Re: [PATCH v2 resend] vfs: new O_NODE open flag

[Miklos Szeredi]

On Thu, 5 Nov 2009, Alan Cox wrote:
> >  - re-opening normally after checking file type (there's a debate
> >    whether this would have security issues, but currently we do allow
> >    re-opening with increased permissions thorugh /proc/*/fd)
> 
> Which has already been demonstrated to be an (unfixed) security hole.

No it hasn't :)  Jamie theorized that there *might* be a real world
situation where the application writer didn't anticipate this
behavior.  But as to actual demonstration, we have not seen one yet, I
think.

And as for reopening O_NODE files with increased permission: that's
feature people actually expressed interest in, so it's hardly a
security hole, is it?

> 
> > Filesystems which want to install special file operations for O_NODE
> > opens (e.g. ioctl) may set S_OPEN_NODE flag in the inode.  This will
> 
> Wrong way around. The defailt should be that O_NODE fails for any handle
> which has not specifically added support.

Why?  O_NODE can be nicely implemented without any filesystem support.

The only filesystems that need to do anything special is things like
AFS which for example want to implement special ioctls, which work on
the node itself.

> You also need to address the open with no permissions pinning a removable
> device question.

The whole point of O_NODE is that it doesn't do that, it only goes as
far as the mnt/dentry for the filesystem node and not further.  It
does not get to touch the device at all, so it can't pin it or have
any other side effect.

Thanks,
Miklos
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/