| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <9333.1557564029@warthog.procyon.org.uk>
Date: Sat, 11 May 2019 09:40:29 +0100
From: David Howells <dhowells@...hat.com>
To: Christian Brauner <christian@...uner.io>
Cc: dhowells@...hat.com, viro@...iv.linux.org.uk,
linux-fsdevel@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH v2 1/2] fs: make all new mount api fds cloexec by default
Christian Brauner <christian@...uner.io> wrote:
> This makes all file descriptors returned from new syscalls of the new mount
> api cloexec by default.
>
> From a userspace perspective it is rarely the case that fds are supposed to
> be inherited across exec. Having them not cloexec by default forces
> userspace to remember to pass the <SPECIFIC>_CLOEXEC flag along or to
> invoke fcntl() on the fd to prevent leaking it. And leaking the fd is a
> much bigger issue than forgetting to remove the cloexec flag and failing to
> inherit the fd.
> For old fd types we can't break userspace. But for new ones we should
> whenever reasonable make them cloexec by default (Examples of this policy
> are the new seccomp notify fds and also pidfds.). If userspace wants to
> inherit fds across exec they can remove the O_CLOEXEC flag and so opt in to
> inheritance explicitly.
>
> This patch also has the advantage that we can get rid of all the special
> flags per file descriptor type for the new mount api. In total this lets us
> remove 4 flags:
> - FSMOUNT_CLOEXEC
> - FSOPEN_CLOEXEC
> - FSPICK_CLOEXEC
> - OPEN_TREE_CLOEXEC
>
> Signed-off-by: Christian Brauner <christian@...uner.io>
Fine by me.
Reviewed-by: David Howells <dhowells@...hat.com>
Powered by blists - more mailing lists