On Thu, Aug 26, 2010 at 3:00 PM, Benjamin Kaduk <[email protected]> wrote:
> On Thu, 26 Aug 2010, Garrett Wollman wrote:
>
>> <<On Wed, 25 Aug 2010 23:03:48 -0400 (EDT), Benjamin Kaduk <[email protected]>
>> said:
>>
>>> On Wed, 25 Aug 2010, Benjamin Kaduk wrote:
>>>>
>>>> if this is FreeBSD HEAD making it harder for us to hook the syscall
>>>> table or
>>>> an afsd regression or me doing something stupid).
>>
>>> Turns out that it was them making it harder for us to hook the syscall
>>> table; my machine is back up.
>>
>> There is only one supported way for a loadable module to install a
>> system call; any other attempt at "hooking" is wrong and should not be
>> attempted -- it is nearly guaranteed that you will not get the
>> protocol correct.
>
> Indeed.  Especially now that the protocol is getting more complicated.
> Unfortunately, FreeBSD's entry for pioctl (and afs_syscall) does not allow
> for a module to register that syscall using the proper mechanism.  I have
> sent a patch to Robert Watson that just replaces those entries with the
> standard entry for syscalls-that-may-be-loaded-by-modules, which works on my
> local system.  I don't know if he and/or kib@ will decide that there is a
> better way or not, though.
>
>>
>> (Has anyone actually implemented PAGs for FreeBSD yet?  It's pretty
>> obvious how they should be implemented -- as a pseudo-MAC policy --
>> but I haven't followed the development sufficiently closely.  I'm
>> concerned that some of this "hooking" might be trying to install
>> old-style getgroups/setgroups wrappers, which is definitely in
>> Deserves To Lose territory.)
>
> Robert has also given me some ideas for how to properly implement pags,
> though I have been spending my time on getting the client to be usable
> before I look at that in depth.  At present, I believe we are manually
> munging with the groups list to implement them, but they did appear to work
> when I minimally tested a few months ago.
> We're not wrapping getgroups/setgroups, though.

I also talked with him a while ago, looking for something which I could
also use for MacOS. Nothing worked out but I should dig out the code and
share it.

--
Derrick
_______________________________________________
OpenAFS-devel mailing list
[email protected]
https://lists.openafs.org/mailman/listinfo/openafs-devel
