From: Pawel Jakub Dawidek <pjd@FreeBSD.org>
To: freebsd-arch@freebsd.org
Date: Sat, 27 Mar 2004 21:36:20 +0100
Message-ID: <20040327203620.GR8930@darkness.comp.waw.pl>
Subject: fchroot(2) and others.

Hi.

Are we interested in an fchroot(2) syscall? It exists in NetBSD. If so, its implementation is in the pjd_secure_syscalls branch or at:

http://people.freebsd.org/~pjd/patches/secure_syscalls.patch

I've also implemented safe versions of other syscalls:

int flink(int fd, const char *link);
int funlink(int fd, const char *path);
int frename(int fd, const char *from, const char *to);

Maybe funlink(2) and frename(2) look weird, but it should work.
The idea is that one cannot pass only a descriptor number to those functions, because they operate on file system object names and there is no clean way to get a path name from a descriptor. So I decided to do it this way:

1. Take vnode from file descriptor.
2. Lock vnode.
3. Take vnode from path.
4. Lock vnode.
5. Compare both vnodes.
6. If equal, do the action (rename, unlink).

So we need to open the given file and pass the descriptor number and its file name to the syscall. Code in the branch is not tested yet; it is only a proof-of-concept.

-- 
Pawel Jakub Dawidek                       http://www.FreeBSD.org
pjd@FreeBSD.org                           http://garage.freebsd.pl
FreeBSD committer                         Am I Evil? Yes, I Am!
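The six-step check above (vnode from fd, vnode from path, compare, then act) can be sketched in userland to show what the proposed syscalls buy you. The following is an added example and not code from the patch or the branch; it uses fstat(2)/lstat(2) and compares st_dev/st_ino as the userland stand-in for comparing two vnodes, and the names funlink_user, frename_user, same_object and run_selftest, as well as the choice of EINVAL for a mismatch, are assumptions made for this illustration. The temporary files it creates under /tmp are constructed test input.

```c
/* Added example: userland sketch of the funlink/frename check described
 * in the message (not the patch's own code). fstat/lstat + st_dev/st_ino
 * stand in for "take vnode, compare vnodes". */
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* 1 if fd and path name the same object (same device and inode),
 * 0 if they differ, -1 on error (errno set by fstat/lstat). */
static int same_object(int fd, const char *path)
{
    struct stat sfd, spath;
    if (fstat(fd, &sfd) == -1)
        return -1;
    if (lstat(path, &spath) == -1)
        return -1;
    return (sfd.st_dev == spath.st_dev && sfd.st_ino == spath.st_ino) ? 1 : 0;
}

/* Unlink path only if fd refers to the same object. Mismatch -> -1/EINVAL
 * (assumed errno; the message does not say what the syscall returns). */
int funlink_user(int fd, const char *path)
{
    int r = same_object(fd, path);
    if (r == -1)
        return -1;
    if (r == 0) {
        errno = EINVAL;
        return -1;
    }
    return unlink(path);
}

/* Rename from->to only if fd refers to the object named by from. */
int frename_user(int fd, const char *from, const char *to)
{
    int r = same_object(fd, from);
    if (r == -1)
        return -1;
    if (r == 0) {
        errno = EINVAL;
        return -1;
    }
    return rename(from, to);
}

/* Self-test on two constructed temp files. Returns 0 when the behaviour
 * matches the description, a small nonzero step number otherwise. */
int run_selftest(void)
{
    char a[] = "/tmp/funlink_a.XXXXXX";
    char b[] = "/tmp/funlink_b.XXXXXX";
    char to[64];
    int fa = mkstemp(a), fb = mkstemp(b);
    if (fa == -1 || fb == -1)
        return 1;

    /* Descriptor for a, path of b: must refuse and leave b alone. */
    if (funlink_user(fa, b) != -1 || errno != EINVAL || access(b, F_OK) != 0)
        return 2;
    /* Descriptor for b, path "from" names a: must refuse the rename. */
    snprintf(to, sizeof to, "%s.renamed", a);
    if (frename_user(fb, a, to) != -1 || errno != EINVAL || access(a, F_OK) != 0)
        return 3;

    /* Matching pairs: both operations go through. */
    if (funlink_user(fb, b) != 0 || access(b, F_OK) == 0)
        return 4;
    if (frename_user(fa, a, to) != 0 || access(to, F_OK) != 0 || access(a, F_OK) == 0)
        return 5;

    unlink(to);
    close(fa);
    close(fb);
    return 0;
}

int main(void)
{
    int rc = run_selftest();
    printf("selftest: %s (%d)\n", rc == 0 ? "ok" : "FAILED", rc);
    return rc;
}
```

Note what the userland version cannot do: between lstat(2) and unlink(2)/rename(2) another process can still replace the path, so the window the check is meant to close remains open. That is exactly why the message puts the comparison in the kernel with both vnodes locked (steps 2 and 4) before the action in step 6.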