From: Linus Torvalds
Date: Wed, 10 Apr 2024 19:39:49 -0700
Subject: Re: [PATCH] vfs: relax linkat() AT_EMPTY_PATH - aka flink() - requirements
To: Alexander Viro, Christian Brauner, Jan Kara
Cc: linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org, Andrew Lutomirski, Peter Anvin
In-Reply-To: <20240411001012.12513-1-torvalds@linux-foundation.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Wed, 10 Apr 2024 at 17:10, Linus Torvalds wrote:
>
> + if (flags & LOOKUP_DFD_MATCH_CREDS) {
> + if (f.file->f_cred != current_cred() &&
> + !capable(CAP_DAC_READ_SEARCH)) {
> + fdput(f);
> + return ERR_PTR(-ENOENT);
> + }
> + }

Side note: I suspect that this could possibly be relaxed further, by
making the rule be that if something has been explicitly opened to be
used as a path (ie O_PATH was used at open time), we can link to it
even across different credentials.

IOW, the above could perhaps even be

+ if (flags & LOOKUP_DFD_MATCH_CREDS) {
+ if (!(f.file->f_mode & FMODE_PATH) &&
+ f.file->f_cred != current_cred() &&
+ !capable(CAP_DAC_READ_SEARCH)) {
+ fdput(f);
+ return ERR_PTR(-ENOENT);
+ }
+ }

which would _allow_ people to pass in paths as file descriptors if
they actually wanted to.

After all, the only thing you can do with an O_PATH file descriptor is
to use it as a path - there would be no other reason to use O_PATH in
the first place. So if you now pass it to somebody else, clearly you
are intentionally trying to make it available *as* a path.

So you could imagine doing something like this:

         // Open path as root
         int fd = open("filename", O_PATH);

         // drop privileges
         // setresuid(..) or chmod() or enter new namespace or whatever

         linkat(fd, "", AT_FDCWD, "newname", AT_EMPTY_PATH);

and it would open the path with one set of privileges, but then
intentionally go into a more restricted mode and create a link to the
source within that restricted environment.

Sensible? Who knows. I'm just throwing this out as another "this may
be the solution to our historical flink() issues".

               Linus
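
Review bot: `f.file->f_cred != current_cred()` in the quoted hunk compares cred pointers, not their contents, so a task that has installed a new cred struct since the open() fails the check even when its uids, gids and capabilities are unchanged. If that strictness is intended, say so in a comment above the test, and note there why a credential mismatch is reported as -ENOENT rather than as a permission error, since a caller will otherwise read it as a missing file.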
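
Review bot: in the second version the leading `!(f.file->f_mode & FMODE_PATH) &&` term short-circuits the whole condition, so for an O_PATH descriptor neither the f_cred comparison nor the capable(CAP_DAC_READ_SEARCH) test runs, regardless of how the caller came to hold the descriptor. That extends what LOOKUP_DFD_MATCH_CREDS lets through to every O_PATH fd a task receives. The hunk needs a comment stating that this is deliberate and what the sender of an O_PATH fd is thereby granting, and the linkat(2) documentation would need the same statement.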
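
How the check discussed above looks from user space, as an added example that is not part of the original mail: the caller tries linkat() with AT_EMPTY_PATH and, when the kernel answers with the ENOENT the hunk returns, falls back to the /proc/self/fd route documented in linkat(2). The names flink_fd() and demo() are hypothetical, the file names are constructed, and the fallback comes from the man page, not from this thread.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper: link the file behind fd to newname.
 * Returns 0 if AT_EMPTY_PATH was accepted, 1 if the /proc/self/fd
 * fallback was needed, -1 on any other failure. */
int flink_fd(int fd, const char *newname)
{
    char proc[64];

    if (linkat(fd, "", AT_FDCWD, newname, AT_EMPTY_PATH) == 0)
        return 0;
    if (errno != ENOENT)   /* ENOENT is what the credential check returns */
        return -1;
    /* Refused: use the procfs symlink, following it to the real file. */
    snprintf(proc, sizeof(proc), "/proc/self/fd/%d", fd);
    if (linkat(AT_FDCWD, proc, AT_FDCWD, newname, AT_SYMLINK_FOLLOW) == 0)
        return 1;
    return -1;
}

/* Create a scratch file, reopen it with O_PATH, link it, and verify that
 * both names refer to the same inode. Returns flink_fd()'s result or -1. */
int demo(void)
{
    char dir[] = "/tmp/flinkXXXXXX", src[64], dst[64];  /* constructed paths */
    struct stat a, b;
    int fd, rc;

    if (!mkdtemp(dir)) return -1;
    snprintf(src, sizeof(src), "%s/filename", dir);
    snprintf(dst, sizeof(dst), "%s/newname", dir);
    fd = open(src, O_CREAT | O_WRONLY, 0600);
    if (fd < 0) return -1;
    close(fd);
    fd = open(src, O_PATH);              /* usable only as a path */
    if (fd < 0) return -1;
    rc = flink_fd(fd, dst);
    if (rc >= 0 && (fstat(fd, &a) || stat(dst, &b) ||
                    a.st_ino != b.st_ino || a.st_dev != b.st_dev))
        rc = -1;
    close(fd); unlink(dst); unlink(src); rmdir(dir);
    return rc;
}

int main(void) { int rc = demo(); printf("demo: %d\n", rc); return rc < 0; }
```

A result of 0 means the running kernel accepted the empty-path link for this caller; 1 means it refused with ENOENT and the procfs fallback created the link instead.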