[OpenAFS-devel] Re: OpenAFS Master Repository branch, master, updated. BP--openafs-stable-1_6_x-32-g2ea508e

[Benjamin Kaduk]

On Thu, 26 Aug 2010, Garrett Wollman wrote:

> <<On Wed, 25 Aug 2010 23:03:48 -0400 (EDT), Benjamin Kaduk <kaduk@MIT.EDU> said:
>
>> On Wed, 25 Aug 2010, Benjamin Kaduk wrote:
>>> if this is FreeBSD HEAD making it harder for us to hook the syscall table or
>>> an afsd regression or me doing something stupid).
>
>> Turns out that it was them making it harder for us to hook the syscall
>> table; my machine is back up.
>
> There is only one supported way for a loadable module to install a
> system call; any other attempt at "hooking" is wrong and should not be
> attempted -- it is nearly guaranteed that you will not get the
> protocol correct.

Indeed.  Especially now that the protocol is getting more complicated. 
Unfortunately, FreeBSD's entry for pioctl (and afs_syscall) does not allow 
for a module to register that syscall using the proper mechanism.  I have 
sent a patch to Robert Watson that just replaces those entries with the 
standard entry for syscalls-that-may-be-loaded-by-modules, which works on 
my local system.  I don't know if he and/or kib@ will decide that there is 
a better way or not, though.

>
> (Has anyone actually implemented PAGs for FreeBSD yet?  It's pretty
> obvious how they should be implemented -- as a pseudo-MAC policy --
> but I haven't followed the development sufficiently closely.  I'm
> concerned that some of this "hooking" might be trying to install
> old-style getgroups/setgroups wrappers, which is definitely in
> Deserves To Lose territory.)

Robert has also given me some ideas for how to properly implement pags, 
though I have been spending my time on getting the client to be usable 
before I look at that in depth.  At present, I believe we are manually 
munging with the groups list to implement them, but they did appear to 
work when I minimally tested a few months ago.
We're not wrapping getgroups/setgroups, though.

-Ben