Message ID | 20141121101318.GG8866@infradead.org |
---|---|
State | Not applicable |
Headers |
Received: (qmail 2904 invoked by alias); 21 Nov 2014 10:13:21 -0000 Mailing-List: contact libc-alpha-help@sourceware.org; run by ezmlm Precedence: bulk List-Id: <libc-alpha.sourceware.org> List-Unsubscribe: <mailto:libc-alpha-unsubscribe-##L=##H@sourceware.org> List-Subscribe: <mailto:libc-alpha-subscribe@sourceware.org> List-Archive: <http://sourceware.org/ml/libc-alpha/> List-Post: <mailto:libc-alpha@sourceware.org> List-Help: <mailto:libc-alpha-help@sourceware.org>, <http://sourceware.org/ml/#faqs> Sender: libc-alpha-owner@sourceware.org Delivered-To: mailing list libc-alpha@sourceware.org Received: (qmail 2894 invoked by uid 89); 21 Nov 2014 10:13:21 -0000 Authentication-Results: sourceware.org; auth=none X-Virus-Found: No X-Spam-SWARE-Status: No, score=-1.7 required=5.0 tests=AWL, BAYES_00, RCVD_IN_DNSWL_LOW, T_RP_MATCHES_RCVD autolearn=ham version=3.3.2 X-HELO: bombadil.infradead.org Date: Fri, 21 Nov 2014 02:13:18 -0800 From: Christoph Hellwig <hch@infradead.org> To: Rich Felker <dalias@aerifal.cx> Cc: David Drysdale <drysdale@google.com>, libc-alpha@sourceware.org, Andrew Morton <akpm@linux-foundation.org>, Christoph Hellwig <hch@infradead.org>, Linux API <linux-api@vger.kernel.org>, Andy Lutomirski <luto@amacapital.net>, musl@lists.openwall.com Subject: Re: [RFC] Possible new execveat(2) Linux syscall Message-ID: <20141121101318.GG8866@infradead.org> References: <CAHse=S8ccC2No5EYS0Pex=Ng3oXjfDB9woOBmMY_k+EgxtODZA@mail.gmail.com> <20141116195246.GX22465@brightrain.aerifal.cx> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20141116195246.GX22465@brightrain.aerifal.cx> User-Agent: Mutt/1.5.23 (2014-03-12) X-SRS-Rewrite: SMTP reverse-path rewritten from <hch@infradead.org> by bombadil.infradead.org See http://www.infradead.org/rpr.html |
Commit Message
Christoph Hellwig
Nov. 21, 2014, 10:13 a.m. UTC
On Sun, Nov 16, 2014 at 02:52:46PM -0500, Rich Felker wrote: > I've been following the discussions so far and everything looks mostly > okay. There are still issues to be resolved with the different > semantics between Linux O_PATH and what POSIX requires for O_EXEC (and > O_SEARCH) but as long as the intent is that, once O_EXEC is defined to > save the permissions at the time of open and cause them to be used in > place of the current file permissions at the time of execveat As far as I can tell we only need the little patch below to make Linux O_PATH a valid O_SEARCH implementation. Rich, you said you wanted to look over it? For O_EXEC my interpretation is that we basically just need this new execveat syscall + a patch to add FMODE_EXEC and enforce it. So we wouldn't even need the O_PATH|3 hack. But unless someone more familar with the arcane details of the Posix language verifies it I'm tempted to give up trying to help to implent these flags :(
Comments
On Fri, Nov 21, 2014 at 10:13 AM, Christoph Hellwig <hch@infradead.org> wrote: > On Sun, Nov 16, 2014 at 02:52:46PM -0500, Rich Felker wrote: >> I've been following the discussions so far and everything looks mostly >> okay. There are still issues to be resolved with the different >> semantics between Linux O_PATH and what POSIX requires for O_EXEC (and >> O_SEARCH) but as long as the intent is that, once O_EXEC is defined to >> save the permissions at the time of open and cause them to be used in >> place of the current file permissions at the time of execveat > > As far as I can tell we only need the little patch below to make Linux > O_PATH a valid O_SEARCH implementation. Rich, you said you wanted to > look over it? > > For O_EXEC my interpretation is that we basically just need this new > execveat syscall + a patch to add FMODE_EXEC and enforce it. So we > wouldn't even need the O_PATH|3 hack. But unless someone more familar > with the arcane details of the Posix language verifies it I'm tempted to > give up trying to help to implent these flags :( I'm not particularly familiar with POSIX details either, but I thought the O_PATH|3 hack would be needed for the interaction with O_ACCMODE -- just using FMODE_EXEC as O_EXEC would confuse existing code that examines (flags & O_ACCMODE). From [1]: "Applications shall specify exactly one of the ...five ... file access modes ... O_EXEC / O_RDONLY / O_RDWR / O_SEARCH / O_WRONLY" (and O_EXEC and O_SEARCH are allowed to be the same value, as one only applies to files and the other only applies to directories). As O_ACCMODE is 3, there are only 4 possible access modes that work with any existing code that checks (flags & O_ACCMODE), and 3 of the values are taken (0=O_RDONLY, 1=O_WRONLY, 2=O_RDWR). So I guess that's where the idea for the |3 hack comes from. [1] http://pubs.opengroup.org/onlinepubs/9699919799/functions/open.html
