From patchwork Fri Dec 20 14:03:27 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Aleksa Sarai X-Patchwork-Id: 1214132 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=sourceware.org (client-ip=209.132.180.131; helo=sourceware.org; envelope-from=libc-alpha-return-108253-incoming=patchwork.ozlabs.org@sourceware.org; receiver=) Authentication-Results: ozlabs.org; dmarc=none (p=none dis=none) header.from=cyphar.com Authentication-Results: ozlabs.org; dkim=pass (1024-bit key; secure) header.d=sourceware.org header.i=@sourceware.org header.b="GpL+THcV"; dkim-atps=neutral Received: from sourceware.org (server1.sourceware.org [209.132.180.131]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 47fVqW03dhz9sPJ for ; Sat, 21 Dec 2019 01:04:38 +1100 (AEDT) DomainKey-Signature: a=rsa-sha1; c=nofws; d=sourceware.org; h=list-id :list-unsubscribe:list-subscribe:list-archive:list-post :list-help:sender:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; q=dns; s= default; b=CxHzN3gWYaqW+YPHZbEZIPgZSMNJtJeh78xrZ3wmacmwZoAxWD4Bh j0dBlJx+rJ6kMUuGEEPw8ntG0lS1Z9FzVCT5kU4pfFl7/mE79bkgSqTC9h+Z7H0X WJhj691mfxyRHQxzb9SZKvyXA/OxCseCgxief8SFPsv8n3GjVl4L4I= DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=sourceware.org; h=list-id :list-unsubscribe:list-subscribe:list-archive:list-post :list-help:sender:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; s=default; bh=+KcCW3s2+WBYMJljDcjwmXPXqVc=; b=GpL+THcVr1fcpsV4gfcATXjgDBHH EimcVHKUxQ7Ey1vdAN0h01vHSFbfL0E1pxpu/pERHkPnaG/UwSTlHfd8AbuqkBu0 i2Pu8V4suN49HcLS2nkxkO6yg0PPzNcymMrYCqPOICj4m7MXgO+MON//Kt5X8uIp raZPVKM/0H9bk5A= Received: (qmail 19460 invoked by alias); 20 Dec 2019 14:04:31 -0000 Mailing-List: contact libc-alpha-help@sourceware.org; run by ezmlm Precedence: bulk List-Id: List-Unsubscribe: List-Subscribe: List-Archive: List-Post: List-Help: , Sender: libc-alpha-owner@sourceware.org Delivered-To: mailing list libc-alpha@sourceware.org Received: (qmail 19403 invoked by uid 89); 20 Dec 2019 14:04:30 -0000 Authentication-Results: sourceware.org; auth=none X-Spam-SWARE-Status: No, score=-24.3 required=5.0 tests=AWL, BAYES_00, GIT_PATCH_0, GIT_PATCH_1, GIT_PATCH_2, GIT_PATCH_3, SPF_PASS autolearn=ham version=3.3.1 spammy= X-HELO: mout-p-102.mailbox.org From: Aleksa Sarai To: Alexander Viro , Jeff Layton , "J. Bruce Fields" , Shuah Khan Cc: Aleksa Sarai , Christian Brauner , David Laight , Florian Weimer , dev@opencontainers.org, containers@lists.linux-foundation.org, libc-alpha@sourceware.org, linux-api@vger.kernel.org, linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org, linux-kselftest@vger.kernel.org Subject: [PATCH v2 1/2] openat2: drop open_how->__padding field Date: Sat, 21 Dec 2019 01:03:27 +1100 Message-Id: <20191220140328.20907-2-cyphar@cyphar.com> In-Reply-To: <20191220140328.20907-1-cyphar@cyphar.com> References: <20191220140328.20907-1-cyphar@cyphar.com> MIME-Version: 1.0 The purpose of explicit padding was to allow us to use the space in the future (C provides no guarantee about the value of padding bytes and thus userspace could've provided garbage). However, the downside of explicit padding is that any extension we wish to add should fit the space exactly (otherwise we may end up with