linux/arch/powerpc/kernel
Linus Torvalds 6aee4badd8 Merge branch 'work.openat2' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs
Pull openat2 support from Al Viro:
 "This is the openat2() series from Aleksa Sarai.

  I'm afraid that the rest of namei stuff will have to wait - it got
  zero review the last time I'd posted #work.namei, and there had been a
  leak in the posted series I'd caught only last weekend. I was going to
  repost it on Monday, but the window opened and the odds of getting any
  review during that... Oh, well.

  Anyway, openat2 part should be ready; that _did_ get sane amount of
  review and public testing, so here it comes"

From Aleksa's description of the series:
 "For a very long time, extending openat(2) with new features has been
  incredibly frustrating. This stems from the fact that openat(2) is
  possibly the most famous counter-example to the mantra "don't silently
  accept garbage from userspace" -- it doesn't check whether unknown
  flags are present[1].

  This means that (generally) the addition of new flags to openat(2) has
  been fraught with backwards-compatibility issues (O_TMPFILE has to be
  defined as __O_TMPFILE|O_DIRECTORY|[O_RDWR or O_WRONLY] to ensure old
  kernels gave errors, since it's insecure to silently ignore the
  flag[2]). All new security-related flags therefore have a tough road
  to being added to openat(2).

  Furthermore, the need for some sort of control over VFS's path
  resolution (to avoid malicious paths resulting in inadvertent
  breakouts) has been a very long-standing desire of many userspace
  applications.

  This patchset is a revival of Al Viro's old AT_NO_JUMPS[3] patchset
  (which was a variant of David Drysdale's O_BENEATH patchset[4] which
  was a spin-off of the Capsicum project[5]) with a few additions and
  changes made based on the previous discussion within [6] as well as
  others I felt were useful.

  In line with the conclusions of the original discussion of
  AT_NO_JUMPS, the flag has been split up into separate flags. However,
  instead of being an openat(2) flag it is provided through a new
  syscall openat2(2) which provides several other improvements to the
  openat(2) interface (see the patch description for more details). The
  following new LOOKUP_* flags are added:

  LOOKUP_NO_XDEV:

     Blocks all mountpoint crossings (upwards, downwards, or through
     absolute links). Absolute pathnames alone in openat(2) do not
     trigger this. Magic-link traversal which implies a vfsmount jump is
     also blocked (though magic-link jumps on the same vfsmount are
     permitted).

  LOOKUP_NO_MAGICLINKS:

     Blocks resolution through /proc/$pid/fd-style links. This is done
     by blocking the usage of nd_jump_link() during resolution in a
     filesystem. The term "magic-links" is used to match with the only
     reference to these links in Documentation/, but I'm happy to change
     the name.

     It should be noted that this is different to the scope of
     ~LOOKUP_FOLLOW in that it applies to all path components. However,
     you can do openat2(NO_FOLLOW|NO_MAGICLINKS) on a magic-link and it
     will *not* fail (assuming that no parent component was a
     magic-link), and you will have an fd for the magic-link.

     In order to correctly detect magic-links, the introduction of a new
     LOOKUP_MAGICLINK_JUMPED state flag was required.

  LOOKUP_BENEATH:

     Disallows escapes to outside the starting dirfd's
     tree, using techniques such as ".." or absolute links. Absolute
     paths in openat(2) are also disallowed.

     Conceptually this flag is to ensure you "stay below" a certain
     point in the filesystem tree -- but this requires some additional
     to protect against various races that would allow escape using
     "..".

     Currently LOOKUP_BENEATH implies LOOKUP_NO_MAGICLINKS, because it
     can trivially beam you around the filesystem (breaking the
     protection). In future, there might be similar safety checks done
     as in LOOKUP_IN_ROOT, but that requires more discussion.

  In addition, two new flags are added that expand on the above ideas:

  LOOKUP_NO_SYMLINKS:

     Does what it says on the tin. No symlink resolution is allowed at
     all, including magic-links. Just as with LOOKUP_NO_MAGICLINKS this
     can still be used with NOFOLLOW to open an fd for the symlink as
     long as no parent path had a symlink component.

