Message-ID: <3d209e29-e73d-23a6-5c6f-0267b1e669b6@samba.org>
Date:   Thu, 12 Mar 2020 10:08:05 +0100
From:   Stefan Metzmacher <metze@...ba.org>
To:     Linus Torvalds <torvalds@...ux-foundation.org>,
        David Howells <dhowells@...hat.com>
Cc:     Aleksa Sarai <cyphar@...har.com>,
        Al Viro <viro@...iv.linux.org.uk>, Ian Kent <raven@...maw.net>,
        Miklos Szeredi <mszeredi@...hat.com>,
        Christian Brauner <christian@...uner.io>,
        Jann Horn <jannh@...gle.com>,
        "Darrick J. Wong" <darrick.wong@...cle.com>,
        Karel Zak <kzak@...hat.com>, jlayton@...hat.com,
        Linux API <linux-api@...r.kernel.org>,
        linux-fsdevel <linux-fsdevel@...r.kernel.org>,
        LSM List <linux-security-module@...r.kernel.org>,
        Linux Kernel Mailing List <linux-kernel@...r.kernel.org>
Subject: Re: [PATCH 01/14] VFS: Add additional RESOLVE_* flags [ver #18]

Hi Linus,

>> Okay.  So what's the equivalent of AT_SYMLINK_NOFOLLOW in RESOLVE_* flag
>> terms?
> 
> Nothing.
> 
> openat2() takes two sets of flags. We'll never get rid of
> AT_SYMLINK_NOFOLLOW / O_NOFOLLOW, and we've added RESOLVE_NO_SYMLINKS
> to the new set of flags. It's just a separate namespace.
> 
> We will _not_ be adding a RESOLVE_XYZ flag for O_NOFOLLOW or
> AT_SYMLINK_NOFOLLOW. At least not visible to user space - because as
> people already figured out, that just causes problems with consistency
> issues.
> 
> And yes, the fact that we then have three different user-visible
> namespaces (O_xyz flags for open(), AT_xyz flags for linkat(), and now
> RESOLVE_xyz flags for openat2()) is sad and messy. But it's an
> inherent messiness from just how the world works. We can't get rid of
> it.

For openat2() and other existing syscalls I agree that it's good to
have just a single bit to control a feature.

The whole discussion was triggered by the introduction of a completely
new fsinfo() call:

>> The new system call looks like:
>> 
>> 	int ret = fsinfo(int dfd,
>> 			 const char *pathname,
>> 			 const struct fsinfo_params *params,
>> 			 size_t params_size,
>> 			 void *result_buffer,
>> 			 size_t result_buf_size);
>> 
>> The params parameter optionally points to a block of parameters:
>> 
>> 	struct fsinfo_params {
>> 		__u32	resolve_flags;

If I remember correctly it was named at_flags initially.
And I thought it would be great to also have the new RESOLVE_XYZ feature
available for that new path based syscall.

Would you propose to have 'at_flags' and 'resolve_flags' passed in here?
Or is there something even better you would propose for new syscalls?

>> 		__u32	flags;
>> 		__u32	request;
>> 		__u32	Nth;
>> 		__u32	Mth;
>> 	};

> If we need linkat2() and friends, so be it. Do we?

Yes, I'm going to propose something like this, as it would make the life
much easier for Samba to have the new features available on all path
based syscalls.

In addition I'll propose to have a way to specify the source of
removeat and unlinkat also by fd in addition to the source parent fd
and relative path; the reason is also to detect races of path
recycling. pidfd_open() solved a similar problem for pid recycling.

> Could we have a _fourth_ set of flags that are simply for internal use
> that is a superset of them all? Sure. But no, it's almost certainly
> not worth it. Four is not better than three.

As you pointed out below the LOOKUP_xyz namespace is already in place...
And the discussion was more about a possible single namespace for
completely new syscalls.

> Now, some type-safety in the kernel to make sure that we can't mix
> AT_xyz with O_xyz or RESOLVE_xyz - that might be worth it. Although
> judging by past experience, not enough people run sparse for it to
> really be worth it.

I'm new to all this and maybe too naive, but would a build bot running
sparse on linux-next be able to catch this early enough?

metze
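Added illustration, not part of this thread and not kernel or Samba code: a C program that calls openat2() through syscall(2) to show the two flag namespaces in practice, from the path-confinement angle a file server cares about. O_NOFOLLOW governs only the final path component, whereas RESOLVE_NO_SYMLINKS refuses a symlink in any component and RESOLVE_BENEATH refuses resolution above dirfd. It assumes a libc without an openat2() wrapper, so struct open_how, the two RESOLVE_* values and syscall number 437 are copied from the kernel UAPI, and the directory tree it checks is constructed by the program itself.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/syscall.h>
#ifndef __NR_openat2
#define __NR_openat2 437   /* unified syscall number (x86_64, arm64), Linux >= 5.6 */
#endif
/* Local copies of struct open_how and two RESOLVE_* bits from UAPI <linux/openat2.h>. */
struct open_how_v0 { uint64_t flags, mode, resolve; };
#define RES_NO_SYMLINKS 0x04ULL   /* RESOLVE_NO_SYMLINKS: no symlink in any component */
#define RES_BENEATH     0x08ULL   /* RESOLVE_BENEATH: never resolve above dirfd */

/* openat2() wrapper: O_* flags and RESOLVE_* flags live in separate fields. Returns fd or -errno. */
static int open2(int dfd, const char *path, uint64_t oflags, uint64_t resolve) {
    struct open_how_v0 how = { .flags = oflags, .mode = 0, .resolve = resolve };
    long fd = syscall(__NR_openat2, dfd, path, &how, sizeof how);
    return fd < 0 ? -errno : (int)fd;
}

/* One check: want == 0 means "must open", otherwise "must fail with errno want". Returns 1 on mismatch. */
static int expect(int dfd, const char *p, uint64_t of, uint64_t rs, int want) {
    int r = open2(dfd, p, of, rs), ok = want ? r == -want : r >= 0;
    if (r >= 0) close(r);
    printf("%-12s nofollow=%d resolve=%#llx -> %s\n", p, !!(of & O_NOFOLLOW),
           (unsigned long long)rs, ok ? "as expected" : "UNEXPECTED");
    return !ok;
}

/* Constructed tree in a temp dir: target (file), link -> target, dir -> "." (symlinked directory).
 * Returns the number of failed checks, or -1 when this kernel/sandbox offers no openat2(). */
static int fixture_checks(void) {
    char tmpl[] = "/tmp/openat2-demo-XXXXXX";
    if (!mkdtemp(tmpl)) return -1;
    int dfd = open(tmpl, O_RDONLY | O_DIRECTORY), fails = 0;
    close(openat(dfd, "target", O_WRONLY | O_CREAT, 0600));
    symlinkat("target", dfd, "link"); symlinkat(".", dfd, "dir");
    int probe = open2(dfd, "target", O_RDONLY, 0);   /* ENOSYS / EPERM: no openat2() here */
    if (probe < 0) { fails = -1; goto out; } else close(probe);
    fails += expect(dfd, "link", O_RDONLY | O_NOFOLLOW, 0, ELOOP);        /* final component only */
    fails += expect(dfd, "dir/target", O_RDONLY | O_NOFOLLOW, 0, 0);      /* middle symlink still followed */
    fails += expect(dfd, "dir/target", O_RDONLY, RES_NO_SYMLINKS, ELOOP); /* every component is checked */
    fails += expect(dfd, "../escape", O_RDONLY, RES_BENEATH, EXDEV);      /* .. above dirfd is refused */
    fails += expect(dfd, "target", O_RDONLY, RES_NO_SYMLINKS | RES_BENEATH, 0); /* the confined default */
out:
    unlinkat(dfd, "link", 0); unlinkat(dfd, "dir", 0); unlinkat(dfd, "target", 0); close(dfd); rmdir(tmpl);
    return fails;
}
```

On a kernel that has openat2() every check prints "as expected"; the second line is the one that matters, since a plain O_NOFOLLOW open silently walks through the symlinked directory.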
