tech-security: Re: nfs optimization and veriexec

Subject: Re: nfs optimization and veriexec
To: None <tech-kern@netbsd.org>
From: YAMAMOTO Takashi <yamt@mwd.biglobe.ne.jp>
List: tech-security
Date: 10/29/2007 19:49:59

> hi,
> 
> i'd like to make a change like the following, which optimize a RPC away
> in some cases.
> however, i think it breaks veriexec. (specifically, breaks assumptions
> held by veriexec_openchk.)
> can any veriexec people take a look and suggest how it should be solved?
> 
> thanks.
> 
> YAMAMOTO Takashi

as some people asked me to explain more...

currently, create basically works as the following,

	1. VOP_LOOKUP: issue a LOOKUP RPC to check if the file already exists.
	2. veriexec_openchk.
	3. VOP_CREATE: issue a CREATE RPC to create a file.

the patch changes it to delegate more to nfs server.
ie.
	1. VOP_LOOKUP: just return.
	2. veriexec_openchk ???
	3. VOP_CREATE: issue a CREATE RPC to do "create a file unless
	   it already exists."

YAMAMOTO Takashi