summaryrefslogtreecommitdiffstats
path: root/tools
diff options
context:
space:
mode:
authorMattias Nissler <mnissler@chromium.org>2020-08-27 19:09:46 +0200
committerAl Viro <viro@zeniv.linux.org.uk>2020-08-27 22:06:47 +0200
commitdab741e0e02bd3c4f5e2e97be74b39df2523fc6e (patch)
tree1203850bac7f0ee707271a2d8f8c0d7d9bf74c74 /tools
parentLinux 5.9-rc1 (diff)
downloadlinux-dab741e0e02bd3c4f5e2e97be74b39df2523fc6e.tar.xz
linux-dab741e0e02bd3c4f5e2e97be74b39df2523fc6e.zip
Add a "nosymfollow" mount option.
For mounts that have the new "nosymfollow" option, don't follow symlinks when resolving paths. The new option is similar in spirit to the existing "nodev", "noexec", and "nosuid" options, as well as to the LOOKUP_NO_SYMLINKS resolve flag in the openat2(2) syscall. Various BSD variants have been supporting the "nosymfollow" mount option for a long time with equivalent implementations. Note that symlinks may still be created on file systems mounted with the "nosymfollow" option present. readlink() remains functional, so user space code that is aware of symlinks can still choose to follow them explicitly. Setting the "nosymfollow" mount option helps prevent privileged writers from modifying files unintentionally in case there is an unexpected link along the accessed path. The "nosymfollow" option is thus useful as a defensive measure for systems that need to deal with untrusted file systems in privileged contexts. More information on the history and motivation for this patch can be found here: https://sites.google.com/a/chromium.org/dev/chromium-os/chromiumos-design-docs/hardening-against-malicious-stateful-data#TOC-Restricting-symlink-traversal Signed-off-by: Mattias Nissler <mnissler@chromium.org> Signed-off-by: Ross Zwisler <zwisler@google.com> Reviewed-by: Aleksa Sarai <cyphar@cyphar.com> Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Diffstat (limited to 'tools')
0 files changed, 0 insertions, 0 deletions