Received: by 2002:a25:c205:0:0:0:0:0 with SMTP id s5csp458363ybf; Sat, 29 Feb 2020 07:29:19 -0800 (PST) X-Google-Smtp-Source: APXvYqyyAu2BEK16PZN48wF41vOaCnVQdVY2t/Oda/JSdFiwgPjhduTDrwcpd4YpxwipNzpmmBjV X-Received: by 2002:aca:1b11:: with SMTP id b17mr6667249oib.45.1582990159457; Sat, 29 Feb 2020 07:29:19 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1582990159; cv=none; d=google.com; s=arc-20160816; b=nur0D8UTUrL01cb9SCuL0qTp3Jo6I6MvVRlCoy2woXYgM+2uS9c53Jihj7/yg0oq60 P547k9l8uZk9ZH3Ddaus/skmMo6bc2Fy5PVbn+1hzhrnGF1QdrI7rdOAF1HwmAxxdMG6 OhY/8ixq5OskLMiL+oc/kR0e9fD1WifTRbng4yBjzdb7qgS2VaOgHZ9DlQr8ud6C7Ow1 dOr4sfcHXnANtG4odUucdgeqpREKqXVUD1qrkZWZl31BMuuSBia0L404BJGMN7oDxnNm 55K8kHkaEIau/0H99MTXy1ViduXmItu094kzFPeyxCUQ0YzEdRyXQyVw4Yy+28OUWeeg vPVg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:in-reply-to:content-disposition :mime-version:references:message-id:subject:cc:to:from:date; bh=2ODnUmgbMmFbAPdvGwyfkR3KN1BlEMCHbvay/64vy4w=; b=drBQKtfTP+wZ5cJDgnNTT0L57CHrAKcnywNKHfS90Bc7GtK9rf/AXqzoh4L9zaQbDy 0uPo9QS+Dw/h3/963yagiUIHScy3RilWHmNN+IohtnHkxOpA9jfvrR0Ml9igHIRTZ2HD 4YfUiKRDsQ4aDUpqf2V4LX8MCO/VDDjf0Fgup/E3hizmEaTxyooxWqjAnVL8LDF6U7nY 0JrMZ0rPra2EG94Xdl+XkMuEcMW8kCNKw/0VnUuF/zUVJj9+WpmidYRYKcStQEfAiv2r qWKp6IUaDrEb6MgaXMws/qkfSiSBT0fScBGczJPqjNg63I5n8LO6cBcOZmfEUfKSwSv0 QP5w== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id s8si3409343oij.275.2020.02.29.07.29.06; Sat, 29 Feb 2020 07:29:19 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727174AbgB2P1M (ORCPT + 99 others); Sat, 29 Feb 2020 10:27:12 -0500 Received: from mout-p-103.mailbox.org ([80.241.56.161]:9386 "EHLO mout-p-103.mailbox.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727085AbgB2P1M (ORCPT ); Sat, 29 Feb 2020 10:27:12 -0500 Received: from smtp2.mailbox.org (smtp2.mailbox.org [IPv6:2001:67c:2050:105:465:1:2:0]) (using TLSv1.2 with cipher ECDHE-RSA-CHACHA20-POLY1305 (256/256 bits)) (No client certificate requested) by mout-p-103.mailbox.org (Postfix) with ESMTPS id 48V9Hw62W7zKmhC; Sat, 29 Feb 2020 16:27:08 +0100 (CET) X-Virus-Scanned: amavisd-new at heinlein-support.de Received: from smtp2.mailbox.org ([80.241.60.241]) by spamfilter05.heinlein-hosting.de (spamfilter05.heinlein-hosting.de [80.241.56.123]) (amavisd-new, port 10030) with ESMTP id 7xLatdWfY05q; Sat, 29 Feb 2020 16:27:05 +0100 (CET) Date: Sun, 1 Mar 2020 02:26:56 +1100 From: Aleksa Sarai To: Christian Brauner Cc: David Howells , linux-api@vger.kernel.org, viro@zeniv.linux.org.uk, metze@samba.org, torvalds@linux-foundation.org, linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org, fweimer@redhat.com Subject: Re: Have RESOLVE_* flags superseded AT_* flags for new syscalls? Message-ID: <20200229152656.gwu7wbqd32liwjye@yavin> References: <96563.1582901612@warthog.procyon.org.uk> <20200228152427.rv3crd7akwdhta2r@wittgenstein> MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha256; protocol="application/pgp-signature"; boundary="gi6jozpeqmazgrpn" Content-Disposition: inline In-Reply-To: <20200228152427.rv3crd7akwdhta2r@wittgenstein> Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org --gi6jozpeqmazgrpn Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On 2020-02-28, Christian Brauner wrote: > [Cc Florian since that ends up on libc's table sooner or later...] >=20 > On Fri, Feb 28, 2020 at 02:53:32PM +0000, David Howells wrote: > > =09 > > I've been told that RESOLVE_* flags, which can be found in linux/openat= 2.h, > > should be used instead of the equivalent AT_* flags for new system call= s. Is > > this the case? >=20 > Imho, it would make sense to use RESOLVE_* flags for new system calls > and afair this was the original intention. Yes, RESOLVE_ flags would ideally be usable with all new system calls (though only where it makes sense, obviously). This would make it much easier for userspace to safely resolve paths without having to go through several levels of O_PATH fuckery. The "openat2.h" name was honestly a completely arbitrary decision. > So we either end up adding new AT_* flags mirroring the new RESOLVE_* > flags or we end up adding new RESOLVE_* flags mirroring parts of