Received: by 2002:ad5:474a:0:0:0:0:0 with SMTP id i10csp3234332imu; Sat, 24 Nov 2018 00:43:30 -0800 (PST) X-Google-Smtp-Source: AFSGD/XXffouFAcmAtCdj4dqVqkakMj9jPs4q8ei1+Mhq6YMGBVMFqijjq+6W7kGPi6rINojP+iB X-Received: by 2002:a63:5907:: with SMTP id n7mr17064909pgb.435.1543049010558; Sat, 24 Nov 2018 00:43:30 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1543049010; cv=none; d=google.com; s=arc-20160816; b=RfGfvNhOKb1aE5/7e6wkBLtPyT6PFsTQguprMNQFGih7HFDIFYkihT1nm/XHTI/ncS rQh2DZ5EdDApncWHwn04C9u96y2g9G3uGy61rl+1OC0YCQ5y3xNERDaP25Cpg/eRQ6HS GUXmRbaCAAG6/7aQH5w/AuFDhCtE41RNo0IPVzaFXFrx75ifWyloL9aeukCpnjRiW7jw 1f+cIRYchbojAAlUrMXN53YQzaI7JLYBobpvzbs8F6nTSzYghg8o6Jrs/Z1CpE+WS584 FTru5nxREV/hcl3O01Ja8lR7s6oCnjg12vngctORYWpw1Xgc1vLZcxpaDwaOBJlK1l5E KWqw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:in-reply-to :content-disposition:mime-version:references:message-id:subject:cc :to:from:date; bh=i76vt8LIcOmsSDjtmnsRuAqRk3dFkBNlJmMdRvVPvCY=; b=dWFG7BZGj5cI4DJuzo1m54NEjs/zj+8Rw8Y/8Ow/Jtfma+TM53aPyF5SX2azFEFgNv qOALdRRI7534W/iODXBN9caRYmZ2qXbQ05ql1g0/VpnZSadG7rJl/Z/34HfzSbGO6hfP kIQjAZXEQMo42UKtTFLzTl9rMmfszIjffD9Hn5AdpUJK4GWqhGBV3Cb4lCPamo7UJB36 KI0ELaEzncj5x3/gFtcLDP03Vxa+NQoDkVHHSEDPHBxh0Wz37SivHVenBBNfV1y0/L9T By4kbiV/TcletWiE6sHiKeBRMp3mVHMA6wlBwjZ1pdlfgH/jz2ClNBRZ8KRwZbvJa3rr Cc/w== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id x141si9948711pgx.266.2018.11.24.00.43.16; Sat, 24 Nov 2018 00:43:30 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2633044AbeKXDdf (ORCPT + 99 others); Fri, 23 Nov 2018 22:33:35 -0500 Received: from mx2.suse.de ([195.135.220.15]:40574 "EHLO mx1.suse.de" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1729195AbeKXDdf (ORCPT ); Fri, 23 Nov 2018 22:33:35 -0500 X-Virus-Scanned: by amavisd-new at test-mx.suse.de Received: from relay1.suse.de (unknown [195.135.220.254]) by mx1.suse.de (Postfix) with ESMTP id 3C1F2AEC1; Fri, 23 Nov 2018 16:48:33 +0000 (UTC) Date: Sat, 24 Nov 2018 03:48:19 +1100 From: Aleksa Sarai To: Andy Lutomirski Cc: j@bitron.ch, Aleksa Sarai , Al Viro , Jeff Layton , "J. Bruce Fields" , Arnd Bergmann , David Howells , "Eric W. Biederman" , Christian Brauner , Linux API , Jann Horn , David Drysdale , Linux Containers , Linux FS Devel , LKML , linux-arch Subject: Re: [PATCH v4 2/4] namei: O_BENEATH-style path resolution flags Message-ID: <20181123164819.skruu23wjwzf47f5@mikami> References: <20181112142654.341-1-cyphar@cyphar.com> <20181112142654.341-3-cyphar@cyphar.com> <1ce83cdf6e3168350b69f98f08aaa202bbaa682d.camel@bitron.ch> MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha256; protocol="application/pgp-signature"; boundary="bd7wx4sujq35ecq2" Content-Disposition: inline In-Reply-To: User-Agent: NeoMutt/20180716 Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org --bd7wx4sujq35ecq2 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On 2018-11-23, Andy Lutomirski wrote: > > On Nov 23, 2018, at 5:10 AM, J=C3=BCrg Billeter wrote: > > > > Hi Aleksa, > > > >> On Tue, 2018-11-13 at 01:26 +1100, Aleksa Sarai wrote: > >> * O_BENEATH: Disallow "escapes" from the starting point of the > >> filesystem tree during resolution (you must stay "beneath" the > >> starting point at all times). Currently this is done by disallowing > >> ".." and absolute paths (either in the given path or found during > >> symlink resolution) entirely, as well as all "magic link" jumping. > > > > With open_tree(2) and OPEN_TREE_CLONE, will O_BENEATH still be > > necessary? >=20 > This discussion reminds me of something