big filesystems can have thousands of them - no one ever writes them down.
After the first line of numbers just output a '.' for each cylinder group.
Also limit the lines to 79 columns so broken terminal emulaters don't
double-space the output lines.
table. Useful if the disk has remapping drivers installed into it (such as
Ontrack Disk Manager).
Added as an option instead of automatic behavior to let the user scan any
of the two partition tables at will.
We can now delete an entry from the tables using
veriexecctl delete /path/to/file
or remove an entire table using
veriexecctl delete /mount_point
(any directory will work for the mount point it's on)
In particular the 'read' part plays 'hunt the disklabel' in order to get a
label into a local buffer - from where it can be displayed/edited.
The 'write' part makes a separate scan of the disk looking for places to
write the label.
The main changes are:
- It can no longer write the first 8k of the mbr to the pbr (or v.v.)
- All labels on the disk (that it can find) get updated during a write
- With -A all the labels are displayed (inc. those deleted by -D)
- Addition of -D which will delete (by one's complimenting dk_magic{2}) and
existing labels before writing labels to the expected locations.
- -v gives some verbose output to stderr, -vv more etc
A better basis for processing incorrect endian labels, or labels from other
architectures.
This closes a hole pointed out by Thor Lancelot Simon on tech-kern ~3
years ago.
The problem was with running binaries from remote storage, where our
kernel (and Veriexec) has no control over any changes to files.
An attacker could, after the fingerprint has been verified and
program loaded to memory, inject malicious code into the backing
store on the remote storage, followed by a forced flush, causing
a page-in of the malicious data from backing store, bypassing
integrity checks.
Initial implementation by Brett Lymn.
link points to the process's current working directory, and the root
link points to the process's root directory. What else would you
expect?
For directories that are out of reach (caller is in a chroot, target
process is in a different chroot, etc), the links point to "/"
instead.
