On Tue, Jul 08, 2014 at 05:54:24PM +0100, David Drysdale wrote:
> > How is this implemented in FreeBSD? I can't find any references to
> > O_BENEATH_ONLY except for your patchset.
>
> FreeBSD have the relative-only behaviour for openat() relative to a
> Capsicum capability dfd [1], and for a
On Tue, Jul 08, 2014 at 05:54:24PM +0100, David Drysdale wrote:
How is this implemented in FreeBSD? I can't find any references to
O_BENEATH_ONLY except for your patchset.
FreeBSD have the relative-only behaviour for openat() relative to a
Capsicum capability dfd [1], and for a process in
On Tue, Jul 8, 2014 at 1:03 PM, Christoph Hellwig wrote:
> On Mon, Jun 30, 2014 at 11:28:01AM +0100, David Drysdale wrote:
>> Add a new O_BENEATH_ONLY flag for openat(2) which restricts the
>> provided path, rejecting (with -EACCES) paths that are not beneath
>> the provided dfd. In particular,
On Tue, Jul 08, 2014 at 02:04:45PM +0100, Meredydd Luff wrote:
> On 8 July 2014 13:51, Christoph Hellwig wrote:
> > Yeah, it won't work for an explicit directory - I was thinking of
> > working relative to $CWD.
>
> I think that would sacrifice far too much flexibility. Even without
> Capsicum,
On 8 July 2014 13:51, Christoph Hellwig wrote:
> Yeah, it won't work for an explicit directory - I was thinking of
> working relative to $CWD.
I think that would sacrifice far too much flexibility. Even without
Capsicum, it would be worthwhile to be able to wire up a static
seccomp-bpf filter to
On Tue, Jul 08, 2014 at 01:48:27PM +0100, Meredydd Luff wrote:
> How would that work? The directory beneath which openat is looking is
> conveyed in the dfd argument itself. If I'm understanding this right,
> you'd have to pass a different value for "open relative to fd#5" and
> "open relative to
On 8 July 2014 13:07, Christoph Hellwig wrote:
> There's two different AT_* namespaces. The flags that most *at syscalls
> have, and the one for the dfd argument, which currently only contains
> AT_FDCWD, although a new constant has recently been proposed to it.
>
> Having an AT_BENEATH magic
On Mon, Jun 30, 2014 at 08:53:01AM -0700, Andy Lutomirski wrote:
> > Wouldn't it need to be both O_BENEATH_ONLY (for openat()) and
> > AT_BENEATH_ONLY (for other *at() functions), like O_NOFOLLOW and
> > AT_SYMLINK_NOFOLLOW? (I.e. aren't the AT_* flags in a different
> > numbering space than O_*
On Mon, Jun 30, 2014 at 11:28:01AM +0100, David Drysdale wrote:
> Add a new O_BENEATH_ONLY flag for openat(2) which restricts the
> provided path, rejecting (with -EACCES) paths that are not beneath
> the provided dfd. In particular, reject:
> - paths that contain .. components
> - paths that
On Mon, Jun 30, 2014 at 11:28:01AM +0100, David Drysdale wrote:
Add a new O_BENEATH_ONLY flag for openat(2) which restricts the
provided path, rejecting (with -EACCES) paths that are not beneath
the provided dfd. In particular, reject:
- paths that contain .. components
- paths that begin
On Mon, Jun 30, 2014 at 08:53:01AM -0700, Andy Lutomirski wrote:
Wouldn't it need to be both O_BENEATH_ONLY (for openat()) and
AT_BENEATH_ONLY (for other *at() functions), like O_NOFOLLOW and
AT_SYMLINK_NOFOLLOW? (I.e. aren't the AT_* flags in a different
numbering space than O_* flags?)
On 8 July 2014 13:07, Christoph Hellwig h...@infradead.org wrote:
There's two different AT_* namespaces. The flags that most *at syscalls
have, and the one for the dfd argument, which currently only contains
AT_FDCWD, although a new constant has recently been proposed to it.
Having an
On Tue, Jul 08, 2014 at 01:48:27PM +0100, Meredydd Luff wrote:
How would that work? The directory beneath which openat is looking is
conveyed in the dfd argument itself. If I'm understanding this right,
you'd have to pass a different value for open relative to fd#5 and
open relative to fd#5,
On 8 July 2014 13:51, Christoph Hellwig h...@infradead.org wrote:
Yeah, it won't work for an explicit directory - I was thinking of
working relative to $CWD.
I think that would sacrifice far too much flexibility. Even without
Capsicum, it would be worthwhile to be able to wire up a static
On Tue, Jul 08, 2014 at 02:04:45PM +0100, Meredydd Luff wrote:
On 8 July 2014 13:51, Christoph Hellwig h...@infradead.org wrote:
Yeah, it won't work for an explicit directory - I was thinking of
working relative to $CWD.
