From: Jori Koolstra <jkoolstra@xs4all.nl>
To: Alexander Viro <viro@zeniv.linux.org.uk>,
Christian Brauner <brauner@kernel.org>, Jan Kara <jack@suse.cz>,
Jeff Layton <jlayton@kernel.org>,
Chuck Lever <chuck.lever@oracle.com>,
Alexander Aring <alex.aring@gmail.com>,
Arnd Bergmann <arnd@arndb.de>,
gregkh@linuxfoundation.org
Cc: Jori Koolstra <jkoolstra@xs4all.nl>,
Andrew Morton <akpm@linux-foundation.org>,
"Liam R . Howlett" <Liam.Howlett@oracle.com>,
Mike Rapoport <rppt@kernel.org>,
David Hildenbrand <david@redhat.com>,
Lorenzo Stoakes <ljs@kernel.org>,
zhang jiao <zhangjiao2@cmss.chinamobile.com>,
Kees Cook <kees@kernel.org>,
Penglei Jiang <superman.xpt@gmail.com>,
Ethan Tidmore <ethantidmore06@gmail.com>,
Oleg Nesterov <oleg@redhat.com>,
Suren Baghdasaryan <surenb@google.com>,
Vlastimil Babka <vbabka@kernel.org>,
wangzijie <wangzijie1@honor.com>, NeilBrown <neil@brown.name>,
Amir Goldstein <amir73il@gmail.com>,
Mateusz Guzik <mjguzik@gmail.com>,
linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org,
linux-arch@vger.kernel.org
Subject: [RFC PATCH 0/1] vfs: transitive upgrade restrictions for fds
Date: Mon, 23 Mar 2026 23:00:21 +0100 [thread overview]
Message-ID: <20260323220029.765874-1-jkoolstra@xs4all.nl> (raw)
Add upgrade restrictions to openat2(). Extend struct open_how to allow
setting transitive restrictions on using file descriptors to open other
files. A use case for this feature is to block services or containers
from re-opening/upgrading an O_PATH file descriptor through e.g.
/proc/<pid>/fd/<nr> or OPENAT2_EMPTY_PATH (if upstreamed) as O_WRONLY.
The implementation idea is this: magic paths like /proc/<pid>/fd/<nr>
(currently the only one of its sort AFAIK) go through nd_jump_link() to
hard set current->nameidata. To include information about the fd
yielding the magic link, we add a new struct jump_how as a parameter.
This struct may include restictions or other metadata attached to the
magic link jump other than the struct path to jump to. So far it has
only one unsigned int field: allowed_upgrades. This is a flag int that
(for now) may be either READ_UPGRADABLE, WRITE_UPGRADABLE, or
DENY_UPGRADES.
The idea is that you can restrict what kind of open flags may be used
to open files in any way using this fd as a starting point
(transitively). The check is enforced in may_open_upgrade(), which is
just the old may_open() with an extra test. To keep this state attached
to the fds, we add a field f_allowed_upgrades to struct file. Then
in do_open(), after success, we compute:
file->f_allowed_upgrades =
op->allowed_upgrades & nd->allowed_upgrades;
where op is the struct open_flags that is build from open_how in
build_open_flags(), and nd->allowed_upgrades is set during path
traversal either in path_init() or nd_jump_link().
The implementation and the idea are a bit rough; it is the first bit of
less trivial work I have done on the kernel, hence the RFC status. I did
create some self tests already which this patch passes, and nothing
seems to break on a fresh vng kernel. But obviously there may be MANY
things I am overlooking.
The original idea for this features comes form the UAPI group kernel
feature idea list [1].
[1] https://github.com/uapi-group/kernel-features?tab=readme-ov-file#upgrade-masks-in-openat2
Jori Koolstra (1):
vfs: transitive upgrade restrictions for fds
fs/file_table.c | 2 ++
fs/internal.h | 1 +
fs/namei.c | 38 ++++++++++++++++++++++++++++----
fs/open.c | 9 ++++++++
fs/proc/base.c | 24 ++++++++++++++------
fs/proc/fd.c | 6 ++++-
fs/proc/internal.h | 4 +++-
include/linux/fcntl.h | 6 ++++-
include/linux/fs.h | 1 +
include/linux/namei.h | 15 ++++++++++++-
include/uapi/asm-generic/fcntl.h | 4 ++++
include/uapi/linux/openat2.h | 1 +
12 files changed, 96 insertions(+), 15 deletions(-)
--
2.53.0
next reply other threads:[~2026-03-23 22:00 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-03-23 22:00 Jori Koolstra [this message]
2026-03-23 22:00 ` [PATCH] vfs: transitive upgrade restrictions for fds Jori Koolstra
2026-03-24 8:41 ` Christian Brauner
2026-03-24 14:37 ` Greg KH
2026-03-26 11:09 ` Jori Koolstra
2026-03-26 15:32 ` Greg KH
2026-03-24 12:31 ` [RFC PATCH 0/1] " Jeff Layton
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260323220029.765874-1-jkoolstra@xs4all.nl \
--to=jkoolstra@xs4all.nl \
--cc=Liam.Howlett@oracle.com \
--cc=akpm@linux-foundation.org \
--cc=alex.aring@gmail.com \
--cc=amir73il@gmail.com \
--cc=arnd@arndb.de \
--cc=brauner@kernel.org \
--cc=chuck.lever@oracle.com \
--cc=david@redhat.com \
--cc=ethantidmore06@gmail.com \
--cc=gregkh@linuxfoundation.org \
--cc=jack@suse.cz \
--cc=jlayton@kernel.org \
--cc=kees@kernel.org \
--cc=linux-arch@vger.kernel.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=ljs@kernel.org \
--cc=mjguzik@gmail.com \
--cc=neil@brown.name \
--cc=oleg@redhat.com \
--cc=rppt@kernel.org \
--cc=superman.xpt@gmail.com \
--cc=surenb@google.com \
--cc=vbabka@kernel.org \
--cc=viro@zeniv.linux.org.uk \
--cc=wangzijie1@honor.com \
--cc=zhangjiao2@cmss.chinamobile.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox