Date: Thu, 12 May 2022 12:38:50 +0000
From: Simon Ser
To: Amir Goldstein
Cc: linux-kernel@vger.kernel.org, linux-fsdevel@vger.kernel.org
Subject: Re: procfs: open("/proc/self/fd/...") allows bypassing O_RDONLY
X-Mailing-List: linux-kernel@vger.kernel.org

On Thursday, May 12th, 2022 at 14:30, Amir Goldstein wrote:

> Clients can also readlink("/proc/self/fd/") to get the path of the file
> and open it from its path (if path is accessible in their mount namespace).

What the compositor does is:

- shm_open with O_RDWR
- Write the keyboard keymap
- shm_open again the same file with O_RDONLY
- shm_unlink
- Send the O_RDONLY FD to clients

Thus, the file doesn't exist anymore when clients get the FD.

> Would the clients typically have write permission to those files?
> Do they need to?

Compositors need to disallow clients from writing to the shared files. If a
client gets write access to the shared file, they can corrupt the keyboard
keymap (and other data) used by all other clients.

> > intended behavior, what would be a good way to share a FD to another
> > process without allowing it to write to the underlying file?
>
> If wayland can use a read-only bind mount to the location of the files that it
> needs to share, then re-open will get EROFS.

Wayland just uses FD passing via Unix sockets to share memory. It doesn't
(and can't) assume anything regarding the filesystem layout, because the
clients might be running in a separate namespace with a completely different
layout (e.g. Flatpak).
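As an added example (not code from this thread or from any Wayland compositor), the C program below models the shm_open sequence described in the message and then runs the check a receiving process could use to verify whether the O_RDONLY descriptor it was handed can be turned back into a writable one through /proc/self/fd, which is the failure mode the subject line names. It goes one step beyond the message by also building the same keymap in a memfd sealed with F_SEAL_WRITE before sharing; that variant is an assumption added here, not something the message proposes. The keymap string, the shm name and all function names are constructed; the code assumes Linux with /dev/shm and /proc mounted and glibc 2.27 or later for memfd_create.

```c
// Added example, not code from the thread or from any compositor.
// Assumes Linux with /dev/shm and /proc mounted and glibc >= 2.27 (memfd_create).
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/mman.h>
#include <sys/stat.h>
#include <unistd.h>

/* Constructed stand-in for the keyboard keymap a compositor would share. */
static const char KEYMAP[] = "xkb_keymap { /* constructed sample */ };\n";
#define KEYMAP_LEN ((ssize_t)(sizeof KEYMAP - 1))

/* The sequence described in the message: shm_open O_RDWR, write the keymap,
 * shm_open the same name O_RDONLY, shm_unlink, then hand out the O_RDONLY fd.
 * Returns that fd, or -1 on error. The name is constructed from the pid. */
int make_shm_keymap_fd(void)
{
    char name[64];
    snprintf(name, sizeof name, "/keymap-example-%ld", (long)getpid());
    int rw = shm_open(name, O_RDWR | O_CREAT | O_EXCL, 0600);
    if (rw < 0) return -1;
    int ro = -1;
    if (write(rw, KEYMAP, KEYMAP_LEN) == KEYMAP_LEN)
        ro = shm_open(name, O_RDONLY, 0);
    shm_unlink(name);   /* the name is gone before any client sees the fd */
    close(rw);
    return ro;
}

/* Assumption added here, not proposed in the message: a memfd sealed with
 * F_SEAL_WRITE before it is shared. The seal is a property of the inode, so
 * a reopen through /proc/self/fd does not remove it. */
int make_sealed_memfd_keymap_fd(void)
{
    int fd = memfd_create("keymap-example", MFD_CLOEXEC | MFD_ALLOW_SEALING);
    if (fd < 0) return -1;
    if (write(fd, KEYMAP, KEYMAP_LEN) != KEYMAP_LEN ||
        fcntl(fd, F_ADD_SEALS, F_SEAL_SHRINK | F_SEAL_GROW | F_SEAL_WRITE) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* The check a receiving process can run on a descriptor it was handed:
 * reopen it through /proc/self/fd/N with O_RDWR and attempt a one-byte
 * pwrite of the same content (so the data is left unchanged).
 * Returns 1 if write access was regained, 0 if it was refused, -1 on an
 * unexpected error. */
int can_regain_write(int fd)
{
    char path[64];
    snprintf(path, sizeof path, "/proc/self/fd/%d", fd);
    int rw = open(path, O_RDWR);
    if (rw < 0)
        return (errno == EACCES || errno == EPERM || errno == EROFS) ? 0 : -1;
    ssize_t n = pwrite(rw, KEYMAP, 1, 0);
    int err = errno;
    close(rw);
    if (n == 1) return 1;
    return err == EPERM ? 0 : -1;
}

/* Whole-scenario helpers: build the fd, run the check, release the fd. */
int shm_sequence_regains_write(void)
{
    int fd = make_shm_keymap_fd();
    if (fd < 0) return -1;
    int r = can_regain_write(fd);
    close(fd);
    return r;
}

int sealed_memfd_regains_write(void)
{
    int fd = make_sealed_memfd_keymap_fd();
    if (fd < 0) return -1;
    int r = can_regain_write(fd);
    close(fd);
    return r;
}

int main(void)
{
    printf("shm_open sequence, reopen via /proc/self/fd regains write: %d\n",
           shm_sequence_regains_write());
    printf("sealed memfd, reopen via /proc/self/fd regains write: %d\n",
           sealed_memfd_regains_write());
    return 0;
}
```

The first result is 1 on a stock Linux system: unlinking the name does not matter, because the /proc/self/fd link resolves to the inode and the permission check is against the inode's mode, which the creating user satisfies. The second is 0: open() still succeeds on the sealed memfd, but the write is refused with EPERM, so a receiver-side check has to attempt the write rather than stop at open().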