On Fri, Nov 21, 2014 at 02:13:18AM -0800, Christoph Hellwig wrote: > On Sun, Nov 16, 2014 at 02:52:46PM -0500, Rich Felker wrote: > > I've been following the discussions so far and everything looks mostly > > okay. There are still issues to be resolved with the different > > semantics between Linux O_PATH and what POSIX requires for O_EXEC (and > > O_SEARCH) but as long as the intent is that, once O_EXEC is defined to > > save the permissions at the time of open and cause them to be used in > > place of the current file permissions at the time of execveat > > As far as I can tell we only need the little patch below to make Linux > O_PATH a valid O_SEARCH implementation. Rich, you said you wanted to > look over it? I think the below looks correct, but it's not complete. The *at functions also need to use FMODE_EXEC rather than rechecking +x permissions at the time of the operation. > For O_EXEC my interpretation is that we basically just need this new > execveat syscall + a patch to add FMODE_EXEC and enforce it. So we > wouldn't even need the O_PATH|3 hack. But unless someone more familar > with the arcane details of the Posix language verifies it I'm tempted to > give up trying to help to implent these flags :( O_EXEC/O_SEARCH cannot be equal to O_PATH, because of differing semantics on open. With O_NOFOLLOW, O_PATH yields a file descriptor referring to the symlink itself. With O_EXEC or O_SEARCH, O_NOFOLLOW is required to make open fail if the target is a symlink. It would be a serious regression to eliminate the ability of O_PATH to open symlinks like this. Note that enforcing O_NOFOLLOW failure on symlinks can be implemented in userspace instead of (or in addition to, for better behavior with old kernels) kernelspace, but it still requires a different value from O_PATH or userspace would be eliminating access to an important O_PATH feature. Further, O_PATH|3 was the best value I could find to yield nearly reasonable fallback behavior on most old kernels. Simply using 3 fails to open directories and files to which the caller does not have write permission (mode 3 is a nearly-undocumented hack for opening devices for ioctl-only read-write access, it seems). On pre-O_PATH kernels, using O_PATH|3 would fallback to this failing case, yielding spurious failure-to-open for all O_SEARCH and some O_EXEC operations, but those kernels are old enough to be irrelevant to most users anyway. On kernels that do have O_PATH, using O_PATH|3 ignores the 3 and yields the current O_PATH semantics, which are nearly correct. Of course O_PATH|1 or O_PATH|2 would also work in principle, as would adding a completely new bit in addition to O_PATH, but these all seem less desirable. Rich
On Fri, Nov 21, 2014 at 01:49:35PM +0000, David Drysdale wrote: > On Fri, Nov 21, 2014 at 10:13 AM, Christoph Hellwig <hch@infradead.org> wrote: > > On Sun, Nov 16, 2014 at 02:52:46PM -0500, Rich Felker wrote: > >> I've been following the discussions so far and everything looks mostly > >> okay. There are still issues to be resolved with the different > >> semantics between Linux O_PATH and what POSIX requires for O_EXEC (and > >> O_SEARCH) but as long as the intent is that, once O_EXEC is defined to > >> save the permissions at the time of open and cause them to be used in > >> place of the current file permissions at the time of execveat > > > > As far as I can tell we only need the little patch below to make Linux > > O_PATH a valid O_SEARCH implementation. Rich, you said you wanted to > > look over it? > > > > For O_EXEC my interpretation is that we basically just need this new > > execveat syscall + a patch to add FMODE_EXEC and enforce it. So we > > wouldn't even need the O_PATH|3 hack. But unless someone more familar > > with the arcane details of the Posix language verifies it I'm tempted to > > give up trying to help to implent these flags :( > > I'm not particularly familiar with POSIX details either, but I thought the > O_PATH|3 hack would be needed for the interaction with O_ACCMODE -- just > using FMODE_EXEC as O_EXEC would confuse existing code that examines > (flags & O_ACCMODE). To conform to POSIX, O_ACCMODE needs to contain all the bits of O_RDONLY|O_WRONLY|O_RDWR|O_SEARCH|O_EXEC. Certainly it's possible that code compiled with an old definition of O_ACCMODE as 3 could inherit (or otherwise obtain) a file descriptor in O_SEARCH/O_EXEC mode, so it's preferable to have the low 2 bits be distinct from the existing access modes, but O_ACCMODE's definition (at least in userspace) really does need to be updated to equal O_PATH|3. > >From [1]: > "Applications shall specify exactly one of the ...five ... file access > modes ... O_EXEC / O_RDONLY / O_RDWR / O_SEARCH / O_WRONLY" > (and O_EXEC and O_SEARCH are allowed to be the same value, > as one only applies to files and the other only applies to directories). > > As O_ACCMODE is 3, there are only 4 possible access modes that work > with any existing code that checks (flags & O_ACCMODE), and 3 of the > values are taken (0=O_RDONLY, 1=O_WRONLY, 2=O_RDWR). So I > guess that's where the idea for the |3 hack comes from. 3 is also "taken" too, but it's a mostly-undocumented hack. Rich
diff --git a/fs/open.c b/fs/open.c index d6fd3ac..ee24720 100644 --- a/fs/open.c +++ b/fs/open.c @@ -512,7 +512,7 @@ out_unlock: SYSCALL_DEFINE2(fchmod, unsigned int, fd, umode_t, mode) { - struct fd f = fdget(fd); + struct fd f = fdget_raw(fd); int err = -EBADF; if (f.file) { @@ -633,7 +633,7 @@ SYSCALL_DEFINE3(lchown, const char __user *, filename, uid_t, user, gid_t, group SYSCALL_DEFINE3(fchown, unsigned int, fd, uid_t, user, gid_t, group) { - struct fd f = fdget(fd); + struct fd f = fdget_raw(fd); int error = -EBADF; if (!f.file)