Date: Fri, 13 May 2022 11:58:17 +0200
From: Christian Brauner
To: Miklos Szeredi, Amir Goldstein
Cc: Simon Ser, linux-kernel@vger.kernel.org, linux-fsdevel@vger.kernel.org
Subject: Re: procfs: open("/proc/self/fd/...") allows bypassing O_RDONLY
Message-ID: <20220513095817.622gcrgx3fffwk4h@wittgenstein>
References: <03l0hfZIzD9KwSxSntGcmfFhvbIKiK45poGUhXtR7Qi0Av0-ZnqnSBPAP09GGpSrKGZWZNCTvme_Gpiuz0Bcg6ewDIXSH24SBx_tvfyZSWU=@emersion.fr>

On Thu, May 12, 2022 at 02:56:22PM +0200, Miklos Szeredi wrote:
> On Thu, 12 May 2022 at 14:41, Simon Ser wrote:
> >
> > On Thursday, May 12th, 2022 at 12:37, Simon Ser wrote:
> >
> > > what would be a good way to share a FD to another
> > > process without allowing it to write to the underlying file?
> >
> > (I'm reminded that memfd + seals exist for this purpose. Still, I'd be
> > interested to know whether that O_RDONLY/O_RDWR behavior is intended,
> > because it's pretty surprising. The motivation for using O_RDONLY over
> > memfd seals is that it isn't Linux-specific.)
>
> Yes, this is intended. The /proc/$PID/fd/$FD file represents the
> inode pointed to by $FD. So the open flags for $FD are irrelevant
> when operating on the proc fd file.

Fwiw, the original openat2() patchset contained upgrade masks which we
decided to split out into a separate patchset. The idea is that struct
open_how would be extended with an upgrade mask field which allows the
opener to specify with which permissions a file descriptor is allowed to
be re-opened. This has quite a lot of use-cases, especially in container
runtimes. So one could open an fd and restrict it from being re-opened
with O_WRONLY. For container runtimes this is a huge security win and for
userspace in general it would provide a backwards-compatible way of e.g.,
making O_PATH fds non-upgradable. The plan is to resend the extension at
some point in the not too distant future.

Christian
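The behaviour Miklos describes, together with the two alternatives the thread raises (memfd + seals, and the inode-permission check that the /proc re-open actually applies), as an added C example; it is not part of this thread and not code from any of the participants. It assumes Linux with /proc mounted, memfd_create() available (3.17 or later), a writable /tmp, and constructs its own scratch files. The function names (reopen_via_proc, rdonly_fd_upgradable, sealed_memfd_write_errno, readonly_inode_reopen_errno) are mine. The third scenario is my reading of "the open flags for $FD are irrelevant": what gates the re-open is the inode's mode bits, so it also shows the caveat that a caller with CAP_DAC_OVERRIDE is not stopped by them. The openat2() upgrade-mask extension Christian mentions is not shown, since the thread presents it as an unmerged proposal.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Kernel ABI constants (linux/fcntl.h, linux/memfd.h), guarded in case the
 * libc headers in use do not expose them without _GNU_SOURCE. */
#ifndef F_ADD_SEALS
#define F_ADD_SEALS 1033
#endif
#ifndef F_SEAL_WRITE
#define F_SEAL_WRITE 0x0008
#endif
#ifndef MFD_CLOEXEC
#define MFD_CLOEXEC 0x0001U
#endif
#ifndef MFD_ALLOW_SEALING
#define MFD_ALLOW_SEALING 0x0002U
#endif

/* Re-open descriptor fd through its /proc/self/fd/N magic link with new flags.
 * The kernel resolves the link to the underlying inode and runs the normal
 * inode permission check; fd's own open flags are not consulted.
 * Returns the new fd, or -errno. (Hypothetical helper for this example.) */
int reopen_via_proc(int fd, int flags)
{
    char path[64];
    snprintf(path, sizeof path, "/proc/self/fd/%d", fd);
    int nfd = open(path, flags | O_CLOEXEC);
    return nfd < 0 ? -errno : nfd;
}

/* Constructed input: a scratch regular file we own, mode 0600, unlinked right
 * away so only the open descriptor keeps the inode alive. */
static int make_scratch_file(void)
{
    char tmpl[] = "/tmp/reopen-demo-XXXXXX";
    int fd = mkstemp(tmpl);
    if (fd < 0) return -errno;
    unlink(tmpl);
    return fd;
}

/* Scenario 1 (the thread's observation): an O_RDONLY descriptor can be
 * re-opened O_RDWR through /proc. Returns 1 if a write through the re-opened
 * fd succeeds, 0 if the re-open or the write is refused, -errno on setup error. */
int rdonly_fd_upgradable(void)
{
    int base = make_scratch_file();
    if (base < 0) return base;
    int ro = reopen_via_proc(base, O_RDONLY);   /* the "shared" read-only fd */
    close(base);
    if (ro < 0) return ro;
    int rw = reopen_via_proc(ro, O_RDWR);
    int ok = 0;
    if (rw >= 0) {
        ok = (write(rw, "x", 1) == 1);
        close(rw);
    }
    close(ro);
    return ok;
}

/* Scenario 2 (Simon's memfd + seals alternative): after F_SEAL_WRITE the
 * re-open itself may still succeed, but writes through it are refused.
 * Returns the write's errno (EPERM expected), 0 if the write was accepted,
 * -errno on setup error. */
int sealed_memfd_write_errno(void)
{
    int mfd = (int)syscall(SYS_memfd_create, "sealed-demo",
                           MFD_CLOEXEC | MFD_ALLOW_SEALING);
    if (mfd < 0) return -errno;
    if (write(mfd, "payload", 7) != 7 || fcntl(mfd, F_ADD_SEALS, F_SEAL_WRITE) < 0) {
        int e = errno; close(mfd); return -e;
    }
    int rw = reopen_via_proc(mfd, O_RDWR);
    close(mfd);
    if (rw < 0) return rw;
    int result = (write(rw, "x", 1) < 0) ? errno : 0;
    close(rw);
    return result;
}

/* Scenario 3 (the check the kernel really applies): with the inode mode 0444,
 * the O_RDWR re-open fails with EACCES for an unprivileged caller. A caller
 * with CAP_DAC_OVERRIDE (root) still gets through, so mode bits alone are not
 * a boundary against a privileged peer. Returns the re-open errno, 0 if the
 * re-open succeeded, -errno on setup error. */
int readonly_inode_reopen_errno(void)
{
    int base = make_scratch_file();
    if (base < 0) return base;
    if (fchmod(base, 0444) < 0) { int e = errno; close(base); return -e; }
    int rw = reopen_via_proc(base, O_RDWR);
    close(base);
    if (rw < 0) return -rw;
    close(rw);
    return 0;
}

int main(void)
{
    printf("O_RDONLY fd re-openable O_RDWR via /proc: %d\n", rdonly_fd_upgradable());
    printf("write via re-opened sealed memfd: errno %d (EPERM=%d)\n",
           sealed_memfd_write_errno(), EPERM);
    printf("O_RDWR re-open of 0444 inode: errno %d (EACCES=%d, 0 if privileged)\n",
           readonly_inode_reopen_errno(), EACCES);
    return 0;
}
```

Run as an unprivileged user the three lines read 1, EPERM and EACCES: the first confirms that handing out an O_RDONLY descriptor does not by itself prevent writes through a /proc re-open, the second that a sealed memfd stays read-only whatever mode the peer re-opens it with, and the third that what the re-open is actually checked against is the inode, which is why a 0444 file resists an unprivileged writer but not a root one.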