Date:      Thu, 1 Nov 2001 16:14:43 -0500 (EST)
From:      Robert Watson <rwatson@FreeBSD.org>
To:        arch@FreeBSD.org
Subject:   Changes to suser() and friends
Message-ID:  <Pine.NEB.3.96L.1011101160457.6122D-100000@fledge.watson.org>


Currently, in a post-KSE world, we have the following calls relating to
the 'superuser' concept:

int     suser __P((struct proc *));
int     suser_td __P((struct thread *));
int     suser_xxx __P((struct ucred *cred, struct proc *proc, int flag));
int     suser_xxx_td __P((struct ucred *cred, struct thread *thread, int flag));

I'd like to propose they be collapsed into one of the following:

(1) Two calls, one with flags, and one without, both accepting ucreds as
    arguments:

    int    suser __P((struct ucred *));
    int    suser_xxx __P((struct ucred *cred, int flag));

(2) One call, with flags, accepting a ucred as an argument:

    int   suser __P((struct ucred *cred, int flag));

I don't really mind which it is, but have a slight preference for
suser() without a suser_xxx(), since suser_xxx() has the appearance of a
hack.  Rationale for the change:

(1) suser() no longer requires access to the process or thread structure,
    since (a) ASU has been deprecated, and (b) prison-related proc
    contents required for access control have been moved to struct ucred.
    As such, a ucred is now sufficient.

(2) Removal of redundant interfaces.  All of these calls are wrappers for
    suser_xxx().

(3) Simplification of locking and reference management.  The new suser
    call(s) will require only a valid read-only reference to a struct
    ucred pointer.  Existing calls may (depending on arguments) require
    references to threads and processes, and conceivably locks on them.

The new model allows the caller to select the correct ucred (which the
calling code already does, by virtue of selecting what gets passed in). 
Given that current calling code generally has to now choose between a
process and a thread to find the ucred, I don't believe the slightly
increased complication of:

	error = suser(p->p_ucred);
or
	error = suser(td->td_proc->p_ucred);
or
	error = suser(td->td_ucred);

is substantial.  In fact, given that threads will have access to two
credentials (the thread cached credential, and the process credential),
making it explicit is probably a very good idea. 

Assuming there are no objections, I plan to commit this change on Monday. 

Robert N M Watson             FreeBSD Core Team, TrustedBSD Project
robert@fledge.watson.org      NAI Labs, Safeport Network Services
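The ucred-only suser(cred, flag) interface proposed in the mail above, modelled in user-space C as an added example (this is not the FreeBSD kernel's code and is not part of Robert Watson's message). The struct layouts, the PRISON_ROOT flag, the jailed() helper and the sample credentials are assumptions constructed for illustration; the model also shows the three call forms from the mail and why the thread-cached and process credentials have to be chosen explicitly by the caller.

```c
/*
 * Added example, not FreeBSD kernel code: a user-space model of the
 * proposed ucred-only suser(cred, flag).  Struct layouts, PRISON_ROOT,
 * jailed() and the sample data are assumptions made for illustration.
 */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

struct prison {                 /* assumed: only an identity is modelled */
    int pr_id;
};

struct ucred {                  /* assumed minimal credential */
    unsigned int cr_uid;        /* effective uid; 0 is the superuser */
    struct prison *cr_prison;   /* non-NULL when the credential is jailed */
};

struct proc {                   /* assumed: process credential only */
    struct ucred *p_ucred;
};

struct thread {                 /* assumed: owning proc + cached credential */
    struct proc *td_proc;
    struct ucred *td_ucred;
};

#define PRISON_ROOT 0x1         /* assumed flag: jailed root may pass */

/* A credential is jailed when it carries a prison reference. */
static int jailed(const struct ucred *cred)
{
    return cred->cr_prison != NULL;
}

/*
 * The proposed interface: superuser status is decided from the
 * credential alone.  Returns 0 on success, EPERM otherwise.  No proc or
 * thread reference or lock is needed, only a stable read-only ucred.
 */
int suser(const struct ucred *cred, int flag)
{
    if (cred == NULL)
        return EPERM;           /* refuse rather than guess a credential */
    if (cred->cr_uid != 0)
        return EPERM;           /* not root at all */
    if (jailed(cred) && !(flag & PRISON_ROOT))
        return EPERM;           /* jailed root needs explicit opt-in */
    return 0;
}

/* Constructed sample credentials. */
static struct prison jail1     = { 1 };
static struct ucred host_root  = { 0,    NULL };
static struct ucred host_user  = { 1001, NULL };
static struct ucred jail_root  = { 0,    &jail1 };

/*
 * Constructed scenario: the process credential is unprivileged, but the
 * thread still holds a cached root credential (as if the process
 * credential changed after this thread cached its copy).  The two call
 * forms from the mail therefore give different answers, which is why the
 * caller, not suser(), should pick the ucred.
 */
static struct proc   sample_proc = { &host_user };
static struct thread sample_td   = { &sample_proc, &host_root };

int suser_via_proc(const struct thread *td, int flag)
{
    return suser(td->td_proc->p_ucred, flag);   /* process credential */
}

int suser_via_thread(const struct thread *td, int flag)
{
    return suser(td->td_ucred, flag);           /* thread-cached credential */
}

int main(void)
{
    printf("host root, no flag:        %d\n", suser(&host_root, 0));
    printf("host user, no flag:        %d\n", suser(&host_user, 0));
    printf("jail root, no flag:        %d\n", suser(&jail_root, 0));
    printf("jail root, PRISON_ROOT:    %d\n", suser(&jail_root, PRISON_ROOT));
    printf("thread via proc cred:      %d\n", suser_via_proc(&sample_td, 0));
    printf("thread via cached cred:    %d\n", suser_via_thread(&sample_td, 0));
    return 0;
}
```

The model keeps the decision a pure function of the credential, which is what makes the locking argument in the mail work: the caller only has to guarantee that the ucred it hands over stays valid for the duration of the call.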

