• Andy Lutomirski's avatar
    fs: Allow unprivileged linkat(..., AT_EMPTY_PATH) aka flink · bb2314b4
    Andy Lutomirski authored
    Every now and then someone proposes a new flink syscall, and this spawns
    a long discussion of whether it would be a security problem.  I think
    that this is missing the point: flink is *already* allowed without
    privilege as long as /proc is mounted -- it's called AT_SYMLINK_FOLLOW.
    
    Now that O_TMPFILE is here, the ability to create a file with O_TMPFILE,
    write it, and link it in is very convenient.  The only problem is that
    it requires that /proc be mounted so that you can do:
    
    linkat(AT_FDCWD, "/proc/self/fd/<tmpfd>", dfd, path, AT_SYMLINK_NOFOLLOW)
    
    This sucks -- it's much nicer to do:
    
    linkat(tmpfd, "", dfd, path, AT_EMPTY_PATH)
    
    Let's allow it.
    
    If this turns out to be excessively scary, it we could instead require
    that the inode in question be I_LINKABLE, but this seems pointless given
    the /proc situation
    Signed-off-by: default avatarAndy Lutomirski <luto@amacapital.net>
    Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
    bb2314b4
namei.c 101 KB