Received: by 2002:ab2:7407:0:b0:1f4:b336:87c4 with SMTP id e7csp50751lqn; Thu, 11 Apr 2024 13:30:28 -0700 (PDT) X-Forwarded-Encrypted: i=3; AJvYcCX1ygbcqgV0oY+dhIZ9rOeTy+bh/28M+Tw5IjloJPq44OwBOQOK19t+Eu7GbbkdWMxBe8tJha2bWUK7NsTyGPNEsXH/KyDi3IzVGkbsvA== X-Google-Smtp-Source: AGHT+IHStWeraRiL4QqUCitvMfXFUnLxP670Ax5tcAp0ZklCYXII8QOo2i9tsTe/yKeXnIRRm+Ph X-Received: by 2002:a17:903:183:b0:1e5:1867:d9fa with SMTP id z3-20020a170903018300b001e51867d9famr617399plg.44.1712867427904; Thu, 11 Apr 2024 13:30:27 -0700 (PDT) ARC-Seal: i=2; a=rsa-sha256; t=1712867427; cv=pass; d=google.com; s=arc-20160816; b=WWnRlnLOkf+ci1Y7UeB3KarwPXL3hMSo7a4vfoqeYuA+mHtwf9NRmC6qczR23Ljrov iq+19UKLUqupyY9MAD1Xk5N0N8u12gU+yluywmMyRaKRvYLN8GqOckgoS2Xnlov59XV8 abDQjcTy6XfPm9rZDNE0wcNEMRoded5N+wf/LjAVk9pIz8z/r25hjsIahg+6AJQ5Ej5K PBDnYgQmXRBDkKga02u8X4eC6p5ztlea1udvOlxFqHkwdm4YSEmr8s6hLcxT1a75NAo7 PmEIVLFLGQq1e346uR3dWhv4c16lKLb8zZ++ySnWe4sRtKn6FvsAyJMOLRGcgqIutbwm nJrQ== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:list-unsubscribe:list-subscribe :list-id:precedence:dkim-signature; bh=15OsQdeGUPPIY8R4FO9J86rTE+tpV49YjQLRrYO/E4U=; fh=s3ZT70oS4veBxF3iZ6dfaujUzwoOc7dIV5OF/s12dow=; b=cxdLENLWSRjTJPf4q/IMQOe+4R+5R784QhWxc8zXUPt2WS79JlTDzG3G6lo2ChwfHV RLNkC9hBhCD6HqqCD+vHyWveQyTWzPq5nIveBWw0+OpOPUi+z8A1oA6o43g9bNfl628r syjx9QoF0xOK9npDSc1VhskpuA4RVWcuoT0+tbOnVhho+o8EkYvrGnGuxfNZWODv/pUX sbVHf44gA2ILxe31LeJbWi/unYJ9MPMQQYTEUGYNrcMMC5rfoFV9mQ12o017dvTxAeNh EXPlaBJH3Rmf4xws+57GqgjPst4xZKdO4od/la4jxMjXGYpo6GajqLSsi6DOLwk/m8v1 1bXA==; dara=google.com ARC-Authentication-Results: i=2; mx.google.com; dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b=ZRLTKw3k; arc=pass (i=1 spf=pass spfdomain=redhat.com dkim=pass dkdomain=redhat.com dmarc=pass fromdomain=redhat.com); spf=pass (google.com: domain of linux-kernel+bounces-141558-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:40f1:3f00::1 as permitted sender) smtp.mailfrom="linux-kernel+bounces-141558-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com Return-Path: Received: from sy.mirrors.kernel.org (sy.mirrors.kernel.org. [2604:1380:40f1:3f00::1]) by mx.google.com with ESMTPS id q16-20020a170902789000b001e4621295c7si1749763pll.344.2024.04.11.13.30.27 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 11 Apr 2024 13:30:27 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel+bounces-141558-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:40f1:3f00::1 as permitted sender) client-ip=2604:1380:40f1:3f00::1; Authentication-Results: mx.google.com; dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b=ZRLTKw3k; arc=pass (i=1 spf=pass spfdomain=redhat.com dkim=pass dkdomain=redhat.com dmarc=pass fromdomain=redhat.com); spf=pass (google.com: domain of linux-kernel+bounces-141558-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:40f1:3f00::1 as permitted sender) smtp.mailfrom="linux-kernel+bounces-141558-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by sy.mirrors.kernel.org (Postfix) with ESMTPS id CA4A6B23EB2 for ; Thu, 11 Apr 2024 20:08:47 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id B086017C72; Thu, 11 Apr 2024 20:08:37 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=redhat.com header.i=@redhat.com header.b="ZRLTKw3k" Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.129.124]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 19A8A17BCD for ; Thu, 11 Apr 2024 20:08:34 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=170.10.129.124 