Received: by 2002:a25:c205:0:0:0:0:0 with SMTP id s5csp2190259ybf; Mon, 2 Mar 2020 03:54:10 -0800 (PST) X-Google-Smtp-Source: APXvYqzfL/iMnNxPf+gthA68joz0+4ozBV+gq1aeH0on85C16eemxpR3ps29Bnu6RvnaI+w4UHbY X-Received: by 2002:a05:6830:1e76:: with SMTP id m22mr13546162otr.295.1583150050767; Mon, 02 Mar 2020 03:54:10 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1583150050; cv=none; d=google.com; s=arc-20160816; b=VBX7fwbOCsgGCu27EpKYTtZ2JeQa84E2a8x1ecH5sQ4ZtkFcA6W7tdbto+iM8kcrAI +DksHSsf3rVVFP1qSh+Y0ygCV2UoFODdol41cNZN2VCd0NCT/pPsvu06aooz/ZNBFGHX j0islC74nCLB/gqfkWU2aR0R1EqtTujvBmoPd4zgnQqIKv7/WTPhDXsJPSOLx3ndZtXM 6PcyfTeiU1tKwmEgLJCE/YvcbTH6cGLExx3sj8RZSWDxYi/u8JtnhwA3g6JTWrgklYRe i0ikGN4GORSsG6bDJ3VP3I0WJQL1PneeugZgjw/rb0lbtQo+K+MltqMqIxh23Piy3/Jm PyNQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:in-reply-to:content-transfer-encoding :content-disposition:mime-version:references:message-id:subject:cc :to:from:date; bh=Az3pWLbNPAQhoDc8hQXOIsIF4ECs1nwoA9wgDSdrdy0=; b=ZH2BI92OwzF1Qiy/fPDaJgLJmDm2o5/kp/BV9qiRVNzkd/fvwsveEL/UYzZahLpw2T HjCGwyGWMl9j1qaeItCC8H1WgKI87WypL2zjRavf7InMLtYzUU94YNC3VakAoyfL7j5A ofto9HKLi2qwKhLTYEeyHXR+8cTOiXFTSSMYIFE8/clic5susjYv0TwA2WwHTCGfPnPX mzSPLcJcTpQNggIQcGFefjkAjcmYyjhiQJnPm8n56gMY9HM+jK7GqNdvHW+8CnkYiBRX dJnaHkB4RVHxPVdYgduGBv++PyxAwZqcFabKe5C9fSSpcn2JAIkbuRZGIvHiaxowOw5E a1PA== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id s70si5011364oie.178.2020.03.02.03.53.57; Mon, 02 Mar 2020 03:54:10 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727834AbgCBLwp (ORCPT + 99 others); Mon, 2 Mar 2020 06:52:45 -0500 Received: from youngberry.canonical.com ([91.189.89.112]:54827 "EHLO youngberry.canonical.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727769AbgCBLwo (ORCPT ); Mon, 2 Mar 2020 06:52:44 -0500 Received: from ip5f5bf7ec.dynamic.kabel-deutschland.de ([95.91.247.236] helo=wittgenstein) by youngberry.canonical.com with esmtpsa (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.86_2) (envelope-from ) id 1j8jcm-0001Gr-Fk; Mon, 02 Mar 2020 11:52:40 +0000 Date: Mon, 2 Mar 2020 12:52:39 +0100 From: Christian Brauner To: Florian Weimer Cc: David Howells , linux-api@vger.kernel.org, viro@zeniv.linux.org.uk, metze@samba.org, torvalds@linux-foundation.org, cyphar@cyphar.com, linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org Subject: Re: Have RESOLVE_* flags superseded AT_* flags for new syscalls? Message-ID: <20200302115239.pcxvej3szmricxzu@wittgenstein> References: <96563.1582901612@warthog.procyon.org.uk> <20200228152427.rv3crd7akwdhta2r@wittgenstein> <87h7z7ngd4.fsf@oldenburg2.str.redhat.com> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline Content-Transfer-Encoding: 8bit In-Reply-To: <87h7z7ngd4.fsf@oldenburg2.str.redhat.com> Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Mon, Mar 02, 2020 at 12:30:47PM +0100, Florian Weimer wrote: > * Christian Brauner: > > > [Cc Florian since that ends up on libc's table sooner or later...] > > I'm not sure what you are after here … Exactly what you've commented below. Input on whether any of these changes would be either problematic if you e.g. were to implement openat() on top of openat2() in the future or if it would be problematic if we e.g. were to really deprecate AT_* flags for new syscalls. > > > On Fri, Feb 28, 2020 at 02:53:32PM +0000, David Howells wrote: > >> > >> I've been told that RESOLVE_* flags, which can be found in linux/openat2.h, > >> should be used instead of the equivalent AT_* flags for new system calls. Is > >> this the case? > > > > Imho, it would make sense to use RESOLVE_* flags for new system calls > > and afair this was the original intention. > > The alternative is that RESOLVE_* flags are special to openat2(). But > > that seems strange, imho. The semantics openat2() has might be very > > useful for new system calls as well which might also want to support > > parts of AT_* flags (see fsinfo()). So we either end up adding new AT_* > > flags mirroring the new RESOLVE_* flags or we end up adding new > > RESOLVE_* flags mirroring parts of AT_* flags. And if that's a > > possibility I vote for RESOLVE_* flags going forward. The have better > > naming too imho. > > > > An argument against this could be that we might end up causing more > > confusion for userspace due to yet another set of flags. But maybe this > > isn't an issue as long as we restrict RESOLVE_* flags to new syscalls. > > When we introduce a new syscall userspace will have to add support for > > it anyway. > > I missed the start of the dicussion and what this is about, sorry. > > Regarding open flags, I think the key point for future APIs is to avoid > using the set of flags for both control of the operation itself > (O_NOFOLLOW/AT_SYMLINK_NOFOLLOW, O_NOCTTY) and properaties of the > resulting descriptor (O_RDWR, O_SYNC). I expect that doing that would > help code that has to re-create an equivalent descriptor. The operation > flags are largely irrelevant to that if you can get the descriptor by > other means. > > >> (*) It has been suggested that AT_SYMLINK_NOFOLLOW should be the default, but > >> only RESOLVE_NO_SYMLINKS exists. > > > > I'd be very much in favor of not following symlinks being the default. > > That's usually a source of a lot of security issues. > > But that's inconsistent with the rest of the system. And for example, > if you make /etc/resolv.conf a symbolic link, a program which uses a new > I/O library (with the new interfaces) will not be able to read it. Fair, but I expect that e.g. a C library would simply implement openat() on top of openat2() if the latter is available and thus could simply pass RESOLVE_SYMLINKS so any new I/O library not making use of the syscall directly would simply get the old behavior. For anyone using the syscall directly they need to know about its exact semantics anyway. But again, maybe just having it opt-in is fine. > > AT_SYMLINK_NOFOLLOW only applies to the last pathname component anyway, > so it's relatively little protection. So this is partially why I think it's at least worth considerings: the new RESOLVE_NO_SYMLINKS flag does block all symlink resolution, not just for the last component in contrast to AT_SYMLINK_NOFOLLOW. This is 278121417a72d87fb29dd8c48801f80821e8f75a Christian