From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1753851AbdEEDBD (ORCPT ); Thu, 4 May 2017 23:01:03 -0400 Received: from zeniv.linux.org.uk ([195.92.253.2]:38012 "EHLO ZenIV.linux.org.uk" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752009AbdEEDBB (ORCPT ); Thu, 4 May 2017 23:01:01 -0400 Date: Fri, 5 May 2017 04:00:58 +0100 From: Al Viro To: Linus Torvalds Cc: Jann Horn , Linux API , Linux Kernel Mailing List , linux-fsdevel Subject: Re: new ...at() flag: AT_NO_JUMPS Message-ID: <20170505030058.GO29622@ZenIV.linux.org.uk> References: <20170429220414.GT29622@ZenIV.linux.org.uk> <20170505003030.GM29622@ZenIV.linux.org.uk> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.7.1 (2016-10-04) Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Thu, May 04, 2017 at 06:27:10PM -0700, Linus Torvalds wrote: > As mentioned last time, at least for the git usage, even relative > symlinks are a no-no - not because they'd escape, but simply because > git wants to see the *unique* name, and resolve relative symlinks to > either the symlink, or to the actual file it points to. > > So I think that we'd want an additional flag that says "no symlinks at all". OK, that's easily done. > And I think the "no mountpoint" traversal might be splittable too. > > Yes, sometimes you'd probably want to say "stay exactly inside this > filesystem" (like find -xdev). So no arguments against AT_XDEV that > refuses any mount traversal (kind of like my "no symlink traversal" > thing). > > But at other points you might want to just guarantee that the walk > stays below a certain starting point and doesn't escape. > > That could still allow crossing mount-points, but only if they are > non-bind mounts and cannot let us escape. > > I'm not sure if that's testable, though. This one isn't, unfortunately - there is no difference between bind and no-bind; vfsmounts form a tree and both normal mount and bind add leaves to it. Moreover, mount -t ext2 /dev/sdc7 /mnt; mount -t ext2 /dev/sdc7 /tmp/a yield the same state as mount -t ext2 /dev/sdc7; mount --bind /mnt /tmp/a. There is no way to tell the difference, simply because there *is* no difference. Moreover, either can be followed by umount /mnt and you'll get the same state as you would have after a solitary mount of the same fs on /tmp/a. Ho-hum... So: AT_BENEATH AT_XDEV AT_NO_SYMLINKS absolute pathname: EXDEV non-relative symlink: EXDEV ? ELOOP relative symlink: ELOOP .. from starting point: EXDEV .. crossing mountpoint: EXDEV crossing into mountpoint: EXDEV 1) What should AT_XDEV do about absolute symlinks? Nothing special? EXDEV? EXDEV if we are not on root? 2) What should AT_BENEATH | AT_NO_SYMLINKS do on absolute symlinks? My preference would be "AT_NO_SYMLINKS wins, ELOOP for you", but that's based mostly upon the convenience of implementation. 3) What effect should AT_NO_SYMLINKS have upon the final component? Same as AT_SYMLINK_NOFOLLOW?