From: Linus Torvalds <torvalds@linux-foundation.org>
To: Al Viro <viro@zeniv.linux.org.uk>
Cc: Jann Horn <jannh@google.com>,
Linux API <linux-api@vger.kernel.org>,
Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
linux-fsdevel <linux-fsdevel@vger.kernel.org>
Subject: Re: new ...at() flag: AT_NO_JUMPS
Date: Thu, 4 May 2017 21:01:23 -0700
Message-ID: <CA+55aFy8faOrivrKREJHVd2Ua5VsuOz+CKQu=Y+k_xQHU5TqGA@mail.gmail.com>
In-Reply-To: <20170505030058.GO29622@ZenIV.linux.org.uk>

On Thu, May 4, 2017 at 8:00 PM, Al Viro <viro@zeniv.linux.org.uk> wrote:
>>
>> That could still allow crossing mount-points, but only if they are
>> non-bind mounts and cannot let us escape.
>>
>> I'm not sure if that's testable, though.
>
> This one isn't, unfortunately - there is no difference between bind and
> no-bind; vfsmounts form a tree and both normal mount and bind add leaves
> to it. Moreover, mount -t ext2 /dev/sdc7 /mnt; mount -t ext2 /dev/sdc7 /tmp/a
> yield the same state as mount -t ext2 /dev/sdc7; mount --bind /mnt /tmp/a.
> There is no way to tell the difference, simply because there *is* no
> difference. Moreover, either can be followed by umount /mnt and you'll get
> the same state as you would have after a solitary mount of the same fs on
> /tmp/a.

Fair enough.

> Ho-hum... So:
>
>                           AT_BENEATH   AT_XDEV   AT_NO_SYMLINKS
> absolute pathname:        EXDEV
> non-relative symlink:     EXDEV        ?         ELOOP
> relative symlink:                                ELOOP
> .. from starting point:   EXDEV
> .. crossing mountpoint:                EXDEV
> crossing into mountpoint:              EXDEV
>
> 1) What should AT_XDEV do about absolute symlinks? Nothing special? EXDEV?
> EXDEV if we are not on root?

My mental model would say that AT_XDEV without AT_BENEATH would
_logically_ result in "EXDEV if / is a different vfsmount", accept the
absolute path otherwise.

But honestly, just returning EXDEV unconditionally for an absolute
symlink might just be the simpler and more straightforward thing to
do.

Because testing the particular vfsmount of / simply doesn't seem to be
a very useful operation. I dunno.

> 2) What should AT_BENEATH | AT_NO_SYMLINKS do on absolute symlinks? My
> preference would be "AT_NO_SYMLINKS wins, ELOOP for you", but that's based
> mostly upon the convenience of implementation.

I think either is fine, and convenience wins.

> 3) What effect should AT_NO_SYMLINKS have upon the final component? Same
> as AT_SYMLINK_NOFOLLOW?

I actually would suggest "error if it's followed".

So if you use AT_SYMLINK_NOFOLLOW | AT_NO_SYMLINKS, then you do *not*
get an error if the last component (but nothing before it) is a
symlink, and the end result is the symlink itself.

If you use just AT_NO_SYMLINKS, then the lack of NOFOLLOW implies that
you'd follow the symlink to look it up, and then AT_NO_SYMLINKS means
that you get an error (ELOOP).

So the user gets to choose, and gets to basically indicate whether
it's fine to end at a dangling symlink or not. Which is exactly what
AT_SYMLINK_NOFOLLOW is all about.

No?

Linus
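
The final-component rule from the answer to question 3, emulated in userspace as an added example (not code from this thread or from the kernel). `open_no_symlinks` and `make_fixture` are hypothetical names, the `nofollow_final` argument stands in for AT_SYMLINK_NOFOLLOW, and the proposed AT_NO_SYMLINKS flag itself is not used; the walk relies only on the existing `O_PATH | O_NOFOLLOW` behaviour of openat(2) on Linux.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>
#ifndef O_PATH               /* glibc exposes it only under _GNU_SOURCE */
#define O_PATH 010000000     /* asm-generic value, fallback only */
#endif

/* Hypothetical helper, not a kernel API: returns an O_PATH fd or -errno.
 * ".." and mount crossings (AT_BENEATH / AT_XDEV above) are not checked. */
int open_no_symlinks(int dirfd, const char *path, int nofollow_final)
{
    char buf[4096], *save, *comp, *rest;
    struct stat st;
    int cur, next, err;
    if (path[0] == '/' || strlen(path) >= sizeof(buf))
        return -EINVAL;             /* absolute paths are out of scope */
    strcpy(buf, path);
    if ((cur = openat(dirfd, ".", O_PATH | O_DIRECTORY)) < 0)
        return -errno;
    for (comp = strtok_r(buf, "/", &save); comp; comp = rest, cur = next) {
        rest = strtok_r(NULL, "/", &save);
        next = openat(cur, comp, O_PATH | O_NOFOLLOW);
        err = next < 0 ? errno : (fstat(next, &st) < 0 ? errno : 0);
        close(cur);
        /* A symlink is accepted only as the last component with NOFOLLOW. */
        if (!err && S_ISLNK(st.st_mode) && !(rest == NULL && nofollow_final))
            err = ELOOP;
        if (err) {
            if (next >= 0)
                close(next);
            return -err;
        }
    }
    return cur;
}

/* Constructed fixture: <tmp>/d/f, <tmp>/l -> d, <tmp>/dangling -> nowhere. */
int make_fixture(void)
{
    char tmpl[] = "/tmp/nosymXXXXXX";
    int fd = mkdtemp(tmpl) ? open(tmpl, O_RDONLY | O_DIRECTORY) : -1;
    if (fd < 0 || mkdirat(fd, "d", 0700) || symlinkat("d", fd, "l"))
        return -1;
    close(openat(fd, "d/f", O_CREAT | O_WRONLY, 0600));
    return symlinkat("nowhere", fd, "dangling") ? -1 : fd;
}
```

Each component is opened relative to the previous descriptor, so a symlink swapped in during the walk is still returned as the link itself and rejected rather than traversed.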