jls, jexec support
Matthew Dillon
dillon at apollo.backplane.com
Mon Jan 31 10:10:33 PST 2005
:On Mon, Jan 31, 2005 at 09:16:59AM -0800, Matthew Dillon wrote:
:> That's one of the major features of the new namecache code. The old
:> namecache code was purely advisory... in fact, VFS's could bypass it
:> (and did). The new namecache code is fully integrated, mandatory,
:> separated from the vnode algorithms, and cannot be bypassed.
:
:Do we still have to mess with the vnode in kern_chroot? Can we use
:the namespace entry of the new root directly for fdp->fd_rdir?
:
:Joerg
I've considered that point several times but for now I think we have
to keep the vnode as a security measure. Otherwise the chroot directory
can be rm -rf'd, a new directory with the same name can be created,
and then the process's chroot will be in a different directory.
In anycase, the issue needs more thought.
-Matt
Matthew Dillon
<dillon at xxxxxxxxxxxxx>
More information about the Submit
mailing list