On Thu, 26 Aug 2010, Garrett Wollman wrote:

<<On Wed, 25 Aug 2010 23:03:48 -0400 (EDT), Benjamin Kaduk <[email protected]> said:

On Wed, 25 Aug 2010, Benjamin Kaduk wrote:
if this is FreeBSD HEAD making it harder for us to hook the syscall table or
an afsd regression or me doing something stupid).

Turns out that it was them making it harder for us to hook the syscall
table; my machine is back up.

There is only one supported way for a loadable module to install a
system call; any other attempt at "hooking" is wrong and should not be
attempted -- it is nearly guaranteed that you will not get the
protocol correct.

Indeed. Especially now that the protocol is getting more complicated. Unfortunately, FreeBSD's entry for pioctl (and afs_syscall) does not allow for a module to register that syscall using the proper mechanism. I have sent a patch to Robert Watson that just replaces those entries with the standard entry for syscalls-that-may-be-loaded-by-modules, which works on my local system. I don't know if he and/or kib@ will decide that there is a better way or not, though.


(Has anyone actually implemented PAGs for FreeBSD yet?  It's pretty
obvious how they should be implemented -- as a pseudo-MAC policy --
but I haven't followed the development sufficiently closely.  I'm
concerned that some of this "hooking" might be trying to install
old-style getgroups/setgroups wrappers, which is definitely in
Deserves To Lose territory.)

Robert has also given me some ideas for how to properly implement pags, though I have been spending my time on getting the client to be usable before I look at that in depth. At present, I believe we are manually munging with the groups list to implement them, but they did appear to work when I minimally tested a few months ago.
We're not wrapping getgroups/setgroups, though.

-Ben