From owner-cvs-src@FreeBSD.ORG Wed Aug 17 01:24:56 2005 Return-Path: X-Original-To: cvs-src@FreeBSD.org Delivered-To: cvs-src@FreeBSD.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 5AE2B16A41F; Wed, 17 Aug 2005 01:24:56 +0000 (GMT) (envelope-from csjp@FreeBSD.org) Received: from repoman.freebsd.org (repoman.freebsd.org [216.136.204.115]) by mx1.FreeBSD.org (Postfix) with ESMTP id 2D6DE43D45; Wed, 17 Aug 2005 01:24:56 +0000 (GMT) (envelope-from csjp@FreeBSD.org) Received: from repoman.freebsd.org (localhost [127.0.0.1]) by repoman.freebsd.org (8.13.1/8.13.1) with ESMTP id j7H1OuJJ047751; Wed, 17 Aug 2005 01:24:56 GMT (envelope-from csjp@repoman.freebsd.org) Received: (from csjp@localhost) by repoman.freebsd.org (8.13.1/8.13.1/Submit) id j7H1Ou1j047750; Wed, 17 Aug 2005 01:24:56 GMT (envelope-from csjp) Message-Id: <200508170124.j7H1Ou1j047750@repoman.freebsd.org> From: "Christian S.J. Peron" Date: Wed, 17 Aug 2005 01:24:55 +0000 (UTC) To: src-committers@FreeBSD.org, cvs-src@FreeBSD.org, cvs-all@FreeBSD.org X-FreeBSD-CVS-Branch: HEAD Cc: Subject: cvs commit: src/sys/dev/md md.c X-BeenThere: cvs-src@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: CVS commit messages for the src tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 17 Aug 2005 01:24:56 -0000 csjp 2005-08-17 01:24:55 UTC FreeBSD src repository Modified files: sys/dev/md md.c Log: Ensure that file flags such as schg, sappnd (and others) are honored by md(4). Before this change, it was possible to by-pass these flags by creating memory disks which used a file as a backing store and writing to the device. This was discussed by the security team, and although this is problematic, it was decided that it was not critical as we never guarantee that root will be restricted. This change implements the following behavior changes: -If the user specifies the readonly flag, unset write operations before opening the file. If the FWRITE mask is unset, the device will be created with the MD_READONLY mask set. (readonly) -Add a check in g_md_access which checks to see if the MD_READONLY mask is set, if so return EROFS -Do not gracefully downgrade access modes without telling the user. Instead make the user specify their intentions for the device (assuming the file is read only). This seems like the more correct way to handle things. This is a RELENG_6 candidate. PR: kern/84635 Reviewed by: phk Revision Changes Path 1.154 +8 -8 src/sys/dev/md/md.c