Board: DFBSD_submit
:On Mon, Jan 31, 2005 at 09:16:59AM -0800, Matthew Dillon wrote:
:> That's one of the major features of the new namecache code. The old
:> namecache code was purely advisory... in fact, VFS's could bypass it
:> (and did). The new namecache code is fully integrated, mandatory,
:> separated from the vnode algorithms, and cannot be bypassed.
:
:Do we still have to mess with the vnode in kern_chroot? Can we use
:the namespace entry of the new root directly for fdp->fd_rdir?
:
:Joerg

I've considered that point several times but for now I think we have
to keep the vnode as a security measure. Otherwise the chroot directory
can be rm -rf'd, a new directory with the same name can be created, and
then the process's chroot will be in a different directory.

In any case, the issue needs more thought.

-Matt
Matthew Dillon
<dillon@backplane.com>
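Added example, not part of the original message and not DragonFly kernel code: a userspace analogy in which an open directory descriptor stands in for the vnode held in `fd_rdir`, showing that after the directory is removed and recreated under the same name, the held reference and the name refer to different objects. The function name, the `/tmp/pin_demo_*` path and the `marker` file are constructed for illustration.

```c
/* Added example: userspace analogy, constructed paths and names. */
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Returns 0 on success and fills in both results, -1 on a setup error. */
int replace_dir_under_holder(int *same_object, int *marker_via_handle)
{
    char base[] = "/tmp/pin_demo_XXXXXX", dir[64], marker[80];
    struct stat held, named, tmp;
    int fd, mfd, rc = -1;

    if (mkdtemp(base) == NULL) return -1;
    snprintf(dir, sizeof dir, "%s/jail", base);
    snprintf(marker, sizeof marker, "%s/marker", dir);
    if (mkdir(dir, 0700) != 0) goto out_base;

    /* Stand-in for the vnode reference a chrooted process holds. */
    fd = open(dir, O_RDONLY | O_DIRECTORY);
    if (fd < 0) { rmdir(dir); goto out_base; }

    /* The directory is removed and the same name is created again. */
    if (rmdir(dir) != 0 || mkdir(dir, 0700) != 0) goto out_fd;
    mfd = open(marker, O_CREAT | O_WRONLY, 0600);
    if (mfd < 0) goto out_dir;
    close(mfd);

    /* Compare the held object with what the name resolves to now. */
    if (fstat(fd, &held) != 0 || stat(dir, &named) != 0) goto out_marker;
    *same_object = held.st_dev == named.st_dev && held.st_ino == named.st_ino;
    *marker_via_handle = fstatat(fd, "marker", &tmp, 0) == 0;
    rc = 0;
out_marker: unlink(marker);
out_dir:    rmdir(dir);
out_fd:     close(fd);
out_base:   rmdir(base);
    return rc;
}

int main(void)
{
    int same, seen;
    if (replace_dir_under_holder(&same, &seen) != 0) return 1;
    printf("handle and name refer to same directory: %d\n", same);
    printf("new directory's marker visible via handle: %d\n", seen);
    return 0;
}
```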