On Thu, Apr 25, 2019 at 01:38:06AM +1000, Aleksa Sarai wrote: > * openat(2) ignores unknown flags, meaning that old kernels will ignore > new programs trying to use O_THISROOT and might end up causing > security issues. Yes, it'd be trivial to check whether the new O_* > flags are supported at start-up, but I think a security feature > shouldn't have a foot-gun associated with it. In fact, I didn't know > openat(2) ignored unknown flags until I wrote this patchset -- I > doubt many other userspace developers do either. For this reason, I propose every new syscall that has flags to follow a bitmask scheme, where any flag assigned a bit in the upper half returns EOPNOTSUPP when called on an old kernel. That would allow defining which flags can be safely ignored and which can't. It otherwise takes major hacks to implement a fail-if-not-supported flag while keeping compat with old kernels. For example, for mmap(), MAP_SHARED has been duplicated as MAP_SHARED_VALIDATE just to allow an unrelated flag (MAP_SYNC) to fail on old kernels. Meow! -- ⢀⣴⠾⠻⢶⣦⠀ ⣾⠁⢰⠒⠀⣿⡁ Imagine there are bandits in your house, your kid is bleeding out, ⢿⡄⠘⠷⠚⠋⠀ the house is on fire, and seven giant trumpets are playing in the ⠈⠳⣄⠀⠀⠀⠀ sky. Your cat demands food. The priority should be obvious...
