tech-net archive


Re: kauth and socket calls (esp. bind())



On Fri, Apr 09, 2010 at 02:25:29PM +0200, Joerg Sonnenberger wrote:
> On Fri, Apr 09, 2010 at 10:24:38AM +0000, Andrew Doran wrote:
> > > I'm not sure I grasp how things like the filesystem or device scopes could
> > > even really work if you can't make kauth calls with locks held.
> > 
> > It cannot work without locks held in various places.
> > What it should say is that kauth itself must not take locks.
> 
> That doesn't work either for the interesting advanced security
> models. E.g. an implementation of zones/jails must be able to protect
> access to the global data structures.

Do you think authorization is the correct tool to implement the classic
bits of zones/jails?  I certainly don't.  What other examples are there?


