Page MenuHomeFreeBSD

open.2: describe O_RESOLVE_BENEATH errors correctly
ClosedPublic

Authored by val_packett.cool on Feb 19 2023, 8:18 PM.
Tags
None
Referenced Files
Unknown Object (File)
Sat, Nov 16, 1:16 AM
Unknown Object (File)
Mon, Nov 11, 5:36 PM
Unknown Object (File)
Sun, Nov 10, 3:20 PM
Unknown Object (File)
Tue, Nov 5, 7:34 AM
Unknown Object (File)
Sep 12 2024, 12:08 AM
Unknown Object (File)
Sep 9 2024, 12:35 AM
Unknown Object (File)
Sep 8 2024, 1:09 AM
Unknown Object (File)
Sep 5 2024, 3:19 AM

Details

Summary

The behavior is the same as in capability mode, it does not actually
return EINVAL for absolute lookups:

openat(AT_FDCWD,"/tmp/test",O_RDONLY|O_DIRECTORY,00) = 3 (0x3)
openat(3,"../../",O_RDONLY|0x800000,00)          ERR#93 'Capabilities insufficient'
openat(3,"/etc/passwd",O_RDONLY|0x800000,00)     ERR#93 'Capabilities insufficient'

Fixes: 1f305be43 ("Document {O,AT}_RESOLVE_BENEATH...")
Sponsored by: https://www.patreon.com/valpackett

Diff Detail

Repository
rG FreeBSD src repository
Lint
Lint Skipped
Unit
Tests Skipped
Build Status
Buildable 49895
Build 46787: arc lint + arc unit

Event Timeline

pauamma_gundo.com added inline comments.
lib/libc/sys/open.2
603–609

I'm not sure this is as clear as the previous version. "A, or B, and C or D" leaves me unsure whether the "C or D" restriction applies to B only, or to both A and B. I don't think the previous version had that ambiguity.

Hopefully more clear this way?

It helps. So (I think) does removing some of the commas. What do others think?

lib/libc/sys/open.2
603–609

The common practice in the error section of the man pages is to list each cause separately, repeating the error number (symbol). So your change would be better done in opposite direction, IMO: splitting the 'absolute path', 'dotdot', and 'dotdot' leading outside the root.

Note that allowance for dotdot presence is controlled by a sysctl knob.

Yeah, makes sense, let's try like this

Minor nits, fixable on commit.

lib/libc/sys/open.2
31

Remember to bump.

609
614

For tense consistency with "is"

617
This revision is now accepted and ready to land.Feb 20 2023, 9:31 PM