diff options
author | Mattias Nissler <mnissler@chromium.org> | 2020-08-27 19:09:46 +0200 |
---|---|---|
committer | Al Viro <viro@zeniv.linux.org.uk> | 2020-08-27 22:06:47 +0200 |
commit | dab741e0e02bd3c4f5e2e97be74b39df2523fc6e (patch) | |
tree | 1203850bac7f0ee707271a2d8f8c0d7d9bf74c74 /tools | |
parent | Linux 5.9-rc1 (diff) | |
download | linux-dab741e0e02bd3c4f5e2e97be74b39df2523fc6e.tar.xz linux-dab741e0e02bd3c4f5e2e97be74b39df2523fc6e.zip |
Add a "nosymfollow" mount option.
For mounts that have the new "nosymfollow" option, don't follow symlinks
when resolving paths. The new option is similar in spirit to the
existing "nodev", "noexec", and "nosuid" options, as well as to the
LOOKUP_NO_SYMLINKS resolve flag in the openat2(2) syscall. Various BSD
variants have been supporting the "nosymfollow" mount option for a long
time with equivalent implementations.
Note that symlinks may still be created on file systems mounted with
the "nosymfollow" option present. readlink() remains functional, so
user space code that is aware of symlinks can still choose to follow
them explicitly.
Setting the "nosymfollow" mount option helps prevent privileged
writers from modifying files unintentionally in case there is an
unexpected link along the accessed path. The "nosymfollow" option is
thus useful as a defensive measure for systems that need to deal with
untrusted file systems in privileged contexts.
More information on the history and motivation for this patch can be
found here:
https://sites.google.com/a/chromium.org/dev/chromium-os/chromiumos-design-docs/hardening-against-malicious-stateful-data#TOC-Restricting-symlink-traversal
Signed-off-by: Mattias Nissler <mnissler@chromium.org>
Signed-off-by: Ross Zwisler <zwisler@google.com>
Reviewed-by: Aleksa Sarai <cyphar@cyphar.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Diffstat (limited to 'tools')
0 files changed, 0 insertions, 0 deletions