Received: by 2002:a25:8b91:0:0:0:0:0 with SMTP id j17csp19248ybl; Thu, 9 Jan 2020 16:11:33 -0800 (PST) X-Google-Smtp-Source: APXvYqxSVMaCpwGCco3iiGEY37WkaWIUjhgP9lU1XXoA21zLbY9CRr8fMAbWnY6yoaRHWOXXxiWk X-Received: by 2002:a9d:6c01:: with SMTP id f1mr372998otq.133.1578615093335; Thu, 09 Jan 2020 16:11:33 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1578615093; cv=none; d=google.com; s=arc-20160816; b=n7Lyu0kjHZI5PIqul1a302O2PYKF0PHdaZOjDasH3gDAdNnbtjiVcqT23+SdhpvfKg u/vP2tiHsWFy/E7VHjbTUHwNLz0x5B0+ymMojj8xnV+Ukm2RoMMfZ80Rn1tQfdS8Eq5L K6Ga3XRVdcaKmyKZPlU028rdIoQD4BBPyKL6hFLc3u/dTWrNKZHutioKQ18lwbAdJK/M mhS/VnXeWv2xQe0HGT6l4uOk8gGhfW1PSVx79ONZTlbNwiQb/k4JmFt1iF/QhNTfk5lh Wjye3L5pfEn7rvAgJk0nElQJ1OYQQf5dIZgwg0wWkFCkb7C5Xh2vfjQxL/bQnLwOOzxF wgyA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:dkim-signature; bh=qjrwlNrUWv0QXAIqsTPozbObZ8/7GgridjmNme8W52I=; b=CR6kG5S4KWccLWkOUKBvHEqe9fqEVqpxu7JmP+PMZYUhCR0KzTDcUqZ3D9kgMq7xfO WRm6hlKXsPI0SfnmKqr4+Whn7f419WgjEudqljcB/hMCLSUQ6+mWKsN6nClsbhd0ltRD jLdQVknz2AYTrW5Vpu0CG1lEajl/NcTuit+yOuxVt5N5eyu7Iofe+NKSwh5j9Afs5m7a ErCZNh+/g0SSapOjwc7hcC+dlKH44SSXybEEQSxtJPd/fOTfhuquUvBK+oXwdB4buqNa MYtYeOI3Pa1782x83YMvoUwHo8iFl8Yjhn1OkFE8QVY3zmD6k1apzWJj5Z/+bpwJfmnG oWWw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linux-foundation.org header.s=google header.b=ZtRoq1DR; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id t1si96700otq.322.2020.01.09.16.10.46; Thu, 09 Jan 2020 16:11:33 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@linux-foundation.org header.s=google header.b=ZtRoq1DR; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1730045AbgAJAIf (ORCPT + 99 others); Thu, 9 Jan 2020 19:08:35 -0500 Received: from mail-lf1-f66.google.com ([209.85.167.66]:40192 "EHLO mail-lf1-f66.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1730030AbgAJAIf (ORCPT ); Thu, 9 Jan 2020 19:08:35 -0500 Received: by mail-lf1-f66.google.com with SMTP id i23so107919lfo.7 for ; Thu, 09 Jan 2020 16:08:34 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linux-foundation.org; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=qjrwlNrUWv0QXAIqsTPozbObZ8/7GgridjmNme8W52I=; b=ZtRoq1DRX7RXsXHhNmpxW4UB5JzoQNOKVTmOa01bx5ggT/DHqnRKaMysJGfaxE1BO8 89pqzHmvERx+seKq1dYzZ8We/mt3eqN1+GxPl8i6s9a40Llm5xj1AoQQ53D6zO8ixCG8 zDKJYDEBm9yUsTkdwHLUa14RvnsxxJ0XX8xZo= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=qjrwlNrUWv0QXAIqsTPozbObZ8/7GgridjmNme8W52I=; b=Ipy1gjXFoQo8X2V+cDTJHqfXmb0Z955GIvaDKom2CVGTCxRMZ+6+5drRRO2wxdC9OF iB8NzgRZy+ZUK6dXB1hg35V9XMXhZbFgQB/xVjXOYK8A5Ui2S6H2iG6hSPeDgwaIWUGs U0+pUavWqm9qMVnahL0pxwFqrHP8y5BSDezQ62ejnisR3jVxMX20CrEox77W1jUJAsLt vvAlu8KhQCVbJ90ysEsEM3VsPWtyKFuglrP3Ntdhzjv5CYvpa5toSolzaGnZBiXVaYBQ xyAvN4CbVW0afQdSLWw2gb/Oow6Vd2/ZvTZi+AfCFqGTrVyz/jWpvSmgg8WZou9mRH3R 4RnQ== X-Gm-Message-State: APjAAAWjGjB975w1dvC+q7pyUjRCOi5bI34oneviIaPr/LaHKqNcL8+H PxeW0wB7/LRacmmP50660gIXzXphcuY= X-Received: by 2002:ac2:4909:: with SMTP id n9mr252212lfi.21.1578614913528; Thu, 09 Jan 2020 16:08:33 -0800 (PST) Received: from mail-lj1-f170.google.com (mail-lj1-f170.google.com. [209.85.208.170]) by smtp.gmail.com with ESMTPSA id i5sm88712ljj.29.2020.01.09.16.08.32 for (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Thu, 09 Jan 2020 16:08:33 -0800 (PST) Received: by mail-lj1-f170.google.com with SMTP id w1so228135ljh.5 for ; Thu, 09 Jan 2020 16:08:32 -0800 (PST) X-Received: by 2002:a05:651c:239:: with SMTP id z25mr455607ljn.48.1578614912546; Thu, 09 Jan 2020 16:08:32 -0800 (PST) MIME-Version: 1.0 References: <20191230072959.62kcojxpthhdwmfa@yavin.dot.cyphar.com> <20200101004324.GA11269@ZenIV.linux.org.uk> <20200101005446.GH4203@ZenIV.linux.org.uk> <20200101030815.GA17593@ZenIV.linux.org.uk> <20200101144407.ugjwzk7zxrucaa6a@yavin.dot.cyphar.com> <20200101234009.GB8904@ZenIV.linux.org.uk> <20200102035920.dsycgxnb6ba2jhz2@yavin.dot.cyphar.com> <20200103014901.GC8904@ZenIV.linux.org.uk> <20200108031314.GE8904@ZenIV.linux.org.uk> <20200108213444.GF8904@ZenIV.linux.org.uk> In-Reply-To: <20200108213444.GF8904@ZenIV.linux.org.uk> From: Linus Torvalds Date: Thu, 9 Jan 2020 16:08:16 -0800 X-Gmail-Original-Message-ID: Message-ID: Subject: Re: [PATCH RFC 0/1] mount: universally disallow mounting over symlinks To: Al Viro Cc: Aleksa Sarai , David Howells , Eric Biederman , stable , Christian Brauner , Serge Hallyn , dev@opencontainers.org, Linux Containers , Linux API , linux-fsdevel , Linux Kernel Mailing List , Ian Kent Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Wed, Jan 8, 2020 at 1:34 PM Al Viro wrote: > > The point is, we'd never followed mounts on /proc/self/cwd et.al. > I hadn't checked 2.0, but 2.1.100 ('97, before any changes from me) > is that way. Hmm. If that's the case, maybe they should be marked implicitly as O_PATH when opened? > Actually, scratch that - 2.0 behaves the same way > (mountpoint crossing is done in iget() there; is that Minix influence > or straight from the Lions' book?) I don't think I ever had access to Lions' - I've _seen_ a printout of it later, and obviously maybe others did, More likely it's from Maurice Bach: the Design of the Unix Operating System. I'm pretty sure that's where a lot of the FS layer stuff came from. Certainly the bad old buffer head interfaces, and quite likely the iget() stuff too. > 0.10: forward traversal in iget(), back traversal in fs/namei.c:find_entry() Whee, you _really_ went back in time. So I did too. And looking at that code in iget(), I doubt it came from anywhere. Christ. It's just looping over a fixed-size array, both when finding the inode, and finding the superblock. Cute, but unbelievably stupid. It was a more innocent time. In other words, I think you can chalk it up to just me, because blaming anybody else for that garbage would be very very unfair indeed ;) > How would your proposal deal with access("/proc/self/fd/42/foo", MAY_READ) > vs. faccessat(42, "foo", MAY_READ)? I think that in a perfect world, the O_PATH'ness of '42' would be the deciding factor. Wouldn't those be the best and most consistent semantics? And then 'cwd'/'root' always have the O_PATH behavior. > The latter would trigger automount, > the former would not... Or would you extend that to "traverse mounts > upon following procfs links, if the file in question had been opened with > O_PATH"? Exactly. But you know what? I do not believe this is all that important, and I doubt it will matter to anybody. So what matters most is what makes the most sense to the VFS layer, and what makes the most sense to _you_. Because my reaction from this thread is that not only have you thought about this issue and followed the history a whole lot more than I would ever have done, it's also that I trust you to DTRT. I think it would be good to have some self-consistency, but at the same time clearly we already don't really, and our behavior here has subtly changed over the years (and not so subtly - if you go back sufficiently far, /proc behavior wrt file descriptors has had both "dup()" behavior and "make a new file descriptor with the same inode" behavior, afaik). Linus