On Sat, Jun 01, 2024 at 01:12:31AM -0700, Aleksa Sarai wrote:
> Not to mention that providing a mount fd is what allows for extensions
> like Christian's proposed method of allowing restricted forms of
> open_by_handle_at() to be used by unprivileged users.

As mentioned there I find the concept of an unprivileged open_by_handle_at
extremely questionable as it trivially gives access to any inode on the
file systems.

> If file handles really are going to end up being the "correct" mechanism
> of referencing inodes by userspace,

They aren't.

> then future API designs really need
> to stop assuming that the user is capable(CAP_DAC_READ_SEARCH).

There is no way to support open by handle for unprivileged users. The
concept of an inode number based file handle simply does not work for
that at all.