kern/51583: [nullfs] [patch] allow to work with devices and sockets over nullfs [STABLE, 5.0-CURRENT]

Timothy Bourke timbob at bigpond.com
Sun Dec 17 23:30:35 PST 2006


The following reply was made to PR kern/51583; it has been noted by GNATS.

From: Timothy Bourke <timbob at bigpond.com>
To: bug-followup at FreeBSD.org
Cc:  
Subject: Re: kern/51583: [nullfs] [patch] allow to work with devices and sockets over nullfs [STABLE, 5.0-CURRENT]
Date: Mon, 18 Dec 2006 18:01:40 +1100

 I confirm that this is still a problem on 6.1-RELEASE (-p11).
 
 In particular, it prevents using nullfs to run X clients through Unix
 domain sockets from a chroot or jail (i.e. connecting via /tmp/.X11-unix/X0).
 (http://lists.freebsd.org/pipermail/freebsd-emulation/2006-December/002912.html)
 
 The Linimon/Le Hen tests can be verified using the net/netcat port:
 
     setup
     -----
     mkdir lower
     mkdir upper
     mount -t nullfs lower upper
     touch lower/testport
 
     test.sh
     --------
     #!/bin/sh
 
     rm lower/testport
     nc -lU $BIND/testport &
     SERVER=$!
     echo test | nc -U $CONNECT/testport
     echo $?
     kill $SERVER 2>/dev/null
 
     tests
     -----
     BIND=lower CONNECT=lower ./test.sh # works
     BIND=upper CONNECT=upper ./test.sh # works
     BIND=lower CONNECT=upper ./test.sh # FAILS before patch, works after
     BIND=upper CONNECT=lower ./test.sh # FAILS before and after patch
 
 The Sivachenko patch corrects the following situation:
 
     analysis: BIND=lower CONNECT=upper
     ----------------------------------
     1. s = socket(AF_UNIX, SOCK_STREAM, 0)
        falloc: creates a new open file in the process descriptor table
        socreate: associates a socket with this file and associates the unix
                  domain protosw functions
 
     2. connect(s, name, namelen)
        kern_connect -> so_connect -> pru_connect -> unp_connect
 
        * unp_connect (src/sys/kern/uipc_usrreq.c, v1.155.2.3)
 
        * call namei to retrieve the requested vnode
          -calls null_lookup in src/sys/fs/null_vnops.c
          -in turn calls null_nodeget in src/sys/fs/null_subr.c
           returns the UPPER vnode
           DOES NOT copy the v_un field from the lower vnode.
 
        * line 962: so2 = vp->v_socket;              (vp->v_un.vu_socket)
          DIRECT ACCESS to v_un field of (UPPER) vnode.
 
 The Buchanan analysis refers to a different location:
 
     analysis: BIND=upper CONNECT=lower
     ----------------------------------
     1. s = socket(AF_UNIX, SOCK_STREAM, 0)
     2. bind(s, name, namelen)
 
        * unp_bind (src/sys/kern/uipc_usrreq.c, v1.155.2.3)
        * creates new vnodes
        * line 902: vp->v_socket = unp->unp_socket;  (vp->v_un.vu_socket)
          DIRECT ACCESS to v_un field of (UPPER) vnode.
 
     Not fixed by the submitted patch.
     Messy. The socket information in the upper (nullfs) vnode must somehow be
     passed down into the lower vnode...
 
 A proper fix is beyond me.
 
 

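The four BIND/CONNECT cases in the message can also be checked without netcat. The following is an added example, not part of the original message or of the patch in the PR: a C probe that performs the same socket/bind/connect sequence in a single process. The names `probe` and `make_addr` are hypothetical; the socket name `testport` follows the message's test.sh.

```c
/* Added example: bind an AF_UNIX socket via one directory path and
 * connect to it via another (e.g. nullfs lower vs. upper). */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <unistd.h>

/* Build dir/testport; returns -1 if it does not fit in sun_path. */
static int make_addr(struct sockaddr_un *sa, const char *dir)
{
    memset(sa, 0, sizeof(*sa));
    sa->sun_family = AF_UNIX;
    int n = snprintf(sa->sun_path, sizeof(sa->sun_path), "%s/testport", dir);
    return (n < 0 || (size_t)n >= sizeof(sa->sun_path)) ? -1 : 0;
}

/* Returns 0 if the connection succeeds, else the errno of the failing step. */
int probe(const char *bind_dir, const char *connect_dir)
{
    struct sockaddr_un srv, cli;
    int ls = -1, cs = -1, err = 0;

    if (make_addr(&srv, bind_dir) || make_addr(&cli, connect_dir))
        return ENAMETOOLONG;
    unlink(srv.sun_path);               /* same as "rm lower/testport" */
    /* A listening socket completes connect() without accept(), so one
     * process can play both roles and no background job is needed. */
    if ((ls = socket(AF_UNIX, SOCK_STREAM, 0)) < 0 ||
        bind(ls, (struct sockaddr *)&srv, sizeof(srv)) < 0 ||
        listen(ls, 1) < 0 ||
        (cs = socket(AF_UNIX, SOCK_STREAM, 0)) < 0 ||
        connect(cs, (struct sockaddr *)&cli, sizeof(cli)) < 0)
        err = errno;
    if (cs >= 0) close(cs);
    if (ls >= 0) close(ls);
    unlink(srv.sun_path);
    return err;
}

int main(int argc, char **argv)
{
    if (argc != 3) { fprintf(stderr, "usage: probe BIND_DIR CONNECT_DIR\n"); return 2; }
    int e = probe(argv[1], argv[2]);
    printf("bind=%s connect=%s: %s\n", argv[1], argv[2], e ? strerror(e) : "ok");
    return e != 0;
}
```

Run it once per BIND/CONNECT pair, for example `./probe lower upper`; it prints the error text of the step that failed, or "ok".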
