Re: [RFC PATCH] f*xattr: allow O_PATH descriptors

[Amir Goldstein <amir73il@gmail.com>]

On Fri, Aug 19, 2022 at 9:05 PM Christian Göttsche
<cgzones@googlemail.com> wrote:
>
> On Wed, 22 Jun 2022 at 04:57, Aleksa Sarai <cyphar@cyphar.com> wrote:
> >
> > On 2022-06-20, Amir Goldstein <amir73il@gmail.com> wrote:
> > > To be a reasonable reaction to the currently broken API is
> > > to either accept the patch as is or request that setxattrat()
> > > will be added to provide the new functionality.
> >
> > Since the current functionality cannot be retroactively disabled as it
> > is being used already through /proc/self/fd/$n, adding
> > *xattrat(AT_EMPTY_PATH) doesn't really change what is currently possible
> > by userspace.
> >
> > I would say we should add *xattrat(2) and then we can add an upgrade
> > mask blocking it (and other operations) later.
> >
>
> It seems setxattrat() is the preferred way to continue.
> fsetxattr() would have one advantage though (w.r.t. SELinux):
>
> The steps to label a file are:
>   1. get the type of the file (via stat(2) family)
>   2. lookup the desired label from the label database via selabel_lookup(3)
>   3. assign the retrieved label to the file
>
> The label is sensitive to the file type, e.g.
>
>     $ matchpathcon -m file /etc/shadow
>     /etc/shadow     system_u:object_r:shadow_t:s0
>     $ matchpathcon -m lnk_file /etc/shadow
>     /etc/shadow     system_u:object_r:etc_t:s0
>
> Using the *at() family the file type could change between step 1. and 3.,
> which operating on an O_PATH file descriptor would prevent.

I don't understand the problem.

If you have an O_PATH fd, the object it represents does not change.
If you use fstatat(fd, ..., AT_EMPTY_PATH) (or fstat) and
setxattrat(fd, ..., AT_EMPTY_PATH), it prevents the race.

Thanks,
Amir.