Received: by 2002:ac0:a5a6:0:0:0:0:0 with SMTP id m35-v6csp2061577imm; Sat, 29 Sep 2018 09:35:01 -0700 (PDT) X-Google-Smtp-Source: ACcGV62W5iu644Iuny2eziPpg+vvKs0L1p+HLEbUfmro9j7j9rZii2Fuog7rNRjaE/Qz6oo/obkL X-Received: by 2002:a65:5bc1:: with SMTP id o1-v6mr3502480pgr.391.1538238901761; Sat, 29 Sep 2018 09:35:01 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1538238901; cv=none; d=google.com; s=arc-20160816; b=iIj8oi/BkOwYKDtAywS3q2EVglewsfBwOSPm+V22x6mwHbhH1vRbkob8QkpOgLizYN 6WwLQinnxovh28/es6P7H1VtkSPwPw13CCOMVDVQR+OTdc44Zkf4Vd2TB1qhnFYhWYYR MOsLyTqLZa+miBi9g/I3fpz1sYaNE+ZdpFQaYdueeWyee2tFx9opi6ATI241vC4tfLlp nva6qTITCnVRIrhFXK0+uwaeziR40pH0eweUICuhiw2xrMCfdZnXfrFPG7VTS1CgsVGW 6iW2PTCDIHSsmeffe8GrZeFm0yc61aIVKp6ZgtduxiOouIw3diF6AFdDSMhEe8kP6mku Bg/w== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:to:references:message-id :content-transfer-encoding:cc:date:in-reply-to:from:subject :mime-version:dkim-signature; bh=KvTQtdedXDeU8JGJReEkH+sFmgNPFAPXy0iwMsr+Kg8=; b=kflo6gpWMxvAH1yMd22qW6w6B73SZk7ySq03odeMwykWRK9EB73ubFn6ya1dIvBlAA C/l7KiFQeG7of6EzFO2KxlqMfzZjqjNmLObvTKRQ6nW8c5Ym2yBDPPOhTqW6tzbO92aq T9wqu9p1bOt3sB8jwoDREZ7fABeN7wi52UwomFx30YZ/iH5wIwEJI2DUvUHc7+TYwYbc rSDJu+Mgj6ygpC53j3bETfZdFaPx+89rtWvT3Af0yWptwHtBFTTcjHExOpP8GP3GQIMj Jfqrj1AIQkVeTwTljMfy7CzwpzXZloaX2Gb8MkqZeqfkxUpYFg1rrNTE6v76JKb8pVdV DhWQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@amacapital-net.20150623.gappssmtp.com header.s=20150623 header.b=dp2HqnQN; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id 8-v6si7512399pgx.37.2018.09.29.09.34.32; Sat, 29 Sep 2018 09:35:01 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@amacapital-net.20150623.gappssmtp.com header.s=20150623 header.b=dp2HqnQN; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728431AbeI2XDb (ORCPT + 99 others); Sat, 29 Sep 2018 19:03:31 -0400 Received: from mail-pg1-f193.google.com ([209.85.215.193]:38422 "EHLO mail-pg1-f193.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728390AbeI2XDb (ORCPT ); Sat, 29 Sep 2018 19:03:31 -0400 Received: by mail-pg1-f193.google.com with SMTP id r77-v6so6594789pgr.5 for ; Sat, 29 Sep 2018 09:34:28 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=amacapital-net.20150623.gappssmtp.com; s=20150623; h=mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=KvTQtdedXDeU8JGJReEkH+sFmgNPFAPXy0iwMsr+Kg8=; b=dp2HqnQNBLql1PVLsSR4DDXGqS/XUljVtl9wYPjuDxzzBQGZ3FzMeMuYXw9Oaxh8G+ MlGQU+y0/+U7rLcUHtNk8aq1+v1jTAHCZyX/nF8GjBPQSGg/Z18P+DzXqqgW+0uOTP4Y r+KSllKVzWu2/NcpGA+l2gWrun8wALOytkYFdoszKZO45fCm07RDaNw4efjpgdBtXBCB 9dHmLuZsgjoz+DTRSIb6jaDN9wISj902rkQbR+zUn3RjWijHVq0VerHU+Vp+CzT2xhkU 0aVccfqMi4u90oCz9ikZOhAaDMiaJ7R3uR+XMzuKCIy7stX6dzT5BcJxEA5o2LIVMGDS gwTQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=KvTQtdedXDeU8JGJReEkH+sFmgNPFAPXy0iwMsr+Kg8=; b=nBL725Er+Vb4usjqq0mUSoVmHTQSpAD2djNlmjfuzf/QLrrmCnpKkjuZHnZS5O7dBX Rtfup+WzsEkEHvcwryHiNSKK3Vq2tS9+TXrQuUZUI3AxxW/oVHDMlBwtcYUhFb5AJyCz tfPdj5gKkB25Mt9SZcTkIgQxgjNRYo/l8Nyfo9s3xgtIfnymf0UopMfOgtzTKgZUswy9 UIOuO/tj4qN0L5HEHxeE8PvndOj37+MpIe2gGNxHZpMxiSOwomsCfDb+WmVt17lu2G5N 7I+Acp0hnFQrSz1MJSYt/+KYXVEBPLYEh317lT4qzK92o9PrZ83fIpSWbqm25aAzunER GqOw== X-Gm-Message-State: ABuFfojNO+9M9NvzaE1x5OyDfarSvxPchNkkGNIt+MFdtQ9ZoK2gOEO5 ou45DkGco/dvL9y4mYYQ3YlKIg== X-Received: by 2002:a62:2056:: with SMTP id g83-v6mr3774816pfg.165.1538238867851; Sat, 29 Sep 2018 09:34:27 -0700 (PDT) Received: from ?IPv6:2600:1010:b029:4fc8:d7f:8889:342e:40b? ([2600:1010:b029:4fc8:d7f:8889:342e:40b]) by smtp.gmail.com with ESMTPSA id x4-v6sm11082814pfm.119.2018.09.29.09.34.26 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Sat, 29 Sep 2018 09:34:26 -0700 (PDT) Content-Type: text/plain; charset=utf-8 Mime-Version: 1.0 (1.0) Subject: Re: [PATCH 0/3] namei: implement various scoping AT_* flags From: Andy Lutomirski X-Mailer: iPhone Mail (16A366) In-Reply-To: <20180929154551.jsi6dt3xjxdxoqeh@ryuk> Date: Sat, 29 Sep 2018 09:34:24 -0700 Cc: Jeff Layton , "J. Bruce Fields" , Al Viro , Arnd Bergmann , Shuah Khan , David Howells , Andy Lutomirski , Christian Brauner , Eric Biederman , Tycho Andersen , linux-kernel@vger.kernel.org, linux-fsdevel@vger.kernel.org, linux-arch@vger.kernel.org, linux-kselftest@vger.kernel.org, dev@opencontainers.org, containers@lists.linux-foundation.org Content-Transfer-Encoding: quoted-printable Message-Id: <9D01A225-05BE-4B4A-873A-94168D17F687@amacapital.net> References: <20180929103453.12025-1-cyphar@cyphar.com> <1EE20CA2-4C8B-4A80-B613-0277D92B376D@amacapital.net> <20180929154551.jsi6dt3xjxdxoqeh@ryuk> To: Aleksa Sarai Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org > On Sep 29, 2018, at 8:45 AM, Aleksa Sarai wrote: >=20 > On 2018-09-29, Andy Lutomirski wrote: >>> The most obvious change is that AT_NO_JUMPS has been split as dicussed >>> in the original thread, along with a further split of AT_NO_PROCLINKS >>> which means that each individual property of AT_NO_JUMPS is now a >>> separate flag: >>>=20 >>> * Path-based escapes from the starting-point using "/" or ".." are >>> blocked by AT_BENEATH. >>=20 >> Seems useful. >>=20 >>> * Mountpoint crossings are blocked by AT_XDEV. >>=20 >> Seems useful. >>=20 >>> * /proc/$pid/fd/$fd resolution is blocked by AT_NO_PROCLINKS (more >>> correctly it actually blocks any user of nd_jump_link() because it >>> allows out-of-VFS path resolution manipulation). >>>=20 >>=20 >> So how do I disable following symlinks? ISTM the most natural way >> would be to have AT_NO_SYMLINKS, and to have that flag disable proc >> links. >=20 > So, this patchset has both AT_NO_SYMLINKS and AT_NO_PROCLINKS. And AT_THIS_ROOT, which is neat. Want to update your cover letter to include= all of this? Or at I just reading the wrong thing? >=20 > * AT_NO_SYMLINKS blocks *all* symlinks (which is something Linus requested= > in the original thread[2] -- apparently this is something that would > be useful to git even if wouldn't violate AT_BENEATH). This implies > AT_NO_PROCLINKS. >=20 > * AT_NO_PROCLINKS only blocks procfs-style "symlinks" (filesystem > "symlinks" that call nd_jump_link() themselves -- currently only > procfs and nsfs). >=20 Hmm. I=E2=80=99m not sure that blocking nsfs links is always what the contai= ner runtime wants, but the overall concept sounds quite useful. Maybe call i= t AT_NO_TELEPORT? Or AT_NO_MAGIC_LINKS? Also, as a perhaps-silly suggestion: if you end up adding a new syscall, I c= an see a use for a mode that does the path walk but, rather than failing on a= disallowed link, stops early and indicates where it stopped. Then web serve= rs, samba, etc can more efficiently implement custom behavior when links are= encountered. And it may also be useful to have a variant of AT_THIS_ROOT w= here trying to escape is an error instead of having it just get stuck at the= root.=