From: Christoph Hellwig
To: Linus Torvalds, Alexander Viro
Cc: linux-api@vger.kernel.org, linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org, libc-alpha@sourceware.org
Subject: RFC: reject unknown open flags
Date: Thu, 30 Mar 2017 18:33:25 +0200
Message-Id: <20170330163327.23920-1-hch@lst.de>
X-Mailer: git-send-email 2.11.0
X-Mailing-List: linux-kernel@vger.kernel.org

Linux has traditionally accepted random garbage in the flags argument to the open syscall (including the later added openat). This really harms when adding new flags, because applications can't just probe for the flag to actually work.

While rejecting unknown flags is an ABI change strictly speaking, I can't see what would actually get broken by it in practice, so by the Linux rules it might not be an issue.

Below is the trivial series to reject unknown flags. If this is not acceptable there might be some other ways, although they seem ugly:

 (a) add a new openat2 system call that enforces this behavior, and hope all major libcs switch to using that by default to implement open(3).
 (b) add a new personality flag to enforce this behavior (or maybe opt in by default and allow admins to opt out of it)
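
The probing problem described in the message, as an added C example that is not part of the original message or of the patch series: `probe_kernel()` reports whether the running kernel accepts or rejects an undefined flag bit, and `strict_open()` is a hypothetical user-space stand-in for the rejecting behaviour. `BOGUS_FLAG`, `KNOWN_FLAGS` and both function names are assumptions made for illustration.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>

/* Assumption: bit 30 is not assigned to any O_* flag on this architecture. */
#define BOGUS_FLAG (1 << 30)

/* Hypothetical allow-list built from the libc headers this file was compiled
 * against; it is not the kernel's own mask. */
static const int KNOWN_FLAGS =
    O_ACCMODE | O_CREAT | O_EXCL | O_NOCTTY | O_TRUNC | O_APPEND |
    O_NONBLOCK | O_SYNC | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC;

enum probe_result { PROBE_ACCEPTED, PROBE_REJECTED, PROBE_ERROR };

/* Ask the running kernel: open path read-only with the extra bits set. */
enum probe_result probe_kernel(const char *path, int extra)
{
    int fd = open(path, O_RDONLY | O_CLOEXEC | extra);
    if (fd >= 0) {
        close(fd);
        return PROBE_ACCEPTED; /* any undefined bit in extra was ignored */
    }
    return errno == EINVAL ? PROBE_REJECTED : PROBE_ERROR;
}

/* User-space stand-in for strict checking: refuse undefined bits up front. */
int strict_open(const char *path, int flags, mode_t mode)
{
    if (flags & ~KNOWN_FLAGS) {
        errno = EINVAL;
        return -1;
    }
    return open(path, flags, mode);
}

int main(void)
{
    enum probe_result r = probe_kernel("/", BOGUS_FLAG);
    printf("open() with undefined bit: %s\n",
           r == PROBE_ACCEPTED ? "accepted, so probing tells the caller nothing"
           : r == PROBE_REJECTED ? "EINVAL, so probing works" : "other error");
    int fd = strict_open("/", O_RDONLY | BOGUS_FLAG, 0);
    printf("strict_open() with undefined bit: %s\n",
           fd < 0 && errno == EINVAL ? "EINVAL" : "unexpected");
    if (fd >= 0) close(fd);
    return 0;
}
```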