  LOOKUP_IN_ROOT:

     This is an extension of LOOKUP_BENEATH that, rather than blocking
     attempts to move past the root, forces all such movements to be
     scoped to the starting point. This provides chroot(2)-like
     protection but without the cost of a chroot(2) for each filesystem
     operation, as well as being safe against race attacks that
     chroot(2) is not.

     If a race is detected (as with LOOKUP_BENEATH) then an error is
     generated, and similar to LOOKUP_BENEATH it is not permitted to
     cross magic-links with LOOKUP_IN_ROOT.

     The primary need for this is from container runtimes, which
     currently need to do symlink scoping in userspace[7] when opening
     paths in a potentially malicious container.

     There is a long list of CVEs that could have bene mitigated by
     having RESOLVE_THIS_ROOT (such as CVE-2017-1002101,
     CVE-2017-1002102, CVE-2018-15664, and CVE-2019-5736, just to name a
     few).

  In order to make all of the above more usable, I'm working on
  libpathrs[8] which is a C-friendly library for safe path resolution.
  It features a userspace-emulated backend if the kernel doesn't support
  openat2(2). Hopefully we can get userspace to switch to using it, and
  thus get openat2(2) support for free once it's ready.

  Future work would include implementing things like
  RESOLVE_NO_AUTOMOUNT and possibly a RESOLVE_NO_REMOTE (to allow
  programs to be sure they don't hit DoSes though stale NFS handles)"

