kern/51583: [nullfs] [patch] allow to work with devices and sockets over nullfs [STABLE, 5.0-CURRENT]
Timothy Bourke
timbob at bigpond.com
Sun Dec 17 23:30:35 PST 2006
The following reply was made to PR kern/51583; it has been noted by GNATS.
From: Timothy Bourke <timbob at bigpond.com>
To: bug-followup at FreeBSD.org
Cc:
Subject: Re: kern/51583: [nullfs] [patch] allow to work with devices and sockets over nullfs [STABLE, 5.0-CURRENT]
Date: Mon, 18 Dec 2006 18:01:40 +1100
I confirm that this is still a problem on 6.1-RELEASE (-p11).
In particular, it prevents using nullfs to run X clients through Unix
domain sockets from a chroot or jail (i.e. connecting via /tmp/.X11-unix/X0).
(http://lists.freebsd.org/pipermail/freebsd-emulation/2006-December/002912.html)
The Linimon/Le Hen tests can be verified using the net/netcat port:
setup
-----
mkdir lower
mkdir upper
mount -t nullfs lower upper
touch lower/testport
test.sh
--------
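#!/bin/sh
# BIND and CONNECT select the directory (lower or upper) used by each side.
rm lower/testport
nc -lU $BIND/testport &	# listen on a Unix domain socket
SERVER=$!
echo test | nc -U $CONNECT/testport
echo $?				# exit status of the connecting client
kill $SERVER 2>/dev/null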
tests
-----
BIND=lower CONNECT=lower ./test.sh # works
BIND=upper CONNECT=upper ./test.sh # works
BIND=lower CONNECT=upper ./test.sh # FAILS before patch, works after
BIND=upper CONNECT=lower ./test.sh # FAILS before and after patch
The Sivachenko patch corrects the following situation:
analysis: BIND=lower CONNECT=upper
----------------------------------
1. s = socket(AF_UNIX, SOCK_STREAM, 0)
   falloc: creates a new open file in the process descriptor table
   socreate: associates a socket with this file and associates the unix
             domain protosw functions
2. connect(s, name, namelen)
   kern_connect -> so_connect -> pru_connect -> unp_connect
   * unp_connect (src/sys/kern/uipc_usrreq.c, v1.155.2.3)
     * call namei to retrieve the requested vnode
       - calls null_lookup in src/sys/fs/null_vnops.c
       - in turn calls null_nodeget in src/sys/fs/null_subr.c
         returns the UPPER vnode
         DOES NOT copy the v_un field from the lower vnode.
     * line 962: so2 = vp->v_socket; (vp->v_un.vu_socket)
       DIRECT ACCESS to v_un field of (UPPER) vnode.
The Buchanan analysis refers to a different location:
analysis: BIND=upper CONNECT=lower
----------------------------------
1. s = socket(AF_UNIX, SOCK_STREAM, 0)
2. bind(s, name, namelen)

   * unp_bind (src/sys/kern/uipc_usrreq.c, v1.155.2.3)
     * creates new vnodes
     * line 902: vp->v_socket = unp->unp_socket; (vp->v_un.vu_socket)
       DIRECT ACCESS to v_un field of (UPPER) vnode.
Not fixed by the submitted patch.
Messy. The socket information in the upper (nullfs) vnode must somehow be
passed down into the lower vnode...
A proper fix is beyond me.
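Added example, not part of the message above and not FreeBSD kernel code: a toy user-space C model of the two analyses that reproduces the four test results before and after the patch. The struct layout and the names nodeget, model_bind, model_connect and run_case are illustrative, and the model assumes the patch copies the socket pointer into the upper vnode when null_nodeget creates it.

```c
#include <stdio.h>

/* Toy user-space model (constructed); not FreeBSD kernel code. */
struct socket { int id; };
struct vnode {
    struct socket *v_socket;  /* stands in for v_un.vu_socket */
    struct vnode *lower;      /* NULL for a lower-layer vnode */
};

/* Models null_nodeget: build the upper vnode over lowervp. With patched
 * set, the socket pointer is copied once at creation (an assumption). */
static struct vnode nodeget(struct vnode *lowervp, int patched)
{
    struct vnode up = { NULL, lowervp };
    if (patched)
        up.v_socket = lowervp->v_socket;
    return up;
}

/* Models unp_bind line 902: writes only the vnode it was handed. */
static void model_bind(struct vnode *vp, struct socket *so) { vp->v_socket = so; }

/* Models unp_connect line 962: reads only the vnode it was handed. */
static int model_connect(const struct vnode *vp) { return vp->v_socket != NULL; }

/* One row of the test matrix; returns 1 when connect finds the socket. */
int run_case(int bind_upper, int connect_upper, int patched)
{
    struct socket so = { 1 };
    struct vnode lower = { NULL, NULL }, upper;
    if (bind_upper) {                      /* node made via nullfs, then bound */
        upper = nodeget(&lower, patched);
        model_bind(&upper, &so);
    } else {                               /* bound below, looked up afterwards */
        model_bind(&lower, &so);
        upper = nodeget(&lower, patched);
    }
    return model_connect(connect_upper ? &upper : &lower);
}

int main(void)
{
    for (int p = 0; p < 2; p++)
        for (int b = 0; b < 2; b++)
            for (int c = 0; c < 2; c++)
                printf("patched=%d BIND=%s CONNECT=%s -> %s\n", p, b ? "upper" : "lower",
                       c ? "upper" : "lower", run_case(b, c, p) ? "works" : "FAILS");
    return 0;
}
```

In the model, BIND=upper CONNECT=lower fails in both modes because the write in model_bind never reaches the lower vnode, which is the gap the second analysis describes.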
More information about the freebsd-bugs
mailing list