a u16 which will never be used). In addition, the correct error to return for non-zero padding is not clear (-EINVAL doesn't imply "you're using an extension field unsupported by this kernel", but -E2BIG seems a bit odd if the structure size isn't different). The simplest solution is to just match the design of clone3(2) -- use u64s for all fields. The extra few-bytes cost of extra fields is not significant (it's unlikely configuration structs will ever be extremely large) and it allows for more flag space if necessary. There is also no need to align the u64s because we will not permit any padding in the structure. As openat2(2) is not yet in Linus's tree, we can iron out these minor warts before we commit to this as a stable ABI. Acked-by: Christian Brauner Suggested-by: David Laight Signed-off-by: Aleksa Sarai --- fs/open.c | 2 -- include/uapi/linux/fcntl.h | 17 +++++++------ tools/testing/selftests/openat2/helpers.h | 7 +++--- .../testing/selftests/openat2/openat2_test.c | 24 +++++++------------ 4 files changed, 19 insertions(+), 31 deletions(-) diff --git a/fs/open.c b/fs/open.c index 50a46501bcc9..8cdb2b675867 100644 --- a/fs/open.c +++ b/fs/open.c @@ -993,8 +993,6 @@ static inline int build_open_flags(const struct open_how *how, return -EINVAL; if (how->resolve & ~VALID_RESOLVE_FLAGS) return -EINVAL; - if (memchr_inv(how->__padding, 0, sizeof(how->__padding))) - return -EINVAL; /* Deal with the mode. */ if (WILL_CREATE(flags)) { diff --git a/include/uapi/linux/fcntl.h b/include/uapi/linux/fcntl.h index d886bdb585e4..5aaadfd79dd5 100644 --- a/include/uapi/linux/fcntl.h +++ b/include/uapi/linux/fcntl.h @@ -101,22 +101,21 @@ #define AT_RECURSIVE 0x8000 /* Apply to the entire subtree */ /* - * Arguments for how openat2(2) should open the target path. If @resolve is - * zero, then openat2(2) operates very similarly to openat(2). + * Arguments for how openat2(2) should open the target path. If only @flags and + * @mode are non-zero, then openat2(2) operates very similarly to openat(2). * - * However, unlike openat(2), unknown bits in @flags result in -EINVAL rather - * than being silently ignored. @mode must be zero unless one of {O_CREAT, - * O_TMPFILE} are set. + * However, unlike openat(2), unknown or invalid bits in @flags result in + * -EINVAL rather than being silently ignored. @mode must be zero unless one of + * {O_CREAT, O_TMPFILE} are set. * * @flags: O_* flags. * @mode: O_CREAT/O_TMPFILE file mode. * @resolve: RESOLVE_* flags. */ struct open_how { - __aligned_u64 flags; - __u16 mode; - __u16 __padding[3]; /* must be zeroed */ - __aligned_u64 resolve; + __u64 flags; + __u64 mode; + __u64 resolve; }; #define OPEN_HOW_SIZE_VER0 24 /* sizeof first published struct */ diff --git a/tools/testing/selftests/openat2/helpers.h b/tools/testing/selftests/openat2/helpers.h index 43ca5ceab6e3..a6ea27344db2 100644 --- a/tools/testing/selftests/openat2/helpers.h +++ b/tools/testing/selftests/openat2/helpers.h @@ -36,10 +36,9 @@ * @resolve: RESOLVE_* flags. */ struct open_how { - __aligned_u64 flags; - __u16 mode; - __u16 __padding[3]; /* must be zeroed */ - __aligned_u64 resolve; + __u64 flags; + __u64 mode; + __u64 resolve; }; #define OPEN_HOW_SIZE_VER0 24 /* sizeof