This closes a hole pointed out by Thor Lancelot Simon on tech-kern ~3
years ago.
The problem was with running binaries from remote storage, where our
kernel (and Veriexec) has no control over any changes to files.
An attacker could, after the fingerprint has been verified and
program loaded to memory, inject malicious code into the backing
store on the remote storage, followed by a forced flush, causing
a page-in of the malicious data from backing store, bypassing
integrity checks.
Initial implementation by Brett Lymn.
link points to the process's current working directory, and the root
link points to the process's root directory. What else would you
expect?
For directories that are out of reach (caller is in a chroot, target
process is in a different chroot, etc), the links point to "/"
instead.
tmpfs' "API" and was already rotting.
Instead, merge all the relevant comments into the code. This includes
acknowledgements to Google's Summer of Code 2005 program (they were in the
AUTHORS section of tmpfs(9) before), so all the files need to be changed
to include this sentence alongside the title. (Note that this was not a
requirement of the program.)
- Remove all NFS related stuff from file system specific code.
- Drop the vfs_checkexp hook and generalize it in the new nfs_check_export
function, thus removing redundancy from all file systems.
- Move all NFS export-related stuff from kern/vfs_subr.c to the new
file sys/nfs/nfs_export.c. The former was becoming large and its code
is always compiled, regardless of the build options. Using the latter,
the code is only compiled in when NFSSERVER is enabled. While doing this,
also make some functions in nfs_subs.c conditional to NFSSERVER.
- Add a new command in nfssvc(2), called NFSSVC_SETEXPORTSLIST, that takes a
path and a set of export entries. At the moment it can only clear the
exports list or append entries, one by one, but it is done in a way that
allows setting the whole set of entries atomically in the future (see the
comment in mountd_set_exports_list or in doc/TODO).
- Change mountd(8) to use the nfssvc(2) system call instead of mount(2) so
that it becomes file system agnostic. In fact, all this whole thing was
done to remove a 'XXX' block from this utility!
- Change the mount*, newfs and fsck* userland utilities to not deal with NFS
exports initialization; done internally by the kernel when initializing
the NFS support for each file system.
- Implement an interface for VFS (called VFS hooks) so that several kernel
subsystems can run arbitrary code upon receipt of specific VFS events.
At the moment, this only provides support for unmount and is used to
destroy NFS exports lists from the file systems being unmounted, though it
has room for extension.
Thanks go to yamt@, chs@, thorpej@, wrstuden@ and others for their comments
and advice in the development of this patch.
was developed as part of Google's Summer of Code 2005 program. This
change adds the kernel code, the mount_tmpfs utility, a regression test
suite and does all other related changes to integrate these.
The file-system is still *experimental*. Therefore, it is disabled by
default in all kernels. However, as typically done, a commented-out
entry is added in them to ease its setup.
Note that I haven't commited the required mountd(8) changes to be able
to export tmpfs file-systems because NFS support is still very unstable
and because, before enabling it, I'd like to do some other changes.
OK'ed by my project mentor, William Studenmund (wrstuden@).
killing self, instead of the other way around.
Fixes a bug where the child process would use 100% CPU spinning
while it waited for its parent to arm a non-existent watchdog timer.
Now, the child process gets killed, as was intended.
+ style (KNF).
. don't cast NULL
. white space clean up
+ use consistent format for error messages.
+ plug memory leaks and avoid malloc(0).
+ verbose message should display even when routing table is empty
(flushroutes).
opendisk() declared in that file is not used in this case anyway, and
<util.h> pulls in unwatned includes (e.g. <utmpx.h> doesn't exist on
FreeBSD 4.*).
getlabel{offset,sector} and opendisk functions declared in that file
are not used in this case anyway, and <util.h> pulls in unwatned
includes (e.g. <utmpx.h> doesn't exist on FreeBSD 4.*).
XXX: We can probably undo the #if !HAVE_NBTOOL_CONFIG_H kludge in
<util.h> now.
