On Wed, 10 Apr 2024 at 17:10, Linus Torvalds
<torvalds@xxxxxxxxxxxxxxxxxxxx> wrote:
>
> + if (flags & LOOKUP_DFD_MATCH_CREDS) {
> + if (f.file->f_cred != current_cred() &&
> + !capable(CAP_DAC_READ_SEARCH)) {
> + fdput(f);
> + return ERR_PTR(-ENOENT);
> + }
> + }
Side note: I suspect that this could possibly be relaxed further, by
making the rule be that if something has been explicitly opened to be
used as a path (ie O_PATH was used at open time), we can link to it
even across different credentials.
IOW, the above could perhaps even be
+ if (flags & LOOKUP_DFD_MATCH_CREDS) {
+ if (!(f.file->f_mode & FMODE_PATH) &&
+ f.file->f_cred != current_cred() &&
+ !capable(CAP_DAC_READ_SEARCH)) {
+ fdput(f);
+ return ERR_PTR(-ENOENT);
+ }
+ }
which would _allow_ people to pass in paths as file descriptors if
they actually wanted to.
After all, the only thing you can do with an O_PATH file descriptor is
to use it as a path - there would be no other reason to use O_PATH in
the first place. So if you now pass it to somebody else, clearly you
are intentionally trying to make it available *as* a path.
So you could imagine doing something like this:
// Open path as root
int fd = open('filename", O_PATH);
// drop privileges
// setresuid(..) or chmod() or enter new namespace or whatever
linkat(fd, "", AT_FDCWD, "newname", AT_EMPTY_PATH);
and it would open the path with one set of privileges, but then
intentionally go into a more restricted mode and create a link to the
source within that restricted environment.
Sensible? Who knows. I'm just throwing this out as another "this may
be the solution to our historical flink() issues".
Linus
