Date: Sat, 27 Oct 2018 01:41:14 +0000
From: Ed Maste
To: cyphar@cyphar.com, David Drysdale, linux-kernel@vger.kernel.org
Subject: Re: [PATCH v2 1/3] namei: implement O_BENEATH-style AT_* flags
Message-ID: <20181027014114.GA52393@freebsd.org>
In-Reply-To: <20181009065300.11053-3-cyphar@cyphar.com>

On Tue, 9 Oct 2018 at 02:53, Aleksa Sarai wrote:
>
> +#ifndef O_BENEATH
> +#define O_BENEATH 00040000000 /* *Not* the same as capsicum's O_BENEATH! */
> +#endif

I had originally followed up privately to Aleksa about this comment (to
suggest that it's outdated and should be removed), but the reference
Capsicum implementation now supports O_BENEATH and I think it's sensible
to follow up here with the additional context.

O_BENEATH originally came from the Capsicum Linux port, and inherited the
restriction against ".." path components from years ago when the port was
done. In addition, FreeBSD did not originally implement O_BENEATH as the
"beneath" behaviour is inherently provided once a process enters a
capability mode sandbox.

However, Capsicum now allows ".." paths, and FreeBSD supports O_BENEATH
separately from capability mode. Absolute paths are not yet allowed with
O_BENEATH but a change is in review to permit them. On FreeBSD a lookup
prevented by O_BENEATH semantics returns ENOTCAPABLE, the errno coming from
the Capsicum implementation.

Ideally I would like to see us have the same API; none of this work has yet
shipped in a FreeBSD release and there is an opportunity for us to make
changes to match the interface and errors Linux may adopt.
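Review bot: the comment on the O_BENEATH fallback define only asserts that it is *not* the same as Capsicum's O_BENEATH without saying what differs (the value, the ".." handling, or the errno), so a reader of the header cannot act on it and it is easy to leave stale; either state the concrete difference or drop the comment. Note also that the `#ifndef O_BENEATH` guard means a host header that already defines O_BENEATH with a different value is silently taken over the `00040000000` given here, which is worth a comment if that is intended.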
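A lexical model of the two ".." policies the reply contrasts (the original Capsicum port rejecting every ".." versus the current one allowing ".." as long as the lookup stays beneath the starting directory), written as an added example and not taken from the patch, Capsicum or FreeBSD; the numeric ENOTCAPABLE fallback is assumed for hosts whose errno.h lacks it, and symlinks and races, which the real kernel lookup must handle, are deliberately out of scope.

```c
#include <errno.h>
#include <string.h>

/* FreeBSD's errno for a lookup refused by O_BENEATH/Capsicum; the fallback
 * value is an assumption for hosts (e.g. Linux) whose errno.h lacks it. */
#ifndef ENOTCAPABLE
#define ENOTCAPABLE 93
#endif

enum beneath_mode {
    BENEATH_NO_DOTDOT,    /* original Capsicum port: any ".." is refused */
    BENEATH_DOTDOT_STAYS, /* current Capsicum: ".." allowed while still beneath */
};

/* Lexically check PATH relative to a starting directory.  Returns 0 when the
 * path stays beneath that directory under MODE, or -ENOTCAPABLE otherwise.
 * Absolute paths are refused, matching the FreeBSD state described above. */
int beneath_check(const char *path, enum beneath_mode mode)
{
    int depth = 0; /* how many components below the starting directory */

    if (path[0] == '/')
        return -ENOTCAPABLE;

    while (*path) {
        const char *end = strchr(path, '/');
        size_t len = end ? (size_t)(end - path) : strlen(path);

        if (len == 2 && path[0] == '.' && path[1] == '.') {
            /* ".." either always refused, or refused only when it would
             * climb above the starting directory (depth already 0). */
            if (mode == BENEATH_NO_DOTDOT || depth == 0)
                return -ENOTCAPABLE;
            depth--;
        } else if (len > 0 && !(len == 1 && path[0] == '.')) {
            depth++; /* ordinary component: one level deeper */
        }
        /* "." and empty components ("a//b") do not change depth. */
        path += len;
        while (*path == '/')
            path++;
    }
    return 0;
}
```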