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1712866116; cv=none; b=qEm49feKuP6M7u7hkeBeGSOvGfhiNOw0FQyB1BlDVMkaNiW/skx/O82T5/DDGyGb8Qbj/2Rb4Ya0cVfnHnO4AUC7Va3O5BVGhnVp1fKOR4gOBqTfxQL8sftUG7eW8yZ9j10es+5GX7944LN5zky5m4nD8ZLhj90qi2a2VRpu90s= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1712866116; c=relaxed/simple; bh=l+PB/X/jZM3qJjqtjIgT7OoU8QEgAnESwOLn2wQcnWg=; h=MIME-Version:References:In-Reply-To:From:Date:Message-ID:Subject: To:Cc:Content-Type; b=t4UaIpVW54vxtMGoYAnqcwUULgztxTkA3GrE7jWj/N5ZpS+mH3lI28ilaLP8XiqpIT8w7ixnpZy4OEEFs5VGUL6P5o2hSrPxqNX90EpyGrM9wAI3i/NwoIctLCnXkZ69DuUsczC9L+FYcVFIWc89CtMoA7MdjldLiMOEX8lkup0= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=redhat.com; spf=pass smtp.mailfrom=redhat.com; dkim=pass (1024-bit key) header.d=redhat.com header.i=@redhat.com header.b=ZRLTKw3k; arc=none smtp.client-ip=170.10.129.124 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=redhat.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=redhat.com DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1712866114; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=15OsQdeGUPPIY8R4FO9J86rTE+tpV49YjQLRrYO/E4U=; b=ZRLTKw3kZSB5rFgAf0m3TNEzY2ZqKaoVNoJzcZZkvMM27sihFul+w3xsuUvA4XZDAOegJH UwFn/0EcVnwngEAXCwwbb/ozQmfs6CISvjhgVF5G+JpbZHqPS0NP9GFr0WC7PBbAD7udMm JwbwCm4w3FlNdzh2rlwR2u9I3dWBqaY= Received: from mail-vk1-f200.google.com (mail-vk1-f200.google.com [209.85.221.200]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-441-h3S8uv_QMcqVPzWDpoKiXw-1; Thu, 11 Apr 2024 16:08:32 -0400 X-MC-Unique: h3S8uv_QMcqVPzWDpoKiXw-1 Received: by mail-vk1-f200.google.com with SMTP id 71dfb90a1353d-4dac0642ce5so61324e0c.3 for ; Thu, 11 Apr 2024 13:08:32 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1712866112; x=1713470912; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=15OsQdeGUPPIY8R4FO9J86rTE+tpV49YjQLRrYO/E4U=; b=qSXt1G0nCAUxz0DoDNleI3j01MVbucDJ2gfInzZWoYriJXpTkrjRN5gk7U0zMdibI7 C7Cp9EDjcMVCAIKbvC1XvC5A/tRqFnrxxGEVXRijxbukY2qpZ6HVFQyxsbicRHJAr7ko g4m78vgGLjykmDCy9Ib32OvgNVPC5SCynk1+JN+3tCRr4jlTrebUqlnAu05KvahGTT/g ET4/jco9f6TGLplqApYpho1U6VNzlyA1MmYX5K0dFXQTHkB2pILGwijSq0CiX42ZdYuZ kwTTShH6p4D5NFrUon5QvNJ4umRNnnQAqGXIeCk/Lf+zk+xwaWUjPGauXyGXvmZxF7Gs QpWg== X-Forwarded-Encrypted: i=1; AJvYcCWdr1fNmga5z+gKkwuagCZAKph0W7W7pnMdYMB1nnJtA1BbrOcnG0g2OjW51Bzt2cioNXRs/nGPQcYjaVXuHFf5w2u48clMu7Iscd0L X-Gm-Message-State: AOJu0YwTCvb8+sL5HVupCBNDP2hsnbKHp9NjD0xy/RLZV8fEUaOOLUQc oQ0zDdgntCzObUjycjmf+bFtvYzgaMaWU1xgovVMa1dfEGP2heBfqxKnLejl5+EsQj1hp2HjySp yXU+PmHROsm9ldJUxefJIdYsyDuydqhuI0lxH2WnmzVeNOB8iR+zmaqCx813kwU9VD/VpAhdLF8 cP7f+VMscKp+gLprdCNNM0pP/WTbREylzoziLh X-Received: by 2002:a05:6122:d9d:b0:4d3:37d1:5a70 with SMTP id bc29-20020a0561220d9d00b004d337d15a70mr1015166vkb.7.1712866112008; Thu, 11 Apr 2024 13:08:32 -0700 (PDT) X-Received: by 2002:a05:6122:d9d:b0:4d3:37d1:5a70 with SMTP id bc29-20020a0561220d9d00b004d337d15a70mr1015153vkb.7.1712866111667; Thu, 11 Apr 2024 13:08:31 -0700 (PDT) Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 References: <20240411001012.12513-1-torvalds@linux-foundation.org> <20240411-alben-kocht-219170e9dc99@brauner> In-Reply-To: From: Charles Mirabile Date: Thu, 11 Apr 2024 16:08:20 -0400 Message-ID: Subject: Re: [PATCH] vfs: relax linkat() AT_EMPTY_PATH - aka flink() - requirements To: Linus Torvalds Cc: Christian Brauner , Alexander Viro , Jan Kara , linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org, Andrew Lutomirski , Peter Anvin Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable On Thu, Apr 11, 2024 at 2:14=E2=80=AFPM Linus Torvalds wrote: > > On Thu, 11 Apr 2024 at 10:35, Charles Mirabile wrot= e: > > > > And a slightly dubious addition to bypass these checks for tmpfiles > > across the board. > > Does this make sense? > > I 100% agree that one of the primary reasons why people want flink() > is that "open tmpfile, finalize contents and permissions, then link > the final result into the filesystem". > > But I would expect that the "same credentials as open" check is the > one that really matters. Certainly. I think that in almost all cases, the pattern of preparing a file and then using linkat to give it its final name will occur without changing creds and as such your patch will fix it. When combined with making the CAP_DAC_READ_SEARCH override aware of namespaces, I think that covers almost all of the remaining edges cases (i.e. if the difference in creds was actually you becoming more privileged and not less, then sure you can do it). The only possibility that remains is a difference in creds where the new creds are not privileged. This is the maybe scary situation that has blocked flink in the past. All I am suggesting is that you can decompose this niche situation still further into the case where the file was opened "ordinarily" in some sense which is the case that is really concerning (oops, when I forked and dropped privileges before exec, I forgot to set cloexec on one of my fds that points to something important, and even though I opened it with O_RDONLY, the unprivileged code is able to make a new link to it in a directory they control and re-open with O_RDWR because the mode bits allow say o+w (extremely bizarre and honestly hypothetical in my opinion, but ok)) and other special situations. Those situations namely being O_PATH and O_TMPFILE where by specifying these special flags during open you are indicating that you intend to do something special with the file descriptor. I think if either of these flags are present in the file flags, then we are not in the concerning case, and I think it could be appropriate to bypass the matching creds check. > > And __O_TMPFILE is just a special case that might not even be used - > it's entirely possible to just do the same with a real file (ie > non-O_TMPFILE) and link it in place and remove the original. > > Not to mention that ->tmpfile() isn't necessarily even available, so > the whole concept of "use O_TMPFILE and then linkat" is actually > broken. It *has* to be able to fall back to a regular file to work at > all on NFS. > > So while I understand your motivation, I actually think it's actively > wrong to special-case __O_TMPFILE, because it encourages a pattern > that is bad. The problem with this is that another process might be able to access the file during via that name during the brief period before it is unlinked. If I am not using NFS, I am always going to prefer using O_TMPFILE. I would rather be able to do that without restriction even if it isn't the most robust solution by your definition. In my opinion I think it is more robust in the sense that it is truly atomic and making a named file is the kludge that you have to do to work around NFS limitations, but I agree that this is a tiny detail that I certainly do not want to block this patch over because it already solves the problem I was actually dealing with. Whether or not it solves this hypothetical problem is less important. > > Linus >