first published struct */ diff --git a/tools/testing/selftests/openat2/openat2_test.c b/tools/testing/selftests/openat2/openat2_test.c index 0b64fedc008b..b386367c606b 100644 --- a/tools/testing/selftests/openat2/openat2_test.c +++ b/tools/testing/selftests/openat2/openat2_test.c @@ -40,7 +40,7 @@ struct struct_test { int err; }; -#define NUM_OPENAT2_STRUCT_TESTS 10 +#define NUM_OPENAT2_STRUCT_TESTS 7 #define NUM_OPENAT2_STRUCT_VARIATIONS 13 void test_openat2_struct(void) @@ -57,20 +57,6 @@ void test_openat2_struct(void) .arg.inner.flags = O_RDONLY, .size = sizeof(struct open_how_ext) }, - /* Normal struct with broken padding. */ - { .name = "normal struct (non-zero padding[0])", - .arg.inner.flags = O_RDONLY, - .arg.inner.__padding = {0xa0, 0x00, 0x00}, - .size = sizeof(struct open_how_ext), .err = -EINVAL }, - { .name = "normal struct (non-zero padding[1])", - .arg.inner.flags = O_RDONLY, - .arg.inner.__padding = {0x00, 0x1a, 0x00}, - .size = sizeof(struct open_how_ext), .err = -EINVAL }, - { .name = "normal struct (non-zero padding[2])", - .arg.inner.flags = O_RDONLY, - .arg.inner.__padding = {0x00, 0x00, 0xef}, - .size = sizeof(struct open_how_ext), .err = -EINVAL }, - /* TODO: Once expanded, check zero-padding. */ /* Smaller than version-0 struct. */ @@ -169,7 +155,7 @@ struct flag_test { int err; }; -#define NUM_OPENAT2_FLAG_TESTS 21 +#define NUM_OPENAT2_FLAG_TESTS 23 void test_openat2_flags(void) { @@ -214,9 +200,15 @@ void test_openat2_flags(void) { .name = "invalid how.mode and O_CREAT", .how.flags = O_CREAT, .how.mode = 0xFFFF, .err = -EINVAL }, + { .name = "invalid (very large) how.mode and O_CREAT", + .how.flags = O_CREAT, + .how.mode = 0xC000000000000000ULL, .err = -EINVAL }, { .name = "invalid how.mode and O_TMPFILE", .how.flags = O_TMPFILE | O_RDWR, .how.mode = 0x1337, .err = -EINVAL }, + { .name = "invalid (very large) how.mode and O_TMPFILE", + .how.flags = O_TMPFILE | O_RDWR, + .how.mode = 0x0000A00000000000ULL, .err = -EINVAL }, /* ->resolve must only contain RESOLVE_* flags. */ { .name = "invalid how.resolve and O_RDONLY", From patchwork Fri Dec 20 14:03:28 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Aleksa Sarai X-Patchwork-Id: 1214133 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=sourceware.org (client-ip=209.132.180.131; helo=sourceware.org; envelope-from=libc-alpha-return-108254-incoming=patchwork.ozlabs.org@sourceware.org; receiver=) Authentication-Results: ozlabs.org; dmarc=none (p=none dis=none) header.from=cyphar.com Authentication-Results: ozlabs.org; dkim=pass (1024-bit key; secure) header.d=sourceware.org header.i=@sourceware.org header.b="elQO50gv"; dkim-atps=neutral Received: from sourceware.org (server1.sourceware.org [209.132.180.131]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 47fVqh5Cmlz9sP3 for ; Sat, 21 Dec 2019 01:04:48 +1100 (AEDT) DomainKey-Signature: a=rsa-sha1; c=nofws; d=sourceware.org; h=list-id :list-unsubscribe:list-subscribe:list-archive:list-post :list-help:sender:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; q=dns; s= default; b=WtC0cI448iORNZYP/LEyRP2/u5DIwWmiYp4pWmyEQrUJtq29IsV3A A6+Ro0CRdN9v3bvHDnW+irsAtT0zvt8nW9T3EB2hL8ZZsbJImfiA9D7k77yY1L5d