Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1754601AbbLKWwX (ORCPT <rfc822;w@1wt.eu>);
	Fri, 11 Dec 2015 17:52:23 -0500
Received: from mail-ob0-f171.google.com ([209.85.214.171]:35611 "EHLO
	mail-ob0-f171.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S1752822AbbLKWwV (ORCPT
	<rfc822;linux-kernel@vger.kernel.org>);
	Fri, 11 Dec 2015 17:52:21 -0500
MIME-Version: 1.0
In-Reply-To: <87y4d0sjff.fsf@x220.int.ebiederm.org>
References: <CA+55aFw9Bg+Zh_T4zP487n3ieaxoMHgZ_nNJVdpSR4kQK9gQ9w@mail.gmail.com>
 <1CB621EF-1647-463B-A144-D611DB150E15@zytor.com> <20151208223135.GA8352@kroah.com>
 <87oae0h2bo.fsf@x220.int.ebiederm.org> <56677DE3.5040705@zytor.com>
 <20151209012311.GA11794@kroah.com> <84B136DF-55E4-476A-9CB2-062B15677EE5@zytor.com>
 <20151209013859.GA12442@kroah.com> <20151209083225.GA30452@1wt.eu>
 <87wpskyds7.fsf_-_@x220.int.ebiederm.org> <20151211210400.GL20997@ZenIV.linux.org.uk>
 <87h9jovgf7.fsf@x220.int.ebiederm.org> <CALCETrWVbWz-cOaOZrcU1MLPyviknssEWY5OoKLVqkoDi-9kjA@mail.gmail.com>
 <566B4931.5080806@zytor.com> <CALCETrUB-52tNC3TiRiAoUpMPHnA8vHky7a0-YixseVsh0TZdA@mail.gmail.com>
 <87y4d0sjff.fsf@x220.int.ebiederm.org>
From: Andy Lutomirski <luto@amacapital.net>
Date: Fri, 11 Dec 2015 14:52:01 -0800
Message-ID: <CALCETrX25-T-8fLLRsjrAEkfCJqFjvq3LRtySmo-c5yk4bm41g@mail.gmail.com>
Subject: Re: [PATCH] devpts: Sensible /dev/ptmx & force newinstance
To: "Eric W. Biederman" <ebiederm@xmission.com>
Cc: "H. Peter Anvin" <hpa@zytor.com>, Al Viro <viro@zeniv.linux.org.uk>,
        Greg KH <greg@kroah.com>, Jiri Slaby <jslaby@suse.com>,
        Linus Torvalds <torvalds@linux-foundation.org>,
        Aurelien Jarno <aurelien@aurel32.net>,
        Florian Weimer <fw@deneb.enyo.de>,
        Serge Hallyn <serge.hallyn@ubuntu.com>, Jann Horn <jann@thejh.net>,
        "security@kernel.org" <security@kernel.org>,
        "security@ubuntu.com >> security" <security@ubuntu.com>,
        security@debian.org, Willy Tarreau <w@1wt.eu>,
        "linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>
Content-Type: text/plain; charset=UTF-8
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
Content-Length: 3379
Lines: 79

On Fri, Dec 11, 2015 at 2:35 PM, Eric W. Biederman
<ebiederm@xmission.com> wrote:
> Andy Lutomirski <luto@amacapital.net> writes:
>
>> On Fri, Dec 11, 2015 at 2:07 PM, H. Peter Anvin <hpa@zytor.com> wrote:
>>> On 12/11/15 13:48, Andy Lutomirski wrote:
>>>> On Fri, Dec 11, 2015 at 1:11 PM, Eric W. Biederman
>>>> <ebiederm@xmission.com> wrote:
>>>>> Al Viro <viro@ZenIV.linux.org.uk> writes:
>>>>>
>>>>>> On Fri, Dec 11, 2015 at 01:40:40PM -0600, Eric W. Biederman wrote:
>>>>>>
>>>>>>> +    inode = path.dentry->d_inode;
>>>>>>> +    filp->f_path = path;
>>>>>>> +    filp->f_inode = inode;
>>>>>>> +    filp->f_mapping = inode->i_mapping;
>>>>>>> +    path_put(&old);
>>>>>>
>>>>>> Don't.  You are creating a fairly subtle constraint on what the code in
>>>>>> fs/open.c and fs/namei.c can do, for no good reason.  You can bloody
>>>>>> well maintain the information you need without that.
>>>>>
>>>>> There is a good reason.  We can not write a race free version of ptsname
>>>>> without it.
>>>>
>>>> As long as this is for new userspace code, would it make sense to just
>>>> add a new ioctl to ask "does this ptmx fd match this /dev/pts fd?"
>>>>
>>>
>>> For the newinstance case st_dev should match between the master and the
>>> slave.  Unfortunately this is not the case for a legacy ptmx, as a
>>> stat() on the master descriptor still returns the st_dev, st_rdev, and
>>> st_ino for the ptmx device node.
>>
>> Sure, but I'm not talking about stat.  I'm saying that we could add a
>> new ioctl that works on any ptmx fd (/dev/ptmx or /dev/pts/ptmx) that
>> answers the question "does this ptmx logically belong to the given
>> devpts filesystem".
>>
>> Since it's not stat, we can make it do whatever we want, including
>> following a link to the devpts instance that isn't f_path or f_inode.
>
> The useful ioctl to add in my opinion would be one that actually opens
> the slave, at which point ptsname could become ttyname, and that closes
> races in grantpt.

Unfortunately, ptsname is POSIX, so we can't get rid of it.  It's a
bad idea, but it's in the standard.

>
> I even posted an implementation earlier in the discussion and no one was
> interested.
>
> Honestly the more weird special cases we add to devpts the less likely
> userspace will be to get things right.  We have been trying since 1998
> and devpts is still a poor enough design we have not been able to get
> rid of /usr/lib/pt_chown.  Adding another case where we have to sand on
> one foot and touch our nose does not seem to likely to achieve
> widespread adoption.  How many version of libc are there now?

Old libc can stay buggy, I think.  Given that this mess is partially a
libc mis-design, I don't see why it needs to be fixed entirely in the
kernel.

For new systems, it would be really nice if we can make a /dev/ptmx
symlink be 100% functional.

In any event, this is semi-moot.  If we actually want to retire the
newinstance=0 thing from the kernel, we apparently need a magic
/dev/ptmx node.  That doesn't mean that new userspace needs to *use*
that magic node.  So why not implement the magic node without fiddling
with f_path?

--Andy
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/