On Thu, Apr 8, 2021 at 3:45 PM Dmitry Kadashev <dkadashev@xxxxxxxxx> wrote:
>
> On Tue, Mar 30, 2021 at 2:17 PM Christian Brauner
> <christian.brauner@xxxxxxxxxx> wrote:
> > The only thing that is a bit unpleasant here is that this change
> > breaks the consistency between the creation helpers:
> >
> > do_mkdirat()
> > do_symlinkat()
> > do_linkat()
> > do_mknodat()
> >
> > All but of them currently take
> > const char __user *pathname
> > and call
> > user_path_create()
> > with that do_mkdirat() change that's no longer true. One of the major
> > benefits over the recent years in this code is naming and type consistency.
> > And since it's just matter of time until io_uring will also gain support
> > for do_{symlinkat,linkat,mknodat} I would think switching all of them to
> > take a struct filename
> > and then have all do_* helpers call getname() might just be nicer in the
> > long run.
>
> So, I've finally got some time to look into this. do_mknodat() and
> do_symlinkat() are easy. But do_linkat() is more complicated, I could use some
> hints as to what's the reasonable way to implement the change.
>
> The problem is linkat() requires CAP_DAC_READ_SEARCH capability if AT_EMPTY_PATH
> flag is passed. Right now do_linkat checks the capability before calling
> getname_flags (essentially). If do_linkat is changed to accept struct filename
> then there is no bulletproof way to force CAP_DAC_READ_SEARCH presence (e.g. if
> for whatever reason AT_EMPTY_PATH is not in flags passed to do_linkat). Also, it
> means that the caller is responsible to process AT_EMPTY_PATH in the first
> place, which means logic duplication.
>
> Any ideas what's the best way to approach this?
Ping. If someone can see how we can avoid making do_linkat() callers
ensure the process has CAP_DAC_READ_SEARCH capability if AT_EMPTY_PATH
was passed then the hints would be really appreciated.
The best I could come up with is something like getname_linkat(), which
could be used by the do_linkat callers, but this sounds error prone and
ugly.
Jens, do you want to keep the mkdir change out of 5.13 because of this?
--
Dmitry Kadashev
On Thu, Apr 8, 2021 at 3:45 PM Dmitry Kadashev <dkadashev@xxxxxxxxx> wrote:
>
> On Tue, Mar 30, 2021 at 2:17 PM Christian Brauner
> <christian.brauner@xxxxxxxxxx> wrote:
> > The only thing that is a bit unpleasant here is that this change
> > breaks the consistency between the creation helpers:
> >
> > do_mkdirat()
> > do_symlinkat()
> > do_linkat()
> > do_mknodat()
> >
> > All but of them currently take
> > const char __user *pathname
> > and call
> > user_path_create()
> > with that do_mkdirat() change that's no longer true. One of the major
> > benefits over the recent years in this code is naming and type consistency.
> > And since it's just matter of time until io_uring will also gain support
> > for do_{symlinkat,linkat,mknodat} I would think switching all of them to
> > take a struct filename
> > and then have all do_* helpers call getname() might just be nicer in the
> > long run.
>
> So, I've finally got some time to look into this. do_mknodat() and
> do_symlinkat() are easy. But do_linkat() is more complicated, I could use some
> hints as to what's the reasonable way to implement the change.
>
> The problem is linkat() requires CAP_DAC_READ_SEARCH capability if AT_EMPTY_PATH
> flag is passed. Right now do_linkat checks the capability before calling
> getname_flags (essentially). If do_linkat is changed to accept struct filename
> then there is no bulletproof way to force CAP_DAC_READ_SEARCH presence (e.g. if
> for whatever reason AT_EMPTY_PATH is not in flags passed to do_linkat). Also, it
> means that the caller is responsible to process AT_EMPTY_PATH in the first
> place, which means logic duplication.
>
> Any ideas what's the best way to approach this?
>
> Thanks.
>
> --
> Dmitry Kadashev