jN0jJB4F1RHEXLDKsMI0nFjgkDqyuCgV+Gg4jrmKKZXfAs4rIrbBSc= DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=sourceware.org; h=list-id :list-unsubscribe:list-subscribe:list-archive:list-post :list-help:sender:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; s=default; bh=hHlGcLwezJBoZ5Bf5penWEfBpNs=; b=elQO50gvIMuwxGqaV+umrzNZqf0V Ry6QAfCceggld993F55S0Y3ytCsvM03XeZPOxzAZaV7zZP+8bgeUoVTjPb5TVk6Z ecX0o4DoSzuL8PJoViYIV84bmn6gC16fDWIzKI+RdAGdThRGZwkWrCPQD+qjEcxH cOoWIOENfYlyQJs= Received: (qmail 20084 invoked by alias); 20 Dec 2019 14:04:36 -0000 Mailing-List: contact libc-alpha-help@sourceware.org; run by ezmlm Precedence: bulk List-Id: List-Unsubscribe: List-Subscribe: List-Archive: List-Post: List-Help: , Sender: libc-alpha-owner@sourceware.org Delivered-To: mailing list libc-alpha@sourceware.org Received: (qmail 20006 invoked by uid 89); 20 Dec 2019 14:04:35 -0000 Authentication-Results: sourceware.org; auth=none X-Spam-SWARE-Status: No, score=-24.3 required=5.0 tests=AWL, BAYES_00, GIT_PATCH_0, GIT_PATCH_1, GIT_PATCH_2, GIT_PATCH_3, SPF_PASS autolearn=ham version=3.3.1 spammy= X-HELO: mout-p-101.mailbox.org From: Aleksa Sarai To: Alexander Viro , Jeff Layton , "J. Bruce Fields" , Shuah Khan Cc: Aleksa Sarai , Florian Weimer , David Laight , Christian Brauner , dev@opencontainers.org, containers@lists.linux-foundation.org, libc-alpha@sourceware.org, linux-api@vger.kernel.org, linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org, linux-kselftest@vger.kernel.org Subject: [PATCH v2 2/2] uapi: split openat2(2) definitions from fcntl.h Date: Sat, 21 Dec 2019 01:03:28 +1100 Message-Id: <20191220140328.20907-3-cyphar@cyphar.com> In-Reply-To: <20191220140328.20907-1-cyphar@cyphar.com> References: <20191220140328.20907-1-cyphar@cyphar.com> MIME-Version: 1.0 Florian mentioned that glibc doesn't use fcntl.h because it has some issues with namespace cleanliness, and that we should have a separate header for openat2(2) if possible. In addition, userspace has no real use for the OPEN_HOW_SIZE_* constants so move them to the in-kernel headers. Suggested-by: Florian Weimer Signed-off-by: Aleksa Sarai --- MAINTAINERS | 1 + include/linux/fcntl.h | 4 ++++ include/uapi/linux/fcntl.h | 36 +-------------------------------- include/uapi/linux/openat2.h | 39 ++++++++++++++++++++++++++++++++++++ 4 files changed, 45 insertions(+), 35 deletions(-) create mode 100644 include/uapi/linux/openat2.h diff --git a/MAINTAINERS b/MAINTAINERS index bd5847e802de..737ada377ac3 100644 --- a/MAINTAINERS +++ b/MAINTAINERS @@ -6397,6 +6397,7 @@ F: fs/* F: include/linux/fs.h F: include/linux/fs_types.h F: include/uapi/linux/fs.h +F: include/uapi/linux/openat2.h FINTEK F75375S HARDWARE MONITOR AND FAN CONTROLLER DRIVER M: Riku Voipio diff --git a/include/linux/fcntl.h b/include/linux/fcntl.h index f2eb05bd3af3..7bcdcf4f6ab2 100644 --- a/include/linux/fcntl.h +++ b/include/linux/fcntl.h @@ -21,6 +21,10 @@ (RESOLVE_NO_XDEV | RESOLVE_NO_MAGICLINKS | RESOLVE_NO_SYMLINKS | \ RESOLVE_BENEATH | RESOLVE_IN_ROOT) +/* List of all open_how "versions". */ +#define OPEN_HOW_SIZE_VER0 24 /* sizeof first published struct */ +#define OPEN_HOW_SIZE_LATEST OPEN_HOW_SIZE_VER0 + #ifndef force_o_largefile #define