On Wed, Jul 12, 2023 at 09:24:43AM -0700, Linus Torvalds wrote: > On Wed, 12 Jul 2023 at 02:56, Christian Brauner <brauner@xxxxxxxxxx> wrote: > > > > Changing the mode of symlinks is meaningless as the vfs doesn't take the > > mode of a symlink into account during path lookup permission checking. > > Hmm. I have this dim memory that we actually used to do that as an > extension at one point for the symlinks in /proc. Long long ago. If we block it properly now. We could - crazy talk on my side now: through a sysctl like the weird sysctl sysctl_protected_* stuff we have already - later implement taking the mode of symlinks into account properly. I'm not saying we should nor that it's wise but it would be doable. > > Or maybe it was just a potential plan. > > Because at least in /proc, the symlinks *do* have protection semantics > (ie you can't do readlink() on them or follow them without the right > permissions. > > That said, blocking the mode setting sounds fine, because the proc > permissions are basically done separately. > > However: > > > if ((ia_valid & ATTR_MODE)) { > > + if (S_ISLNK(inode->i_mode)) > > + return -EOPNOTSUPP; > > + > > umode_t amode = attr->ia_mode; > > The above is not ok. It might compile these days because we have to > allow statements before declarations for other reasons, but that > doesn't make it ok. Sorry, I completely missed that. I miss the days when that would've thrown a compile error right away. Let me send a v2 right now.