On Wed, Aug 21, 2013 at 12:14 PM, Andy Lutomirski <luto@xxxxxxxxxxxxxx> wrote:
>
> So let's be careful for now: only allow linkat(..., AT_EMPTY_PATH)
> if the target is I_LINKABLE.
So I really detest this just because it's such a special case. Now
this is only useful for that one special case, and the thing very
fundamentally checks that one special case in a place that is
impossible to check for the /proc case, so the proc case remains
totally separate.
Which just bothers me.
I think we could easily at least allow the "file->f_creds ==
current->creds" case (and yes, I literally mean comparing the pointers
- not only is it cheaper, but it literally means "nothing odd has
happened in between opening and the lookup").
And I'm wondering if we shouldn't actually do that at "path_init"
time. Right now the code says:
/* Caller must check execute permissions on the
starting path component */
struct fd f = fdget_raw(dfd);
and then uses the struct file mindlessly.
I'm wondering if we should just do some validation in that place, and say:
- for directories, we require exec permissions here
- for everything else, we require that f->f_cred == current->cred check.
I dunno. But that I_LINKABLE thing just bothers me. It screams "I'm
hacky" to me.
Linus
--
To unsubscribe from this list: send the line "unsubscribe linux-fsdevel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