I=E2=80=99m uncomfortable with in= the > current patches: currently, most of the O_ flags determine some > property of the returned opened file. The new O_ flags you're adding > don't -- instead, they affect the lookup of the file. So O_BENEATH > doesn't return a descriptor that can only be used to loop up files > beneath it -- it just controls whether open(2) succeeds or fails. It > might be nice for the naming of the flags to reflect this. I agree that there is something quite weird about having path resolution flags in an *open* syscall. The main reason why it's linked to open is because that's the only way to get O_PATH descriptors (which is what you would use for most of the extended operations we need -- as well as reading+writing to files which is what most users would do with this). And I think O_PATH is another example of an open flag that is just odd in how it changes the semantics of using open(2). One of the ideas I pitched in an earlier mail was a hypothetical resolveat(2) -- which would just be a new way of getting an O_PATH descriptor. This way, we wouldn't be using up more O_* flag bits with this feature and we'd be able to play with more radical semantic changes in the future. I can outline these here if you like, but it's a bit of a long discussion and I'd prefer not to derail things too much if resolveat(2) is definitely out of the question. > I also don't love that we have some magic AT_ flags that work with > some syscalls and some magic O_ flags that work with others. I also completely agree. I think that we should have a discussion about the long-term plan of syscall flags because it's starting to get a little bit crazy: * Every "get an fd" syscall has its own brand of O_CLOEXEC. Thankfully, many of them use the same value (except for memfd_create(2) and a few other examples). * AT_* was supposed to be generic across all *at(2) syscalls, but there are several cases where this isn't really true anymore. * renameat2(2) only supports RENAME_* flags. * openat(2) supports only O_* flags. * Most AT_* flags have O_* counterparts (or are even more of a mess such as with {AT_SYMLINK_FOLLOW,AT_SYMLINK_NOFOLLOW,O_NOFOLLOW}). * statx(2) added AT_STATX_* flags, making AT_* no longer generic. (Also I just want to mention something I noticed while writing this patch -- openat(2) violates one of the kernel "golden rules" -- that you reject unknown flags. openat(2) will silently ignore unknown flag bits. I'm sure there's a really good reason for this, but it's another flag oddity that I felt fit here.) --=20 Aleksa Sarai Senior Software Engineer (Containers) SUSE Linux GmbH --bd7wx4sujq35ecq2 Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- iQIzBAABCAAdFiEEXzbGxhtUYBJKdfWmnhiqJn3bjbQFAlv4L08ACgkQnhiqJn3b jbQNZw//cbVZ6mja1WexO3nT8oHZekLWz51OovZZ//xUM8t4WXfqf794yLdjBW/f szkgqHpmoKEGtzJ1jrDkuNezflK8gy/2WETSTYv+hEump+c3z2RgZBbb7dmVz0pF MsPgBIAhLtFtnTyMTT57NMgQxCURCG9NAb3vWzcujuci0QX6kzKpMmhNoTe9q8G9 MuNVv7x/NJCaoUOnLsi1QoEc7RWYQIUfVGHUX6Sw5km8NzLlOOdmYDUC8rJdEIJs RBdBQWq+XR/wVFuzBzLfbMLFRsQPlDDOrWvxap7t9CwjKmc1Qm1Q0R/L28kwnNeq mPxpFCBnXQ0eWlNTUMIK+gETGlqOxs91lC1rv2FdiwEAyT1SLCBLoIE0X+d1UR4x sewI7Rs/WTlFSdPWE8QRltgIK8E0TVrfJxn/vBD/GyAX+edl9JH8Cdx8RV+MKS5x yI1d+7YNsYto2heIZ2KrAfWxWluVutiMJ1VjW477vN4T9cVE6jDIbl9dOKFoMDCQ MKY3J5CYj9COfhtTbwuIR6jOWeflBTy/VIvGLcPZjNbBLCe/38CfeCBvWObtmmcD Jpe4Nkkc5ttQXiZu37A8ZpehnoHBC45YMsRLvavPowTt82P0P8Y5RsIJfaqu0KFw xPjs0g6JHiMdUExryNZDsLEIoAeCDCE0aOi+OaHnjYaxTIUyxEk= =aoUZ -----END PGP SIGNATURE----- --bd7wx4sujq35ecq2--