News: 0001634475


Linux 7.2 Expected To Introduce "OPENAT2_REGULAR" To Avoid Tricking Secure Programs

([Linux Storage] 4 Hours Ago OPENAT2_REGULAR)


Among the VFS patches queued into "-next" branches ahead of next month's Linux 7.2 merge window is the code for introducing the new OPENAT2_REGULAR flag for the openat2 system call.

While "OPENAT2_REGULAR" may not sound too exciting, this new flag is important for helping secure programs avoid being tricked. When passed, the flag makes the call open the specified file only if it is a regular file, not a special device file or other non-conventional file on the file-system.

The [1]patch queued last week into the "vfs-7.2.openat.regular" Git branch explains:

"This flag indicates the path should be opened if it's a regular file. This is useful to write secure programs that want to avoid being tricked into opening device nodes with special semantics while thinking they operate on regular files. This is a requested feature from the uapi-group.

The previously introduced EFTYPE error code is returned when the path doesn't refer to a regular file. For example, if openat2 is called on path /dev/null with OPENAT2_REGULAR in the flag param, it will return -EFTYPE.

When used in combination with O_CREAT, either the regular file is created, or if the path already exists, it is opened if it's a regular file. Otherwise, -EFTYPE is returned.

When OPENAT2_REGULAR is combined with O_DIRECTORY, -EINVAL is returned as it doesn't make sense to open a path that is both a directory and a regular file."

The UAPI Group explained the use case in [2]their request for a kernel capability to open only regular files when desired:

"Use-Case: this would be very useful to write secure programs that want to avoid being tricked into opening device nodes with special semantics while thinking they operate on regular files. This is particularly relevant as many device nodes (or even FIFOs) come with blocking I/O (or even blocking open()!) by default, which is not expected from regular files backed by “fast” disk I/O. Consider implementation of a naive web browser which is pointed to file://dev/zero, not expecting an endless amount of data to read."

It's quite logical, and a bit surprising that it has taken until 2026 to see such a flag added for opening files on Linux.

Barring any issues or concerns coming up in the next few weeks, and with this sitting in a "7.2" branch among other VFS changes, expect OPENAT2_REGULAR to be submitted for the Linux 7.2 merge window in mid-June.
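
On kernels without the flag, a program can approximate the same check in userspace by opening without blocking and verifying the type on the descriptor. This is an added example, not code from the article or the kernel patch; `open_regular` and `ERR_NOT_REGULAR` are hypothetical names, and ENOTSUP stands in where the libc headers do not define EFTYPE.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Assumption: installed headers may not define EFTYPE yet, so ENOTSUP is
 * used as a stand-in error for "path is not a regular file". */
#ifdef EFTYPE
#define ERR_NOT_REGULAR EFTYPE
#else
#define ERR_NOT_REGULAR ENOTSUP
#endif

/* Hypothetical helper: returns a read-only fd for a regular file,
 * or a negative errno value. */
int open_regular(int dirfd, const char *path)
{
    /* O_NONBLOCK keeps open() from hanging on a FIFO with no writer;
     * O_NOCTTY stops a tty from becoming the controlling terminal. */
    int fd = openat(dirfd, path, O_RDONLY | O_NONBLOCK | O_NOCTTY | O_CLOEXEC);
    if (fd < 0)
        return -errno;

    /* Check the type on the descriptor, not the path, so the object that
     * was opened is the object that was checked (no stat-then-open race). */
    struct stat st;
    int err = 0;
    if (fstat(fd, &st) < 0) {
        err = errno;
    } else if (!S_ISREG(st.st_mode)) {
        err = ERR_NOT_REGULAR; /* limitation: a device's open handler already ran */
    } else {
        /* Restore blocking mode so callers get ordinary file semantics. */
        int fl = fcntl(fd, F_GETFL);
        if (fl < 0 || fcntl(fd, F_SETFL, fl & ~O_NONBLOCK) < 0)
            err = errno;
    }
    if (err) {
        close(fd);
        return -err;
    }
    return fd;
}

int main(void)
{
    const char *paths[] = { "/dev/zero", "/dev/null", "/" }; /* sample inputs */
    for (int i = 0; i < 3; i++)
        printf("%s -> %d\n", paths[i], open_regular(AT_FDCWD, paths[i]));
    return EXIT_SUCCESS;
}
```

Unlike a kernel-side check, this fallback learns the file type only after the open has happened, so any side effect of opening a device node is not prevented.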



[1] https://git.kernel.org/pub/scm/linux/kernel/git/vfs/vfs.git/commit/?h=vfs-7.2.openat.regular&id=442f39bd9a8f479f392275775f5197586822ffd0

[2] https://uapi-group.org/kernel-features/#ability-to-only-open-regular-files


