Re: Using File Operation Scope (KAUTH_SCOPE_FILEOP)
- Subject: Re: Using File Operation Scope (KAUTH_SCOPE_FILEOP)
- From: Quinn <email@hidden>
- Date: Tue, 29 Nov 2005 17:18:17 +0000
At 10:29 +0000 29/11/05, Oliver Donald wrote:
> But my main question is, why does the KAUTH_SCOPE_FILEOP scope not
> allow me to deny?

That's just the way it's designed. KAUTH_SCOPE_FILEOP is for notification, KAUTH_SCOPE_VNODE is for checking.

> Is there any chance of this being implemented in the future?

No.

> My second plan would be to use the KAUTH_SCOPE_VNODE scope, but this
> is too late,

Why do you say that? Vnode scope authorization is requested when the file is opened, not for each individual read or write (that would be /way/ too expensive). A vnode scope listener is the correct place to add extra security checks. In fact, the default listener for the vnode scope is responsible for implementing the system's built-in permissions checking.
S+E
--
Quinn "The Eskimo!" <http://www.apple.com/developer/>
Apple Developer Technical Support * Networking, Communications, Hardware
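
Added example, not part of the original message and not Apple's code: a user-space C model of the distinction drawn in the reply, where a listener's verdict is discarded in a notification scope but can refuse the open in a checking scope. Every name here (`authorize`, `policy_listener`, `open_for_write`, the `/protected/` prefix) is hypothetical, and the vnode combining rule (any deny refuses, otherwise at least one allow is needed) is an assumed simplification.

```c
/* User-space model, constructed for illustration. This is NOT kernel code and
 * does not call the kauth KPI; it only mirrors the two scopes' behaviour. */
#include <stdio.h>
#include <string.h>

/* Names echo the kauth result codes; the values are local to this model. */
enum { RESULT_ALLOW = 1, RESULT_DENY, RESULT_DEFER };
enum scope_kind { SCOPE_FILEOP, SCOPE_VNODE };

typedef int (*listener_fn)(const char *path, int want_write);

/* Stand-in for the default listener's built-in permission check (assumed
 * here to permit everything so the extra policy is the deciding factor). */
static int default_listener(const char *path, int want_write) {
    (void)path; (void)want_write;
    return RESULT_ALLOW;
}

/* Extra security check: refuse writes under a protected prefix, defer the rest. */
static int policy_listener(const char *path, int want_write) {
    if (want_write && strncmp(path, "/protected/", 11) == 0)
        return RESULT_DENY;
    return RESULT_DEFER;
}

/* Returns 0 when the operation proceeds, -1 when it is refused. */
static int authorize(enum scope_kind scope, const listener_fn *ls, size_t n,
                     const char *path, int want_write) {
    int allowed = 0, denied = 0;
    for (size_t i = 0; i < n; i++) {
        int r = ls[i](path, want_write);       /* every listener is called */
        if (scope == SCOPE_FILEOP) continue;   /* notification: verdict dropped */
        if (r == RESULT_DENY) denied = 1;
        else if (r == RESULT_ALLOW) allowed = 1;
    }
    if (scope == SCOPE_FILEOP) return 0;       /* cannot deny from this scope */
    return (!denied && allowed) ? 0 : -1;      /* checking: a deny wins */
}

int open_for_write(enum scope_kind scope, const char *path) {
    const listener_fn chain[] = { default_listener, policy_listener };
    return authorize(scope, chain, 2, path, 1);
}

int main(void) {
    printf("vnode:  %d\n", open_for_write(SCOPE_VNODE, "/protected/a.txt"));
    printf("fileop: %d\n", open_for_write(SCOPE_FILEOP, "/protected/a.txt"));
    return 0;
}
```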