On Thu, May 04, 2017 at 06:27:10PM -0700, Linus Torvalds wrote: > As mentioned last time, at least for the git usage, even relative > symlinks are a no-no - not because they'd escape, but simply because > git wants to see the *unique* name, and resolve relative symlinks to > either the symlink, or to the actual file it points to. > > So I think that we'd want an additional flag that says "no symlinks at all". OK, that's easily done. > And I think the "no mountpoint" traversal might be splittable too. > > Yes, sometimes you'd probably want to say "stay exactly inside this > filesystem" (like find -xdev). So no arguments against AT_XDEV that > refuses any mount traversal (kind of like my "no symlink traversal" > thing). > > But at other points you might want to just guarantee that the walk > stays below a certain starting point and doesn't escape. > > That could still allow crossing mount-points, but only if they are > non-bind mounts and cannot let us escape. > > I'm not sure if that's testable, though. This one isn't, unfortunately - there is no difference between bind and no-bind; vfsmounts form a tree and both normal mount and bind add leaves to it. Moreover, mount -t ext2 /dev/sdc7 /mnt; mount -t ext2 /dev/sdc7 /tmp/a yield the same state as mount -t ext2 /dev/sdc7; mount --bind /mnt /tmp/a. There is no way to tell the difference, simply because there *is* no difference. Moreover, either can be followed by umount /mnt and you'll get the same state as you would have after a solitary mount of the same fs on /tmp/a. Ho-hum... So: AT_BENEATH AT_XDEV AT_NO_SYMLINKS absolute pathname: EXDEV non-relative symlink: EXDEV ? ELOOP relative symlink: ELOOP .. from starting point: EXDEV .. crossing mountpoint: EXDEV crossing into mountpoint: EXDEV 1) What should AT_XDEV do about absolute symlinks? Nothing special? EXDEV? EXDEV if we are not on root? 2) What should AT_BENEATH | AT_NO_SYMLINKS do on absolute symlinks? My preference would be "AT_NO_SYMLINKS wins, ELOOP for you", but that's based mostly upon the convenience of implementation. 3) What effect should AT_NO_SYMLINKS have upon the final component? Same as AT_SYMLINK_NOFOLLOW?
