move audit/privilege check into VFS
Robert Watson
rwatson at FreeBSD.org
Mon Apr 23 12:22:19 UTC 2007
On Sun, 22 Apr 2007, Howard Su wrote:
> When I was working on tmpfs privilege, I needed to copy a lot of privilege
> check code from UFS. I suppose there is the same problem in ZFS. So moving
> this sort of privilege code into VFS will reduce a lot of duplicate code and
> also make fs implementation simple and consistent in security matters.
>
> Besides that, some quota/extattr features can also be implemented in the VFS layer.
>
> I suppose the fact today that a lot of stuff is UFS related is because we
> have VFS after UFS. So VFS only abstracts the common stuff for misc file
> systems like iso/udf/msdosfs. We didn't suppose we would have more
> full-featured file systems besides UFS. (NFS has its own & different
> implementation about security.)
>
> Does VFS have other design goals that I am not aware of, preventing us from
> moving more shared code into it?
Pawel and I have talked about this a bit in the past -- vaccess(9) and
vaccess_acl_posix1e(9) were really the first step in abstracting file system
access control decisions, and aren't a bad step -- they certainly cover a lot
of the previously plentifully replicated cases (countless foo_access() VOP
implementations). However, I think we should be restrained and do a bit of
experimentation -- sometimes as much work could be done bundling up the common
arguments to deliver them to a central access check as is done in having the
access check appear in the calling code itself. Can we refine VOP_ACCESS() a
bit further to get what we need, or do we need new common functions?
Robert N M Watson
Computer Laboratory
University of Cambridge
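
Added example, not part of the original message and not FreeBSD's kernel code: a simplified userspace C model of the pattern discussed above, where each file system's access routine only unpacks its own node fields and hands them to one central check in the style of vaccess(9). All struct, function and flag names here are hypothetical, and the single `privileged` flag stands in for the kernel's privilege checks.

```c
#include <errno.h>
#include <stdbool.h>
#include <sys/types.h>

enum { ACC_READ = 4, ACC_WRITE = 2, ACC_EXEC = 1 };  /* this example's own names */

struct cred_model {            /* hypothetical stand-in for a kernel credential */
    uid_t uid;
    gid_t gid;
    bool  privileged;          /* stands in for the kernel's privilege checks */
};

/* Central check: owner, then group, then other; the first matching class decides. */
int common_access(bool is_dir, mode_t mode, uid_t fuid, gid_t fgid,
                  int acc, const struct cred_model *c)
{
    int granted;
    if (c->uid == fuid)      granted = (mode >> 6) & 7;
    else if (c->gid == fgid) granted = (mode >> 3) & 7;
    else                     granted = mode & 7;
    if ((acc & granted) == acc)
        return 0;
    if (!c->privileged)
        return EACCES;
    /* Privilege overrides the mode bits, except exec of a regular file with no x bit. */
    if ((acc & ~granted & ACC_EXEC) && !is_dir && (mode & 0111) == 0)
        return EACCES;
    return 0;
}

/* Two constructed per-file-system node layouts with different field names. */
struct tmpfs_node_model { bool dir; mode_t tn_mode; uid_t tn_uid; gid_t tn_gid; };
struct ufs_inode_model  { mode_t i_mode; uid_t i_uid; gid_t i_gid; bool i_isdir; };

/* Each access routine only bundles its node's fields and defers the decision. */
int tmpfs_model_access(const struct tmpfs_node_model *n, int acc,
                       const struct cred_model *c)
{
    return common_access(n->dir, n->tn_mode, n->tn_uid, n->tn_gid, acc, c);
}

int ufs_model_access(const struct ufs_inode_model *ip, int acc,
                     const struct cred_model *c)
{
    return common_access(ip->i_isdir, ip->i_mode, ip->i_uid, ip->i_gid, acc, c);
}
```

Because both wrappers reduce to the same call, a fix to the privilege or class-matching rule lands in every file system at once; the cost is the argument bundling each wrapper has to do.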