Sorry, I could've sworn I responded when you posted this -- comments below. And sorry for not getting back to you before the 5.06 release. On 2020-04-01, Michael Kerrisk (man-pages) <mtk.manpages@xxxxxxxxx> wrote: > On 3/31/20 4:39 PM, Aleksa Sarai wrote: > > On 2020-03-30, Michael Kerrisk (man-pages) <mtk.manpages@xxxxxxxxx> wrote: > >> On 2/2/20 4:19 PM, Aleksa Sarai wrote: > >>> Rather than trying to merge the new syscall documentation into open.2 > >>> (which would probably result in the man-page being incomprehensible), > >>> instead the new syscall gets its own dedicated page with links between > >>> open(2) and openat2(2) to avoid duplicating information such as the list > >>> of O_* flags or common errors. > >>> > >>> In addition to describing all of the key flags, information about the > >>> extensibility design is provided so that users can better understand why > >>> they need to pass sizeof(struct open_how) and how their programs will > >>> work across kernels. After some discussions with David Laight, I also > >>> included explicit instructions to zero the structure to avoid issues > >>> when recompiling with new headers. > >>> > >>> Signed-off-by: Aleksa Sarai <cyphar@xxxxxxxxxx> > >> > >> Thanks. I've applied this patch, but also done quite a lot of > >> editing of the page. The current draft is below (and also pushed > >> to Git). Could I ask you to review the page, to see if I injected > >> any error during my edits. > > > > Looks good to me. > > > >> In addition, I've added a number of FIXMEs in comments > >> in the page source. Can you please check these, and let me > >> know your thoughts. > > > > Will do, see below. > > > >> .\" FIXME I find the "previously-functional systems" in the previous > >> .\" sentence a little odd (since openat2() ia new sysycall), so I would > >> .\" like to clarify a little... > >> .\" Are you referring to the scenario where someone might take an > >> .\" existing application that uses openat() and replaces the uses > >> .\" of openat() with openat2()? In which case, is it correct to > >> .\" understand that you mean that one should not just indiscriminately > >> .\" add the RESOLVE_NO_XDEV flag to all of the openat2() calls? > >> .\" If I'm not on the right track, could you point me in the right > >> .\" direction please. > > > > This is mostly meant as a warning to hopefully avoid applications > > because the developer didn't realise that system paths may contain > > symlinks or bind-mounts. For an application which has switched to > > openat2() and then uses RESOLVE_NO_SYMLINKS for a non-security reason, > > it's possible that on some distributions (or future versions of a > > distribution) that their application will stop working because a system > > path suddenly contains a symlink or is a bind-mount. > > > > This was a concern which was brought up on LWN some time ago. If you can > > think of a phrasing that makes this more clear, I'd appreciate it. > > Thanks. I've made the text: > > Applications that employ the RESOLVE_NO_XDEV flag > are encouraged to make its use configurable (unless > it is used for a specific security purpose), as bind > mounts are widely used by end-users. Setting this > flag indiscriminately—i.e., for purposes not specif‐ > ically related to security—for all uses of openat2() > may result in spurious errors on previously-func‐ > tional systems. This may occur if, for example, a > system pathname that is used by an application is > modified (e.g., in a new distribution release) so > that a pathname component (now) contains a bind > mount. > > Okay? Yup, and the same text should be used for the same warning I gave for RESOLVE_NO_SYMLINKS (for the same reason, because system paths may switch to symlinks -- the prime example being what Arch Linux did several years ago). > >> .\" FIXME: what specific details in symlink(7) are being referred > >> .\" by the following sentence? It's not clear. > > > > The section on magic-links, but you're right that the sentence ordering > > is a bit odd. It should probably go after the first sentence. > > I must admit that I'm still confused. There's only the briefest of > mentions of magic links in symlink(7). Perhaps that needs to be fixed? It wouldn't hurt to add a longer description of magic-links in symlink(7). I'll send you a small patch to beef up the description (I had planned to include a longer rewrite with the O_EMPTYPATH patches but those require quite a bit more work to land). > And, while I think of it, the text just preceding that FIXME says: > > Due to the potential danger of unknowingly opening > these magic links, it may be preferable for users to > disable their resolution entirely. > > This sentence reads a little strangely. Could you please give me some > concrete examples, and I will try rewording that sentence a bit. The primary example is that certain files (such as tty devices) are best not opened by an unsuspecting program (if you do not have a controlling TTY, and you open such a file that console becomes your controlling TTY unless you use O_NOCTTY). But more generally, magic-links allow programs to be "beamed" all over the system (bypassing ordinary mount namespace restrictions). Since they are fairly rarely used intentionally by most programs, this is more of a tip to programmers that maybe they should play it safe and disallow magic-links unless they are expecting to have to use them. > >> .\" FIXME I found the following hard to understand (in particular, the > >> .\" meaning of "scoped" is unclear) , and reworded as below. Is it okay? > >> .\" Absolute symbolic links and ".." path components will be scoped to > >> .\" .IR dirfd . > > > > Scoped does broadly mean "interpreted relative to", though the > > difference is mainly that when I said scoped it's meant to be more of an > > assertive claim ("the kernel promises to always treat this path inside > > dirfd"). But "interpreted relative to" is a clearer way of phrasing the > > semantics, so I'm okay with this change. > > Okay. > > >> .\" FIXME The next piece is unclear (to me). What kind of ".." escape > >> .\" attempts does chroot() not detect that RESOLVE_IN_ROOT does? > > > > If the root is moved, you can escape from a chroot(2). But this sentence > > might not really belong in a man-page since it's describing (important) > > aspects of the implementation and not the semantics. > > So, should I just remove the sentence? Yup, sounds reasonable. -- Aleksa Sarai Senior Software Engineer (Containers) SUSE Linux GmbH <https://www.cyphar.com/>
Attachment:
signature.asc
Description: PGP signature