Add upgrade restrictions to openat2(). Extend struct open_how to allow
setting transitive restrictions on using file descriptors to open other
files. A use case for this feature is to block services or containers
from re-opening/upgrading an O_PATH file descriptor through e.g.
/proc/<pid>/fd/<nr> or OPENAT2_EMPTY_PATH (if upstreamed) as O_WRONLY.
The implementation idea is this: magic paths like /proc/<pid>/fd/<nr>
(currently the only one of its sort AFAIK) go through nd_jump_link() to
hard set current->nameidata. To include information about the fd
yielding the magic link, we add a new struct jump_how as a parameter.
This struct may include restictions or other metadata attached to the
magic link jump other than the struct path to jump to. So far it has
only one unsigned int field: allowed_upgrades. This is a flag int that
(for now) may be either READ_UPGRADABLE, WRITE_UPGRADABLE, or
DENY_UPGRADES.
The idea is that you can restrict what kind of open flags may be used
to open files in any way using this fd as a starting point
(transitively). The check is enforced in may_open_upgrade(), which is
just the old may_open() with an extra test. To keep this state attached
to the fds, we add a field f_allowed_upgrades to struct file. Then
in do_open(), after success, we compute:
file->f_allowed_upgrades =
op->allowed_upgrades & nd->allowed_upgrades;
where op is the struct open_flags that is build from open_how in
build_open_flags(), and nd->allowed_upgrades is set during path
traversal either in path_init() or nd_jump_link().
The implementation and the idea are a bit rough; it is the first bit of
less trivial work I have done on the kernel, hence the RFC status. I
include some selftests which this patch passes (on my machine at least),
and nothing seems to break on a fresh vng kernel. But obviously there
may be many things I am overlooking.
The original idea for this features comes form the UAPI group kernel
feature idea list [1].
[1]
https://github.com/uapi-group/kernel-features?tab=readme-ov-file#upgrade-masks-in-openat2
v2: includes tests and the related OPENAT2_EMPTY_PATH patch in a series.
Jori Koolstra (3):
vfs: add support for empty path to openat2(2)
vfs: transitive upgrade restrictions for fds
selftest: add tests for OPENAT2_EMPTY_PATH and allowed_upgrades
fs/fcntl.c | 4 +-
fs/file_table.c | 2 +
fs/internal.h | 1 +
fs/namei.c | 41 ++-
fs/open.c | 20 +-
fs/proc/base.c | 24 +-
fs/proc/fd.c | 6 +-
fs/proc/internal.h | 4 +-
include/linux/fcntl.h | 11 +-
include/linux/fs.h | 1 +
include/linux/namei.h | 15 +-
include/uapi/linux/openat2.h | 10 +
tools/include/uapi/linux/openat2.h | 53 ++++
tools/testing/selftests/openat2/Makefile | 4 +-
tools/testing/selftests/openat2/helpers.c | 2 +-
tools/testing/selftests/openat2/helpers.h | 40 +--
.../testing/selftests/openat2/upgrade_test.c | 242 ++++++++++++++++++
17 files changed, 417 insertions(+), 63 deletions(-)
create mode 100644 tools/include/uapi/linux/openat2.h
create mode 100644 tools/testing/selftests/openat2/upgrade_test.c
--
2.53.0
