[OpenAFS-devel] keyring/pag support for linux

chas williams - CONTRACTOR chas@cmf.nrl.navy.mil
Mon, 17 Jul 2006 22:38:56 -0400


In message <E3D83F41233D863BE47C7AA8@sirius.fac.cs.cmu.edu>, Jeffrey Hutzelman writes:
>> setpag() still works the same, but does require another library to
>> be linked against it.  yes, this is a drag.
>
>I guess I was unclear.  I don't mean setpag() the library call, I mean 
>AFSCALL_SETPAG, as called via afs_syscall() or the /proc ioctl interface. 
>OpenAFS's libsys.a is not the only thing that knows how to use this 
>interface, and it's not reasonable to make other things that use it stop 
>working, especially if the failure mode is that they think everything is 
>fine except it didn't do anything.

i didn't think there were too many applications that issue direct syscalls.
the keyring doesn't completely replace setpag(), it just uses it to carry
the pag across the session boundary.  applications using the direct
syscall interface won't break, but they won't be any less broken.

>Sure, but what happens to a process that creates a new session keyring, and 
>thus has no PAG?  Can't it then join any PAG it wants?

nope.  you still had to issue the first half of the setpag() and get the
pag groups inserted into your group list.  then when the user creates
a key, the instantiate stub can make sure they aren't being clever.
if you don't have the pag groups, the instantiate could/would/should fail.
because we use our own keytype we are able to enforce certain behaviors.

>> so the PagInCred() could trust only keys owned by root.
>
>I suppose you could do this, except that then you have to be root to call 
>setpag().

i don't think so.  the key instantiate is in the kernel and we can probably
modify the key during creation to change its ownership/permissions to
keep people from tampering with it.

>Please try to make the existing interfaces work, rather than just the 
>programs we happen to ship that use those interfaces.

i think setpag() is an interface.  i don't think syscall(AFS_PIOCTL)
is a "published" (or acceptable) interface.  people doing that are
just being a bit too clever.  when i want to open a file, i don't issue
syscall(SYS_OPEN).  it's also fraught with peril.  the afs syscall
number isn't the same across platforms.  this means you get to build
your own nested mess of #ifdef's.  the openafs programmers did this for
you already.

btw, if you think you can move the linux kernel mountain, more power to you.