I think that would sacrifice far too much flexibility. Even without
On Tue, Jul 8, 2014 at 1:03 PM, Christoph Hellwig h...@infradead.org wrote:
On Mon, Jun 30, 2014 at 11:28:01AM +0100, David Drysdale wrote:
Add a new O_BENEATH_ONLY flag for openat(2) which restricts the
provided path, rejecting (with -EACCES) paths that are not beneath
the provided dfd. In
On Tue, Jul 1, 2014 at 1:53 PM, David Drysdale wrote:
> On Mon, Jun 30, 2014 at 01:40:40PM -0700, Andi Kleen wrote:
>> David Drysdale writes:
>>
>> > Add a new O_BENEATH_ONLY flag for openat(2) which restricts the
>> > provided path, rejecting (with -EACCES) paths that are not beneath
>> > the
On Mon, Jun 30, 2014 at 01:40:40PM -0700, Andi Kleen wrote:
> David Drysdale writes:
>
> > Add a new O_BENEATH_ONLY flag for openat(2) which restricts the
> > provided path, rejecting (with -EACCES) paths that are not beneath
> > the provided dfd. In particular, reject:
> > - paths that
On Mon, Jun 30, 2014 at 01:40:40PM -0700, Andi Kleen wrote:
David Drysdale drysd...@google.com writes:
Add a new O_BENEATH_ONLY flag for openat(2) which restricts the
provided path, rejecting (with -EACCES) paths that are not beneath
the provided dfd. In particular, reject:
- paths
On Tue, Jul 1, 2014 at 1:53 PM, David Drysdale drysd...@google.com wrote:
On Mon, Jun 30, 2014 at 01:40:40PM -0700, Andi Kleen wrote:
David Drysdale drysd...@google.com writes:
Add a new O_BENEATH_ONLY flag for openat(2) which restricts the
provided path, rejecting (with -EACCES) paths that
On Mon, Jun 30, 2014 at 1:40 PM, Andi Kleen wrote:
> David Drysdale writes:
>
>> Add a new O_BENEATH_ONLY flag for openat(2) which restricts the
>> provided path, rejecting (with -EACCES) paths that are not beneath
>> the provided dfd. In particular, reject:
>> - paths that contain ..
David Drysdale writes:
> Add a new O_BENEATH_ONLY flag for openat(2) which restricts the
> provided path, rejecting (with -EACCES) paths that are not beneath
> the provided dfd. In particular, reject:
> - paths that contain .. components
> - paths that begin with /
> - symlinks that have
On Mon, Jun 30, 2014 at 8:49 AM, David Drysdale wrote:
> On Mon, Jun 30, 2014 at 07:49:41AM -0700, Andy Lutomirski wrote:
>> On Jun 30, 2014 3:36 AM, "David Drysdale" wrote:
>> >
>> > Add a new O_BENEATH_ONLY flag for openat(2) which restricts the
>> > provided path, rejecting (with -EACCES)
On Mon, Jun 30, 2014 at 07:49:41AM -0700, Andy Lutomirski wrote:
> On Jun 30, 2014 3:36 AM, "David Drysdale" wrote:
> >
> > Add a new O_BENEATH_ONLY flag for openat(2) which restricts the
> > provided path, rejecting (with -EACCES) paths that are not beneath
> > the provided dfd. In particular,
On Jun 30, 2014 3:36 AM, "David Drysdale" wrote:
>
> Add a new O_BENEATH_ONLY flag for openat(2) which restricts the
> provided path, rejecting (with -EACCES) paths that are not beneath
> the provided dfd. In particular, reject:
> - paths that contain .. components
> - paths that begin with /
Add a new O_BENEATH_ONLY flag for openat(2) which restricts the
provided path, rejecting (with -EACCES) paths that are not beneath
the provided dfd. In particular, reject:
- paths that contain .. components
- paths that begin with /
- symlinks that have paths as above.
Signed-off-by: David
On Jun 30, 2014 3:36 AM, David Drysdale drysd...@google.com wrote:
Add a new O_BENEATH_ONLY flag for openat(2) which restricts the
provided path, rejecting (with -EACCES) paths that are not beneath
the provided dfd. In particular, reject:
- paths that contain .. components
- paths that
On Mon, Jun 30, 2014 at 07:49:41AM -0700, Andy Lutomirski wrote:
On Jun 30, 2014 3:36 AM, David Drysdale drysd...@google.com wrote:
Add a new O_BENEATH_ONLY flag for openat(2) which restricts the
provided path, rejecting (with -EACCES) paths that are not beneath
the provided dfd. In
On Mon, Jun 30, 2014 at 8:49 AM, David Drysdale drysd...@google.com wrote:
On Mon, Jun 30, 2014 at 07:49:41AM -0700, Andy Lutomirski wrote:
On Jun 30, 2014 3:36 AM, David Drysdale drysd...@google.com wrote:
Add a new O_BENEATH_ONLY flag for openat(2) which restricts the
provided path,
David Drysdale drysd...@google.com writes:
Add a new O_BENEATH_ONLY flag for openat(2) which restricts the
provided path, rejecting (with -EACCES) paths that are not beneath
the provided dfd. In particular, reject:
- paths that contain .. components
- paths that begin with /
- symlinks
On Mon, Jun 30, 2014 at 1:40 PM, Andi Kleen a...@firstfloor.org wrote:
David Drysdale drysd...@google.com writes:
Add a new O_BENEATH_ONLY flag for openat(2) which restricts the
provided path, rejecting (with -EACCES) paths that are not beneath
the provided dfd. In particular, reject:
-
32 matches