Thread (18 messages) 18 messages, 5 authors, 2026-03-16

Re: [PATCH v5 1/4] openat2: new OPENAT2_REGULAR flag support

From: Christian Brauner <brauner@kernel.org>
Date: 2026-03-09 08:58:07
Also in: ceph-devel, gfs2, linux-cifs, linux-fsdevel, linux-kselftest, linux-nfs, lkml, v9fs 

On Sun, Mar 08, 2026 at 10:10:05AM -0700, Andy Lutomirski wrote:
On Sun, Mar 8, 2026 at 4:40 AM Jeff Layton [off-list ref] wrote:
quoted
On Sat, 2026-03-07 at 10:56 -0800, Andy Lutomirski wrote:
quoted
On Sat, Mar 7, 2026 at 6:09 AM Dorjoy Chowdhury [off-list ref] wrote:
quoted
This flag indicates the path should be opened if it's a regular file.
This is useful to write secure programs that want to avoid being
tricked into opening device nodes with special semantics while thinking
they operate on regular files. This is a requested feature from the
uapi-group[1].
I think this needs a lot more clarification as to what "regular"
means.  If it's literally
quoted
A corresponding error code EFTYPE has been introduced. For example, if
openat2 is called on path /dev/null with OPENAT2_REGULAR in the flag
param, it will return -EFTYPE. EFTYPE is already used in BSD systems
like FreeBSD, macOS.
I think this needs more clarification as to what "regular" means,
since S_IFREG may not be sufficient.  The UAPI group page says:

Use-Case: this would be very useful to write secure programs that want
to avoid being tricked into opening device nodes with special
semantics while thinking they operate on regular files. This is
particularly relevant as many device nodes (or even FIFOs) come with
blocking I/O (or even blocking open()!) by default, which is not
expected from regular files backed by “fast” disk I/O. Consider
implementation of a naive web browser which is pointed to
file://dev/zero, not expecting an endless amount of data to read.

What about procfs?  What about sysfs?  What about /proc/self/fd/17
where that fd is a memfd?  What about files backed by non-"fast" disk
I/O like something on a flaky USB stick or a network mount or FUSE?

Are we concerned about blocking open?  (open blocks as a matter of
course.)  Are we concerned about open having strange side effects?
Are we concerned about write having strange side effects?  Are we
concerned about cases where opening the file as root results in
elevated privilege beyond merely gaining the ability to write to that
specific path on an ordinary filesystem?
I think this is opening up a barrage of question that I'm not sure are
all that useful. The ability to only open regular file isn't intended to
defend against hung FUSE or NFS servers or other random Linux
special-sauce murder-suicide file descriptor traps. For a lot of those
we have O_PATH which can easily function with the new extension. A lot
of the other special-sauce files (most anonymous inode fds) cannot even
be reopened via e.g., /proc.
Keyboard shortcuts
hback out one level
jnext message in thread
kprevious message in thread
ldrill in
Escclose help / fold thread tree
?toggle this help