From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mail-qk1-x743.google.com (mail-qk1-x743.google.com [IPv6:2607:f8b0:4864:20::743]) by sourceware.org (Postfix) with ESMTPS id C19723894E6C for ; Thu, 30 Apr 2020 12:28:29 +0000 (GMT) DMARC-Filter: OpenDMARC Filter v1.3.2 sourceware.org C19723894E6C Received: by mail-qk1-x743.google.com with SMTP id g74so5375628qke.13 for ; Thu, 30 Apr 2020 05:28:29 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:to:references:from:autocrypt:subject:message-id :date:user-agent:mime-version:in-reply-to:content-language :content-transfer-encoding; bh=+H4kHt1bs2WaWvTIOHUgH1lOz/oQSg8Y6rlhsdPZXTg=; b=RZqRlRxv3Ql0kCxH31nIziHit3DzezT0bdSMbDttUWi0P6dd57PZebaHNXBQ+PJbXD cTHGrt1Z+3abR186BCs+1Mr+13LU6VMpiQu7ATyvjyfthDZf202oi6xgnMCDXHoLeF9i 3+DvLz+R16yCrpH1ppj6NIZ/5axpmiaFkSCgDyeHhFxrPzSB6yEjjHbt/wxmeXuq6TwZ BOBF/r7X7eJTs2IeGiph6hLM83n7TousAf76gP3lIvhsa34B/kXlQ0+EkEzVXmwEGErz 2/Hl43H2AoZZAmPa9OkC8XRVElVUAqNVo8wBiJHs+9mKnN90KqKpsSkWXOqjViBMRkAP UaOQ== X-Gm-Message-State: AGi0PuZ4xvcnVjkBCdAtRX2HHZIEmGlhh/V1Bcvh4YgIQfhfxP9HCfgQ oV3tc58IhhkL8MqH+J0RXFFnKjfhfcHWwg== X-Google-Smtp-Source: APiQypKi+rWM79NfWqWVNgZTWV67yUsJ1Db4RZALvIhrUzsow6oH5G1/fBtlyW1jH3dA7sGKNg9snA== X-Received: by 2002:ae9:e604:: with SMTP id z4mr3343144qkf.12.1588249709125; Thu, 30 Apr 2020 05:28:29 -0700 (PDT) Received: from [192.168.1.4] ([177.194.48.209]) by smtp.googlemail.com with ESMTPSA id j9sm1713786qkk.99.2020.04.30.05.28.27 for (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Thu, 30 Apr 2020 05:28:28 -0700 (PDT) To: libc-alpha@sourceware.org References: <20200428122019.26826-1-ahajkova@redhat.com> <87pnbpmdg9.fsf@oldenburg2.str.redhat.com> From: Adhemerval Zanella Autocrypt: addr=adhemerval.zanella@linaro.org; prefer-encrypt=mutual; keydata= mQINBFcVGkoBEADiQU2x/cBBmAVf5C2d1xgz6zCnlCefbqaflUBw4hB/bEME40QsrVzWZ5Nq 8kxkEczZzAOKkkvv4pRVLlLn/zDtFXhlcvQRJ3yFMGqzBjofucOrmdYkOGo0uCaoJKPT186L NWp53SACXguFJpnw4ODI64ziInzXQs/rUJqrFoVIlrPDmNv/LUv1OVPKz20ETjgfpg8MNwG6 iMizMefCl+RbtXbIEZ3TE/IaDT/jcOirjv96lBKrc/pAL0h/O71Kwbbp43fimW80GhjiaN2y WGByepnkAVP7FyNarhdDpJhoDmUk9yfwNuIuESaCQtfd3vgKKuo6grcKZ8bHy7IXX1XJj2X/ BgRVhVgMHAnDPFIkXtP+SiarkUaLjGzCz7XkUn4XAGDskBNfbizFqYUQCaL2FdbW3DeZqNIa nSzKAZK7Dm9+0VVSRZXP89w71Y7JUV56xL/PlOE+YKKFdEw+gQjQi0e+DZILAtFjJLoCrkEX w4LluMhYX/X8XP6/C3xW0yOZhvHYyn72sV4yJ1uyc/qz3OY32CRy+bwPzAMAkhdwcORA3JPb kPTlimhQqVgvca8m+MQ/JFZ6D+K7QPyvEv7bQ7M+IzFmTkOCwCJ3xqOD6GjX3aphk8Sr0dq3 4Awlf5xFDAG8dn8Uuutb7naGBd/fEv6t8dfkNyzj6yvc4jpVxwARAQABtElBZGhlbWVydmFs IFphbmVsbGEgTmV0dG8gKExpbmFybyBWUE4gS2V5KSA8YWRoZW1lcnZhbC56YW5lbGxhQGxp bmFyby5vcmc+iQI3BBMBCAAhBQJXFRpKAhsDBQsJCAcDBRUKCQgLBRYCAwEAAh4BAheAAAoJ EKqx7BSnlIjv0e8P/1YOYoNkvJ+AJcNUaM5a2SA9oAKjSJ/M/EN4Id5Ow41ZJS4lUA0apSXW NjQg3VeVc2RiHab2LIB4MxdJhaWTuzfLkYnBeoy4u6njYcaoSwf3g9dSsvsl3mhtuzm6aXFH /Qsauav77enJh99tI4T+58rp0EuLhDsQbnBic/ukYNv7sQV8dy9KxA54yLnYUFqH6pfH8Lly