On Wed, Aug 19, 2020 at 10:43:16AM -0600, Ross Zwisler wrote:
From: Mattias Nissler <mnissler@chromium.org>
For mounts that have the new "nosymfollow" option, don't follow symlinks when resolving paths. The new option is similar in spirit to the existing "nodev", "noexec", and "nosuid" options, as well as to the LOOKUP_NO_SYMLINKS resolve flag in the openat2(2) syscall. Various BSD variants have been supporting the "nosymfollow" mount option for a long time with equivalent implementations.
Note that symlinks may still be created on file systems mounted with the "nosymfollow" option present. readlink() remains functional, so user space code that is aware of symlinks can still choose to follow them explicitly.
Setting the "nosymfollow" mount option helps prevent privileged writers from modifying files unintentionally in case there is an unexpected link along the accessed path. The "nosymfollow" option is thus useful as a defensive measure for systems that need to deal with untrusted file systems in privileged contexts.
More information on the history and motivation for this patch can be found here:
https://sites.google.com/a/chromium.org/dev/chromium-os/chromiumos-design-do...
Signed-off-by: Mattias Nissler <mnissler@chromium.org>
Signed-off-by: Ross Zwisler <zwisler@google.com>
Reviewed-by: Aleksa Sarai <cyphar@cyphar.com>
Changes since v7 [1]:
- Rebased onto v5.9-rc1.
- Added selftest in second patch.
- Added Aleksa's Reviewed-By tag. Thank you for the review!
After this lands I will upstream changes to util-linux[2] and man-pages [3].
[3]: https://github.com/rzwisler/man-pages/commit/b8fe8079f64b5068940c0144586e580...
Friendly ping on this.
Al, now that the changes to fs/namei.c have landed and we're past the merge window for v5.9, what are your thoughts on this patch and the associated test?
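
As an added illustration (not part of the patch or of either message), the sketch below approximates in user space what a privileged writer gets from a "nosymfollow" mount: every path component is opened relative to the previous one and refused if it is a symlink, while readlink() keeps working. The names `open_nosymfollow` and `demo` and the directory layout are hypothetical, and the code assumes Linux (it relies on `O_PATH`).

```python
import errno
import os
import stat
import tempfile


def open_nosymfollow(root, relpath, flags=os.O_RDONLY):
    """Open relpath beneath root; raise OSError(ELOOP) if any component is a symlink."""
    parts = [p for p in relpath.split("/") if p not in ("", ".")]
    if not parts or ".." in parts:
        raise ValueError("need a relative path without '..'")
    dirfd = os.open(root, os.O_RDONLY | os.O_DIRECTORY)
    try:
        for name in parts[:-1]:
            # O_PATH|O_NOFOLLOW yields a handle on the entry itself, never its target.
            nxt = os.open(name, os.O_PATH | os.O_NOFOLLOW, dir_fd=dirfd)
            os.close(dirfd)
            dirfd = nxt
            if stat.S_ISLNK(os.fstat(dirfd).st_mode):
                raise OSError(errno.ELOOP, "symlink in path", name)
        # On the final component O_NOFOLLOW makes open() itself fail with ELOOP.
        return os.open(parts[-1], flags | os.O_NOFOLLOW, dir_fd=dirfd)
    finally:
        os.close(dirfd)


def demo():
    """Constructed tree: data/real.txt, symlinks link -> data and data/alias -> real.txt."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "data"))
        with open(os.path.join(root, "data", "real.txt"), "w") as f:
            f.write("payload")
        os.symlink("data", os.path.join(root, "link"))
        os.symlink("real.txt", os.path.join(root, "data", "alias"))
        for path in ("data/real.txt", "link/real.txt", "data/alias"):
            try:
                fd = open_nosymfollow(root, path)
                results[path] = os.read(fd, 16).decode()
                os.close(fd)
            except OSError as exc:
                results[path] = errno.errorcode[exc.errno]
        # readlink() still works, so symlink-aware code can resolve links explicitly.
        results["readlink"] = os.readlink(os.path.join(root, "data", "alias"))
    return results


if __name__ == "__main__":
    print(demo())
```

Unlike the mount option, this check only protects callers that opt in to the helper; the kernel-side option applies to every path lookup on the mount.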