From: Andy Lutomirski <firstname.lastname@example.org>
To: Linus Torvalds <email@example.com>
Cc: Al Viro <firstname.lastname@example.org>, Jann Horn <email@example.com>, Linux API <firstname.lastname@example.org>, Linux Kernel Mailing List <email@example.com>, linux-fsdevel <firstname.lastname@example.org>
Subject: Re: new ...at() flag: AT_NO_JUMPS
Date: Thu, 4 May 2017 21:31:08 -0700
Message-ID: <CALCETrVGC7p8J9gDKLq5R=5K0cXVRsv_4JbTUDnhyD2F4epu2w@mail.gmail.com>
In-Reply-To: <CA+55aFy8faOrivrKREJHVd2Ua5VsuOz+CKQu=Y+k_xQHU5TqGA@mail.gmail.com>

On Thu, May 4, 2017 at 9:01 PM, Linus Torvalds <email@example.com> wrote:
> On Thu, May 4, 2017 at 8:00 PM, Al Viro <firstname.lastname@example.org> wrote:
>>>
>>> That could still allow crossing mount-points, but only if they are
>>> non-bind mounts and cannot let us escape.
>>>
>>> I'm not sure if that's testable, though.
>>
>> This one isn't, unfortunately - there is no difference between bind and
>> no-bind; vfsmounts form a tree and both normal mount and bind add leaves
>> to it. Moreover, mount -t ext2 /dev/sdc7 /mnt; mount -t ext2 /dev/sdc7 /tmp/a
>> yield the same state as mount -t ext2 /dev/sdc7; mount --bind /mnt /tmp/a.
>> There is no way to tell the difference, simply because there *is* no
>> difference. Moreover, either can be followed by umount /mnt and you'll get
>> the same state as you would have after a solitary mount of the same fs on
>> /tmp/a.
>
> Fair enough.
>
>> Ho-hum... So:
>>
>>                         AT_BENEATH      AT_XDEV         AT_NO_SYMLINKS
>> absolute pathname:      EXDEV
>> non-relative symlink:   EXDEV           ?               ELOOP
>> relative symlink:                                       ELOOP
>> .. from starting point: EXDEV
>> .. crossing mountpoint:                 EXDEV
>> crossing into mountpoint:               EXDEV
>>
>> 1) What should AT_XDEV do about absolute symlinks? Nothing special? EXDEV?
>> EXDEV if we are not on root?
>
> My mental model would say that AT_XDEV without AT_BENEATH would
> _logically_ result in "EXDEV if / is a different vfsmount", accept the
> absolute path otherwise.
>
> But honestly, just returning EXDEV unconditionally for an absolute
> symlink might just be the simpler and more straightforward thing to
> do.
>
> Because testing the particular vfsmount of / simply doesn't seem to be
> a very useful operation.

I dunno. My intuition is that, regardless of whether it's obviously
useful to test the vfsmount, we should allow / if it's the same mount
for orthogonality and because it seems more likely to be the expected
behavior.

>
>> 3) What effect should AT_NO_SYMLINKS have upon the final component? Same
>> as AT_SYMLINK_NOFOLLOW?
>
> I actually would suggest "error if it's followed".
>
> So if you use AT_SYMLINK_NOFOLLOW | AT_NO_SYMLINKS, then you do *not*
> get an error if the last component (but nothing before it) is a
> symlink, and the end result is the symlink itself.
>
> If you use just AT_NO_SYMLINKS, then the lack of NOFOLLOW implies that
> you'd follow the symlink to look it up, and then AT_NO_SYMLINKS means
> that you get an error (ELOOP).
>
> So the user gets to choose, and gets to basically indicate whether
> it's fine to end at a dangling symlink or not. Which is exactly what
> AT_SYMLINK_NOFOLLOW is all about.

Sounds reasonable to me.

--Andy
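
A userspace model of the lookup rules discussed in this message, added here as an illustration; it is not kernel code and not from anyone on the thread. It covers the AT_BENEATH and AT_NO_SYMLINKS columns of the table and the final-component rule for AT_SYMLINK_NOFOLLOW | AT_NO_SYMLINKS. Assumptions: the flag bit values, the toy tree and the 40-link follow limit are constructed for the model, and mounts (AT_XDEV) are not modelled.

```python
import errno

# Toy bit values for this model only; they are not kernel ABI constants.
AT_SYMLINK_NOFOLLOW, AT_BENEATH, AT_NO_SYMLINKS = 1, 2, 4
# Constructed tree: dict = directory, ("link", target) = symlink, str = file.
TREE = {"etc": {"passwd": "root"},
        "jail": {"data": "ok", "sub": {"f": "deep"},
                 "rel": ("link", "data"), "dirlink": ("link", "sub"),
                 "abs": ("link", "/etc/passwd"), "dangling": ("link", "missing")}}

def _split(path):
    return [c for c in path.split("/") if c and c != "."]

def resolve(start, path, flags=0):
    """Walk path from directory `start` (names below the root); return the node."""
    def fail(code):
        raise OSError(code, errno.errorcode[code])
    if path.startswith("/") and flags & AT_BENEATH:
        fail(errno.EXDEV)                     # absolute pathname
    cur = [] if path.startswith("/") else list(start)
    todo, followed = _split(path), 0
    while todo:
        name = todo.pop(0)
        if name == "..":
            if flags & AT_BENEATH and cur == list(start):
                fail(errno.EXDEV)             # ".." from the starting point
            cur = cur[:-1]
            continue
        here = TREE
        for part in cur:
            here = here[part]
        node = here.get(name)
        if isinstance(node, dict):
            cur.append(name)
        elif isinstance(node, tuple):
            if not todo and flags & AT_SYMLINK_NOFOLLOW:
                return node                   # end at the symlink itself
            followed += 1
            if flags & AT_NO_SYMLINKS or followed > 40:
                fail(errno.ELOOP)             # a symlink would be followed
            if node[1].startswith("/"):
                if flags & AT_BENEATH:
                    fail(errno.EXDEV)         # non-relative symlink
                cur = []
            todo = _split(node[1]) + todo
        elif node is None or todo:
            fail(errno.ENOENT if node is None else errno.ENOTDIR)
        else:
            return node
    return cur                                # the path named a directory
```

With start `["jail"]`, the path `dangling` under AT_SYMLINK_NOFOLLOW | AT_NO_SYMLINKS returns the link itself, while `dirlink/f` under the same flags fails with ELOOP because the symlink is not the last component.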