Subject: Re: [PATCH 0/3] namei: implement various scoping AT_* flags
From: Andy Lutomirski
Date: Sat, 29 Sep 2018 07:25:57 -0700
To: Aleksa Sarai
Cc: Jeff Layton, "J. Bruce Fields", Al Viro, Arnd Bergmann, Shuah Khan, David Howells, Andy Lutomirski, Christian Brauner, Eric Biederman, Tycho Andersen, linux-kernel@vger.kernel.org, linux-fsdevel@vger.kernel.org, linux-arch@vger.kernel.org, linux-kselftest@vger.kernel.org, dev@opencontainers.org, containers@lists.linux-foundation.org
Message-Id: <1EE20CA2-4C8B-4A80-B613-0277D92B376D@amacapital.net>
In-Reply-To: <20180929103453.12025-1-cyphar@cyphar.com>
References: <20180929103453.12025-1-cyphar@cyphar.com>

> On Sep 29, 2018, at 3:34 AM, Aleksa Sarai wrote:
>
> The need for some sort of control over VFS's path resolution (to avoid
> malicious paths resulting in inadvertent breakouts) has been a very
> long-standing desire of many userspace applications. This patchset is a
> revival of Al Viro's old AT_NO_JUMPS[1] patchset with a few additions.
>
> The most obvious change is that AT_NO_JUMPS has been split as discussed
> in the original thread, along with a further split of AT_NO_PROCLINKS
> which means that each individual property of AT_NO_JUMPS is now a
> separate flag:
>
> * Path-based escapes from the starting-point using "/" or ".." are
>   blocked by AT_BENEATH.

Seems useful.

> * Mountpoint crossings are blocked by AT_XDEV.

Seems useful.

> * /proc/$pid/fd/$fd resolution is blocked by AT_NO_PROCLINKS (more
>   correctly it actually blocks any user of nd_jump_link() because it
>   allows out-of-VFS path resolution manipulation).
>

So how do I disable following symlinks? ISTM the most natural way would be to have AT_NO_SYMLINKS, and to have that flag disable proc links.
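
A userspace approximation of the resolution rules discussed in this message, as an added example that is not part of the thread or of the patchset: it walks a path one component at a time from a directory fd, refusing "/" and ".." (the AT_BENEATH item) and refusing every symlink (the behaviour the reply asks about). The names `open_beneath_nosymlinks` and `make_sample_jail` and the sample tree are hypothetical and constructed here; unlike the quoted description, the helper refuses every ".." rather than only escaping ones.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>
/* Hypothetical helper: open `path` beneath `rootfd` one component at a time.
 * Returns a read-only fd, or -1 when resolution is refused or fails. */
int open_beneath_nosymlinks(int rootfd, const char *path)
{
    char buf[PATH_MAX], *save = NULL, *comp, *next;
    int cur, fd;
    if (path[0] == '/' || strlen(path) >= sizeof(buf))
        return -1;                      /* "/" would leave the starting point */
    strcpy(buf, path);
    cur = dup(rootfd);
    for (comp = strtok_r(buf, "/", &save); cur >= 0 && comp; comp = next) {
        next = strtok_r(NULL, "/", &save);
        /* Refuse ".." outright (stricter than tracking depth); O_NOFOLLOW
         * makes openat() fail on any symlink, /proc fd links included. */
        fd = strcmp(comp, "..") == 0 ? -1 : openat(cur, comp,
                 O_RDONLY | O_NOFOLLOW | O_CLOEXEC | (next ? O_DIRECTORY : 0));
        close(cur);
        cur = fd;
    }
    return cur;
}

/* Constructed sample tree: data/file, evil -> /etc, inside -> data */
int make_sample_jail(void)
{
    char tmpl[] = "/tmp/beneathXXXXXX";
    if (!mkdtemp(tmpl) || chdir(tmpl) || mkdir("data", 0700) ||
        symlink("/etc", "evil") || symlink("data", "inside"))
        return -1;
    close(open("data/file", O_CREAT | O_WRONLY, 0600));
    return open(".", O_RDONLY | O_DIRECTORY);
}

int main(void)
{
    int jail = make_sample_jail();
    const char *t[] = { "data/file", "/etc/passwd", "../x", "evil/passwd", "inside/file" };
    for (int i = 0; i < 5; i++)
        printf("%-12s -> %s\n", t[i],
               open_beneath_nosymlinks(jail, t[i]) < 0 ? "refused" : "opened");
    return 0;
}
```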