sTVAMyi5Fg5O5/hVV+Z0Kpr+ZocC1YFJkTsNLAW5EIYSP9ftniqaVsim7MNmodv/zqK0IyDB GLLH1kjhvb5+6ySGlWbMTomt/or/uvMgulz0bRS+LUyOmlfXDdT+t38VPKBBVwFMarNuREU2 69M3a3jdTfScboDd2ck1u7l+QbaGoHZQ8ZNUrzgObltjohiIsazqkgYDQzXIMrD9H19E+8fw kCNUlXxjEgH/Kg8DlpoYJXSJCX0fjMWfXywL6ZXc2xyG/hbl5hvsLNmqDpLpc1CfKcA0BkK+ k8R57fr91mTCppSwwKJYO9T+8J+o4ho/CJnK/jBy1pWKMYJPvvrpdBCWq3MfzVpXYdahRKHI ypk8m4QlRlbOXWJ3TDd/SKNfSSrWgwRSg7XCjSlR7PNzNFXTULLB34sZhjrN6Q8NQZsZnMNs TX8nlGOVrKolnQPjKCLwCyu8PhllU8OwbSMKskcD1PSkG6h3r0AquQINBFcVGkoBEACgAdbR Ck+fsfOVwT8zowMiL3l9a2DP3Eeak23ifdZG+8Avb/SImpv0UMSbRfnw/N81IWwlbjkjbGTu oT37iZHLRwYUFmA8fZX0wNDNKQUUTjN6XalJmvhdz9l71H3WnE0wneEM5ahu5V1L1utUWTyh VUwzX1lwJeV3vyrNgI1kYOaeuNVvq7npNR6t6XxEpqPsNc6O77I12XELic2+36YibyqlTJIQ V1SZEbIy26AbC2zH9WqaKyGyQnr/IPbTJ2Lv0dM3RaXoVf+CeK7gB2B+w1hZummD21c1Laua +VIMPCUQ+EM8W9EtX+0iJXxI+wsztLT6vltQcm+5Q7tY+HFUucizJkAOAz98YFucwKefbkTp eKvCfCwiM1bGatZEFFKIlvJ2QNMQNiUrqJBlW9nZp/k7pbG3oStOjvawD9ZbP9e0fnlWJIsj 6c7pX354Yi7kxIk/6gREidHLLqEb/otuwt1aoMPg97iUgDV5mlNef77lWE8vxmlY0FBWIXuZ yv0XYxf1WF6dRizwFFbxvUZzIJp3spAao7jLsQj1DbD2s5+S1BW09A0mI/1DjB6EhNN+4bDB SJCOv/ReK3tFJXuj/HbyDrOdoMt8aIFbe7YFLEExHpSk+HgN05Lg5TyTro8oW7TSMTk+8a5M kzaH4UGXTTBDP/g5cfL3RFPl79ubXwARAQABiQIfBBgBCAAJBQJXFRpKAhsMAAoJEKqx7BSn lIjvI/8P/jg0jl4Tbvg3B5kT6PxJOXHYu9OoyaHLcay6Cd+ZrOd1VQQCbOcgLFbf4Yr+rE9l mYsY67AUgq2QKmVVbn9pjvGsEaz8UmfDnz5epUhDxC6yRRvY4hreMXZhPZ1pbMa6A0a/WOSt AgFj5V6Z4dXGTM/lNManr0HjXxbUYv2WfbNt3/07Db9T+GZkpUotC6iknsTA4rJi6u2ls0W9 1UIvW4o01vb4nZRCj4rni0g6eWoQCGoVDk/xFfy7ZliR5B+3Z3EWRJcQskip/QAHjbLa3pml xAZ484fVxgeESOoaeC9TiBIp0NfH8akWOI0HpBCiBD5xaCTvR7ujUWMvhsX2n881r/hNlR9g fcE6q00qHSPAEgGr1bnFv74/1vbKtjeXLCcRKk3Ulw0bY1OoDxWQr86T2fZGJ/HIZuVVBf3+ gaYJF92GXFynHnea14nFFuFgOni0Mi1zDxYH/8yGGBXvo14KWd8JOW0NJPaCDFJkdS5hu0VY 7vJwKcyHJGxsCLU+Et0mryX8qZwqibJIzu7kUJQdQDljbRPDFd/xmGUFCQiQAncSilYOcxNU EMVCXPAQTteqkvA+gNqSaK1NM9tY0eQ4iJpo+aoX8HAcn4sZzt2pfUB9vQMTBJ2d4+m/qO6+ cFTAceXmIoFsN8+gFN3i8Is3u12u8xGudcBPvpoy4OoG Subject: Re: [PATCH] Linux: Add execveat system call wrapper Message-ID: Date: Thu, 30 Apr 2020 09:28:26 -0300 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.7.0 MIME-Version: 1.0 In-Reply-To: <87pnbpmdg9.fsf@oldenburg2.str.redhat.com> Content-Type: text/plain; charset=utf-8 Content-Language: en-US Content-Transfer-Encoding: 8bit X-Spam-Status: No, score=-12.6 required=5.0 tests=BAYES_00, DKIM_SIGNED, DKIM_VALID, DKIM_VALID_AU, DKIM_VALID_EF, RCVD_IN_DNSWL_NONE, SPF_HELO_NONE, SPF_PASS, TXREP autolearn=ham autolearn_force=no version=3.4.2 X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on server2.sourceware.org X-BeenThere: libc-alpha@sourceware.