[OpenAFS-devel] Re: OpenAFS Master Repository branch, master,
updated. BP--openafs-stable-1_6_x-32-g2ea508e
Derrick Brashear
shadow@gmail.com
Thu, 26 Aug 2010 15:11:54 -0400
On Thu, Aug 26, 2010 at 3:00 PM, Benjamin Kaduk <kaduk@mit.edu> wrote:
> On Thu, 26 Aug 2010, Garrett Wollman wrote:
>
>> <<On Wed, 25 Aug 2010 23:03:48 -0400 (EDT), Benjamin Kaduk <kaduk@MIT.EDU>
>> said:
>>
>>> On Wed, 25 Aug 2010, Benjamin Kaduk wrote:
>>>>
>>>> if this is FreeBSD HEAD making it harder for us to hook the syscall
>>>> table or an afsd regression or me doing something stupid).
>>
>>> Turns out that it was them making it harder for us to hook the syscall
>>> table; my machine is back up.
>>
>> There is only one supported way for a loadable module to install a
>> system call; any other attempt at "hooking" is wrong and should not be
>> attempted -- it is nearly guaranteed that you will not get the
>> protocol correct.
>
> Indeed. Especially now that the protocol is getting more complicated.
> Unfortunately, FreeBSD's entry for pioctl (and afs_syscall) does not allow
> for a module to register that syscall using the proper mechanism. I have
> sent a patch to Robert Watson that just replaces those entries with the
> standard entry for syscalls-that-may-be-loaded-by-modules, which works on my
> local system. I don't know if he and/or kib@ will decide that there is a
> better way or not, though.
>
>>
>> (Has anyone actually implemented PAGs for FreeBSD yet? It's pretty
>> obvious how they should be implemented -- as a pseudo-MAC policy --
>> but I haven't followed the development sufficiently closely. I'm
>> concerned that some of this "hooking" might be trying to install
>> old-style getgroups/setgroups wrappers, which is definitely in
>> Deserves To Lose territory.)
>
> Robert has also given me some ideas for how to properly implement pags,
> though I have been spending my time on getting the client to be usable
> before I look at that in depth. At present, I believe we are manually
> munging with the groups list to implement them, but they did appear to work
> when I minimally tested a few months ago.
> We're not wrapping getgroups/setgroups, though.

I also talked with him a while ago, looking for something which I
could also use for MacOS. Nothing worked out but I should dig out the
code and share it.
-- 
Derrick