On 2018-11-23, Andy Lutomirski <luto@xxxxxxxxxx> wrote: > > On Nov 23, 2018, at 5:10 AM, Jürg Billeter <j@xxxxxxxxx> wrote: > > > > Hi Aleksa, > > > >> On Tue, 2018-11-13 at 01:26 +1100, Aleksa Sarai wrote: > >> * O_BENEATH: Disallow "escapes" from the starting point of the > >> filesystem tree during resolution (you must stay "beneath" the > >> starting point at all times). Currently this is done by disallowing > >> ".." and absolute paths (either in the given path or found during > >> symlink resolution) entirely, as well as all "magic link" jumping. > > > > With open_tree(2) and OPEN_TREE_CLONE, will O_BENEATH still be > > necessary? > > This discussion reminds me of something I’m uncomfortable with in the > current patches: currently, most of the O_ flags determine some > property of the returned opened file. The new O_ flags you're adding > don't -- instead, they affect the lookup of the file. So O_BENEATH > doesn't return a descriptor that can only be used to loop up files > beneath it -- it just controls whether open(2) succeeds or fails. It > might be nice for the naming of the flags to reflect this. I agree that there is something quite weird about having path resolution flags in an *open* syscall. The main reason why it's linked to open is because that's the only way to get O_PATH descriptors (which is what you would use for most of the extended operations we need -- as well as reading+writing to files which is what most users would do with this). And I think O_PATH is another example of an open flag that is just odd in how it changes the semantics of using open(2). One of the ideas I pitched in an earlier mail was a hypothetical resolveat(2) -- which would just be a new way of getting an O_PATH descriptor. This way, we wouldn't be using up more O_* flag bits with this feature and we'd be able to play with more radical semantic changes in the future. I can outline these here if you like, but it's a bit of a long discussion and I'd prefer not to derail things too much if resolveat(2) is definitely out of the question. > I also don't love that we have some magic AT_ flags that work with > some syscalls and some magic O_ flags that work with others. I also completely agree. I think that we should have a discussion about the long-term plan of syscall flags because it's starting to get a little bit crazy: * Every "get an fd" syscall has its own brand of O_CLOEXEC. Thankfully, many of them use the same value (except for memfd_create(2) and a few other examples). * AT_* was supposed to be generic across all *at(2) syscalls, but there are several cases where this isn't really true anymore. * renameat2(2) only supports RENAME_* flags. * openat(2) supports only O_* flags. * Most AT_* flags have O_* counterparts (or are even more of a mess such as with {AT_SYMLINK_FOLLOW,AT_SYMLINK_NOFOLLOW,O_NOFOLLOW}). * statx(2) added AT_STATX_* flags, making AT_* no longer generic. (Also I just want to mention something I noticed while writing this patch -- openat(2) violates one of the kernel "golden rules" -- that you reject unknown flags. openat(2) will silently ignore unknown flag bits. I'm sure there's a really good reason for this, but it's another flag oddity that I felt fit here.) -- Aleksa Sarai Senior Software Engineer (Containers) SUSE Linux GmbH <https://www.cyphar.com/>
Attachment:
signature.asc
Description: PGP signature