openat, mkdirat, and TOCTOU for directory creation

openat, mkdirat, and TOCTOU for directory creation

[Drew DeVault]

Hiya! I'm looking into the mkdirat and openat syscalls, and I noticed
that there's no means of implementing TOCTOU (time-of-check to
time-of-use, a technique for preventing race conditions) on directory
creation.

To create a directory and obtain a dirfd for it, you have to (1)
mkdirat, then (2) openat with O_DIRECTORY, and if the directory is
removed in between, the latter will fail.

One possibly straightforward solution is to support openat with the
O_DIRECTORY and O_CREAT flags specified.

The present behavior of this flag combination is to create a file and
return ENOTDIR. The appropriate behavior is probably to create a
directory as proposed, or, at a minimum, to return EINVAL and not create
the file.

Re: openat, mkdirat, and TOCTOU for directory creation

[Aleksa Sarai]

[-- Attachment #1: Type: text/plain, Size: 1451 bytes --]

On 2021-02-27, Drew DeVault <sir@cmpwn.com> wrote:
> Hiya! I'm looking into the mkdirat and openat syscalls, and I noticed
> that there's no means of implementing TOCTOU (time-of-check to
> time-of-use, a technique for preventing race conditions) on directory
> creation.
> 
> To create a directory and obtain a dirfd for it, you have to (1)
> mkdirat, then (2) openat with O_DIRECTORY, and if the directory is
> removed in between, the latter will fail.
> 
> One possibly straightforward solution is to support openat with the
> O_DIRECTORY and O_CREAT flags specified.

This was discussed last year[1]. I think it would be useful but it
shouldn't be done as part of openat(2) because we already have enough
multiplexing with that syscall.

Maybe a mkdirat2(2) (which takes a flags argument -- sigh) that can be
told to return a handle to the new directory would be a nicer API.

> The present behavior of this flag combination is to create a file and
> return ENOTDIR. The appropriate behavior is probably to create a
> directory as proposed, or, at a minimum, to return EINVAL and not create
> the file.

Changing the semantics of open scares me a fair bit -- you could
probably change openat2(2) since it's not as widely used yet.

[1]: https://lore.kernel.org/linux-fsdevel/20200316142057.xo24zea3k5zwswra@yavin/

-- 
Aleksa Sarai
Senior Software Engineer (Containers)
SUSE Linux GmbH
<https://www.cyphar.com/>

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 228 bytes --]

Re: openat, mkdirat, and TOCTOU for directory creation

[Drew DeVault]

On Sat Feb 27, 2021 at 12:58 PM EST, Aleksa Sarai wrote:
> Maybe a mkdirat2(2) (which takes a flags argument -- sigh) that can be
> told to return a handle to the new directory would be a nicer API.

That seems appropriate. Hear hear on the sigh.

> Changing the semantics of open scares me a fair bit -- you could
> probably change openat2(2) since it's not as widely used yet.

Seems agreeable, at least for a start.