On Thu, Apr 15, 2021 at 5:09 PM Christian Brauner
<christian.brauner@xxxxxxxxxx> wrote:
>
> On Thu, Apr 15, 2021 at 12:08:20PM +0200, Christian Brauner wrote:
>
> Would something like this help?

Thanks for the reply, Christian!

But it's not the AT_EMPTY_PATH / LOOKUP_EMPTY part that is tricky, it's
the fact that do_linkat() allows AT_EMPTY_PATH only if the process has
CAP_DAC_READ_SEARCH capability. But AT_EMPTY_PATH is processed during
getname(), so if do_linkat() accepts struct filename* then there is no
bullet-proof way to force the capability.

We could do something like this:

do_linkat(oldfd, getname_uflags(oldname, flags), newfd,
          getname(newname), flags);

I.e. call getname_uflags() without checking the capability and rely on
the fact that do_linkat() will do the checking. But this is fragile if
somehow someone passes different flags to getname_uflags and do_linkat.
And there is no way (that I know of) for do_linkat to actually check
that AT_EMPTY_PATH was not used if it gets struct filename.

Or am I creating extra problems and the thing above is OK?

--
Dmitry Kadashev
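
The fragility raised in the message above, as an added userspace model (not kernel code and not part of the original thread): the capability check depends on the flags argument of do_linkat(), while acceptance of an empty name was already decided in getname_uflags(). All `model_*` names, the `has_cap` parameter standing in for CAP_DAC_READ_SEARCH, and the -ENOENT return codes are assumptions of this model.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

#define MODEL_AT_EMPTY_PATH 0x1000 /* same value as the uapi AT_EMPTY_PATH */

/* Model of struct filename: the flags that allowed "" are not recorded. */
struct model_filename {
    const char *name;
    int err; /* 0 or a negative errno from name lookup */
};

/* Model of getname_uflags(): accepts "" only when AT_EMPTY_PATH is set. */
static struct model_filename model_getname_uflags(const char *uname, int uflags)
{
    struct model_filename f = { uname, 0 };
    if (uname[0] == '\0' && !(uflags & MODEL_AT_EMPTY_PATH))
        f.err = -ENOENT;
    return f;
}

/* Model of do_linkat() taking a struct filename: the capability check is
 * keyed on its own flags argument, not on how the name was obtained. */
static int model_do_linkat(struct model_filename old, int flags, bool has_cap)
{
    if (old.err)
        return old.err;
    if ((flags & MODEL_AT_EMPTY_PATH) && !has_cap)
        return -ENOENT; /* models the CAP_DAC_READ_SEARCH requirement */
    return 0; /* the link would be created */
}

/* A caller that may pass different flags to the two functions. */
static int model_linkat(const char *oldname, int getname_flags,
                        int linkat_flags, bool has_cap)
{
    return model_do_linkat(model_getname_uflags(oldname, getname_flags),
                           linkat_flags, has_cap);
}

int main(void)
{
    printf("same flags, no cap:       %d\n",
           model_linkat("", MODEL_AT_EMPTY_PATH, MODEL_AT_EMPTY_PATH, false));
    printf("mismatched flags, no cap: %d\n",
           model_linkat("", MODEL_AT_EMPTY_PATH, 0, false));
    return 0;
}
```

With matching flags the unprivileged empty-path call is refused; with mismatched flags the same call passes, because nothing in the modelled struct filename tells do_linkat() that an empty path was accepted.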