* 'work.openat2' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs:
  Documentation: path-lookup: include new LOOKUP flags
  selftests: add openat2(2) selftests
  open: introduce openat2(2) syscall
  namei: LOOKUP_{IN_ROOT,BENEATH}: permit limited ".." resolution
  namei: LOOKUP_IN_ROOT: chroot-like scoped resolution
  namei: LOOKUP_BENEATH: O_BENEATH-like scoped resolution
  namei: LOOKUP_NO_XDEV: block mountpoint crossing
  namei: LOOKUP_NO_MAGICLINKS: block magic-link resolution
  namei: LOOKUP_NO_SYMLINKS: block symlink resolution
  namei: allow set_root() to produce errors
  namei: allow nd_jump_link() to produce errors
  nsfs: clean-up ns_get_path() signature to return int
  namei: only return -ECHILD from follow_dotdot_rcu()
2020-01-29 11:20:24 -08:00
..
syscalls open: introduce openat2(2) syscall 2020-01-18 09:19:18 -05:00
trace powerpc/ftrace: Enable HAVE_FUNCTION_GRAPH_RET_ADDR_PTR 2019-09-18 12:24:55 +10:00
vdso32 powerpc: Fix vDSO clock_getres() 2019-12-05 00:13:55 +11:00
vdso64 powerpc: Fix vDSO clock_getres() 2019-12-05 00:13:55 +11:00
.gitignore powerpc: improve prom_init_check rule 2019-09-14 00:04:41 +10:00
align.c powerpc/spe: Mark expected switch fall-throughs 2019-07-31 00:19:34 +10:00
asm-offsets.c powerpc: Fix vDSO clock_getres() 2019-12-05 00:13:55 +11:00
audit.c
btext.c powerpc: Rework btext_find_display to use of_stdout and device_type helpers 2018-11-26 22:33:37 +11:00
cacheinfo.c powerpc updates for 5.3 2019-07-13 16:08:36 -07:00
cacheinfo.h powerpc/cacheinfo: add cacheinfo_teardown, cacheinfo_rebuild 2019-06-15 16:52:06 +10:00
compat_audit.c
cpu_setup_6xx.S treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
cpu_setup_44x.S treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
cpu_setup_fsl_booke.S powerpc/booke: Spelling s/date/data/ 2019-11-17 01:56:31 -06:00
cpu_setup_pa6t.S treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 333 2019-06-05 17:37:06 +02:00
cpu_setup_power.S powerpc/64s: Set reserved PCR bits 2019-09-21 08:36:53 +10:00
cpu_setup_ppc970.S treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
cputable.c powerpc/32s: get rid of CPU_FTR_601 feature 2019-08-28 23:19:33 +10:00
crash_dump.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 230 2019-06-19 17:09:06 +02:00
dawr.c powerpc/watchpoint: Fix length calculation for unaligned target 2019-11-13 16:58:03 +11:00
dbell.c KVM: PPC: Book3S HV: use smp_mb() when setting/clearing host_ipi flag 2019-09-24 12:46:26 +10:00
dma-iommu.c powerpc updates for 5.4 2019-09-20 11:48:06 -07:00
dma-mask.c dma-mapping, powerpc: simplify the arch dma_set_mask override 2019-02-18 22:41:03 +11:00
dma-swiotlb.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
dt_cpu_ftrs.c powerpc/mm: Fixup tlbie vs mtpidr/mtlpidr ordering issue on POWER9 2019-09-24 20:58:55 +10:00
early_32.c powerpc/fsl_booke/32: implement KASLR infrastructure 2019-11-13 19:27:40 +11:00
eeh_cache.c powerpc/eeh: Convert log messages to eeh_edev_* macros 2019-08-22 23:12:47 +10:00
eeh_dev.c powerpc/eeh: Add bdfn field to eeh_dev 2019-08-22 23:12:46 +10:00
eeh_driver.c powerpc/eeh: differentiate duplicate detection message 2019-11-13 16:58:10 +11:00
eeh_event.c powerpc/eeh: Fix build with STACKTRACE=n 2019-09-14 00:01:14 +10:00
eeh_pe.c powerpc/eeh: Clean up EEH PEs after recovery finishes 2019-09-05 14:22:37 +10:00
eeh_sysfs.c powerpc: Replace GPL boilerplate with SPDX identifiers 2019-11-13 16:58:07 +11:00
eeh.c powerpc/eeh: Fix eeh eeh_debugfs_break_device() with SRIOV devices 2019-09-27 09:04:17 +10:00
entry_32.S sched/rt, powerpc: Use CONFIG_PREEMPTION 2019-12-08 14:37:32 +01:00
entry_64.S sched/rt, powerpc: Use CONFIG_PREEMPTION 2019-12-08 14:37:32 +01:00
epapr_hcalls.S treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
epapr_paravirt.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 266 2019-06-05 17:30:28 +02:00
exceptions-64e.S powerpc: unify definition of M_IF_NEEDED 2019-11-13 19:27:24 +11:00
exceptions-64s.S powerpc/64s/exception: Fix kaup -> kuap typo 2019-11-13 16:58:08 +11:00
fadump.c powerpc/fadump: when fadump is supported register the fadump sysfs files. 2019-11-13 16:58:11 +11:00
firmware.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
fpu.S treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
fsl_booke_entry_mapping.S powerpc/fsl_booke/32: implement KASLR infrastructure 2019-11-13 19:27:40 +11:00
head_8xx.S powerpc/8xx: set STACK_END_MAGIC earlier on the init_stack 2019-08-28 11:31:18 +10:00
head_32.h powerpc/32: replace LOAD_MSR_KERNEL() by LOAD_REG_IMMEDIATE() 2019-08-27 13:03:36 +10:00
head_32.S powerpc/32s: use CONFIG_PPC_BOOK3S_601 instead of reading PVR 2019-08-28 23:19:33 +10:00
head_40x.S treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
head_44x.S treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
head_64.S powerpc/prom: convert PROM_BUG() to standard trap 2019-08-28 11:31:18 +10:00
head_booke.h powerpc/32: fix build failure on book3e with KVM 2019-06-16 00:03:38 +10:00
head_fsl_booke.S powerpc/kasan: Fix boot failure with RELOCATABLE && FSL_BOOKE 2019-12-05 00:11:43 +11:00
hw_breakpoint.c powerpc/watchpoint: Don't ignore extraneous exceptions blindly 2019-11-13 16:58:03 +11:00
idle_6xx.S treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
idle_book3e.S treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
idle_book3s.S treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
idle_e500.S treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
idle_power4.S treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
idle.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
ima_arch.c powerpc/ima: Indicate kernel modules appended signatures are enforced 2019-11-12 12:25:50 +11:00
io-workarounds.c powerpc/mm: rework io-workaround invocation. 2019-08-27 13:03:34 +10:00
io.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
iomap.c
iommu.c Merge branch 'topic/ppc-kvm' into next 2019-08-30 09:52:57 +10:00
irq.c powerpc/irq: fix stack overflow verification 2019-12-14 07:59:36 +11:00
isa-bridge.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
jump_label.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
kgdb.c powerpc: Activate CONFIG_THREAD_INFO_IN_TASK 2019-02-23 22:31:40 +11:00
kprobes-ftrace.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 156 2019-05-30 11:26:35 -07:00
kprobes.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 156 2019-05-30 11:26:35 -07:00
kvm_emul.S powerpc/kvm: Add ifdefs around template code 2019-09-14 00:04:40 +10:00
kvm.c powerpc/kvm: Explicitly mark kvm guest code as __init 2019-09-14 00:04:40 +10:00
l2cr_6xx.S treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 61 2019-05-24 17:36:45 +02:00
legacy_serial.c tty/serial: Migrate 8250_fsl to use has_sysrq 2019-12-18 15:04:42 +01:00
Makefile powerpc/prom_init: Use -ffreestanding to avoid a reference to bcmp 2019-11-25 21:45:43 +11:00
mce_power.c powerpc/mm/mce: Keep irqs disabled during lockless page table walk 2019-09-19 21:24:59 +10:00
mce.c powerpc/64s/pseries: machine check convert to use common event code 2019-08-30 10:32:35 +10:00
misc_32.S powerpc/32: Split kexec low level code out of misc_32.S 2019-11-21 15:41:34 +11:00
misc_64.S Merge branch 'topic/kaslr-book3e32' into next 2019-11-14 19:23:33 +11:00
misc.S treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
module_32.c powerpc updates for 5.3 2019-07-13 16:08:36 -07:00
module_64.c powerpc updates for 5.3 2019-07-13 16:08:36 -07:00
module.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 156 2019-05-30 11:26:35 -07:00
module.lds
msi.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
note.S powerpc: Add PowerPC Capabilities ELF note 2019-08-30 09:40:15 +10:00
nvram_64.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
of_platform.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
optprobes_head.S treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
optprobes.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
paca.c powerpc/pseries/svm: Use shared memory for LPPACA structures 2019-08-30 09:55:40 +10:00
pci_32.c powerpc/64: Adjust order in pcibios_init() 2019-08-22 23:11:48 +10:00
pci_64.c powerpc/64: Adjust order in pcibios_init() 2019-08-22 23:11:48 +10:00
pci_dn.c powerpc/eeh: Fix race when freeing PDNs 2019-09-05 14:22:37 +10:00
pci_of_scan.c powerpc/of/pci: Rewrite pci_parse_of_flags 2019-08-29 20:24:05 +10:00
pci-common.c powerpc/64: Adjust order in pcibios_init() 2019-08-22 23:11:48 +10:00
pci-hotplug.c powerpc/eeh: Fix race when freeing PDNs 2019-09-05 14:22:37 +10:00
pmc.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
