Subject: Re: eliminating veriexec #ifdefs in vfs_vnops.c
To: YAMAMOTO Takashi <yamt@mwd.biglobe.ne.jp>
From: Elad Efrat <elad@NetBSD.org>
List: tech-kern
Date: 12/30/2006 00:44:11
YAMAMOTO Takashi wrote:
>> but can't a user race and
>> replace the path after validation?
> 
> yes, it's what i meant.
> 
>> say:
>>
>> 	1. userland: open(/bin/ls)
>> 	2. kernel: copies in path, '/bin/ls', veriexec check, passes
>> 	3. userland: mv /tmp/evil /bin/ls
>> 	4. kernel: second namei(), proceeds to open the file
>>
>> classic toctou. ideas?
> 
> if it's a problem for you, you shouldn't do namei twice.
> (unless you are going to introduce transactions for this. :-)
> 
> YAMAMOTO Takashi

let's just move the namei() to the top and have the veriexec stuff
after it.

something like:

	if (fmode & O_CREAT) {
		ndp->ni_cnd.cn_nameiop = CREATE;
		ndp->ni_cnd.cn_flags = LOCKPARENT | LOCKLEAF;
	} else {
		ndp->ni_cnd.cn_nameiop = LOOKUP;
		ndp->ni_cnd.cn_flags = LOCKLEAF;
	}
	error = namei(ndp);
	/* stuff */

right after the 'restart:' label.

-e.
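The race in the thread and the single-lookup fix, as a userland analogue in C. This is an added example, not code from the thread or from NetBSD: a constructed FNV-1a hash stands in for the veriexec fingerprint, an open(2) stands in for namei(), and a rename hook stands in for the racing `mv /tmp/evil /bin/ls`; the demo writes its files under /tmp.

```c
#define _DEFAULT_SOURCE
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
static uint64_t fingerprint_fd(int fd) {      /* constructed stand-in for a veriexec fingerprint */
    uint64_t h = 1469598103934665603ULL; unsigned char b[4096]; ssize_t n;
    for (lseek(fd, 0, SEEK_SET); (n = read(fd, b, sizeof b)) > 0; )
        for (ssize_t i = 0; i < n; i++) { h ^= b[i]; h *= 1099511628211ULL; }
    lseek(fd, 0, SEEK_SET); return h;
}
/* Two-lookup shape (the original open path): verify by path, then look the path up
 * again to open it. 'race' models another process acting between the two lookups. */
int open_check_then_open(const char *path, uint64_t want, void (*race)(void)) {
    int fd = open(path, O_RDONLY); if (fd < 0) return -1;
    uint64_t fp = fingerprint_fd(fd); close(fd);
    if (fp != want) return -1;
    if (race) race();
    return open(path, O_RDONLY);   /* second lookup: may resolve to a different file */
}
/* Single-lookup shape (namei() first, check after): open once, then verify the
 * object that was actually resolved. */
int open_then_check(const char *path, uint64_t want, void (*race)(void)) {
    int fd = open(path, O_RDONLY); if (fd < 0) return -1;
    if (race) race();              /* a rename now cannot change what fd refers to */
    if (fingerprint_fd(fd) != want) { close(fd); return -1; }
    return fd;
}
static char g_target[64], g_evil[64];
static void swap_in_evil(void) { rename(g_evil, g_target); }   /* the "mv /tmp/evil /bin/ls" step */
static void put(const char *p, const char *s) { FILE *f = fopen(p, "w"); if (f) { fputs(s, f); fclose(f); } }
/* Constructed scenario: a trusted file is replaced mid-open. Returns 1 if the two-lookup
 * pattern opened the wrong file while the single-lookup pattern kept the verified one. */
int toctou_demo(void) {
    char dir[] = "/tmp/veriexecXXXXXX";
    if (!mkdtemp(dir)) return 0;
    snprintf(g_target, sizeof g_target, "%s/ls", dir);
    snprintf(g_evil, sizeof g_evil, "%s/evil", dir);
    put(g_target, "trusted binary"); put(g_evil, "evil binary");
    int t = open(g_target, O_RDONLY); uint64_t want = fingerprint_fd(t); close(t);
    int racy = open_check_then_open(g_target, want, swap_in_evil);
    int racy_wrong = racy >= 0 && fingerprint_fd(racy) != want;
    if (racy >= 0) close(racy);
    put(g_target, "trusted binary"); put(g_evil, "evil binary");   /* reset for the second run */
    int safe = open_then_check(g_target, want, swap_in_evil);
    int safe_ok = safe >= 0 && fingerprint_fd(safe) == want;
    if (safe >= 0) close(safe);
    return racy_wrong && safe_ok;
}
int main(void) { printf("two-lookup fooled, single-lookup held: %d\n", toctou_demo()); return 0; }
```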