
fchroot(2) and others.



Hi.

Are we interested in an fchroot(2) syscall? It exists in NetBSD.
If so, its implementation is in the pjd_secure_syscalls branch or
at:

	http://people.freebsd.org/~pjd/patches/secure_syscalls.patch

I've also implemented safe versions of other syscalls:

int flink(int fd, const char *link);
int funlink(int fd, const char *path);
int frename(int fd, const char *from, const char *to);

Maybe funlink(2) and frename(2) look weird, but it should work.
The idea is that one cannot pass only a descriptor number to those
functions, because they operate on file system object names
and there is no clean way to get a path name from a descriptor.
So I decided to do it this way:
1. Take vnode from file descriptor.
2. Lock vnode.
3. Take vnode from path.
4. Lock vnode.
5. Compare both vnodes.
6. If equal do the action (rename, unlink).
So we need to open the given file and pass the descriptor number and its
file name to the syscall.

Code in branch is not tested yet, it is only a proof-of-concept.

-- 
Pawel Jakub Dawidek                       http://www.FreeBSD.org
pjd_(_at_)_FreeBSD_(_dot_)_org                           http://garage.freebsd.pl
FreeBSD committer                         Am I Evil? Yes, I Am!
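The six-step check described in the post (take the object behind the descriptor, take the object behind the path, compare, act only if equal) can be sketched in userland to show what the proposed funlink(2)/frename(2) are guarding against. The following is an added example written for this page; it is not code from the pjd_secure_syscalls branch or the linked patch. Where the kernel compares locked vnodes, this sketch compares (st_dev, st_ino) from fstat(2) and lstat(2); the function names funlink_userland and frename_userland are hypothetical, and the whole thing is still racy between the stat and the unlink/rename, which is exactly the window an in-kernel syscall closes. The demo creates files under a mkdtemp(3) directory, swaps a decoy in under an already-opened name, and shows the check refusing to act on it.

```c
/* Added example (not the patch's code): userland analogue of the
 * "compare the descriptor's object with the path's object, then act"
 * check proposed for funlink(2)/frename(2). Names below are hypothetical. */
#define _DEFAULT_SOURCE
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* 1 if fd and path currently name the same file system object.
 * Stands in for "take vnode from fd, take vnode from path, compare";
 * unlike the kernel version nothing is locked, so a rename can still
 * slip in between this check and the action below. */
static int same_object(int fd, const char *path)
{
    struct stat sfd, spath;
    if (fstat(fd, &sfd) == -1 || lstat(path, &spath) == -1)
        return 0;
    return sfd.st_dev == spath.st_dev && sfd.st_ino == spath.st_ino;
}

/* Hypothetical funlink(2): unlink path only if it still refers to the
 * object behind fd. Returns 0, or -1 with errno EINVAL on mismatch. */
int funlink_userland(int fd, const char *path)
{
    if (!same_object(fd, path)) {
        errno = EINVAL;
        return -1;
    }
    return unlink(path);
}

/* Hypothetical frename(2): same guard, then rename(2). */
int frename_userland(int fd, const char *from, const char *to)
{
    if (!same_object(fd, from)) {
        errno = EINVAL;
        return -1;
    }
    return rename(from, to);
}

/* Exercises the guard. Returns a bitmask: 1 = plain unlink went through,
 * 2 = funlink refused a swapped-in decoy, 4 = frename refused it too.
 * All files are constructed in a fresh temp directory and removed. */
int demo(void)
{
    char dir[] = "/tmp/funlink-demo-XXXXXX";
    char victim[80], protected_path[80], decoy[80], renamed[80];
    int result = 0, fd, dfd;

    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(protected_path, sizeof protected_path, "%s/protected", dir);
    snprintf(decoy, sizeof decoy, "%s/decoy", dir);
    snprintf(renamed, sizeof renamed, "%s/renamed", dir);

    /* Case 1: nothing changed between open and unlink, so it succeeds. */
    fd = open(victim, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd == -1)
        return -1;
    if (funlink_userland(fd, victim) == 0 && access(victim, F_OK) == -1)
        result |= 1;
    close(fd);

    /* Case 2: open "protected", then someone renames a decoy over that
     * name. The path now names a different inode than fd does. */
    fd = open(protected_path, O_WRONLY | O_CREAT | O_EXCL, 0600);
    dfd = open(decoy, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd == -1 || dfd == -1)
        return -1;
    close(dfd);
    if (rename(decoy, protected_path) == -1)
        return -1;
    if (funlink_userland(fd, protected_path) == -1 && errno == EINVAL
        && access(protected_path, F_OK) == 0)
        result |= 2;                     /* decoy untouched */
    if (frename_userland(fd, protected_path, renamed) == -1 && errno == EINVAL
        && access(renamed, F_OK) == -1)
        result |= 4;                     /* not renamed either */
    close(fd);

    unlink(protected_path);
    rmdir(dir);
    return result;
}

int main(void)
{
    printf("demo result: %d (7 means all three cases behaved)\n", demo());
    return 0;
}
```

The point of case 2 is the one the post makes: a descriptor alone cannot be unlinked or renamed because those operations need a name, and a name alone can be swapped underneath you. Checking that name and descriptor agree before acting is the proposed fix; doing that check in the kernel with the vnodes locked is what makes it more than a best-effort userland heuristic.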