On Tue, Sep 24, 2019 at 10:22:29PM +0200, Christian Brauner wrote:
> On Tue, Sep 24, 2019 at 10:01:41PM +0200, Jann Horn wrote:
> > Mmh... but if the file descriptor has been passed through a privilege
> > boundary, it isn't really clear whether the original opener of the
> > file intended for this to be possible. For example, if (as a
> > hypothetical example) the init process opens a service's logfile with
> > root privileges, then passes the file descriptor to that logfile to
> > the service on execve(), that doesn't mean that the service should be
> > able to perform compressed writes into that file, I think.
>
> I think we should even generalize this: for most new properties a given
> file descriptor can carry we would want it to be explicitly enabled such
> that passing the fd around amounts to passing that property around. At
> least as soon as we consider it to be associated with some privilege
> boundary. I don't think we have done this generally. But I would very
> much support moving to such a model.

I think you've got this right. This needs to be an fcntl() flag, which is
only settable by root.

Now, should it be an O_ flag, modifiable by F_SETFL, or should it be a new
F_ flag?
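The fd-inheritance behaviour the thread is weighing, shown as an added example that is not part of the original thread and not code from any of its authors. It assumes a Linux/POSIX fcntl(): an O_ status flag set with F_SETFL lives on the open file description, so a dup()'d descriptor (and, by the same mechanism, one inherited across fork()/execve() or passed over a UNIX socket with SCM_RIGHTS) sees it too, whereas an FD_ flag set with F_SETFD is private to each descriptor. That difference is exactly what decides whether a new property rides along when the fd crosses a privilege boundary.

```c
#include <fcntl.h>
#include <unistd.h>
#include <stdio.h>

/* Added example, not from the thread. Both helpers open /dev/null and dup()
 * the descriptor so that two fds share ONE open file description, then probe
 * whether a flag set through one fd is observable through the other.
 * Assumes Linux/POSIX fcntl() semantics. */

/* Returns 1 if an O_ status flag set with F_SETFL on fd a is visible through
 * the dup()'d fd b (flag belongs to the open file description), 0 if it is
 * not, -1 on error. */
int status_flag_is_shared(void)
{
    int result = -1;
    int a = open("/dev/null", O_RDWR);
    if (a < 0)
        return -1;
    int b = dup(a);
    if (b < 0) {
        close(a);
        return -1;
    }

    int fl = fcntl(a, F_GETFL);
    if (fl >= 0 && fcntl(a, F_SETFL, fl | O_APPEND) == 0) {
        int fl_b = fcntl(b, F_GETFL);
        if (fl_b >= 0)
            result = (fl_b & O_APPEND) ? 1 : 0;
    }
    close(a);
    close(b);
    return result;
}

/* Returns 1 if an FD_ flag set with F_SETFD on fd a is NOT visible through
 * the dup()'d fd b (flag belongs to the descriptor, not the description),
 * 0 if it leaked across, -1 on error. */
int descriptor_flag_is_private(void)
{
    int result = -1;
    int a = open("/dev/null", O_RDWR);
    if (a < 0)
        return -1;
    int b = dup(a);
    if (b < 0) {
        close(a);
        return -1;
    }

    if (fcntl(a, F_SETFD, FD_CLOEXEC) == 0) {
        int fd_b = fcntl(b, F_GETFD);
        if (fd_b >= 0)
            result = (fd_b & FD_CLOEXEC) ? 0 : 1;
    }
    close(a);
    close(b);
    return result;
}

int main(void)
{
    printf("O_ flag set via F_SETFL visible on dup'd fd: %d\n",
           status_flag_is_shared());
    printf("FD_ flag set via F_SETFD private to each fd: %d\n",
           descriptor_flag_is_private());
    return 0;
}
```

Read against the thread: a property implemented as an O_ flag toggled through F_SETFL would follow the logfile descriptor from init into the service in Jann's scenario, because every holder of that open file description shares it; state kept per descriptor, the way F_SETFD keeps FD_CLOEXEC, would not. Which of the two the new fcntl() command should use is the question the last message asks.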