Received: by 2002:a25:ab43:0:0:0:0:0 with SMTP id u61csp1045440ybi;
        Fri, 24 May 2019 16:09:24 -0700 (PDT)
X-Google-Smtp-Source: APXvYqzWdYgBxJoNCdgXEJAKZoXzM8yMLZGxdZSqmx42ognh6FU7MkIckTHkOiypEM0pOG2xDWSN
X-Received: by 2002:a17:90a:bb8d:: with SMTP id v13mr12658233pjr.79.1558739364111;
        Fri, 24 May 2019 16:09:24 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1558739364; cv=none;
        d=google.com; s=arc-20160816;
        b=a09OzW4ODVE76v68YAmooSlzySCp5PTKr62+UO5mqS506WukJoeniUaMpWEgrk33UN
         OZXs10egEWm3iY1/F7RpDeWRqs9wckyP1SLciWGdx/tgtkfOxSMrstAO7h2r9b0H4KKI
         qlsVQXFjGyuYXyW+dxpG/4JNzad9VkfRfUDFSF1dzsoFw7V53oIGxl9vcJ6/dHvXndY3
         Wi4cf9AkksAnY4dTCvlkIuIt5jnYzUWd8+yLyKvuC97bwWLH8z/9s0eq3PV46HjTOCDG
         4vby/S49TlVvq+EzZ8WLoFFpdGyBeZfeJxpAyhkFnPEgvxrp1POBHfRl85+gr65wwqae
         3X2Q==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:cc:to:subject:message-id:date:from
         :in-reply-to:references:mime-version:dkim-signature;
        bh=pQINizPFkNPnto59K0HZACSWR9ngvO3M7aOeMX8dPW8=;
        b=wQondpYg3352QIuYcY+7f/o6+sKTo5xehqZElHC0PcCNTGkdhbrbh3d48LUPKaHvZK
         wZ6OsogSBDEG3nQheQn1GKhXHInKOftrfbjPhOYffC865xc6ZInkpB5TYnpokjmuomX0
         /vjm/0W1rraUyU/N+ZSrrJTclvug8UPueFafyScVVFWHZa1Oa9hEdV/2katS9scdc77l
         Afl5ER/BZIF20QBy32b1DXTG9u/zcZLPJb78LdeorhRgftQQX4rSuyIQbIG0k/L26sbJ
         gg2GZOr8SD/tKXpIZTB4wdTltI5jnSK5CoTdZrh8Prg0pNWKMLzOy318fYVsiQtgHiU3
         BiPQ==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@linux-foundation.org header.s=google header.b=GmxgEiG+;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id ay7si5934527plb.135.2019.05.24.16.08.57;
        Fri, 24 May 2019 16:09:24 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@linux-foundation.org header.s=google header.b=GmxgEiG+;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1732136AbfEXXG4 (ORCPT <rfc822;zffurovfq63@gmail.com>
        + 99 others); Fri, 24 May 2019 19:06:56 -0400
Received: from mail-lf1-f68.google.com ([209.85.167.68]:34178 "EHLO
        mail-lf1-f68.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1727091AbfEXXG4 (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Fri, 24 May 2019 19:06:56 -0400
Received: by mail-lf1-f68.google.com with SMTP id v18so8255154lfi.1
        for <linux-kernel@vger.kernel.org>; Fri, 24 May 2019 16:06:54 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=linux-foundation.org; s=google;
        h=mime-version:references:in-reply-to:from:date:message-id:subject:to
         :cc;
        bh=pQINizPFkNPnto59K0HZACSWR9ngvO3M7aOeMX8dPW8=;
        b=GmxgEiG+jMRxi4LmBi9k7J2C8n7RpiC2NBCZ3DLX08K85gcoyywZ4tl+P32/mMwcqG
         O4Y184LyNs6/HdVttJYg26SnTEZenmTPwRlWi8OYmFedIXmlG1SXqhBugOdxMaqrphSg
         0/iJn6C0x9KeeqMxCK7RF+v4pYfhlNizqxwtc=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:references:in-reply-to:from:date
         :message-id:subject:to:cc;
        bh=pQINizPFkNPnto59K0HZACSWR9ngvO3M7aOeMX8dPW8=;
        b=Jqi65uJO0FB/qdV7+/ozDId50ZTx4is7efMWOBIH7obbvE0g8AN63AI0qAjrruus8G
         r8LxoG527UxILwHmEGjn80XqcIfaFN0G+6EQPVfSDSIRL2EWySX/Q22Yygf1RbWRvbbg
         trMq1pLj5fOgATIo59hLZRtWmKIUrP+ll7yHAlIXtlltaLglEjbv5l+/izxWwd87kD0/
         SnkQ8v+S/n10nP6OHiRYZGLwpLCm8DuoepPxhSjEsGzrvqG+uKmn8bwjVoddt/xwBswl
         7TEQ4NUggRVDUbOuqS+ltJaVCEjaJqiC/ZyqRaK66mDGTpE/ByfLIU9IJP9Oj6hRaPr3
         1uYQ==
X-Gm-Message-State: APjAAAWDDMekD7VG34VHtazTBofzUnVv5Gdg1Zf0TrZPjURzJWmmcJiF
        Ujd/LNAip3Z2DC4wHhhA5lQlmIjBGrY=
X-Received: by 2002:a19:27cc:: with SMTP id n195mr26505715lfn.172.1558739213015;
        Fri, 24 May 2019 16:06:53 -0700 (PDT)
Received: from mail-lj1-f169.google.com (mail-lj1-f169.google.com. [209.85.208.169])
        by smtp.gmail.com with ESMTPSA id g15sm740722ljk.83.2019.05.24.16.06.52
        for <linux-kernel@vger.kernel.org>
        (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
        Fri, 24 May 2019 16:06:52 -0700 (PDT)
Received: by mail-lj1-f169.google.com with SMTP id r76so4544533lja.12
        for <linux-kernel@vger.kernel.org>; Fri, 24 May 2019 16:06:52 -0700 (PDT)
X-Received: by 2002:a2e:97d8:: with SMTP id m24mr44440219ljj.52.1558738775052;
 Fri, 24 May 2019 15:59:35 -0700 (PDT)
MIME-Version: 1.0
References: <20190507164317.13562-1-cyphar@cyphar.com> <20190507164317.13562-6-cyphar@cyphar.com>
In-Reply-To: <20190507164317.13562-6-cyphar@cyphar.com>
From:   Linus Torvalds <torvalds@linux-foundation.org>
Date:   Fri, 24 May 2019 15:59:19 -0700
X-Gmail-Original-Message-ID: <CAHk-=whbFMg4+HuWOBuHpvDNiAyowX2HUowv3+pt8vPWk5W-YQ@mail.gmail.com>
Message-ID: <CAHk-=whbFMg4+HuWOBuHpvDNiAyowX2HUowv3+pt8vPWk5W-YQ@mail.gmail.com>
Subject: Re: [PATCH v7 5/5] namei: resolveat(2) syscall
To:     Aleksa Sarai <cyphar@cyphar.com>
Cc:     Al Viro <viro@zeniv.linux.org.uk>,
        Jeff Layton <jlayton@kernel.org>,
        "J. Bruce Fields" <bfields@fieldses.org>,
        Arnd Bergmann <arnd@arndb.de>,
        David Howells <dhowells@redhat.com>,
        Christian Brauner <christian@brauner.io>,
        Eric Biederman <ebiederm@xmission.com>,
        Andy Lutomirski <luto@kernel.org>,
        Andrew Morton <akpm@linux-foundation.org>,
        Alexei Starovoitov <ast@kernel.org>,
        Kees Cook <keescook@chromium.org>,
        Jann Horn <jannh@google.com>, Tycho Andersen <tycho@tycho.ws>,
        David Drysdale <drysdale@google.com>,
        Chanho Min <chanho.min@lge.com>,
        Oleg Nesterov <oleg@redhat.com>, Aleksa Sarai <asarai@suse.de>,
        Linux Containers <containers@lists.linux-foundation.org>,
        linux-fsdevel <linux-fsdevel@vger.kernel.org>,
        Linux API <linux-api@vger.kernel.org>,
        Linux List Kernel Mailing <linux-kernel@vger.kernel.org>,
        linux-arch <linux-arch@vger.kernel.org>
Content-Type: text/plain; charset="UTF-8"
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Tue, May 7, 2019 at 9:44 AM Aleksa Sarai <cyphar@cyphar.com> wrote:
>
> The most obvious syscall to add support for the new LOOKUP_* scoping
> flags would be openat(2) (along with the required execveat(2) change
> included in this series). However, there are a few reasons to not do
> this:

