From: ebiederm@xmission.com (Eric W. Biederman)
To: Jeff Layton <jlayton@redhat.com>
Cc: linux-kernel@vger.kernel.org, linux-fsdevel@vger.kernel.org,
pavel@ucw.cz, Miklos Szeredi <miklos@szeredi.hu>,
Trond Myklebust <trond.myklebust@fys.uio.no>
Subject: Re: [PATCH] procfs: make /proc style symlinks behave like "normal" symlinks
Date: Thu, 19 Nov 2009 13:31:16 -0800 [thread overview]
Message-ID: <m14ooqw6aj.fsf@fess.ebiederm.org> (raw)
In-Reply-To: <20091119143555.7851953f@barsoom.rdu.redhat.com> (Jeff Layton's message of "Thu\, 19 Nov 2009 14\:35\:55 -0500")
Jeff Layton <jlayton@redhat.com> writes:
> Thanks, that makes sense. The raciness was evident once you pointed it
> out, so I think you're correct that we can't take this approach.
>
> Adding the missing revalidations is fine, but I don't believe that
> helps to fix Pavel's issue. I'll go back and take a more careful look
> at the suggestion that Miklos made and see whether it makes sense to
> implement a new FS_* flag for this, and see what it'll take to fix
> Pavel's issue.
Fundamentally today the proc/fd links are special kind of hard link,
the same kind as bind mounts and have the same issues crop up. Given
that definition there is absolutely nothing wrong their behavior.
The fact that we create the proc/fd implicitly is a little bit
surprising and the source of the concerns. So far the cost of
changing the semantics and breaking potentially valid user space
applications appears to outweigh the potential security benefit.
I can't find a reason for the missing revalidate. It is easy to get
into a state where the destination of of a proc/fd/N symlink or
a file bind mount has been deleted, and everything continues to
work. You can even open d_dropped file descriptors.
If you want confirmation just do:
$ mkdir toy
$ cd toy
$ echo 123 > f
$ touch g
$ sudo mount --bind ./f ./g
$ sleep 3000 < g &
$ child=$!
$ ls -l /proc/$child/fd/0
lr-x------ 1 eric eric 64 2009-11-19 13:27 /proc/28797/fd/0 -> /tmp/toy/g
$ rm f
$ ls -l /proc/$child/fd/0
lr-x------ 1 eric eric 64 2009-11-19 13:27 /proc/28797/fd/0 -> /tmp/toy/g (deleted)
$ cat /proc/$child/fd/0
123
$ kill $child
$ sudo umount ./g
$ cat g
$ rm g
What we can't do right now is revalidate the source of a mount as
that will make it impossible to find the vfsmount to unmount it.
Eric
next prev parent reply other threads:[~2009-11-19 21:31 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2009-11-19 13:44 [PATCH] procfs: make /proc style symlinks behave like "normal" symlinks Jeff Layton
2009-11-19 17:07 ` Eric W. Biederman
2009-11-19 18:28 ` Jeff Layton
2009-11-19 18:57 ` Eric W. Biederman
2009-11-19 19:35 ` Jeff Layton
2009-11-19 21:31 ` Eric W. Biederman [this message]
2009-11-19 21:39 ` Pavel Machek
2009-11-19 21:56 ` Eric W. Biederman
2009-11-19 22:30 ` Pavel Machek
2009-11-20 9:31 ` Miklos Szeredi
2009-11-20 9:51 ` Pavel Machek
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=m14ooqw6aj.fsf@fess.ebiederm.org \
--to=ebiederm@xmission.com \
--cc=jlayton@redhat.com \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=miklos@szeredi.hu \
--cc=pavel@ucw.cz \
--cc=trond.myklebust@fys.uio.no \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).