From: Aleksa Sarai <cyphar@cyphar.com>
To: Christian Brauner <brauner@kernel.org>
Cc: Andy Lutomirski <luto@amacapital.net>,
Jeff Layton <jlayton@kernel.org>,
Dorjoy Chowdhury <dorjoychy111@gmail.com>,
linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org,
linux-api@vger.kernel.org, ceph-devel@vger.kernel.org,
gfs2@lists.linux.dev, linux-nfs@vger.kernel.org,
linux-cifs@vger.kernel.org, v9fs@lists.linux.dev,
linux-kselftest@vger.kernel.org, viro@zeniv.linux.org.uk,
jack@suse.cz, chuck.lever@oracle.com, alex.aring@gmail.com,
arnd@arndb.de, adilger@dilger.ca, mjguzik@gmail.com,
smfrench@gmail.com, richard.henderson@linaro.org,
mattst88@gmail.com, linmag7@gmail.com, tsbogend@alpha.franken.de,
James.Bottomley@hansenpartnership.com, deller@gmx.de,
davem@davemloft.net, andreas@gaisler.com, idryomov@gmail.com,
amarkuze@redhat.com, slava@dubeyko.com, agruenba@redhat.com,
trondmy@kernel.org, anna@kernel.org, sfrench@samba.org,
pc@manguebit.org, ronniesahlberg@gmail.com,
sprasad@microsoft.com, tom@talpey.com, bharathsm@microsoft.com,
shuah@kernel.org, miklos@szeredi.hu, hansg@kernel.org
Subject: Re: [PATCH v5 1/4] openat2: new OPENAT2_REGULAR flag support
Date: Wed, 11 Mar 2026 13:48:47 +0900 [thread overview]
Message-ID: <2026-03-11-regular-sore-census-shops-DqYcUT@cyphar.com> (raw)
In-Reply-To: <20260309-umsturz-herfallen-067eb2df7ec2@brauner>
[-- Attachment #1: Type: text/plain, Size: 2709 bytes --]
On 2026-03-09, Christian Brauner <brauner@kernel.org> wrote:
> > > On Sat, 2026-03-07 at 10:56 -0800, Andy Lutomirski wrote:
> > > > I think this needs more clarification as to what "regular" means,
> > > > since S_IFREG may not be sufficient. The UAPI group page says:
> > > >
> > > > Use-Case: this would be very useful to write secure programs that want
> > > > to avoid being tricked into opening device nodes with special
> > > > semantics while thinking they operate on regular files. This is
> > > > particularly relevant as many device nodes (or even FIFOs) come with
> > > > blocking I/O (or even blocking open()!) by default, which is not
> > > > expected from regular files backed by “fast” disk I/O. Consider
> > > > implementation of a naive web browser which is pointed to
> > > > file://dev/zero, not expecting an endless amount of data to read.
> > > >
> > > > What about procfs? What about sysfs? What about /proc/self/fd/17
> > > > where that fd is a memfd? What about files backed by non-"fast" disk
> > > > I/O like something on a flaky USB stick or a network mount or FUSE?
> > > >
> > > > Are we concerned about blocking open? (open blocks as a matter of
> > > > course.) Are we concerned about open having strange side effects?
> > > > Are we concerned about write having strange side effects? Are we
> > > > concerned about cases where opening the file as root results in
> > > > elevated privilege beyond merely gaining the ability to write to that
> > > > specific path on an ordinary filesystem?
>
> I think this is opening up a barrage of question that I'm not sure are
> all that useful. The ability to only open regular file isn't intended to
> defend against hung FUSE or NFS servers or other random Linux
> special-sauce murder-suicide file descriptor traps. For a lot of those
> we have O_PATH which can easily function with the new extension. A lot
> of the other special-sauce files (most anonymous inode fds) cannot even
> be reopened via e.g., /proc.
Indeed, I see OPENAT2_REGULAR as a way of optimising the tedious checks
that userspace does using O_PATH+/proc/self/fd/$n re-opening when
dealing with regular files.
