* Re: [PATCH 01/11] fs: add O_BENEATH_ONLY flag to openat(2)

From: Christoph Hellwig @ 2014-07-08 12:07 UTC
To: Andy Lutomirski
Cc: David Drysdale, Al Viro, LSM List, Greg Kroah-Hartman, James Morris, Kees Cook, Linux API, Meredydd Luff, linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org, linux-man-u79uwXL29TY76Z2rM5mHXA

On Mon, Jun 30, 2014 at 08:53:01AM -0700, Andy Lutomirski wrote:
> > Wouldn't it need to be both O_BENEATH_ONLY (for openat()) and
> > AT_BENEATH_ONLY (for other *at() functions), like O_NOFOLLOW and
> > AT_SYMLINK_NOFOLLOW? (I.e. aren't the AT_* flags in a different
> > numbering space than O_* flags?)
> >
> > Or am I misunderstanding?
>
> Ugh, you're probably right. I wish openat had separate flags and
> atflags arguments. Oh well.

There are two different AT_* namespaces: the flags that most *at syscalls have, and the one for the dfd argument, which currently only contains AT_FDCWD, although a new constant has recently been proposed for it.

Having an AT_BENEATH magic value for the dfd argument certainly feels elegant to me, but seems to be against the language for openat in POSIX:

"The openat() function shall be equivalent to the open() function except in the case where path specifies a relative path. In this case the file to be opened is determined relative to the directory associated with the file descriptor fd instead of the current working directory. If the file descriptor was opened without O_SEARCH, the function shall check whether directory searches are permitted using the current permissions of the directory underlying the file descriptor. If the file descriptor was opened with O_SEARCH, the function shall not perform the check.

The oflag parameter and the optional fourth parameter correspond exactly to the parameters of open(). If openat() is passed the special value AT_FDCWD in the fd parameter, the current working directory shall be used and the behavior shall be identical to a call to open()."
* Re: [PATCH 01/11] fs: add O_BENEATH_ONLY flag to openat(2)

From: Meredydd Luff @ 2014-07-08 12:48 UTC
To: Christoph Hellwig
Cc: Andy Lutomirski, David Drysdale, Al Viro, LSM List, Greg Kroah-Hartman, James Morris, Kees Cook, Linux API, linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org, linux-man-u79uwXL29TY76Z2rM5mHXA

On 8 July 2014 13:07, Christoph Hellwig <hch-wEGCiKHe2LqWVfeAwA7xHQ@public.gmane.org> wrote:
> There are two different AT_* namespaces: the flags that most *at syscalls
> have, and the one for the dfd argument, which currently only contains
> AT_FDCWD, although a new constant has recently been proposed for it.
>
> Having an AT_BENEATH magic value for the dfd argument certainly feels
> elegant to me

How would that work? The directory beneath which openat is looking is conveyed in the dfd argument itself. If I'm understanding this right, you'd have to pass a different value for "open relative to fd#5" and "open relative to fd#5, but beneath it only", which doesn't sound hugely elegant to me.

Meredydd
* Re: [PATCH 01/11] fs: add O_BENEATH_ONLY flag to openat(2)

From: Christoph Hellwig @ 2014-07-08 12:51 UTC
To: Meredydd Luff
Cc: Christoph Hellwig, Andy Lutomirski, David Drysdale, Al Viro, LSM List, Greg Kroah-Hartman, James Morris, Kees Cook, Linux API, linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org, linux-man-u79uwXL29TY76Z2rM5mHXA

On Tue, Jul 08, 2014 at 01:48:27PM +0100, Meredydd Luff wrote:
> How would that work? The directory beneath which openat is looking is
> conveyed in the dfd argument itself. If I'm understanding this right,
> you'd have to pass a different value for "open relative to fd#5" and
> "open relative to fd#5, but beneath it only", which doesn't sound
> hugely elegant to me.

Yeah, it won't work for an explicit directory - I was thinking of working relative to $CWD.
* Re: [PATCH 01/11] fs: add O_BENEATH_ONLY flag to openat(2)

From: Meredydd Luff @ 2014-07-08 13:04 UTC
To: Christoph Hellwig
Cc: Andy Lutomirski, David Drysdale, Al Viro, LSM List, Greg Kroah-Hartman, James Morris, Kees Cook, Linux API, linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org, linux-man

On 8 July 2014 13:51, Christoph Hellwig <hch-wEGCiKHe2LqWVfeAwA7xHQ@public.gmane.org> wrote:
> Yeah, it won't work for an explicit directory - I was thinking of
> working relative to $CWD.

I think that would sacrifice far too much flexibility. Even without Capsicum, it would be worthwhile to be able to wire up a static seccomp-bpf filter to enforce constraints such as "you can open files under fd#5 for reading, but you can only write to files under fd#6, and you can't do any global lookups."

Meredydd
* Re: [PATCH 01/11] fs: add O_BENEATH_ONLY flag to openat(2)

From: Christoph Hellwig @ 2014-07-08 13:12 UTC
To: Meredydd Luff
Cc: Christoph Hellwig, Andy Lutomirski, David Drysdale, Al Viro, LSM List, Greg Kroah-Hartman, James Morris, Kees Cook, Linux API, linux-kernel@vger.kernel.org, linux-man

On Tue, Jul 08, 2014 at 02:04:45PM +0100, Meredydd Luff wrote:
> On 8 July 2014 13:51, Christoph Hellwig <hch@infradead.org> wrote:
> > Yeah, it won't work for an explicit directory - I was thinking of
> > working relative to $CWD.
>
> I think that would sacrifice far too much flexibility. Even without
> Capsicum, it would be worthwhile to be able to wire up a static
> seccomp-bpf filter to enforce constraints such as "you can open files
> under fd#5 for reading, but you can only write to files under fd#6,
> and you can't do any global lookups."

Yeah, I didn't intend to advocate this further after your reply.