From: Christian Brauner <brauner@kernel.org>
To: Andy Lutomirski <luto@amacapital.net>
Cc: Jeff Layton <jlayton@kernel.org>,
Dorjoy Chowdhury <dorjoychy111@gmail.com>,
linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org,
linux-api@vger.kernel.org, ceph-devel@vger.kernel.org,
gfs2@lists.linux.dev, linux-nfs@vger.kernel.org,
linux-cifs@vger.kernel.org, v9fs@lists.linux.dev,
linux-kselftest@vger.kernel.org, viro@zeniv.linux.org.uk,
jack@suse.cz, chuck.lever@oracle.com, alex.aring@gmail.com,
arnd@arndb.de, adilger@dilger.ca, mjguzik@gmail.com,
smfrench@gmail.com, richard.henderson@linaro.org,
mattst88@gmail.com, linmag7@gmail.com,
tsbogend@alpha.franken.de, James.Bottomley@hansenpartnership.com,
deller@gmx.de, davem@davemloft.net, andreas@gaisler.com,
idryomov@gmail.com, amarkuze@redhat.com, slava@dubeyko.com,
agruenba@redhat.com, trondmy@kernel.org, anna@kernel.org,
sfrench@samba.org, pc@manguebit.org, ronniesahlberg@gmail.com,
sprasad@microsoft.com, tom@talpey.com, bharathsm@microsoft.com,
shuah@kernel.org, miklos@szeredi.hu, hansg@kernel.org
Subject: Re: [PATCH v5 1/4] openat2: new OPENAT2_REGULAR flag support
Date: Mon, 9 Mar 2026 09:57:54 +0100 [thread overview]
Message-ID: <20260309-umsturz-herfallen-067eb2df7ec2@brauner> (raw)
In-Reply-To: <CALCETrVt7o+7JCMfTX3Vu9PANJJgR8hB5Z2THcXzam61kG9Gig@mail.gmail.com>
On Sun, Mar 08, 2026 at 10:10:05AM -0700, Andy Lutomirski wrote:
> On Sun, Mar 8, 2026 at 4:40 AM Jeff Layton <jlayton@kernel.org> wrote:
> >
> > On Sat, 2026-03-07 at 10:56 -0800, Andy Lutomirski wrote:
> > > On Sat, Mar 7, 2026 at 6:09 AM Dorjoy Chowdhury <dorjoychy111@gmail.com> wrote:
> > > >
> > > > This flag indicates the path should be opened if it's a regular file.
> > > > This is useful to write secure programs that want to avoid being
> > > > tricked into opening device nodes with special semantics while thinking
> > > > they operate on regular files. This is a requested feature from the
> > > > uapi-group[1].
> > > >
> > >
> > > I think this needs a lot more clarification as to what "regular"
> > > means. If it's literally
> > >
> > > > A corresponding error code EFTYPE has been introduced. For example, if
> > > > openat2 is called on path /dev/null with OPENAT2_REGULAR in the flag
> > > > param, it will return -EFTYPE. EFTYPE is already used in BSD systems
> > > > like FreeBSD, macOS.
> > >
> > > I think this needs more clarification as to what "regular" means,
> > > since S_IFREG may not be sufficient. The UAPI group page says:
> > >
> > > Use-Case: this would be very useful to write secure programs that want
> > > to avoid being tricked into opening device nodes with special
> > > semantics while thinking they operate on regular files. This is
> > > particularly relevant as many device nodes (or even FIFOs) come with
> > > blocking I/O (or even blocking open()!) by default, which is not
> > > expected from regular files backed by “fast” disk I/O. Consider
> > > implementation of a naive web browser which is pointed to
> > > file://dev/zero, not expecting an endless amount of data to read.
> > >
> > > What about procfs? What about sysfs? What about /proc/self/fd/17
> > > where that fd is a memfd? What about files backed by non-"fast" disk
> > > I/O like something on a flaky USB stick or a network mount or FUSE?
> > >
> > > Are we concerned about blocking open? (open blocks as a matter of
> > > course.) Are we concerned about open having strange side effects?
