From: Ameer Hamza <ahamza@ixsystems.com>
To: Christian Brauner <brauner@kernel.org>
Cc: viro@zeniv.linux.org.uk, jlayton@kernel.org,
chuck.lever@oracle.com, arnd@arndb.de, guoren@kernel.org,
palmer@rivosinc.com, f.fainelli@gmail.com, slark_xiao@163.com,
linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org,
linux-arch@vger.kernel.org, awalker@ixsystems.com
Subject: Re: [PATCH] Add new open(2) flag - O_EMPTY_PATH
Date: Wed, 19 Apr 2023 06:15:29 +0500
Message-ID: <ZD9AsWMnNKJ4dpjm@hamza-pc>
In-Reply-To: <20230106130651.vxz7pjtu5gvchdgt@wittgenstein>

On Fri, Jan 06, 2023 at 02:06:51PM +0100, Christian Brauner wrote:
> On Wed, Dec 28, 2022 at 09:02:49PM +0500, Ameer Hamza wrote:
> > This patch adds a new flag O_EMPTY_PATH that allows openat and open
> > system calls to open a file referenced by fd if the path is empty,
> > and it is very similar to the FreeBSD O_EMPTY_PATH flag. This can be
> > beneficial in some cases since it would avoid having to grant /proc
> > access to things like samba containers for reopening files to change
> > flags in a race-free way.
> >
> > Signed-off-by: Ameer Hamza <ahamza@ixsystems.com>
> > ---
>
> In general this isn't a bad idea and Aleksa and I proposed this as part
> of the openat2() patchset (see [1]).
>
> However, the reason we didn't do this right away was that we concluded
> that it shouldn't be simply adding a flag. Reopening file descriptors
> through procfs is indeed very useful and is often required. But it's
> also been an endless source of subtle bugs and security holes as it
> allows reopening file descriptors with more permissions than the
> original file descriptor had.
>
> The same lax behavior should not be encoded into O_EMPTYPATH. Ideally we
> would teach O_EMPTYPATH to adhere to magic link modes by default. This
> would be tied to the idea of upgrade mask in openat2() (cf. [2]). They
> allow a caller to specify the permissions that a file descriptor may be
> reopened with at the time the fd is opened.
>
> [1]: https://lore.kernel.org/lkml/20190930183316.10190-4-cyphar@cyphar.com/
> [2]: https://lore.kernel.org/all/20220526130355.fo6gzbst455fxywy@senku/Kk

Thank you for the detailed explanation and sorry for getting back to this
late. It seems like a prerequisite for O_EMPTYPATH is to make it safe,
and that depends on a patchset that Aleksa was working on. It would be
helpful to know the current status of that effort and if we could expect
it in the near future.

The repo [1] that was mentioned here [2] seems to be private. I am wondering
if there's a way to look at the patch somehow.

[1]: https://github.com/cyphar/linux/tree/magiclink/main
[2]: https://lore.kernel.org/all/20220526130952.z5efngrnh7xtli32@senku/
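
The procfs reopen behaviour discussed in the quoted reply, shown as an added example that is not part of the original message or of any patch in this thread: a descriptor is reopened through its /proc/self/fd magic link and the access mode of the new descriptor is reported. The function name and the scratch file path are assumptions made for the demonstration; it needs Linux with /proc mounted.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/*
 * Open a scratch file with first_flags, reopen that descriptor through
 * /proc/self/fd/<n> with reopen_flags, and return the access mode
 * (O_RDONLY / O_WRONLY / O_RDWR) granted to the new descriptor.
 * Returns -1 if setup fails or the reopen is refused.
 */
int reopened_access_mode(int first_flags, int reopen_flags)
{
    char path[] = "/tmp/reopen-demo-XXXXXX"; /* constructed scratch file */
    char link[64];
    int mode = -1;

    int tmp = mkstemp(path);                 /* created with mode 0600 */
    if (tmp < 0)
        return -1;
    close(tmp);

    int fd = open(path, first_flags);
    if (fd >= 0) {
        /* The magic link resolves to the file itself, so the new open is
         * checked against the file's permissions, not the mode of fd. */
        snprintf(link, sizeof(link), "/proc/self/fd/%d", fd);
        int again = open(link, reopen_flags);
        if (again >= 0) {
            mode = fcntl(again, F_GETFL) & O_ACCMODE;
            close(again);
        }
        close(fd);
    }
    unlink(path);
    return mode;
}

int main(void)
{
    printf("O_RDONLY -> O_RDWR reopen:   %s\n",
           reopened_access_mode(O_RDONLY, O_RDWR) == O_RDWR ? "granted" : "refused");
    printf("O_PATH   -> O_RDONLY reopen: %s\n",
           reopened_access_mode(O_PATH, O_RDONLY) == O_RDONLY ? "granted" : "refused");
    return 0;
}
```

Both reopens are granted because the caller owns the file; the mode of the first descriptor places no limit on the second, which is the gap the upgrade-mask idea in the quoted reply is meant to close.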