flip the
 > decision, it can say, "but really, euid 0 should have access to this
 > file".

That's not MAC!

Supporting euid 0 is a reason that kauth needs to be able to switch
"not allowed" to "allowed", but without additional information (that
might be fs-specific) it is likely to turn into a too-blunt hammer.

E.g. even root isn't allowed to exec /etc/passwd, because it's not
executable. I think this requires subdividing the fs check further...

-- 
David A. Holland
dholland%netbsd.org@localhost
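The point of the exchange above, modeled as an added example that is not code from this thread or from NetBSD: a filesystem check runs first and reports why it denied, and a kauth-style listener then gets a chance to flip the decision. The two listeners show the difference between a blunt "euid 0 may override any denial" rule (which would let root exec a 0644 /etc/passwd) and a listener that may override only owner/mode mismatches because the filesystem's denial has been subdivided by reason. All names here (`fs_decision` values, `vnode_m`, `cred_m`, the listener functions) are hypothetical and are not NetBSD's actual kauth(9) or vnode API; the files and credentials are constructed sample objects.

```c
#include <stdbool.h>
#include <stdio.h>
#include <sys/types.h>

/* Constructed model of the permission-relevant part of a vnode. */
struct vnode_m {
    const char *path;
    uid_t uid;
    gid_t gid;
    mode_t mode;   /* permission bits only */
};

/* Caller credentials (hypothetical stand-in for kauth_cred_t). */
struct cred_m {
    uid_t euid;
    gid_t egid;
};

/* Requested access, in the style of VREAD/VWRITE/VEXEC. */
enum { ACC_READ = 4, ACC_WRITE = 2, ACC_EXEC = 1 };

/* Subdivided filesystem verdict (hypothetical refinement of a single
 * "non-0 means denied" fs_decision). */
enum fs_decision {
    FS_ALLOW = 0,
    FS_DENY_DAC,         /* the caller's class (owner/group/other) lacks the bits */
    FS_DENY_NOEXEC_ANY   /* exec requested but no class has an execute bit at all */
};

/* Classic DAC check, reporting why it denies rather than just that it denies. */
static enum fs_decision fs_access(const struct vnode_m *vp,
                                  const struct cred_m *cr, int req)
{
    int shift;
    if (cr->euid == vp->uid)      shift = 6;
    else if (cr->egid == vp->gid) shift = 3;
    else                          shift = 0;
    int granted = (vp->mode >> shift) & 7;

    if ((req & ACC_EXEC) && (vp->mode & 0111) == 0)
        return FS_DENY_NOEXEC_ANY;
    if ((req & granted) != req)
        return FS_DENY_DAC;
    return FS_ALLOW;
}

/* Blunt listener: euid 0 overrides every denial, whatever its reason. */
static bool blunt_listener(const struct cred_m *cr, enum fs_decision d)
{
    if (d == FS_ALLOW) return true;
    return cr->euid == 0;
}

/* Refined listener: euid 0 overrides only owner/mode mismatches; a file
 * nobody may execute stays non-executable even for root. */
static bool refined_listener(const struct cred_m *cr, enum fs_decision d)
{
    if (d == FS_ALLOW) return true;
    if (d == FS_DENY_DAC) return cr->euid == 0;
    return false;
}

/* Authorization chain: filesystem decides first, listener may then flip it. */
static bool authorize(const struct vnode_m *vp, const struct cred_m *cr, int req,
                      bool (*listener)(const struct cred_m *, enum fs_decision))
{
    return listener(cr, fs_access(vp, cr, req));
}

/* Constructed sample objects matching the thread's scenarios. */
static const struct vnode_m yamt_file  = { "/home/yamt/secret", 1000, 1000, 0600 };
static const struct vnode_m etc_passwd = { "/etc/passwd",          0,    0, 0644 };
static const struct cred_m  root_cred  = { 0, 0 };
static const struct cred_m  other_cred = { 1001, 1001 };

int main(void)
{
    printf("root read  %s (blunt):   %d\n", yamt_file.path,
           authorize(&yamt_file, &root_cred, ACC_READ, blunt_listener));
    printf("root read  %s (refined): %d\n", yamt_file.path,
           authorize(&yamt_file, &root_cred, ACC_READ, refined_listener));
    printf("root exec  %s (blunt):   %d\n", etc_passwd.path,
           authorize(&etc_passwd, &root_cred, ACC_EXEC, blunt_listener));
    printf("root exec  %s (refined): %d\n", etc_passwd.path,
           authorize(&etc_passwd, &root_cred, ACC_EXEC, refined_listener));
    printf("uid 1001 read %s (refined): %d\n", yamt_file.path,
           authorize(&yamt_file, &other_cred, ACC_READ, refined_listener));
    return 0;
}
```

With only a single "denied" value coming back from the filesystem, a listener has no way to tell the uid-mismatch case from the no-execute-bit case, which is exactly why the blunt rule overshoots; carrying the reason up to the listener is one way to let it override the first without the second.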