For the problem of stuck NFS handles and so on, an idea I've had on my
backlog for a long time was RESOLVE_NO_REMOTE that would block those
kinds of things. IMHO it doesn't make sense to block those things with
an O_* flag because (especially in the NFS example) directory components
can also cause the syscall to block indefinitely and so RESOLVE_* flags
make more sense for this anyway. But in my mind this is a separate
problem to OPENAT2_REGULAR.
--
Aleksa Sarai
https://www.cyphar.com/
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 265 bytes --]
next prev parent reply other threads:[~2026-03-11 4:49 UTC|newest]
Thread overview: 19+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-03-07 14:06 [PATCH v5 0/4] OPENAT2_REGULAR flag support for openat2 Dorjoy Chowdhury
2026-03-07 14:06 ` [PATCH v5 1/4] openat2: new OPENAT2_REGULAR flag support Dorjoy Chowdhury
2026-03-07 18:56 ` Andy Lutomirski
2026-03-08 6:31 ` Dorjoy Chowdhury
2026-03-08 11:40 ` Jeff Layton
2026-03-08 17:10 ` Andy Lutomirski
2026-03-09 8:57 ` Christian Brauner
2026-03-09 16:50 ` Andy Lutomirski
2026-03-09 17:39 ` Florian Weimer
2026-03-10 11:24 ` Christian Brauner
2026-03-11 4:48 ` Aleksa Sarai [this message]
2026-03-11 16:10 ` Andy Lutomirski
2026-03-12 9:37 ` Aleksa Sarai
2026-03-16 16:53 ` Jeff Layton
2026-03-16 17:22 ` Dorjoy Chowdhury
2026-03-07 14:06 ` [PATCH v5 2/4] kselftest/openat2: test for OPENAT2_REGULAR flag Dorjoy Chowdhury
2026-03-07 14:06 ` [PATCH v5 3/4] sparc/fcntl.h: convert O_* flag macros from hex to octal Dorjoy Chowdhury
2026-03-07 14:06 ` [PATCH v5 4/4] mips/fcntl.h: " Dorjoy Chowdhury
2026-03-16 16:12 ` [PATCH v5 0/4] OPENAT2_REGULAR flag support for openat2 Dorjoy Chowdhury
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=2026-03-11-regular-sore-census-shops-DqYcUT@cyphar.com \
--to=cyphar@cyphar.com \
--cc=James.Bottomley@hansenpartnership.com \
--cc=adilger@dilger.ca \
--cc=agruenba@redhat.com \
--cc=alex.aring@gmail.com \
--cc=amarkuze@redhat.com \
--cc=andreas@gaisler.com \
--cc=anna@kernel.org \
--cc=arnd@arndb.de \
--cc=bharathsm@microsoft.com \
--cc=brauner@kernel.org \
--cc=ceph-devel@vger.kernel.org \
--cc=chuck.lever@oracle.com \
--cc=davem@davemloft.net \
--cc=deller@gmx.de \
--cc=dorjoychy111@gmail.com \
--cc=gfs2@lists.linux.dev \
--cc=hansg@kernel.org \
--cc=idryomov@gmail.com \
--cc=jack@suse.cz \
--cc=jlayton@kernel.org \
--cc=linmag7@gmail.com \
--cc=linux-api@vger.kernel.org \
--cc=linux-cifs@vger.kernel.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-kselftest@vger.kernel.org \
--cc=linux-nfs@vger.kernel.org \
--cc=luto@amacapital.net \
--cc=mattst88@gmail.com \
--cc=miklos@szeredi.hu \
--cc=mjguzik@gmail.com \
--cc=pc@manguebit.org \
--cc=richard.henderson@linaro.org \
--cc=ronniesahlberg@gmail.com \
--cc=sfrench@samba.org \
--cc=shuah@kernel.org \
--cc=slava@dubeyko.com \
--cc=smfrench@gmail.com \
--cc=sprasad@microsoft.com \
--cc=tom@talpey.com \
--cc=trondmy@kernel.org \
--cc=tsbogend@alpha.franken.de \
--cc=v9fs@lists.linux.dev \
--cc=viro@zeniv.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox