On Wed, Jul 12, 2023 at 09:24:43AM -0700, Linus Torvalds wrote:
> On Wed, 12 Jul 2023 at 02:56, Christian Brauner <brauner@xxxxxxxxxx> wrote:
> >
> > Changing the mode of symlinks is meaningless as the vfs doesn't take the
> > mode of a symlink into account during path lookup permission checking.
>
> Hmm. I have this dim memory that we actually used to do that as an
> extension at one point for the symlinks in /proc. Long long ago.
If we block it properly now. We could - crazy talk on my side now:
through a sysctl like the weird sysctl sysctl_protected_* stuff we have
already - later implement taking the mode of symlinks into account
properly. I'm not saying we should nor that it's wise but it would be
doable.
>
> Or maybe it was just a potential plan.
>
> Because at least in /proc, the symlinks *do* have protection semantics
> (ie you can't do readlink() on them or follow them without the right
> permissions.
>
> That said, blocking the mode setting sounds fine, because the proc
> permissions are basically done separately.
>
> However:
>
> > if ((ia_valid & ATTR_MODE)) {
> > + if (S_ISLNK(inode->i_mode))
> > + return -EOPNOTSUPP;
> > +
> > umode_t amode = attr->ia_mode;
>
> The above is not ok. It might compile these days because we have to
> allow statements before declarations for other reasons, but that
> doesn't make it ok.
Sorry, I completely missed that. I miss the days when that would've
thrown a compile error right away. Let me send a v2 right now.