> > > Are we concerned about write having strange side effects? Are we
> > > concerned about cases where opening the file as root results in
> > > elevated privilege beyond merely gaining the ability to write to that
> > > specific path on an ordinary filesystem?
I think this is opening up a barrage of question that I'm not sure are
all that useful. The ability to only open regular file isn't intended to
defend against hung FUSE or NFS servers or other random Linux
special-sauce murder-suicide file descriptor traps. For a lot of those
we have O_PATH which can easily function with the new extension. A lot
of the other special-sauce files (most anonymous inode fds) cannot even
be reopened via e.g., /proc.
next prev parent reply other threads:[~2026-03-09 8:58 UTC|newest]
Thread overview: 19+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-03-07 14:06 [PATCH v5 0/4] OPENAT2_REGULAR flag support for openat2 Dorjoy Chowdhury
2026-03-07 14:06 ` [PATCH v5 1/4] openat2: new OPENAT2_REGULAR flag support Dorjoy Chowdhury
2026-03-07 18:56 ` Andy Lutomirski
2026-03-08 6:31 ` Dorjoy Chowdhury
2026-03-08 11:40 ` Jeff Layton
2026-03-08 17:10 ` Andy Lutomirski
2026-03-09 8:57 ` Christian Brauner [this message]
2026-03-09 16:50 ` Andy Lutomirski
2026-03-09 17:39 ` Florian Weimer
2026-03-10 11:24 ` Christian Brauner
2026-03-11 4:48 ` Aleksa Sarai
2026-03-11 16:10 ` Andy Lutomirski
2026-03-12 9:37 ` Aleksa Sarai
2026-03-16 16:53 ` Jeff Layton
2026-03-16 17:22 ` Dorjoy Chowdhury
2026-03-07 14:06 ` [PATCH v5 2/4] kselftest/openat2: test for OPENAT2_REGULAR flag Dorjoy Chowdhury
2026-03-07 14:06 ` [PATCH v5 3/4] sparc/fcntl.h: convert O_* flag macros from hex to octal Dorjoy Chowdhury
2026-03-07 14:06 ` [PATCH v5 4/4] mips/fcntl.h: " Dorjoy Chowdhury
2026-03-16 16:12 ` [PATCH v5 0/4] OPENAT2_REGULAR flag support for openat2 Dorjoy Chowdhury
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260309-umsturz-herfallen-067eb2df7ec2@brauner \
--to=brauner@kernel.org \
--cc=James.Bottomley@hansenpartnership.com \
--cc=adilger@dilger.ca \
--cc=agruenba@redhat.com \
--cc=alex.aring@gmail.com \
--cc=amarkuze@redhat.com \
--cc=andreas@gaisler.com \
--cc=anna@kernel.org \
--cc=arnd@arndb.de \
--cc=bharathsm@microsoft.com \
--cc=ceph-devel@vger.kernel.org \
--cc=chuck.lever@oracle.com \
--cc=davem@davemloft.net \
--cc=deller@gmx.de \
--cc=dorjoychy111@gmail.com \
--cc=gfs2@lists.linux.dev \
--cc=hansg@kernel.org \
--cc=idryomov@gmail.com \
--cc=jack@suse.cz \
--cc=jlayton@kernel.org \
--cc=linmag7@gmail.com \
--cc=linux-api@vger.kernel.org \
--cc=linux-cifs@vger.kernel.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-kselftest@vger.kernel.org \
--cc=linux-nfs@vger.kernel.org \
--cc=luto@amacapital.net \
--cc=mattst88@gmail.com \
--cc=miklos@szeredi.hu \
--cc=mjguzik@gmail.com \
--cc=pc@manguebit.org \
--cc=richard.henderson@linaro.org \
--cc=ronniesahlberg@gmail.com \
--cc=sfrench@samba.org \
--cc=shuah@kernel.org \
--cc=slava@dubeyko.com \
--cc=smfrench@gmail.com \
--cc=sprasad@microsoft.com \
--cc=tom@talpey.com \
--cc=trondmy@kernel.org \
--cc=tsbogend@alpha.franken.de \
--cc=v9fs@lists.linux.dev \
--cc=viro@zeniv.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox