Re: [PATCH] open(2): document O_PATH

[Michael Kerrisk (man-pages)]

On 07/22/13 10:46, Peter Schiffer wrote:
> On 07/20/2013 10:56 PM, Michael Kerrisk wrote:
>> On 07/20/13 13:40, Al Viro wrote:
>>> On Thu, Mar 14, 2013 at 10:35:59AM +0100, Michael Kerrisk (man-pages) wrote:
 Hello Al et al,

 Documenting O_PATH fell by the wayside last year
 (http://thread.gmane.org/gmane.linux.man/2790) as I got distracted
 with other tasks. A recent prod or two have reminded me restart this.
 I have the following patch queued to document O_PATH.

 Could you please review. I've provided the O_PATH doc both as
 formatted text, for ease of reviewing, and as a patch and entire file
 (attached).
>>>
>>> Seems to be mostly correct; the only thing missing is that F_GETFL is also
>>> allowed (and return value will contain O_PATH for such descriptors).  Had
>>> been there since the very beginning...
>>
>> Thanks, Al. I have added that piece.
>>
> 
> Michael,
> 
> there is a typo within added piece:

Thanks, Peter. Applied.

Cheers,

Michael



> diff --git a/man2/open.2 b/man2/open.2
> index c61ea7f..ef0f664 100644
> --- a/man2/open.2
> +++ b/man2/open.2
> @@ -489,7 +489,7 @@ and
>   .IP *
>   Retrieving open file status flags using the
>   .BR fcntl (2)
> -.BR F_GETFD
> +.BR F_GETFL
>   operation: the returned flags will include the bit
>   .BR O_PATH .
> 
> 
> 

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Re: [PATCH] open(2): document O_PATH

[Peter Schiffer]

On 07/20/2013 10:56 PM, Michael Kerrisk wrote:

On 07/20/13 13:40, Al Viro wrote:

On Thu, Mar 14, 2013 at 10:35:59AM +0100, Michael Kerrisk (man-pages) wrote:

Hello Al et al,

Documenting O_PATH fell by the wayside last year
(http://thread.gmane.org/gmane.linux.man/2790) as I got distracted
with other tasks. A recent prod or two have reminded me restart this.
I have the following patch queued to document O_PATH.

Could you please review. I've provided the O_PATH doc both as
formatted text, for ease of reviewing, and as a patch and entire file
(attached).


Seems to be mostly correct; the only thing missing is that F_GETFL is also
allowed (and return value will contain O_PATH for such descriptors).  Had
been there since the very beginning...


Thanks, Al. I have added that piece.



Michael,

there is a typo within added piece:

diff --git a/man2/open.2 b/man2/open.2
index c61ea7f..ef0f664 100644
--- a/man2/open.2
+++ b/man2/open.2
@@ -489,7 +489,7 @@ and
 .IP *
 Retrieving open file status flags using the
 .BR fcntl (2)
-.BR F_GETFD
+.BR F_GETFL
 operation: the returned flags will include the bit
 .BR O_PATH .


--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Re: [PATCH] open(2): document O_PATH

[Michael Kerrisk]

On 07/20/13 13:40, Al Viro wrote:
> On Thu, Mar 14, 2013 at 10:35:59AM +0100, Michael Kerrisk (man-pages) wrote:
>> Hello Al et al,
>>
>> Documenting O_PATH fell by the wayside last year
>> (http://thread.gmane.org/gmane.linux.man/2790) as I got distracted
>> with other tasks. A recent prod or two have reminded me restart this.
>> I have the following patch queued to document O_PATH.
>>
>> Could you please review. I've provided the O_PATH doc both as
>> formatted text, for ease of reviewing, and as a patch and entire file
>> (attached).
> 
> Seems to be mostly correct; the only thing missing is that F_GETFL is also
> allowed (and return value will contain O_PATH for such descriptors).  Had
> been there since the very beginning...

Thanks, Al. I have added that piece.

Cheers,

Michael

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Re: [PATCH] open(2): document O_PATH

[Al Viro]

On Thu, Mar 14, 2013 at 10:35:59AM +0100, Michael Kerrisk (man-pages) wrote:
> Hello Al et al,
> 
> Documenting O_PATH fell by the wayside last year
> (http://thread.gmane.org/gmane.linux.man/2790) as I got distracted
> with other tasks. A recent prod or two have reminded me restart this.
> I have the following patch queued to document O_PATH.
> 
> Could you please review. I've provided the O_PATH doc both as
> formatted text, for ease of reviewing, and as a patch and entire file
> (attached).

Seems to be mostly correct; the only thing missing is that F_GETFL is also
allowed (and return value will contain O_PATH for such descriptors).  Had
been there since the very beginning...
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

[PATCH] open(2): document O_PATH

[Michael Kerrisk (man-pages)]

Hello Al et al,

Documenting O_PATH fell by the wayside last year
(http://thread.gmane.org/gmane.linux.man/2790) as I got distracted
with other tasks. A recent prod or two have reminded me restart this.
I have the following patch queued to document O_PATH.

Could you please review. I've provided the O_PATH doc both as
formatted text, for ease of reviewing, and as a patch and entire file
(attached).

Thanks,

Michael


   O_PATH (since Linux 2.6.39)
  Obtain a file descriptor that can be used for  two  pur‐
  poses:  to  indicate  a location in the file-system tree
  and to perform operations that act purely  at  the  file
  descriptor  level.   The  file itself is not opened, and
  other file operations  (e.g.,  read(2),  write(2),  fch‐
  mod(2),  fchown(2),  fgetxattr(2))  fail  with the error
  EBADF.

  The following operations can be performed on the result‐
  ing file descriptor:

  *  close(2);   fchdir(2)  (since  Linux  3.5);  fstat(2)
 (since Linux 3.6).

  *  Duplicating the  file  descriptor  (dup(2),  fcntl(2)
 F_DUPFD, etc.).

  *  Getting  and  setting file descriptor flags (fcntl(2)
 F_GETFD and F_SETFD).

  *  Passing the file descriptor as the dirfd argument  of
 openat(2) and the other "*at()" system calls.

  *  Passing  the file descriptor to another process via a
 UNIX domain socket (see SCM_RIGHTS in unix(7)).

  When O_PATH is specified in flags, flag bits other  than
  O_DIRECTORY and O_NOFOLLOW are ignored.

  If  the O_NOFOLLOW flag is also specified, then the call
  returns a file  descriptor  referring  to  the  symbolic
  link.   This  file  descriptor  can be used as the dirfd
  argument in calls to fchownat(2), fstatat(2), linkat(2),
  and  readlinkat(2)  with  an  empty pathname to have the
  calls operate on the symbolic link.


diff --git a/man2/open.2 b/man2/open.2
index e518c1f..c27be8f 100644
--- a/man2/open.2
+++ b/man2/open.2
@@ -424,6 +423,9 @@ If \fIpathname\fP is a symbolic link, then the open fails.
 This is a FreeBSD extension, which was added to Linux in version 2.1.126.
 Symbolic links in earlier components of the pathname will still be
 followed.
+See also
+.BR O_NOPATH
+below.
 .\" The headers from glibc 2.0.100 and later include a
 .\" definition of this flag; \fIkernels before 2.1.126 will ignore it if
 .\" used\fP.
@@ -441,6 +443,89 @@ For a discussion of the effect of
 in conjunction with mandatory file locks and with file leases, see
 .BR fcntl (2).
 .TP
+.BR O_PATH " (since Linux 2.6.39)"
+.\" commit 1abf0c718f15a56a0a435588d1b104c7a37dc9bd
+.\" commit 326be7b484843988afe57566b627fb7a70beac56
+.\" commit 65cfc6722361570bfe255698d9cd4dccaf47570d
+.\"
+.\" http://thread.gmane.org/gmane.linux.man/2790/focus=3496
+.\"Subject: Re: [PATCH] open(2): document O_PATH
+.\"Newsgroups: gmane.linux.man, gmane.linux.kernel
+.\"
+Obtain a file descriptor that can be used for two purposes:
+to indicate a location in the file-system tree and
+to perform operations that act purely at the file descriptor level.
+The file itself is not opened, and other file operations (e.g.,
+.BR read (2),
+.BR write (2),
+.BR fchmod (2),
+.BR fchown (2),
+.BR fgetxattr (2))
+fail with the error
+.BR EBADF .
+
+The following operations
+.I can
+be performed on the resulting file descriptor:
+.RS
+.IP * 3
+.BR close (2);
+.BR fchdir (2)
+(since Linux 3.5);
+.\" commit 332a2e1244bd08b9e3ecd378028513396a004a24
+.BR fstat (2)
+(since Linux 3.6).
+.\" fstat(): commit 55815f70147dcfa3ead5738fd56d3574e2e3c1c2
+.IP *
+Duplicating the file descriptor
+.RB ( dup (2),
+.BR fcntl (2)
+.BR F_DUPFD ,
+etc.).
+.IP *
+Getting and setting file descriptor flags
+.RB ( fcntl (2)
+.BR F_GETFD
+and
+.BR F_SETFD ).
+.IP *
+Passing the file descriptor as the
+.IR dirfd
+argument of
+.BR openat (2)
+and the other "*at()" system calls.
+.IP *
+Passing the file descriptor to another process via a UNIX domain socket
+(see
+.BR SCM_RIGHTS
+in
+.BR unix (7)).
+.RE
+.IP
+When
+.B O_PATH
+is specified in
+.IR flags ,
+flag bits other than
+.BR O_DIRECTORY
+and
+.BR O_NOFOLLOW
+are ignored.
+
+If the
+.BR O_NOFOLLOW
+flag is also specified,
+then the call returns a file descriptor referring to the symbolic link.
+This file descriptor can be used as the
+.I dirfd
+argument in calls to
+.BR fchownat (2),
+.BR fstatat (2),
+.BR linkat (2),
+and
+.BR readlinkat (2)
+with an empty pathname to have the calls operate on the symbolic link.
+.TP
 .B O_SYNC
 The file is opened for synchronous I/O.
 Any
@@ -631,8 +716,9 @@ SVr4, 4.3BSD, POSIX.1-2001.
 The
 .BR O_DIRECTORY ,
 .BR 

Re: [PATCH] open(2): document O_PATH

[Al Viro]

On Thu, May 03, 2012 at 03:11:56PM +0100, Al Viro wrote:
> On Thu, May 03, 2012 at 07:34:35PM +0530, Aneesh Kumar K.V wrote:
> 
> > I looked at dnotify_flush, they remove markers on an inode.
> > But then it also checks for filp to match. So I am not sure
> > whether skipping dnotify_flush for O_PATH descriptor have any impact. We
> > can't use O_PATH descriptor for dnotify fcntl any way. So in
> > dnotify_flush we will not match the filp.
> > 
> > Viro,
> > 
> > Any reason why we skip dnotify_flush  ?
> 
> See your last sentence above - why bother finding the mark, scanning the
> list, etc. when we know that there won't be any matches?

[Apologies for replying to the wrong posting, but this is the closest thing
thread-wise to what I wanted to reply to that I've got sitting in my mailbox]

The rules are:
* syscalls acting purely on descriptor level are allowed - close(),
dup(), dup2(), dup3(), fcntl(F_DUPFD{,_CLOEXEC}), fcntl(F_[SG]ETFD),
fcntl(F_GETFL), passing descriptors in SCM_RIGHTS datagrams)
* syscalls using the descriptor just to indicate a location in
the tree - *at() family, fchdir(), fstat()
The list might get expanded - for example, fstatfs() arguably belongs to the
second group.  The approach had been conservative - the second group gets
expanded on per-case basis.  E.g. anything requiring the file to have
been opened for write is *not* a candidate, so it really has to be reviewed
separately for each syscall of that sort.

As far as dnotify and POSIX locks go, close() (and replacing dup2(), etc.)
are irrelevant - the rules are exactly as usual.  All dnotify watches or
POSIX locks associated with that opened file get evicted; it's just that
there is no way to *set* them on O_PATH descriptors in the first place.
We might eventually allow fcntl(F_NOTIFY) on them, but I'm not sure there's
any good reason to do so; allowing to use them for setting POSIX locks is
almost certainly a bad idea wrt security.

The test in filp_close() is just an optimization - if/when we allow F_NOTIFY
on O_PATH descriptors, the same commit will need to make the call of
dnotify_flush() in filp_open() unconditional.  All there is to it...
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/