From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-0.8 required=3.0 tests=DKIMWL_WL_HIGH,DKIM_SIGNED, DKIM_VALID,HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI,SPF_HELO_NONE, SPF_PASS autolearn=no autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id CE80FC76195 for ; Thu, 18 Jul 2019 21:30:11 +0000 (UTC) Received: from bombadil.infradead.org (bombadil.infradead.org [198.137.202.133]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPS id 9FCD921849 for ; Thu, 18 Jul 2019 21:30:11 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (2048-bit key) header.d=lists.infradead.org header.i=@lists.infradead.org header.b="aawYfQ5c" DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org 9FCD921849 Authentication-Results: mail.kernel.org; dmarc=none (p=none dis=none) header.from=arndb.de Authentication-Results: mail.kernel.org; spf=none smtp.mailfrom=linux-arm-kernel-bounces+infradead-linux-arm-kernel=archiver.kernel.org@lists.infradead.org DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=lists.infradead.org; s=bombadil.20170209; h=Sender: Content-Transfer-Encoding:Content-Type:Cc:List-Subscribe:List-Help:List-Post: List-Archive:List-Unsubscribe:List-Id:To:Subject:Message-ID:Date:From: In-Reply-To:References:MIME-Version:Reply-To:Content-ID:Content-Description: Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID: List-Owner; bh=O/rQyxQHcyOdDurAZPduy1RrYg4WQ5ugy6OZT6t0hm0=; b=aawYfQ5c4sFr+K lDSaJFbRrkggGSZ0wx19rKehSQhmAbY7c8MEePEfud7lnHweGyECb49ZvTEMgu2U2QeNETNVFxWqU Cwi7ivT6wCk1wA5j+FICeGuYDpuItbtxvQrMOjBlP6o4KJAGajZJ4YoYJPc8mnijLVTXInwUhp7Mf E4oTFFPr+Ws+zxbIR4pWPiHgZp7a8Z4VFSJHSdGBbuLGzcKpjQb8xpMtls+RUJO9fUjmUqgs7fTU1 AL3g+diW33pZJS29Ocb3/CRKMIzORtKBtEflXm8APsM+efrBwyHFcQm4ciUihEVyVTnONhu+8PC15 jsFmTRf+d8l1lGlpOs4w==; Received: from localhost ([127.0.0.1] helo=bombadil.infradead.org) by bombadil.infradead.org with esmtp (Exim 4.92 #3 (Red Hat Linux)) id 1hoDyd-0004Ib-75; Thu, 18 Jul 2019 21:30:11 +0000 Received: from mail-qk1-f193.google.com ([209.85.222.193]) by bombadil.infradead.org with esmtps (Exim 4.92 #3 (Red Hat Linux)) id 1hoDya-0004DK-D1 for linux-arm-kernel@lists.infradead.org; Thu, 18 Jul 2019 21:30:09 +0000 Received: by mail-qk1-f193.google.com with SMTP id r6so21714478qkc.0 for ; Thu, 18 Jul 2019 14:30:07 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=gXA3fCzwUc7S8+pRMyyFoXYQ6Lxj2094nm3NP6Me1pg=; b=XqKvJ0VLhcfvwm3h/k/UIV+xHvb711Ne77+VFM+zYGOZRDqhjY2/QQoKVGTE/w5JaE FQeBTi3ovSt7WDGlPbA7L32TOH+uPu6daCx6q58C+TmSfX2CSFz9piKHGd1IRGuTnRnq 2QDVn0clxcctpcMVp5pWPxiwZpgQT17pwlu4JKjgcXZpnm+YQ1SdG+F9rFnrFROJkgxw 7JXPz0xTVriH05DQ9qitubgWDAFhCHkD5DvO+UVoC5VSE2bGFMN+WsEBWaaM97jncBiL fqh3sMIYp7LO47rRGZtVdM8km2rVFgwyCHclJFXy87k+/Bsk9diNqGLjCIFEWYsTlT/s 06uQ== X-Gm-Message-State: APjAAAXGWr8wqMv+fawyvGq9mQmP0ki+UPht65ZaJCkQSEpsrXzgPi1i XzkV/E0buarHq5PAYtf9BKqIzJvmlTbuItdaRfE= X-Google-Smtp-Source: APXvYqwAnwmqNY3PBxWPuNJix5kLy4PEG765j1QyxyCKOemfTtTG+YSbK8sHn1TSB6/emkF2O/3aVUhdKFw2Cxuzrg4= X-Received: by 2002:a37:5f45:: with SMTP id t66mr32747316qkb.286.1563485406992; Thu, 18 Jul 2019 14:30:06 -0700 (PDT) MIME-Version: 1.0 References: <20190706145737.5299-1-cyphar@cyphar.com> <20190706145737.5299-9-cyphar@cyphar.com> <20190718161231.xcno272nvqpln3wj@yavin> In-Reply-To: <20190718161231.xcno272nvqpln3wj@yavin> From: Arnd Bergmann Date: Thu, 18 Jul 2019 23:29:50 +0200 Message-ID: Subject: Re: [PATCH v9 08/10] open: openat2(2) syscall To: Aleksa Sarai X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 X-CRM114-CacheID: sfid-20190718_143008_447731_0819D197 X-CRM114-Status: GOOD ( 24.26 ) X-BeenThere: linux-arm-kernel@lists.infradead.