AT_* > flags. And if that's a possibility I vote for RESOLVE_* flags going > forward. The have better naming too imho. I can see the argument for merging AT_ flags into RESOLVE_ flags (fewer flag arguments for syscalls is usually a good thing) ... but I don't really like it. There are a couple of problems right off the bat: * The prefix RESOLVE_ implies that the flag is specifically about path resolution. While you could argue that AT_EMPTY_PATH is at least *related* to path resolution, flags like AT_REMOVEDIR and AT_RECURSIVE aren't. * That point touches on something I see as a more fundamental problem in the AT_ flags -- they were intended to be generic flags for all of the ...at(2) syscalls. But then AT_ grew things like AT_STATX_ and AT_REMOVEDIR (both of which are necessary features to have for their respective syscalls, but now those flag bits are dead for other syscalls -- not to mention the whole AT_SYMLINK_{NO,}FOLLOW thing). * While the above might be seen as minor quibbles, the really big issue is that even the flags which are "similar" (AT_SYMLINK_NOFOLLOW and RESOLVE_NO_SYMLINKS) have different semantics (by design -- in my view, AT_SYMLINK_{NO,}FOLLOW / O_NOFOLLOW / lstat(2) has always had the wrong semantics if the intention was to be a way to safely avoid resolving symlinks). But maybe I'm just overthinking what a merge of AT_ and RESOLVE_ would look like -- would it on. > An argument against this could be that we might end up causing more > confusion for userspace due to yet another set of flags. But maybe this > isn't an issue as long as we restrict RESOLVE_* flags to new syscalls. > When we introduce a new syscall userspace will have to add support for > it anyway. >=20 > >=20 > > If so, should we comment them as being deprecated in the header file? = And > > should they be in linux/fcntl.h rather than linux/openat2.h? > >=20 > > Also: > >=20 > > (*) It should be noted that the RESOLVE_* flags are not a superset of = the > > AT_* flags (there's no equivalent of AT_NO_AUTOMOUNT for example). >=20 > That's true but it seems we could just add e.g. RESOLVE_NO_AUTOMOUNT as > soon as we have a new syscall showing up that needs it or we have an > existing syscall (e.g. openat2()) that already uses RESOLVE_* flags and > needs it? RESOLVE_NO_AUTOMOUNT is on the roadmap for openat2() -- I mentioned it as future work in the cover letter. :P But see my above concerns about merging AT_ and RESOLVE_ flags. The semantic disconnect between AT_ and RESOLVE_ (which is most obvious with AT_SYMLINK_NOFOLLOW) also exists for AT_NO_AUTOMOUNT. > > (*) It has been suggested that AT_SYMLINK_NOFOLLOW should be the defau= lt, but > > only RESOLVE_NO_SYMLINKS exists. >=20 > I'd be very much in favor of not following symlinks being the default. > That's usually a source of a lot of security issues. > And since no kernel with openat2() has been released there's still time > to switch it and with openat2() being a new syscall it won't hurt if it > has new semantics; I mean it deviates from openat() - intentionally - > already. I agree in principle, but the problem is that if we want to add new RESOLVE_ flags you end up with half (or fewer) of the flags being opt-in with the rest necessarily being opt-out (since the flag not being set needs to be the old behaviour). There's also a slight ugliness with RESOLVE_SYMLINKS|RESOLVE_MAGICLINKS -- should you have to specify both or should RESOLVE_MAGICLINKS imply RESOLVE_SYMLINKS but only for magic-links. (Is allowing magic-links but not symlinks even a sane thing to do?) Also I have a very strong feeling people won't like RESOLVE_XDEV nor RESOLVE_SYMLINKS being opt-in -- lots of systems use bind-mounts and symlinks in system paths and developers might not be aware of this. --=20 Aleksa Sarai Senior Software Engineer (Containers) SUSE Linux GmbH --gi6jozpeqmazgrpn Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- iHUEABYIAB0WIQSxZm6dtfE8gxLLfYqdlLljIbnQEgUCXlqCvAAKCRCdlLljIbnQ ErrpAPwIkNOWRinI5EBkvqXe0r+BbAw2sFvTtGTQrk63ajZnQgEApZxmCMgpgmIG Wd3LkExra2n+a0rpN3oWf8JXcgVNOgk= =diwc -----END PGP SIGNATURE----- --gi6jozpeqmazgrpn--