[OpenAFS-devel] Re: [OpenAFS] 2.6 kernel support anytime soon? Workarounds?

Garrett Wollman wollman@khavrinen.lcs.mit.edu
Mon, 10 May 2004 18:01:17 -0400 (EDT)


<<On Mon, 10 May 2004 15:50:42 -0400, "chas williams (contractor)" <chas@cmf.nrl.navy.mil> said:

> nfsv4 might want to use but i haven't seen anything in that direction.
> a possible fix might be to get bsd and linux to support registering a
> callback from the setgroups syscall.  directly modifying sys_call_table[]
> was broken because it's dangerous and difficult to do safely.

Putting the PAG in the supplementary group list, though unavoidable,
was and is no less broken.  The semantics that AFS really wants (and
probably kNFS/NFSv4 as well) are much closer to those of a process
label.

What AFS wants are the following three functions:

int afs_assign_process_label(afs_process_t p);
int afs_get_label(afs_process_t p, afs_label_t *l);
int afs_label_destruction_callback(afs_label_t l);

This is trivial to implement in the TrustedBSD MAC framework, in which
MAC labels in credentials are implemented as an array of
        union {
                void    *l_ptr;
                long     l_long;
        }
...and callbacks are provided at all the appropriate points to do
reference-counting.

It should be fairly easy to implement this interface on any operating
system that has a similar notion of extended process credentials.

-GAWollman
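
An added example, not part of the original message and not OpenAFS or TrustedBSD code: a user-space C model of the process-label semantics described above, with a credential slot shaped like the quoted union and reference counting at the credential copy and destroy points. The names pag_label, cred, label_destroyed and the cred_*_label functions are hypothetical and are not the MAC framework's API.

```c
#include <stdlib.h>

/* Slot shaped like the union quoted in the post. */
union label_slot { void *l_ptr; long l_long; };
struct pag_label { long id; int refs; };  /* hypothetical shared PAG label */
struct cred { union label_slot slot; };   /* hypothetical credential */

static int destroyed_count;  /* times the destruction callback fired */
static long last_destroyed;  /* PAG id seen by the latest callback */
/* Destruction callback: where a file system would discard the PAG's tokens. */
static void label_destroyed(struct pag_label *l) {
    destroyed_count++;
    last_destroyed = l->id;
    free(l);
}
/* Credential destroy hook (process exit): last holder fires the callback. */
static void cred_release_label(struct cred *c) {
    struct pag_label *l = c->slot.l_ptr;
    c->slot.l_ptr = NULL;
    if (l != NULL && --l->refs == 0)
        label_destroyed(l);
}
/* Give a credential a fresh label (new PAG), dropping any label it held. */
static int cred_assign_label(struct cred *c, long id) {
    struct pag_label *l = malloc(sizeof *l);
    if (l == NULL) return -1;
    l->id = id;
    l->refs = 1;
    cred_release_label(c);
    c->slot.l_ptr = l;
    return 0;
}
/* Credential copy hook (fork): dst starts unlabeled, shares src's label. */
static void cred_copy_label(const struct cred *src, struct cred *dst) {
    struct pag_label *l = src->slot.l_ptr;
    dst->slot.l_ptr = l;
    if (l != NULL) l->refs++;
}
/* Return the PAG id, or -1 when the credential is unlabeled. */
static long cred_get_label(const struct cred *c) {
    const struct pag_label *l = c->slot.l_ptr;
    return l != NULL ? l->id : -1;
}
int main(void) {
    struct cred parent = {{NULL}}, child = {{NULL}};
    if (cred_assign_label(&parent, 42) != 0) return 1;
    cred_copy_label(&parent, &child);  /* fork: child shares PAG 42 */
    cred_release_label(&parent);       /* parent exits, label survives */
    cred_release_label(&child);        /* last holder exits, callback fires */
    return (destroyed_count == 1 && cred_get_label(&child) == -1) ? 0 : 1;
}
```

The label lives with the credential rather than in the supplementary group list, so nothing in this model depends on setgroups.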