Re: [RFC] Null Namespaces
From: John Ericson <hidden>
Date: 2026-06-26 16:26:31
Also in:
linux-arch, linux-fsdevel, lkml
On Thu, Jun 25, 2026, at 8:15 PM, Al Viro wrote:
On Wed, Jun 24, 2026 at 11:41:07PM -0400, John Ericson wrote:quoted
But I don't want that global state.Don't use it, then... out of curiosity, does that extend to stdout et.al.?
Good question; it turns out I like the standard streams much better! First of all, the standard streams are just an idiom --- there is nothing actually special about file descriptors 0, 1, and 2. That's a clean design --- the kernel doesn't need to know about userspace idioms. Second of all, if you don't want any of those, you can just close 'em! You can't do that with the cwd, however. It's stuck open. Ideally `*at` would have been with us from the beginning, and, say, file descriptor 3 would have been the "current working directory" merely by convention.
Would that kind of thing added kernel-side assist the development of such library? Maybe, but I wouldn't bet too much on that - if you start from scratch, you can trivially verify that you don't even attempt given set of syscalls and if you use libc as a starting point, you get to debug all the failure exits you've added...
First of all, I am trying to change what processes are allowed to do, and this includes programs I did not write. A libc-based solution is the program cooperating with its own sandboxing; this is not a solution for running arbitrary programs which may not be trusted in a restricted manner. Second of all, this would be very laborious in practice, because we're talking not about what syscalls the program uses, but about what data is passed in those syscalls. Any program that consumes arbitrary user input (like shell utilities) might receive an absolute or relative path, and so it would have to manually check for that, lest the user input "trick" the program into using the root dir and cwd it is trying to ignore. Making a tiny few edits in the kernel path resolution logic to allow for these null fields is much more practical than defending a much broader perimeter in userspace.
quoted
The programmer (or coding agent) is encouraged to do everything with file descriptors rather than path concatenations etc., because they need to use `*at` anyways, and then voilà, without browbeating anyone in security seminars or code review, a bunch of TOCTOU issues disappear simply because doing the right thing is now the path of least resistance.I'm sorry, but the path of least resistance is picking a snippet from google that will implement open(), etc., on top of your setup and using it. _Especially_ if coding agents are going to be involved, precisely because they'll do a convincing simulation of human duhveloper's behaviour, i.e. "cut'n'paste it from the net".
We agree! But this is precisely why it is important to make these things fail. Mindless Stack Overflow cut'n'pasters (human or agent) still run their program to make sure it works. Making the thing you don't want them to do *actually fail* creates sufficiently strong and incremental feedback that they will end up doing the right thing.
quoted
The current working directory, roughly, is *just* some global state holding a directory file descriptor.So's the descriptor table; what's the difference?
Now that I've responded to everything else, I can answer this in summary: - File descriptors can be closed; cwd and root cannot be. - File descriptors need to be explicitly used in syscalls. The cwd and root are implicitly used (in too many different syscalls to make syscall-level auditing practical) based on the sort of path string argument to the syscall, without the program's explicit consent. John