On Mon, Nov 3, 2014 at 7:20 AM, Al Viro <viro@xxxxxxxxxxxxxxxxxx> wrote: > On Mon, Nov 03, 2014 at 11:48:23AM +0000, David Drysdale wrote: >> Add a new O_BENEATH flag for openat(2) which restricts the >> provided path, rejecting (with -EACCES) paths that are not beneath >> the provided dfd. In particular, reject: >> - paths that contain .. components >> - paths that begin with / >> - symlinks that have paths as above. > > Yecch... The degree of usefulness aside (and I'm not convinced that it > is non-zero), This is extremely useful in conjunction with seccomp. > WTF pass one bit out of nameidata->flags in a separate argument? > Through the mutual recursion, no less... And then you are not even attempting > to detect symlinks that are not followed by interpretation of _any_ pathname. How many symlinks like that are there? Is there anything except nd_jump_link users? All of those are in /proc. Arguably O_BENEATH should prevent traversal of all of those links. --Andy -- To unsubscribe from this list: send the line "unsubscribe linux-api" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