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: Libc-alpha mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 30 Apr 2020 12:28:32 -0000 On 30/04/2020 08:15, Florian Weimer via Libc-alpha wrote: > So it turns out that openat and execveat have totally different flags > arguments, and translation is needed. > > The execveat manual page says this: > > AT_EMPTY_PATH > If pathname is an empty string, operate on the file referred to > by dirfd (which may have been obtained using the open(2) O_PATH > flag). > > AT_SYMLINK_NOFOLLOW > If the file identified by dirfd and a non-NULL pathname is a > symbolic link, then the call fails with the error ELOOP. > > fs/exec.c in the kernel sources handles flags in the do_open_execat > function: > > if ((flags & ~(AT_SYMLINK_NOFOLLOW | AT_EMPTY_PATH)) != 0) > return ERR_PTR(-EINVAL); > if (flags & AT_SYMLINK_NOFOLLOW) > open_exec_flags.lookup_flags &= ~LOOKUP_FOLLOW; > if (flags & AT_EMPTY_PATH) > open_exec_flags.lookup_flags |= LOOKUP_EMPTY; > > file = do_filp_open(fd, name, &open_exec_flags); > > So the manual page is correct and there are only two flags to support. > > So I think we have to do this: > > * If there are more flags than just the two, fail with EINVAL. > > * To handle AT_EMPTY_PATH, do not open a new file descriptor (using > openat) if AT_EMPTY_PATH is specified *and* the file name is "". > > * To handle AT_SYMLINK_NOFOLLOW, openat needs to be called with > O_NOFOLLOW in that case (in addition to O_CLOEXEC). These will surely need to be on the testcase. > > The behavior with AT_EMPTY_PATH/"" and AT_SYMLINK_NOFOLLOW at the same > time is not immedately obvious from the kernel code, so I wrote a small > test program (/bin/sh is a symbolic link to /bin/bash on this system): > > #include > #include > #include > #include > > int > main (void) > { > int fd = open ("/bin/sh", O_PATH | O_NOFOLLOW); > if (fd < 0) > err (1, "open"); > static char *const argv[] = { "sh", "-c", "exit 0", NULL }; > static char *const envp[] = { NULL }; > syscall (SYS_execveat, fd, "", argv, envp, > AT_EMPTY_PATH | AT_SYMLINK_NOFOLLOW); > err (1, "execveat"); > } > > This fails: > > openat(AT_FDCWD, "/bin/sh", O_RDONLY|O_NOFOLLOW|O_PATH) = 3 > execveat(3, "", ["sh", "-c", "exit 0"], 0x402040 /* 0 vars */, AT_SYMLINK_NOFOLLOW|AT_EMPTY_PATH) = -1 ELOOP (Too many levels of symbolic links) > […] > execveat-opath-symlink: execveat: Too many levels of symbolic links > > So I think for the AT_EMPTY_PATH/"" and AT_SYMLINK_NOFOLLOW case, we > need to call fstatat64 with AT_EMPTY_PATH and see if st_mode indicates > that the descriptor refers to a symbolic link. If it does, the function > needs to fail with ELOOP. I think execve would handle it: openat(AT_FDCWD, "/bin/sh", O_RDONLY|O_NOFOLLOW|O_PATH) = 3 execve("/proc/self/fd/3", ["sh", "-c", "echo test"], 0x556815e580a8 /* 0 vars */) = -1 ELOOP (Too many levels of symbolic links) > > AT_EMPTY_PATH without a "" file name does not need special treatment and > can use the regular openat path (with the conditional setting of > O_NOFOLLOW).