linux-kernel.vger.kernel.org archive mirror
From: Ameer Hamza <ahamza@ixsystems.com>
To: Christian Brauner <brauner@kernel.org>
Cc: viro@zeniv.linux.org.uk, jlayton@kernel.org,
	chuck.lever@oracle.com, arnd@arndb.de, guoren@kernel.org,
	palmer@rivosinc.com, f.fainelli@gmail.com, slark_xiao@163.com,
	linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org,
	linux-arch@vger.kernel.org, awalker@ixsystems.com
Subject: Re: [PATCH] Add new open(2) flag - O_EMPTY_PATH
Date: Wed, 19 Apr 2023 06:15:29 +0500
Message-ID: <ZD9AsWMnNKJ4dpjm@hamza-pc>
In-Reply-To: <20230106130651.vxz7pjtu5gvchdgt@wittgenstein>

On Fri, Jan 06, 2023 at 02:06:51PM +0100, Christian Brauner wrote:
> On Wed, Dec 28, 2022 at 09:02:49PM +0500, Ameer Hamza wrote:
> > This patch adds a new flag O_EMPTY_PATH that allows openat and open
> > system calls to open a file referenced by fd if the path is empty,
> > and it is very similar to the FreeBSD O_EMPTY_PATH flag. This can be
> > beneficial in some cases since it would avoid having to grant /proc
> > access to things like samba containers for reopening files to change
> > flags in a race-free way.
> > 
> > Signed-off-by: Ameer Hamza <ahamza@ixsystems.com>
> > ---
> 
> In general this isn't a bad idea and Aleksa and I proposed this as part
> of the openat2() patchset (see [1]).
> 
> However, the reason we didn't do this right away was that we concluded
> that it shouldn't be simply adding a flag. Reopening file descriptors
> through procfs is indeed very useful and is often required. But it's
> also been an endless source of subtle bugs and security holes as it
> allows reopening file descriptors with more permissions than the
> original file descriptor had.
> 
> The same lax behavior should not be encoded into O_EMPTYPATH. Ideally we
> would teach O_EMPTYPATH to adhere to magic link modes by default. This
> would be tied to the idea of upgrade mask in openat2() (cf. [2]). They
> allow a caller to specify the permissions that a file descriptor may be
> reopened with at the time the fd is opened.
> 
> [1]: https://lore.kernel.org/lkml/20190930183316.10190-4-cyphar@cyphar.com/
> [2]: https://lore.kernel.org/all/20220526130355.fo6gzbst455fxywy@senku/Kk

Thank you for the detailed explanation, and sorry for getting back to it
late. It seems like a prerequisite for O_EMPTYPATH is to make it safe,
and that depends on a patchset that Aleksa was working on. It would be
helpful to know the current status of that effort and if we could expect
it in the near future.

The repo[1] that was mentioned here[2] seems to be private. I am wondering
if there's a way to look at the patch somehow.

[1]: https://github.com/cyphar/linux/tree/magiclink/main
[2]: https://lore.kernel.org/all/20220526130952.z5efngrnh7xtli32@senku/
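
The procfs re-open behaviour raised in the quoted review (a descriptor re-opened through /proc ends up with more access than the original had) can be observed with the short program below. It is an added example, not code from the thread or the patch; the scratch file path and function names are constructed for illustration, and it assumes /proc is mounted and /tmp is writable.

```c
#define _GNU_SOURCE            /* for O_PATH */
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Re-open fd through its /proc/self/fd magic link with new open flags. */
static int reopen_via_procfs(int fd, int flags)
{
    char link[64];
    snprintf(link, sizeof(link), "/proc/self/fd/%d", fd);
    return open(link, flags);
}

/* Open a scratch file with initial_flags (O_RDONLY or O_PATH), confirm the
 * descriptor itself cannot write, then re-open it O_WRONLY via procfs.
 * Returns 1 if the re-opened descriptor can write, 0 if it cannot,
 * -1 on setup error or if the original descriptor was already writable. */
int reopen_gains_write(int initial_flags)
{
    char path[] = "/tmp/reopen-demo-XXXXXX";   /* constructed scratch file */
    int tmp = mkstemp(path);                   /* created 0600, owned by us */
    if (tmp < 0)
        return -1;
    close(tmp);

    int result = -1;
    int fd = open(path, initial_flags);
    if (fd >= 0) {
        /* The open mode of fd forbids this write (fails with EBADF). */
        int direct_ok = write(fd, "x", 1) == 1;
        /* The re-open is checked against the inode's permissions only;
         * the mode fd was opened with is not consulted. */
        int up = reopen_via_procfs(fd, O_WRONLY);
        int upgraded_ok = up >= 0 && write(up, "x", 1) == 1;
        if (up >= 0)
            close(up);
        close(fd);
        result = direct_ok ? -1 : upgraded_ok;
    }
    unlink(path);
    return result;
}

int main(void)
{
    printf("O_RDONLY fd re-opened for write: %d\n", reopen_gains_write(O_RDONLY));
    printf("O_PATH fd re-opened for write:   %d\n", reopen_gains_write(O_PATH));
    return 0;
}
```

Both calls return 1 when the caller has write permission on the file, which is the gap the upgrade-mask idea mentioned in the review is meant to close: the mode chosen at the first open() places no limit on the later re-open.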

Thread overview: 13+ messages
2022-12-28 16:02 [PATCH] Add new open(2) flag - O_EMPTY_PATH Ameer Hamza
2022-12-31  0:15 ` kernel test robot
2022-12-31 23:56   ` [PATCH v2] " Ameer Hamza
2023-01-01 11:16     ` kernel test robot
2023-01-01 15:37       ` [PATCH v3] " Ameer Hamza
2023-01-02 14:01     ` [PATCH v2] " David Laight
2023-01-02 14:35       ` Ameer Hamza
2023-01-06  9:21         ` David Laight
2023-01-06 13:06 ` [PATCH] " Christian Brauner
2023-04-19  1:15   ` Ameer Hamza [this message]
     [not found]     ` <7454A798-1277-411A-853C-635B33439029@gmail.com>
2023-04-19  9:18       ` Christian Brauner
2023-04-19 21:29     ` David Laight
2023-04-26 13:10       ` Andrew Walker