On Thu, 23 Feb 2017 09:02:39 -0600 Eric Blake <ebl...@redhat.com> wrote:
> On 02/20/2017 08:40 AM, Greg Kurz wrote:
> > All operations dealing with extended attributes are vulnerable to symlink
> > attacks because they use path-based syscalls which can traverse symbolic
> > links while walking through the dirname part of the path.
> >
> > The solution is to introduce helpers based on opendir_nofollow(). This
> > calls for "at" versions of the extended attribute syscalls, which don't
> > exist unfortunately. This patch implements them by simulating the "at"
> > behavior with fchdir(). Since the current working directory is process
> > wide, and we don't want to confuse another thread in QEMU, all the work
> > is done in a separate process.
>
> Can you emulate *at using /proc/fd/nnn/xyz? Coreutils was one of the
> early adopters of the power of *at functions, and found that emulation
> of *at via procfs was a LOT more efficient than emulation via fchdir
> (although both emulations still exist in gnulib, since procfs is not
> universal).
>

Yeah, Stefan suggested this on irc. I had also found a tentative patchset to
implement genuine f*xattrat() calls in the kernel 3 yrs ago, that never got
merged. The author, Florian Weimer, also told me /proc was the way to go.
It looks like we have a consensus :)
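As an added illustration of the /proc-based emulation discussed above (example code written for this page, not the QEMU 9pfs patch under review and not gnulib's implementation), the helpers below give l*xattr calls an "at" flavour by resolving the dirname part through the /proc/self/fd/<dirfd> magic link of an already-open directory, so no symlink on the on-disk path can be traversed, and the final component is handled by the l-variants, which do not follow a symlink there either. The function names (check_component, proc_fd_path, open_dir_nofollow, lgetxattrat_nofollow, lsetxattrat_nofollow) are assumptions of this example.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <string.h>
#include <sys/xattr.h>
#include <unistd.h>

/* A name is acceptable only as a single path component. A '/' would let
 * the kernel keep walking (possibly through a symlink) below the directory
 * we already hold open, and "." or ".." would step outside it. Returns 0
 * when the name is usable, otherwise -1 with errno set to EINVAL. */
int check_component(const char *name)
{
    if (name == NULL || name[0] == '\0' || strchr(name, '/') != NULL ||
        strcmp(name, ".") == 0 || strcmp(name, "..") == 0) {
        errno = EINVAL;
        return -1;
    }
    return 0;
}

/* Build "/proc/self/fd/<dirfd>/<name>". The magic link resolves straight to
 * the open directory, so the dirname part is never looked up on disk and a
 * symlink planted there by an untrusted party is never followed. */
int proc_fd_path(int dirfd, const char *name, char *buf, size_t buflen)
{
    if (dirfd < 0 || check_component(name) < 0) {
        errno = EINVAL;
        return -1;
    }
    int n = snprintf(buf, buflen, "/proc/self/fd/%d/%s", dirfd, name);
    if (n < 0 || (size_t)n >= buflen) {
        errno = ENAMETOOLONG;
        return -1;
    }
    return 0;
}

/* Open a directory without following a symlink at its final component.
 * Walking a tree one component at a time with this call is what an
 * opendir_nofollow()-style helper does; here it just yields the dirfd
 * the xattr wrappers below operate on. */
int open_dir_nofollow(int dirfd, const char *name)
{
    return openat(dirfd, name,
                  O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
}

/* "at" flavours of lgetxattr/lsetxattr: the /proc path keeps the preceding
 * components off the disk, and the l-variants do not follow a symlink at
 * the final component, so the operation stays inside dirfd. */
ssize_t lgetxattrat_nofollow(int dirfd, const char *name, const char *attr,
                             void *value, size_t size)
{
    char path[PATH_MAX];
    if (proc_fd_path(dirfd, name, path, sizeof(path)) < 0) {
        return -1;
    }
    return lgetxattr(path, attr, value, size);
}

int lsetxattrat_nofollow(int dirfd, const char *name, const char *attr,
                         const void *value, size_t size, int flags)
{
    char path[PATH_MAX];
    if (proc_fd_path(dirfd, name, path, sizeof(path)) < 0) {
        return -1;
    }
    return lsetxattr(path, attr, value, size, flags);
}

/* Stand-alone demo: ./a.out <dir> <file> <attr> prints one attribute of
 * <dir>/<file>, where <file> must be a single component. */
int main(int argc, char **argv)
{
    if (argc != 4) {
        fprintf(stderr, "usage: %s <dir> <file> <attr>\n", argv[0]);
        return 2;
    }
    int dirfd = open_dir_nofollow(AT_FDCWD, argv[1]);
    if (dirfd < 0) {
        perror("open_dir_nofollow");
        return 1;
    }
    char value[256];
    ssize_t len = lgetxattrat_nofollow(dirfd, argv[2], argv[3],
                                       value, sizeof(value));
    if (len < 0) {
        perror("lgetxattrat_nofollow");
        close(dirfd);
        return 1;
    }
    printf("%s = %.*s\n", argv[3], (int)len, value);
    close(dirfd);
    return 0;
}
```

The whole scheme depends on procfs being mounted, which is exactly the caveat Eric raises about gnulib keeping the fchdir emulation as a fallback; when /proc is absent the wrappers fail with ENOENT rather than silently falling back to a path-based call.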