Revert "fs: Allow unprivileged linkat(..., AT_EMPTY_PATH) aka flink"

This reverts commit bb2314b47996491bbc5add73633905c3120b6268. It wasn't necessarily wrong per se, but we're still busily discussing the exact details of this all, so I'm going to revert it for now. It's true that you can already do flink() through /proc and that flink() isn't new. But as Brad Spengler points out, some secure environments do not mount proc, and flink adds a new interface that can avoid path lookup of the source for those kinds of environments. We may re-do this (and even mark it for stable backporting back in 3.11 and possibly earlier) once the whole discussion about the interface is done. Cc: Andy Lutomirski <luto@amacapital.net> Cc: Al Viro <viro@zeniv.linux.org.uk> Cc: Oleg Nesterov <oleg@redhat.com> Cc: Brad Spengler <spender@grsecurity.net> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

Revert "fs: Allow unprivileged linkat(..., AT_EMPTY_PATH) aka flink"
This reverts commit bb2314b47996491bbc5add73633905c3120b6268. It wasn't necessarily wrong per se, but we're still busily discussing the exact details of this all, so I'm going to revert it for now. It's true that you can already do flink() through /proc and that flink() isn't new. But as Brad Spengler points out, some secure environments do not mount proc, and flink adds a new interface that can avoid path lookup of the source for those kinds of environments. We may re-do this (and even mark it for stable backporting back in 3.11 and possibly earlier) once the whole discussion about the interface is done. Cc: Andy Lutomirski <luto@amacapital.net> Cc: Al Viro <viro@zeniv.linux.org.uk> Cc: Oleg Nesterov <oleg@redhat.com> Cc: Brad Spengler <spender@grsecurity.net> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Linus Torvalds
1 parent fa8218def1
Showing 1 changed file with 7 additions and 3 deletions Side-by-side Diff
fs/namei.c
@@ -3671,11 +3671,15 @@
 	if ((flags & ~(AT_SYMLINK_FOLLOW | AT_EMPTY_PATH)) != 0)
 		return -EINVAL;
 	/*
-	 * Using empty names is equivalent to using AT_SYMLINK_FOLLOW
-	 * on /proc/self/fd/<fd>.
+	 * To use null names we require CAP_DAC_READ_SEARCH
+	 * This ensures that not everyone will be able to create
+	 * handlink using the passed filedescriptor.
 	 */
-	if (flags & AT_EMPTY_PATH)
+	if (flags & AT_EMPTY_PATH) {
+		if (!capable(CAP_DAC_READ_SEARCH))
+			return -ENOENT;
 		how = LOOKUP_EMPTY;
+	}
  
 	if (flags & AT_SYMLINK_FOLLOW)
 		how |= LOOKUP_FOLLOW;
...	...	@@ -3671,11 +3671,15 @@
3671	3671	if ((flags & ~(AT_SYMLINK_FOLLOW \| AT_EMPTY_PATH)) != 0)
3672	3672	return -EINVAL;
3673	3673	/*
3674		- * Using empty names is equivalent to using AT_SYMLINK_FOLLOW
3675		- * on /proc/self/fd/<fd>.
	3674	+ * To use null names we require CAP_DAC_READ_SEARCH
	3675	+ * This ensures that not everyone will be able to create
	3676	+ * handlink using the passed filedescriptor.
3676	3677	*/
3677		- if (flags & AT_EMPTY_PATH)
	3678	+ if (flags & AT_EMPTY_PATH) {
	3679	+ if (!capable(CAP_DAC_READ_SEARCH))
	3680	+ return -ENOENT;
3678	3681	how = LOOKUP_EMPTY;
	3682	+ }
3679	3683
3680	3684	if (flags & AT_SYMLINK_FOLLOW)
3681	3685	how \|= LOOKUP_FOLLOW;