force_o_largefile() (!IS_ENABLED(CONFIG_ARCH_32BIT_OFF_T)) #endif diff --git a/include/uapi/linux/fcntl.h b/include/uapi/linux/fcntl.h index 5aaadfd79dd5..ca88b7bce553 100644 --- a/include/uapi/linux/fcntl.h +++ b/include/uapi/linux/fcntl.h @@ -3,6 +3,7 @@ #define _UAPI_LINUX_FCNTL_H #include +#include #define F_SETLEASE (F_LINUX_SPECIFIC_BASE + 0) #define F_GETLEASE (F_LINUX_SPECIFIC_BASE + 1) @@ -100,39 +101,4 @@ #define AT_RECURSIVE 0x8000 /* Apply to the entire subtree */ -/* - * Arguments for how openat2(2) should open the target path. If only @flags and - * @mode are non-zero, then openat2(2) operates very similarly to openat(2). - * - * However, unlike openat(2), unknown or invalid bits in @flags result in - * -EINVAL rather than being silently ignored. @mode must be zero unless one of - * {O_CREAT, O_TMPFILE} are set. - * - * @flags: O_* flags. - * @mode: O_CREAT/O_TMPFILE file mode. - * @resolve: RESOLVE_* flags. - */ -struct open_how { - __u64 flags; - __u64 mode; - __u64 resolve; -}; - -#define OPEN_HOW_SIZE_VER0 24 /* sizeof first published struct */ -#define OPEN_HOW_SIZE_LATEST OPEN_HOW_SIZE_VER0 - -/* how->resolve flags for openat2(2). */ -#define RESOLVE_NO_XDEV 0x01 /* Block mount-point crossings - (includes bind-mounts). */ -#define RESOLVE_NO_MAGICLINKS 0x02 /* Block traversal through procfs-style - "magic-links". */ -#define RESOLVE_NO_SYMLINKS 0x04 /* Block traversal through all symlinks - (implies OEXT_NO_MAGICLINKS) */ -#define RESOLVE_BENEATH 0x08 /* Block "lexical" trickery like - "..", symlinks, and absolute - paths which escape the dirfd. */ -#define RESOLVE_IN_ROOT 0x10 /* Make all jumps to "/" and ".." - be scoped inside the dirfd - (similar to chroot(2)). */ - #endif /* _UAPI_LINUX_FCNTL_H */ diff --git a/include/uapi/linux/openat2.h b/include/uapi/linux/openat2.h new file mode 100644 index 000000000000..58b1eb711360 --- /dev/null +++ b/include/uapi/linux/openat2.h @@ -0,0 +1,39 @@ +/* SPDX-License-Identifier: GPL-2.0 WITH Linux-syscall-note */ +#ifndef _UAPI_LINUX_OPENAT2_H +#define _UAPI_LINUX_OPENAT2_H + +#include + +/* + * Arguments for how openat2(2) should open the target path. If only @flags and + * @mode are non-zero, then openat2(2) operates very similarly to openat(2). + * + * However, unlike openat(2), unknown or invalid bits in @flags result in + * -EINVAL rather than being silently ignored. @mode must be zero unless one of + * {O_CREAT, O_TMPFILE} are set. + * + * @flags: O_* flags. + * @mode: O_CREAT/O_TMPFILE file mode. + * @resolve: RESOLVE_* flags. + */ +struct open_how { + __u64 flags; + __u64 mode; + __u64 resolve; +}; + +/* how->resolve flags for openat2(2). */ +#define RESOLVE_NO_XDEV 0x01 /* Block mount-point crossings + (includes bind-mounts). */ +#define RESOLVE_NO_MAGICLINKS 0x02 /* Block traversal through procfs-style + "magic-links". */ +#define RESOLVE_NO_SYMLINKS 0x04 /* Block traversal through all symlinks + (implies OEXT_NO_MAGICLINKS) */ +#define RESOLVE_BENEATH 0x08 /* Block "lexical" trickery like + "..", symlinks, and absolute + paths which escape the dirfd. */ +#define RESOLVE_IN_ROOT 0x10 /* Make all jumps to "/" and ".." + be scoped inside the dirfd + (similar to chroot(2)). */ + +#endif /* _UAPI_LINUX_OPENAT2_H */