authorLinus Torvalds <torvalds@linux-foundation.org>2013-08-28 12:18:05 -0400
committerLinus Torvalds <torvalds@linux-foundation.org>2013-08-28 12:18:05 -0400
commitf0cc6ffb8ce8961db587e5072168cac0cbc25f05 (patch)
tree37a56fff4bf75d279fd5424f5da6889ac5ecf5d4 /fs/namei.c
parentfa8218def1b1a16f0a410e2c1c767b4738cc81fa (diff)
Revert "fs: Allow unprivileged linkat(..., AT_EMPTY_PATH) aka flink"
This reverts commit bb2314b47996491bbc5add73633905c3120b6268. It wasn't necessarily wrong per se, but we're still busily discussing the exact details of this all, so I'm going to revert it for now. It's true that you can already do flink() through /proc and that flink() isn't new. But as Brad Spengler points out, some secure environments do not mount proc, and flink adds a new interface that can avoid path lookup of the source for those kinds of environments. We may re-do this (and even mark it for stable backporting back in 3.11 and possibly earlier) once the whole discussion about the interface is done. Cc: Andy Lutomirski <luto@amacapital.net> Cc: Al Viro <viro@zeniv.linux.org.uk> Cc: Oleg Nesterov <oleg@redhat.com> Cc: Brad Spengler <spender@grsecurity.net> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Diffstat (limited to 'fs/namei.c')
-rw-r--r--fs/namei.c10
1 files changed, 7 insertions, 3 deletions
diff --git a/fs/namei.c b/fs/namei.c
index 89a612e392eb..8b61d103a8a7 100644
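--- a/fs/namei.c
+++ b/fs/namei.c
@@ -3671,11 +3671,15 @@ SYSCALL_DEFINE5(linkat, int, olddfd, const char __user *, oldname,
 if ((flags & ~(AT_SYMLINK_FOLLOW | AT_EMPTY_PATH)) != 0)
 return -EINVAL;
 /*
-* Using empty names is equivalent to using AT_SYMLINK_FOLLOW
-* on /proc/self/fd/<fd>.
+* To use null names we require CAP_DAC_READ_SEARCH
+* This ensures that not everyone will be able to create
+* handlink using the passed filedescriptor.
 */
-if (flags & AT_EMPTY_PATH)
+if (flags & AT_EMPTY_PATH) {
+if (!capable(CAP_DAC_READ_SEARCH))
+return -ENOENT;
 how = LOOKUP_EMPTY;
+}
 
 if (flags & AT_SYMLINK_FOLLOW)
 how |= LOOKUP_FOLLOW;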
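Review bot: The restored comment above `if (!capable(CAP_DAC_READ_SEARCH))` does not say what the check protects against, and it carries the typos "handlink" and "filedescriptor". Going by the commit message, the concern is that an empty-path link lets the holder of a descriptor create a hard link with no path lookup of the source, which matters in environments that do not mount /proc; I would state that directly, e.g. `* AT_EMPTY_PATH links an open fd without any path lookup of the source, so require CAP_DAC_READ_SEARCH.` The denial is reported as `-ENOENT` rather than `-EPERM`, so a refused request may look like a missing file to callers and in logs; a one-line remark on why that errno was chosen would help whoever revisits the interface. The body of linkat starts and ends outside this hunk, so how `how` is consumed afterwards is not visible here.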