From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <fweimer@redhat.com>
Received: from us-smtp-1.mimecast.com (us-smtp-delivery-1.mimecast.com
 [207.211.31.120])
 by sourceware.org (Postfix) with ESMTP id E80FA395CC19
 for <libc-alpha@sourceware.org>; Thu, 30 Apr 2020 12:55:56 +0000 (GMT)
DMARC-Filter: OpenDMARC Filter v1.3.2 sourceware.org E80FA395CC19
Received: from mimecast-mx01.redhat.com (mimecast-mx01.redhat.com
 [209.132.183.4]) (Using TLS) by relay.mimecast.com with ESMTP id
 us-mta-257-J5OPWOPLM6yl6FEDxk-Qiw-1; Thu, 30 Apr 2020 08:55:55 -0400
X-MC-Unique: J5OPWOPLM6yl6FEDxk-Qiw-1
Received: from smtp.corp.redhat.com (int-mx07.intmail.prod.int.phx2.redhat.com
 [10.5.11.22])
 (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
 (No client certificate requested)
 by mimecast-mx01.redhat.com (Postfix) with ESMTPS id 1ACC2100CCC4;
 Thu, 30 Apr 2020 12:55:54 +0000 (UTC)
Received: from oldenburg2.str.redhat.com (ovpn-113-72.ams2.redhat.com
 [10.36.113.72])
 by smtp.corp.redhat.com (Postfix) with ESMTPS id 67F3A1001920;
 Thu, 30 Apr 2020 12:55:53 +0000 (UTC)
From: Florian Weimer <fweimer@redhat.com>
To: Adhemerval Zanella via Libc-alpha <libc-alpha@sourceware.org>
Subject: Re: [PATCH] Linux: Add execveat system call wrapper
References: <20200428122019.26826-1-ahajkova@redhat.com>
 <87pnbpmdg9.fsf@oldenburg2.str.redhat.com>
 <b5af6b41-7bd8-3ff6-cf29-56bddd0ddd45@linaro.org>
Date: Thu, 30 Apr 2020 14:55:51 +0200
In-Reply-To: <b5af6b41-7bd8-3ff6-cf29-56bddd0ddd45@linaro.org> (Adhemerval
 Zanella via Libc-alpha's message of "Thu, 30 Apr 2020 09:28:26 -0300")
Message-ID: <87y2qdku94.fsf@oldenburg2.str.redhat.com>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/26.3 (gnu/linux)
MIME-Version: 1.0
X-Scanned-By: MIMEDefang 2.84 on 10.5.11.22
X-Mimecast-Spam-Score: 0
X-Mimecast-Originator: redhat.com
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
X-Spam-Status: No, score=-9.8 required=5.0 tests=BAYES_00, DKIMWL_WL_HIGH,
 DKIM_SIGNED, DKIM_VALID, DKIM_VALID_AU, DKIM_VALID_EF, RCVD_IN_DNSWL_NONE,
 RCVD_IN_MSPIKE_H2, SPF_HELO_NONE, SPF_PASS,
 TXREP autolearn=ham autolearn_force=no version=3.4.2
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on
 server2.sourceware.org
X-BeenThere: libc-alpha@sourceware.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Libc-alpha mailing list <libc-alpha.sourceware.org>
List-Unsubscribe: <http://sourceware.org/mailman/options/libc-alpha>,
 <mailto:libc-alpha-request@sourceware.org?subject=unsubscribe>
List-Archive: <https://sourceware.org/pipermail/libc-alpha/>
List-Post: <mailto:libc-alpha@sourceware.org>
List-Help: <mailto:libc-alpha-request@sourceware.org?subject=help>
List-Subscribe: <http://sourceware.org/mailman/listinfo/libc-alpha>,
 <mailto:libc-alpha-request@sourceware.org?subject=subscribe>
X-List-Received-Date: Thu, 30 Apr 2020 12:55:58 -0000

* Adhemerval Zanella via Libc-alpha:

>> So I think we have to do this:
>>=20
>> * If there are more flags than just the two, fail with EINVAL.
>>=20
>> * To handle AT_EMPTY_PATH, do not open a new file descriptor (using
>>   openat) if AT_EMPTY_PATH is specified *and* the file name is "".
>>=20
>> * To handle AT_SYMLINK_NOFOLLOW, openat needs to be called with
>>   O_NOFOLLOW in that case (in addition to O_CLOEXEC).
>
> These will surely need to be on the testcase.

Yes, these permutations need to be tested.

>> The behavior with AT_EMPTY_PATH/"" and AT_SYMLINK_NOFOLLOW at the same
>> time is not immedately obvious from the kernel code, so I wrote a small
>> test program (/bin/sh is a symbolic link to /bin/bash on this system):
>>=20
>> #include <err.h>
>> #include <fcntl.h>
>> #include <sys/syscall.h>
>> #include <unistd.h>
>>=20
>> int
>> main (void)
>> {
>>   int fd =3D open ("/bin/sh", O_PATH | O_NOFOLLOW);
>>   if (fd < 0)
>>     err (1, "open");
>>   static char *const argv[] =3D { "sh", "-c", "exit 0", NULL };
>>   static char *const envp[] =3D { NULL };
>>   syscall (SYS_execveat, fd, "", argv, envp,
>>            AT_EMPTY_PATH | AT_SYMLINK_NOFOLLOW);
>>   err (1, "execveat");
>> }
>>=20
>> This fails:
>>=20
>> openat(AT_FDCWD, "/bin/sh", O_RDONLY|O_NOFOLLOW|O_PATH) =3D 3
>> execveat(3, "", ["sh", "-c", "exit 0"], 0x402040 /* 0 vars */, AT_SYMLIN=
K_NOFOLLOW|AT_EMPTY_PATH) =3D -1 ELOOP (Too many levels of symbolic links)
>> [=E2=80=A6]
>> execveat-opath-symlink: execveat: Too many levels of symbolic links
>>=20
>> So I think for the AT_EMPTY_PATH/"" and AT_SYMLINK_NOFOLLOW case, we
>> need to call fstatat64 with AT_EMPTY_PATH and see if st_mode indicates
>> that the descriptor refers to a symbolic link.  If it does, the function
>> needs to fail with ELOOP.
>
> I think execve would handle it:
>
> openat(AT_FDCWD, "/bin/sh", O_RDONLY|O_NOFOLLOW|O_PATH) =3D 3
> execve("/proc/self/fd/3", ["sh", "-c", "echo test"], 0x556815e580a8 /* 0 =
vars */) =3D -1 ELOOP (Too many levels of symbolic   links)

And execveat fails even without AT_SYMLINK_NOFOLLOW:

openat(AT_FDCWD, "/bin/sh", O_RDONLY|O_NOFOLLOW|O_PATH) =3D 3
execveat(3, "", ["sh", "-c", "exit 0"], 0x402040 /* 0 vars */, AT_EMPTY_PAT=
H) =3D -1 ELOOP (Too many levels of symbolic links)

Does this mean we do not need a special case for an O_PATH|O_NOFOLLOW
open of a symbolic link?

Thanks,
Florian