From: Christian Brauner <brauner@kernel.org>
To: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Christoph Hellwig <hch@lst.de>,
Florian Weimer <fweimer@redhat.com>,
Aleksa Sarai <cyphar@cyphar.com>,
linux-fsdevel@vger.kernel.org, Al Viro <viro@zeniv.linux.org.uk>,
stable@vger.kernel.org
Subject: Re: [PATCH] attr: block mode changes of symlinks
Date: Wed, 12 Jul 2023 19:56:15 +0200 [thread overview]
Message-ID: <20230712-kresse-getragen-736c8d675979@brauner> (raw)
In-Reply-To: <CAHk-=whypK=-91QfDpd3PWwazx35iWT=ooKLxhbeTAwJL_WXVg@mail.gmail.com>
On Wed, Jul 12, 2023 at 09:24:43AM -0700, Linus Torvalds wrote:
> On Wed, 12 Jul 2023 at 02:56, Christian Brauner <brauner@kernel.org> wrote:
> >
> > Changing the mode of symlinks is meaningless as the vfs doesn't take the
> > mode of a symlink into account during path lookup permission checking.
>
> Hmm. I have this dim memory that we actually used to do that as an
> extension at one point for the symlinks in /proc. Long long ago.
If we block it properly now. We could - crazy talk on my side now:
through a sysctl like the weird sysctl sysctl_protected_* stuff we have
already - later implement taking the mode of symlinks into account
properly. I'm not saying we should nor that it's wise but it would be
doable.
>
> Or maybe it was just a potential plan.
>
> Because at least in /proc, the symlinks *do* have protection semantics
> (ie you can't do readlink() on them or follow them without the right
> permissions.
>
> That said, blocking the mode setting sounds fine, because the proc
> permissions are basically done separately.
>
> However:
>
> > if ((ia_valid & ATTR_MODE)) {
> > + if (S_ISLNK(inode->i_mode))
> > + return -EOPNOTSUPP;
> > +
> > umode_t amode = attr->ia_mode;
>
> The above is not ok. It might compile these days because we have to
> allow statements before declarations for other reasons, but that
> doesn't make it ok.
Sorry, I completely missed that. I miss the days when that would've
thrown a compile error right away. Let me send a v2 right now.
next prev parent reply other threads:[~2023-07-12 17:56 UTC|newest]
Thread overview: 13+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-07-12 9:56 [PATCH] attr: block mode changes of symlinks Christian Brauner
2023-07-12 16:21 ` Greg KH
2023-07-12 17:58 ` Christian Brauner
2023-07-12 16:24 ` Linus Torvalds
2023-07-12 17:56 ` Christian Brauner [this message]
-- strict thread matches above, loose matches on Subject: below --
2023-10-18 18:34 Jesse Hathaway
2023-10-18 18:40 ` Greg KH
2023-10-18 18:49 ` Jesse Hathaway
2023-10-18 19:09 ` Greg KH
2023-10-20 8:34 ` Linux regression tracking (Thorsten Leemhuis)
2023-10-20 11:01 ` Christian Brauner
2023-10-20 13:26 ` Giuseppe Scrivano
2023-10-20 14:25 ` Greg KH
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20230712-kresse-getragen-736c8d675979@brauner \
--to=brauner@kernel.org \
--cc=cyphar@cyphar.com \
--cc=fweimer@redhat.com \
--cc=hch@lst.de \
--cc=linux-fsdevel@vger.kernel.org \
--cc=stable@vger.kernel.org \
--cc=torvalds@linux-foundation.org \
--cc=viro@zeniv.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox