On Sat, Aug 24, 2024 at 09:14:30AM GMT, Linus Torvalds wrote:
On Sat, Aug 24, 2024 at 5:13 AM Luis Chamberlain mcgrof@kernel.org wrote:
I'm all for this, however a strong rejection outright for the first kernel release is bound to end up with some angry user with some oddball driver that had this for whatever stupid reason.
I can't actually see a reason why a firmware file would have a ".." component in it, so I think the immediate rejection is fine - particularly since it has a warning printout, so you see what happened and why.
I do wonder if we should just have a LOOKUP_NO_DOTDOT flag, and just use that.
[ Christian - the issue is the firmware loading path not wanting to have ".." in the pathname so that you can't load outside the normal firmware tree. We could also use LOOKUP_BENEATH, except kernel_read_file_from_path_initns() just takes one long path rather than "here's the base, and here's the path". ]
There might be other people who want LOOKUP_NO_DOTDOT for similar reasons. In fact, some people might want an even stronger "normalized path" validation, where empty components or just "." is invalid, just because that makes pathnames ambiguous.
I think LOOKUP_NO_DOTDOT is potentially interesting for userspace as RESOLVE_NO_DOTDOT. Though Jann's reply made me wonder: If some userspace project wants to make sure that there are no ".." in the path while allowing symlinks and ".." in symlinks then wouldn't it be easier and cheaper for userspace to just manually check for ".." in the path themselves? I mean RESOLVE_NO_SYMLINKS and RESOLVE_NO_MAGICLINKS alleviate some proper pain. Not just because an appropariate userspace algorithm is very costly but also because it's hard to get right. But with RESOLVE_NO_DOTOT it feels like a pretty mundane string-parsing excercise that could be done in userspace. Although I may just lack imagination.
As long as we only have this very limited in-kernel user I think just using Jann's helper in this patch is probably good enough.