> YAMAMOTO Takashi wrote:
>
> > yes, but i really don't want to have veriexec
specific code in
> > each filesystems. can't veriexec be modified to
deal with it?
>
> For a while I've been wanting to modify the way
Veriexec does some
> things, namely the check of strict level in
dev/verified_exec.c, by
> adding a kauth(9) scope for it to perform operations
on.
>
> Perhaps it's a good time to introduce said scope, and
add an action
> to indicate whether the NFS optimization can take
place. Would that
> work for you?
i'm not sure what you mean by "an action to indicate
whether the
NFS optimization can take place."
do you mean to make nfs call kauth_authorize_foo with the
action?
> The only thing I'm wondering about is what the kernel
would do in
> case Veriexec is not even compiled in... maybe just put
in weak-aliased
> stubs (similar to secmodel_start() in
kern/init_main.c).
>
> (perhaps having a file that is always compiled and
contains weak-aliased
> always-allow stubs for when conditionally compiled in
scopes are not
> compiled in is appropriate? 
>
> -e.
i don't understand how it matters.
do you mean a very veriexec specific scope which doesn't
make sense at all
unless veriexec is compiled in?
YAMAMOTO Takashi
|
