From: Al Viro <viro@zeniv.linux.org.uk>
To: John Ericson <mail@johnericson.me>
Cc: Andy Lutomirski <luto@kernel.org>, Li Chen <me@linux.beauty>,
Cong Wang <cwang@multikernel.io>,
Christian Brauner <brauner@kernel.org>,
linux-arch <linux-arch@vger.kernel.org>,
LKML <linux-kernel@vger.kernel.org>,
linux-fsdevel <linux-fsdevel@vger.kernel.org>,
linux-api <linux-api@vger.kernel.org>,
Arnd Bergmann <arnd@arndb.de>, Thomas Gleixner <tglx@kernel.org>,
Ingo Molnar <mingo@redhat.com>, Borislav Petkov <bp@alien8.de>,
Dave Hansen <dave.hansen@linux.intel.com>,
"H. Peter Anvin" <hpa@zytor.com>, Jan Kara <jack@suse.cz>,
Jonathan Corbet <corbet@lwn.net>,
Shuah Khan <skhan@linuxfoundation.org>,
Kees Cook <kees@kernel.org>,
Sergei Zimmerman <sergei@zimmerman.foo>,
Farid Zakaria <farid.m.zakaria@gmail.com>
Subject: Re: [RFC] Null Namespaces
Date: Fri, 26 Jun 2026 01:15:38 +0100 [thread overview]
Message-ID: <20260626001538.GO2636677@ZenIV> (raw)
In-Reply-To: <a75a9b82-a15b-4893-8f92-62b62664ea83@app.fastmail.com>
On Wed, Jun 24, 2026 at 11:41:07PM -0400, John Ericson wrote:
> The current working directory, roughly, is *just* some global state
> holding a directory file descriptor.
So's the descriptor table; what's the difference?
> But I don't want that global state.
Don't use it, then... out of curiosity, does that extend to stdout et.al.?
> If I am writing my userland program (that is not a shell), I would not
> create the global variable. I do not appreciate the fact that the kernel
> foists that state upon me whether I like it or not.
<wry> Kernel will have to live without your appreciation, I suppose. </wry>
> Now obviously we cannot have a giant breaking change removing the notion
> of a current working directory altogether. But we can allow individual
> processes which don't want it to opt out, and that is what nulling out
> these fields (and updating the path resolution code to cope with that)
> allows.
>
> There is no loss of expressive power doing this, because one can (and
> should!) just use the `*at` and file descriptors. But there is, however,
> the imposition of discipline.
So supply a library of your own and try to convince people to use it
instead of libc. You'll have to anyway, seeing that a large and
hard-to-predict part of libc will be non-functional. Which syscalls
are used by your library is entirely up to you.
Would that kind of thing added kernel-side assist the development of such
library? Maybe, but I wouldn't bet too much on that - if you start from
scratch, you can trivially verify that you don't even attempt given
set of syscalls and if you use libc as a starting point, you get to
debug all the failure exits you've added...
> The programmer (or coding agent) is
> encouraged to do everything with file descriptors rather than path
> concatenations etc., because they need to use `*at` anyways, and then
> voilà, without browbeating anyone in security seminars or code review, a
> bunch of TOCTOU issues disappear simply because doing the right thing is
> now the path of least resistance.
I'm sorry, but the path of least resistance is picking a snippet from google
that will implement open(), etc., on top of your setup and using it.
_Especially_ if coding agents are going to be involved, precisely because
they'll do a convincing simulation of human duhveloper's behaviour, i.e.
"cut'n'paste it from the net".
next prev parent reply other threads:[~2026-06-26 0:15 UTC|newest]
Thread overview: 16+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-24 22:51 [RFC] Null Namespaces John Ericson
2026-06-24 23:06 ` Andy Lutomirski
2026-06-24 23:20 ` Andy Lutomirski
2026-06-24 23:53 ` John Ericson
2026-06-25 1:10 ` Al Viro
2026-06-25 3:41 ` John Ericson
2026-06-25 15:51 ` Andy Lutomirski
2026-06-25 18:21 ` John Ericson
2026-06-26 0:15 ` Al Viro [this message]
2026-06-26 16:26 ` John Ericson
2026-06-24 23:12 ` Al Viro
2026-06-25 21:00 ` H. Peter Anvin
2026-06-25 21:50 ` John Ericson
2026-06-25 23:09 ` Andy Lutomirski
2026-06-26 8:27 ` David Laight
2026-06-26 17:23 ` John Ericson
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260626001538.GO2636677@ZenIV \
--to=viro@zeniv.linux.org.uk \
--cc=arnd@arndb.de \
--cc=bp@alien8.de \
--cc=brauner@kernel.org \
--cc=corbet@lwn.net \
--cc=cwang@multikernel.io \
--cc=dave.hansen@linux.intel.com \
--cc=farid.m.zakaria@gmail.com \
--cc=hpa@zytor.com \
--cc=jack@suse.cz \
--cc=kees@kernel.org \
--cc=linux-api@vger.kernel.org \
--cc=linux-arch@vger.kernel.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=luto@kernel.org \
--cc=mail@johnericson.me \
--cc=me@linux.beauty \
--cc=mingo@redhat.com \
--cc=sergei@zimmerman.foo \
--cc=skhan@linuxfoundation.org \
--cc=tglx@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.