ppc32.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
ppc_save_regs.S treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
proc_powerpc.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 156 2019-05-30 11:26:35 -07:00
process.c powerpc/watchpoint: Fix length calculation for unaligned target 2019-11-13 16:58:03 +11:00
prom_init_check.sh powerpc/prom_init: Undo relocation before entering secure mode 2019-10-29 15:12:17 +11:00
prom_init.c powerpc/pseries: Enable support for ibm,drc-info property 2019-11-13 16:58:00 +11:00
prom_parse.c
prom.c powerpc/fadump: add support to preserve crash data on FADUMP disabled kernel 2019-09-14 00:04:45 +10:00
ptrace32.c
ptrace.c powerpc/watchpoint: Fix ptrace code that muck around with address/len 2019-11-13 16:58:03 +11:00
reloc_32.S treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
reloc_64.S treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
rtas_flash.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
rtas_pci.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 156 2019-05-30 11:26:35 -07:00
rtas-proc.c powerpc updates for 4.18 2018-06-07 10:23:33 -07:00
rtas-rtc.c
rtas.c powerpc/rtas: allow rescheduling while changing cpu states 2019-08-20 21:22:27 +10:00
rtasd.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
secure_boot.c powerpc: Detect the trusted boot state of the system 2019-11-12 12:25:49 +11:00
security.c powerpc updates for 5.5 2019-11-30 14:35:43 -08:00
secvar-ops.c powerpc/powernv: Add OPAL API interface to access secure variable 2019-11-13 00:33:22 +11:00
secvar-sysfs.c powerpc: expose secure variables to userspace via sysfs 2019-11-13 00:33:22 +11:00
setup_32.c powerpc: Add support for GENERIC_EARLY_IOREMAP 2019-11-19 19:38:38 +11:00
setup_64.c powerpc: Add support for GENERIC_EARLY_IOREMAP 2019-11-19 19:38:38 +11:00
setup-common.c arch/powerpc/setup: Drop dummy_con initialization 2020-01-14 15:29:17 +01:00
setup.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
signal_32.c powerpc/tm: Fix oops on sigreturn on systems without TM 2019-07-22 13:05:23 +10:00
signal_64.c powerpc/tm: Fix oops on sigreturn on systems without TM 2019-07-22 13:05:23 +10:00
signal.c Remove 'type' argument from access_ok() function 2019-01-03 18:57:57 -08:00
signal.h
smp-tbsync.c
smp.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
stacktrace.c powerpc/ftrace: Enable HAVE_FUNCTION_GRAPH_RET_ADDR_PTR 2019-09-18 12:24:55 +10:00
suspend.c PM: hibernate: powerpc: Expose pfn_is_nosave() prototype 2019-06-14 10:48:56 +02:00
swsusp_32.S powerpc/32s: fix suspend/resume when IBATs 4-7 are used 2019-06-19 20:05:07 +10:00
swsusp_64.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 505 2019-06-19 17:11:22 +02:00
swsusp_asm64.S treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 505 2019-06-19 17:11:22 +02:00
swsusp_booke.S
swsusp.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
sys_ppc32.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
syscalls.c y2038: syscalls: change remaining timeval to __kernel_old_timeval 2019-11-15 14:38:29 +01:00
sysfs.c powerpc/pseries/svm: Export guest SVM status to user space via sysfs 2019-08-30 09:55:41 +10:00
systbl_chk.sh treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
systbl.S treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
tau_6xx.c
time.c powerpc: Fix vDSO clock_getres() 2019-12-05 00:13:55 +11:00
tm.S powerpc/tm: update comment about interrupt re-entrancy 2019-07-02 21:39:49 +10:00
traps.c powerpc/book3s/mm: Update Oops message to print the correct translation in use 2019-11-13 16:58:07 +11:00
ucall.S powerpc/kernel: Add ucall_norets() ultravisor call handler 2019-08-30 09:40:15 +10:00
udbg_16550.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
udbg.c powerpc/udbg: Make it safe to call udbg_printf() always 2019-10-11 19:33:25 +11:00
uprobes.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 156 2019-05-30 11:26:35 -07:00
vdso.c powerpc/32s: drop CPU_FTR_USE_RTC feature 2019-08-28 23:19:33 +10:00
vecemu.c
vector.S powerpc/64: Don't trace code that runs with the soft irq mask unreconciled 2019-05-03 01:58:11 +10:00
vmlinux.lds.S powerpc: Move EXCEPTION_TABLE to RO_DATA segment 2019-11-04 18:30:13 +01:00
watchdog.c powerpc/watchdog: Use hrtimers for per-CPU heartbeat 2019-04-30 11:31:02 +10:00