Hi Alyssa, Christian, Al,

On Sat, Dec 13, 2025 at 07:59:04PM +0100, Alyssa Ross wrote:

Alejandro Colomar [off-list ref] writes:

quoted

Hi Alyssa,

On Sat, Dec 13, 2025 at 06:58:53PM +0100, Alyssa Ross wrote:

quoted

I was surprised to discover than an O_PATH file descriptor was
insufficient.

How did you discover it?  Could you please link to relevant information
(or kernel sources)?

By trying it!

Presumably it's the fd_empty() check at the beginning of the syscall
implementation in nsproxy.c.

Hmm, thanks!  I don't see any documentation about this, neither in the
kernel Documentation/, nor in the commit messages that introduced this
code.  Christian, Al, would you mind checking if this is intended?  If
so, it would be useful to document why O_PATH is not accepted.  Is it
a security problem?

quoted

quoted

Since the mode of nsfs files is always 0444, tell
callers to always a file descriptor opened for reading.

Missing 'use'?

Yes.  Feel free to add it.

Thanks!


Cheers,
Alex

-- 
<https://www.alejandro-colomar.es>