On Thu Nov 13 2008 at 07:56:43 -0500, Thor Lancelot Simon wrote:
> > > I agree. Yet, some file systems could be modularized. I'm thinking
> > > about the MSDOSFS and NTFS code. Typically, those are used only for
> > > sparse transfers with USB-keys, e.g. Including them permanently in the
> > > kernel is a waste of resources.
> >
> > I strongly advocate using rump_msdos(8) and rump_ntfs(8) for mounting
> > USB media. USB sticks typically contain an untrusted file system, and
> > it is way too easy to construct an evil file system to crash/exploit
> > your system, if you run the file system code in the kernel.
>
> Unfortunately, this requires giving user code access to raw disks, which
> poses essentially the same set of security risks in the long term.

How exactly did you arrive at that conclusion?

> With something like Elad's (abandoned?) code that enforced exclusive use
> of potentially overlapping disks/partitions we'd be better off.

How does disk partitioning protect against vulnerabilities in file system code?