From: Al Viro <viro-3bDd1+5oDREiFSDQTTA3OLVCufUGDwFn@public.gmane.org>
To: "Aneesh Kumar K.V"
	<aneesh.kumar-23VcF4HTsmIX0ybBhKVfKdBPR1lH4CV8@public.gmane.org>
Cc: mtk.manpages-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org,
	Mike Frysinger <vapier-aBrp7R+bbdUdnm+yROfE0A@public.gmane.org>,
	linux-man-u79uwXL29TY76Z2rM5mHXA@public.gmane.org,
	Richard Weinberger <richard-/L3Ra7n9ekc@public.gmane.org>,
	lkml <linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org>,
	pschiffe-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org
Subject: Re: [PATCH] open(2): document O_PATH
Date: Tue, 8 Jan 2013 18:52:02 +0000
Message-ID: <20130108185202.GA22857@ZenIV.linux.org.uk>
In-Reply-To: <20120503141156.GP6871-3bDd1+5oDREiFSDQTTA3OLVCufUGDwFn@public.gmane.org>

On Thu, May 03, 2012 at 03:11:56PM +0100, Al Viro wrote:
> On Thu, May 03, 2012 at 07:34:35PM +0530, Aneesh Kumar K.V wrote:
> 
> > I looked at dnotify_flush, they remove markers on an inode.
> > But then it also checks for filp to match. So I am not sure
> > whether skipping dnotify_flush for O_PATH descriptor have any impact. We
> > can't use O_PATH descriptor for dnotify fcntl any way. So in
> > dnotify_flush we will not match the filp.
> > 
> > Viro,
> > 
> > Any reason why we skip dnotify_flush  ?
> 
> See your last sentence above - why bother finding the mark, scanning the
> list, etc. when we know that there won't be any matches?

[Apologies for replying to the wrong posting, but this is the closest thing
thread-wise to what I wanted to reply to that I've got sitting in my mailbox]

The rules are:
	* syscalls acting purely on descriptor level are allowed - close(),
	  dup(), dup2(), dup3(), fcntl(F_DUPFD{,_CLOEXEC}), fcntl(F_[SG]ETFD),
	  fcntl(F_GETFL), passing descriptors in SCM_RIGHTS datagrams
	* syscalls using the descriptor just to indicate a location in
	  the tree - *at() family, fchdir(), fstat()
The list might get expanded - for example, fstatfs() arguably belongs to the
second group.  The approach had been conservative - the second group gets
expanded on per-case basis.  E.g. anything requiring the file to have
been opened for write is *not* a candidate, so it really has to be reviewed
separately for each syscall of that sort.

As far as dnotify and POSIX locks go, close() (and replacing dup2(), etc.)
are irrelevant - the rules are exactly as usual.  All dnotify watches or
POSIX locks associated with that opened file get evicted; it's just that
there is no way to *set* them on O_PATH descriptors in the first place.
We might eventually allow fcntl(F_NOTIFY) on them, but I'm not sure there's
any good reason to do so; allowing to use them for setting POSIX locks is
almost certainly a bad idea wrt security.

The test in filp_close() is just an optimization - if/when we allow F_NOTIFY
on O_PATH descriptors, the same commit will need to make the call of
dnotify_flush() in filp_open() unconditional.  All there is to it...
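
The descriptor rules in the message above, as an added example that is not part of the original post or of the kernel source: a userspace check that an O_PATH descriptor accepts the descriptor-level and location-only calls but refuses a POSIX lock and a read with EBADF. The function names, the sample path "/" and the O_PATH fallback value (the asm-generic one) are assumptions of this example.

```c
#define _GNU_SOURCE            /* exposes O_PATH in <fcntl.h> */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

#ifndef O_PATH                 /* fallback: asm-generic value (x86, arm64) */
#define O_PATH 010000000
#endif

/* Open dir purely as a location handle; no read or write access is requested. */
int open_path(const char *dir) { return open(dir, O_PATH | O_DIRECTORY | O_CLOEXEC); }

/* Calls from the two allowed groups; returns how many of them failed. */
int allowed_failures(int fd)
{
    struct stat st;
    int copy = dup(fd);                              /* descriptor level */
    int failures = copy < 0;
    if (copy >= 0)
        close(copy);
    failures += fcntl(fd, F_GETFL) < 0;              /* descriptor level */
    failures += fstat(fd, &st) != 0;                 /* location in the tree */
    failures += fstatat(fd, ".", &st, 0) != 0;       /* *at() family */
    return failures;
}

/* errno from trying to set a POSIX read lock through fd, 0 if it succeeded. */
int posix_lock_errno(int fd)
{
    struct flock fl = { .l_type = F_RDLCK, .l_whence = SEEK_SET };
    return fcntl(fd, F_SETLK, &fl) == -1 ? errno : 0;
}

/* errno from trying to read through fd, 0 if it succeeded. */
int read_errno(int fd)
{
    char buf[16];
    return read(fd, buf, sizeof buf) == -1 ? errno : 0;
}

int main(void)
{
    int fd = open_path("/");   /* "/" is an assumed sample path */
    printf("allowed failures=%d lock errno=%d read errno=%d (EBADF=%d)\n",
           allowed_failures(fd), posix_lock_errno(fd), read_errno(fd), EBADF);
    return fd < 0;
}
```

fstat() on an O_PATH descriptor needs Linux 3.6 or later; on older kernels that one call fails while the rest behave as shown.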
