From: Florian Weimer <fweimer@redhat.com>
To: Christian Brauner <christian.brauner@ubuntu.com>
Cc: David Howells <dhowells@redhat.com>,
linux-api@vger.kernel.org, viro@zeniv.linux.org.uk,
metze@samba.org, torvalds@linux-foundation.org,
cyphar@cyphar.com, linux-fsdevel@vger.kernel.org,
linux-kernel@vger.kernel.org
Subject: Re: Have RESOLVE_* flags superseded AT_* flags for new syscalls?
Date: Mon, 02 Mar 2020 12:30:47 +0100 [thread overview]
Message-ID: <87h7z7ngd4.fsf@oldenburg2.str.redhat.com> (raw)
In-Reply-To: <20200228152427.rv3crd7akwdhta2r@wittgenstein> (Christian Brauner's message of "Fri, 28 Feb 2020 16:24:27 +0100")
* Christian Brauner:
> [Cc Florian since that ends up on libc's table sooner or later...]
I'm not sure what you are after here …
> On Fri, Feb 28, 2020 at 02:53:32PM +0000, David Howells wrote:
>>
>> I've been told that RESOLVE_* flags, which can be found in linux/openat2.h,
>> should be used instead of the equivalent AT_* flags for new system calls. Is
>> this the case?
>
> Imho, it would make sense to use RESOLVE_* flags for new system calls
> and afair this was the original intention.
> The alternative is that RESOLVE_* flags are special to openat2(). But
> that seems strange, imho. The semantics openat2() has might be very
> useful for new system calls as well which might also want to support
> parts of AT_* flags (see fsinfo()). So we either end up adding new AT_*
> flags mirroring the new RESOLVE_* flags or we end up adding new
> RESOLVE_* flags mirroring parts of AT_* flags. And if that's a
> possibility I vote for RESOLVE_* flags going forward. The have better
> naming too imho.
>
> An argument against this could be that we might end up causing more
> confusion for userspace due to yet another set of flags. But maybe this
> isn't an issue as long as we restrict RESOLVE_* flags to new syscalls.
> When we introduce a new syscall userspace will have to add support for
> it anyway.
I missed the start of the dicussion and what this is about, sorry.
Regarding open flags, I think the key point for future APIs is to avoid
using the set of flags for both control of the operation itself
(O_NOFOLLOW/AT_SYMLINK_NOFOLLOW, O_NOCTTY) and properaties of the
resulting descriptor (O_RDWR, O_SYNC). I expect that doing that would
help code that has to re-create an equivalent descriptor. The operation
flags are largely irrelevant to that if you can get the descriptor by
other means.
>> (*) It has been suggested that AT_SYMLINK_NOFOLLOW should be the default, but
>> only RESOLVE_NO_SYMLINKS exists.
>
> I'd be very much in favor of not following symlinks being the default.
> That's usually a source of a lot of security issues.
But that's inconsistent with the rest of the system. And for example,
if you make /etc/resolv.conf a symbolic link, a program which uses a new
I/O library (with the new interfaces) will not be able to read it.
AT_SYMLINK_NOFOLLOW only applies to the last pathname component anyway,
so it's relatively little protection.
Thanks,
Florian
next prev parent reply other threads:[~2020-03-02 11:30 UTC|newest]
Thread overview: 32+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-02-28 14:53 Have RESOLVE_* flags superseded AT_* flags for new syscalls? David Howells
2020-02-28 15:24 ` Christian Brauner
2020-02-29 15:26 ` Aleksa Sarai
2020-02-29 15:54 ` Aleksa Sarai
2020-03-01 16:46 ` Christian Brauner
2020-03-01 16:38 ` Christian Brauner
2020-03-02 11:30 ` Florian Weimer [this message]
2020-03-02 11:52 ` Christian Brauner
2020-03-02 12:05 ` Christian Brauner
2020-03-02 15:10 ` Christian Brauner
2020-03-02 15:36 ` Aleksa Sarai
2020-03-02 16:31 ` Christian Brauner
2020-03-02 12:09 ` Florian Weimer
2020-03-02 12:19 ` Christian Brauner
2020-03-02 12:35 ` Christian Brauner
2020-03-02 12:42 ` Florian Weimer
2020-03-02 12:55 ` Christian Brauner
2020-03-05 14:33 ` David Howells
2020-03-05 14:38 ` Florian Weimer
2020-03-05 14:43 ` David Howells
[not found] ` <20200305141154.e246swv62rnctite@yavin>
2020-03-05 15:23 ` Christian Brauner
2020-03-02 14:27 ` David Howells
2020-03-02 14:35 ` Christian Brauner
2020-03-02 14:50 ` David Howells
2020-03-02 15:05 ` Christian Brauner
2020-03-02 15:24 ` Aleksa Sarai
2020-03-02 16:37 ` David Howells
[not found] ` <20200306140032.tpwfytofaeuazalo@yavin>
2020-03-06 14:48 ` David Howells
2020-03-02 15:10 ` Aleksa Sarai
2020-03-02 15:23 ` David Howells
2020-03-02 14:30 ` David Howells
2020-03-02 15:04 ` Aleksa Sarai
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87h7z7ngd4.fsf@oldenburg2.str.redhat.com \
--to=fweimer@redhat.com \
--cc=christian.brauner@ubuntu.com \
--cc=cyphar@cyphar.com \
--cc=dhowells@redhat.com \
--cc=linux-api@vger.kernel.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=metze@samba.org \
--cc=torvalds@linux-foundation.org \
--cc=viro@zeniv.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.