From: arisawa
In-Reply-To: <491F5E4C-E68D-44A5-81A5-1C6BC5E8DC96@ar.aichi-u.ac.jp>
Date: Tue, 1 Dec 2015 18:39:11 +0900
Message-Id: <59EA2A73-3E31-413E-8037-1D3BE16B2CC4@ar.aichi-u.ac.jp>
References: <491F5E4C-E68D-44A5-81A5-1C6BC5E8DC96@ar.aichi-u.ac.jp>
To: Fans of the OS Plan 9 from Bell Labs <9fans@9fans.net>
Subject: Re: [9fans] unmount

I said:
> On 2015/12/01 12:24, arisawa wrote:
>
> Hello 9fans,
>
> current kernel allows unmount even if after rfork m.
> this feature makes sandboxing difficult.
> can anyone explain this feature is necessary?
>
> Kenji Arisawa

I make a protection for unmounting after rfork -m and now testing.
my idea is: protecting unmount with a single argument.
it seems the following code is working, however I am not sure this is OK.
any comment welcome.

/sys/src/9/port/sysfile.c:

sysunmount(va_list list)
{
	Chan *cmount, *cmounted;
	char *name, *old;

	name = va_arg(list, char*);
	old = va_arg(list, char*);

	/* a protection for 'unmount' after 'rfork m'
	 * we can reject any unmount, however it might not be user friendly to do so.
	 * more moderate way might be disallowing
	 *	unmount mntpoint	# single argument
	 * it is ideal though: we disallow unmount dirs that are mounted before rfork m.
	 * probably we need this protection also in regular kernel
	 *
	 * print("name=%s old=%s\n",name,old);
	 * the output is, e.g,
	 *	name=srv/factorum
	 *	old=/mnt
	 * -Kenar-
	 */
	if(up->pgrp->noattach && (name == nil)){
		error(Eperm);
		return 0;
	}
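
A user-space model of the two rules named in the comment above, added here as an illustration; it is not part of the original message and not Plan 9 kernel code. It compares the single-argument check as posted with the stricter rule the comment calls ideal. The Mnt table, its field names, the function names and the sample paths are constructed assumptions.

```c
#include <stddef.h>
#include <string.h>

/* Constructed model of a name space entry; not a kernel structure. */
typedef struct {
	const char *name;	/* what is mounted (first unmount argument) */
	const char *old;	/* mount point (second unmount argument) */
	int presandbox;		/* 1 if the entry existed before rfork m */
} Mnt;

enum { Allowed = 0, Denied = -1 };

/* Constructed sample table: two entries predate the sandbox, one does not. */
static const Mnt sample[] = {
	{ "/srv/example", "/mnt",     1 },
	{ "/srv/other",   "/n/other", 1 },
	{ "/tmp/scratch", "/n/work",  0 },
};
#define NSAMPLE (sizeof sample / sizeof sample[0])

/* The check from the message: under noattach, refuse only name == nil. */
int
check_single_arg(int noattach, const char *name)
{
	return (noattach && name == NULL) ? Denied : Allowed;
}

/* The rule the comment calls ideal: under noattach, refuse the call if
 * any entry it would remove existed before rfork m. A nil name selects
 * every entry at the mount point, as the single-argument form does. */
int
check_presandbox(int noattach, const Mnt *t, size_t n,
	const char *name, const char *old)
{
	size_t i;

	if(!noattach)
		return Allowed;
	for(i = 0; i < n; i++){
		if(strcmp(t[i].old, old) != 0)
			continue;
		if(name != NULL && strcmp(t[i].name, name) != 0)
			continue;
		if(t[i].presandbox)
			return Denied;
	}
	return Allowed;
}
```

The two rules differ on the two-argument form: naming a pre-sandbox entry passes the single-argument check but is refused by the stricter rule, while entries created after the sandbox stay removable under the stricter rule.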