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: linux-ia64@vger.kernel.org, Linux-sh list , Alexei Starovoitov , Linux Kernel Mailing List , David Howells , "open list:KERNEL SELFTEST FRAMEWORK" , sparclinux , Shuah Khan , linux-arch , linux-s390 , Tycho Andersen , Aleksa Sarai , Linux ARM , linux-mips@vger.kernel.org, linux-xtensa@linux-xtensa.org, Kees Cook , Jann Horn , linuxppc-dev , linux-m68k , Al Viro , Andy Lutomirski , Shuah Khan , David Drysdale , Christian Brauner , "J. Bruce Fields" , Parisc List , Linux API , Chanho Min , Jeff Layton , Oleg Nesterov , Eric Biederman , alpha , Linux FS-devel Mailing List , Andrew Morton , Linus Torvalds , containers@lists.linux-foundation.org Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: "linux-arm-kernel" Errors-To: linux-arm-kernel-bounces+infradead-linux-arm-kernel=archiver.kernel.org@lists.infradead.org On Thu, Jul 18, 2019 at 6:12 PM Aleksa Sarai wrote: > On 2019-07-18, Arnd Bergmann wrote: > > On Sat, Jul 6, 2019 at 5:00 PM Aleksa Sarai wrote: > > > > In fact, that seems similar enough to the existing openat() that I think > > you could also just add the fifth argument to the existing call when > > a newly defined flag is set, similarly to how we only use the 'mode' > > argument when O_CREAT or O_TMPFILE are set. > > I considered doing this (and even had a preliminary version of it), but > I discovered that I was not in favour of this idea -- once I started to > write tests using it -- for a few reasons: > > 1. It doesn't really allow for clean extension for a future 6th > argument (because you are using up O_* flags to signify "use the > next argument", and O_* flags don't give -EINVAL if they're > unknown). Now, yes you can do the on-start runtime check that > everyone does -- but I've never really liked having to do it. > > Having reserved padding for later extensions (that is actually > checked and gives -EINVAL) matches more modern syscall designs. > > 2. I really was hoping that the variadic openat(2) could be done away > using this union setup (Linus said he didn't like it, and suggested > using something like 'struct stat' as an argument for openat(2) -- > though personally I am not sure I would personally like to use an > interface like that). > > 3. In order to avoid wasting a syscall argument for mode/mask you need > to either have something like your suggested mode_mask (which makes > the syscall arguments less consistent) or have some sort of > mode-like argument that is treated specially (which is really awful > on multiple levels -- this one I also tried and even wrote my > original tests using). And in both cases, the shims for > open{,at}(2) are somewhat less clean. These are all good reasons, thanks for providing the background. > All of that being said, I'd be happy to switch to whatever you think > makes the most sense. As long as it's possible to get an O_PATH with > RESOLVE_IN_ROOT set, I'm happy. I don't feel I should be in charge of making the decision. I'd still prefer avoiding the indirect argument structure because 4. it's inconsistent with most other syscalls 5. you get the same problem with seccomp and strace that clone3() has -- these and others only track the register arguments by default. 6. copying the structure adds a small overhead compared to passing registers 7. the calling conventions may be inconvenient for a user space library, so you end up with different prototypes for the low-level syscall and the libc abstraction. I don't see any of the above seven points as a showstopper either way, so I hope someone else has a strong opinion and can make the decision easier for you. In the meantime just keep what you have, so you don't have to change it multiple times. Arnd _______________________________________________ linux-arm-kernel mailing list linux-arm-kernel@lists.infradead.org http://lists.infradead.org/mailman/listinfo/linux-arm-kernel