Kernels, PAGs, and Filesystems -- Oh My
Sometimes there is light in the world. Okay, really, there is a lot of light, it just takes a certain view point to see it. But in this particular case it looks like we are finally going to have a way to manage process authentication groups (PAGs) for OpenAFS. This makes me quite happy.
There has finally been good, productive conversation on the Linux Kernel Mailing List about getting a keyring object associated with each process. Done in a way so that you can have multiple authentication ‘keys’ that are generic so that they can be used with any application. Think OpenAFS, NFSv4, Kerberos, insert network filesystem here. Quite nice. I hope this comes out in code as well as the planning has gone so far. Google up the LKML and search for ‘PAG’.
I would really like to state how pleased I am with the work and cooperation that David Howells and Kyle Moffett are putting into this.
I had hoped to implement more generic PAGs myself with a kernel module that uses the LSM. I did get a bit of it done…Until I started trying to link into the LSM hooks. They way that the other LSM modules work like SELinux and the Capabilities stuff works doesn’t allow further modules to be “stacked” as I would need to do. Its going to take a real kernel patch and things are, for the first time in a while, looking up. Kudos.