On Thu, Aug 27, 2020 at 09:08:01PM +0100, Al Viro wrote:
On Thu, Aug 27, 2020 at 11:09:46AM -0600, Ross Zwisler wrote:
From: Mattias Nissler <mnissler@chromium.org>
For mounts that have the new "nosymfollow" option, don't follow symlinks when resolving paths. The new option is similar in spirit to the existing "nodev", "noexec", and "nosuid" options, as well as to the LOOKUP_NO_SYMLINKS resolve flag in the openat2(2) syscall. Various BSD variants have been supporting the "nosymfollow" mount option for a long time with equivalent implementations.
Note that symlinks may still be created on file systems mounted with the "nosymfollow" option present. readlink() remains functional, so user space code that is aware of symlinks can still choose to follow them explicitly.
Setting the "nosymfollow" mount option helps prevent privileged writers from modifying files unintentionally in case there is an unexpected link along the accessed path. The "nosymfollow" option is thus useful as a defensive measure for systems that need to deal with untrusted file systems in privileged contexts.
More information on the history and motivation for this patch can be found here:
https://sites.google.com/a/chromium.org/dev/chromium-os/chromiumos-design-do...
Signed-off-by: Mattias Nissler <mnissler@chromium.org>
Signed-off-by: Ross Zwisler <zwisler@google.com>
Reviewed-by: Aleksa Sarai <cyphar@cyphar.com>
Changes since v8 [1]:
- Look for MNT_NOSYMFOLLOW in link->mnt->mnt_flags so we are testing the link itself rather than the directory holding the link. (Al Viro)
- Rebased onto v5.9-rc2.
AFAICS, it applies clean to -rc1; what was the rebase about?
Applied (to -rc1) and pushed
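The lookup rule the commit message describes can be approximated per open in user space, for code that has to run where the mount option is not available. This is an added example, not code from the patch or from anyone in the thread: `open_nosymfollow`, `demo` and the temporary tree are hypothetical names and constructed data. Unlike the mount option, this emulation needs read permission on each intermediate directory.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper: open `path` beneath `rootfd` one component at a time,
 * with O_NOFOLLOW on every step, so no symlink along the path is followed.
 * Returns an fd, or -1 with errno set. Do not pass O_PATH in `flags`. */
int open_nosymfollow(int rootfd, const char *path, int flags)
{
    char buf[PATH_MAX], *save = NULL;
    if (strlen(path) >= sizeof(buf)) { errno = ENAMETOOLONG; return -1; }
    strcpy(buf, path);
    int dirfd = dup(rootfd);
    char *comp = strtok_r(buf, "/", &save);   /* leading '/' is ignored */
    while (dirfd >= 0 && comp != NULL) {
        char *next = strtok_r(NULL, "/", &save);
        int f = next ? (O_RDONLY | O_DIRECTORY) : flags;
        int fd = openat(dirfd, comp, f | O_NOFOLLOW | O_CLOEXEC);
        int saved = errno; close(dirfd); errno = saved;  /* keep openat's errno */
        dirfd = fd; comp = next;
    }
    return dirfd;
}

/* Constructed tree: real/data.txt, link -> real, real/alias -> data.txt.
 * Returns a bitmask of the checks that passed (15 = all), -1 on setup error. */
int demo(void)
{
    char tmpl[] = "/tmp/nosymfollowXXXXXX", target[PATH_MAX];
    int ok = 0, fd, root;
    if (!mkdtemp(tmpl) || (root = open(tmpl, O_RDONLY | O_DIRECTORY)) < 0) return -1;
    if (mkdirat(root, "real", 0700) || symlinkat("real", root, "link") ||
        symlinkat("data.txt", root, "real/alias")) return -1;
    if ((fd = openat(root, "real/data.txt", O_CREAT | O_WRONLY, 0600)) < 0) return -1;
    close(fd);
    if ((fd = open_nosymfollow(root, "real/data.txt", O_WRONLY)) >= 0) { ok |= 1; close(fd); }
    if (open_nosymfollow(root, "link/data.txt", O_WRONLY) < 0) ok |= 2; /* symlinked dir */
    if (open_nosymfollow(root, "real/alias", O_WRONLY) < 0) ok |= 4;    /* trailing link */
    ssize_t n = readlinkat(root, "real/alias", target, sizeof(target)); /* still works */
    if (n == 8 && memcmp(target, "data.txt", 8) == 0) ok |= 8;
    unlinkat(root, "real/alias", 0); unlinkat(root, "real/data.txt", 0);
    unlinkat(root, "link", 0); unlinkat(root, "real", AT_REMOVEDIR); close(root); rmdir(tmpl);
    return ok;
}

int main(void) { return demo() == 15 ? 0 : 1; }
```

The last two checks mirror the commit message: the symlink is refused during path resolution, yet its target can still be read with `readlinkat()` by code that chooses to follow it explicitly.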