So honestly, this last patch is what turns me off the whole thing.

It goes from a nice new feature ("you can use O_NOSYMLINKS to disallow
symlink traversal") to a special-case joke that isn't worth it any
more. You get a useless path descrptor back from s special hacky
system call, you don't actually get the useful data that you probably
*want* the open to get you.

Sure, you could eventually then use a *second* system call (openat
with O_EMPTYPATH) to actually get something you can *use*, but at this
point you've just wasted everybodys time and effort with a pointless
second system call.

So I really don't see the point of this whole thing. Why even bother.
Nobody sane will ever use that odd two-systemcall model, and even if
they did, it would be slower and inconvenient.

The whole and only point of this seems to be the two lines that say

       if (flags & ~VALID_RESOLVE_FLAGS)
              return -EINVAL;

but that adds absolutely zero value to anything.  The argument is that
"we can't add it to existing flags, because old kernels won't honor
it", but that's a completely BS argument, since the user has to have a
fallback anyway for the old kernel case - so we literally could much
more conveniently just expose it as a prctl() or something to _ask_
the kernel what flags it honors.

So to me, this whole argument means that "Oh, we'll make it really
inconvenient to actually use this".

If we want to introduce a new system call that allows cool new
features, it should have *more* powerful semantics than the existing
ones, not be clearly weaker and less useful.

So how about making the new system call be something that is a
*superset* of "openat()" so that people can use that, and then if it
fails, just fall back to openat(). But if it succeeds, it just
succeeds, and you don't need to then do other system calls to actually
make it useful.

Make the new system call something people *want* to use because it's
useful, not a crippled useless thing that has some special case use
for some limited thing and just wastes system call space.

Example *useful* system call attributes:

 - make it like openat(), but have another argument with the "limit flags"

 - maybe return more status of the resulting file. People very
commonly do "open->fstat" just to get the size for mmap or to check
some other detail of the file before use.

In other words, make the new system call *useful*. Not some castrated
"not useful on its own" thing.

So I still support the whole "let's make it easy to limit path lookup
in sane ways", but this model of then limiting using the result sanely
just makes me a sad panda.

                     Linus