This flag indicates the path should be opened if it's a regular file.
This is useful to write secure programs that want to avoid being
tricked into opening device nodes with special semantics while thinking
they operate on regular files. This is a requested feature from the
uapi-group[1].
A corresponding error code EFTYPE has been introduced. For example, if
openat2 is called on path /dev/null with OPENAT2_REGULAR in the flag
param, it will return -EFTYPE. EFTYPE is already used in BSD systems
like FreeBSD, macOS.
When used in combination with O_CREAT, either the regular file is
created, or if the path already exists, it is opened if it's a regular
file. Otherwise, -EFTYPE is returned.
When OPENAT2_REGULAR is combined with O_DIRECTORY, -EINVAL is returned
as it doesn't make sense to open a path that is both a directory and a
regular file.
[1]: https://uapi-group.org/kernel-features/#ability-to-only-open-regular-files
Signed-off-by: Dorjoy Chowdhury <dorjoychy111@gmail.com>
---
arch/alpha/include/uapi/asm/errno.h | 2 ++
arch/alpha/include/uapi/asm/fcntl.h | 1 +
arch/mips/include/uapi/asm/errno.h | 2 ++
arch/parisc/include/uapi/asm/errno.h | 2 ++
arch/parisc/include/uapi/asm/fcntl.h | 1 +
arch/sparc/include/uapi/asm/errno.h | 2 ++
arch/sparc/include/uapi/asm/fcntl.h | 1 +
fs/ceph/file.c | 4 ++++
fs/gfs2/inode.c | 6 ++++++
fs/namei.c | 4 ++++
fs/nfs/dir.c | 4 ++++
fs/open.c | 4 +++-
fs/smb/client/dir.c | 14 +++++++++++++-
include/linux/fcntl.h | 2 ++
include/uapi/asm-generic/errno.h | 2 ++
include/uapi/asm-generic/fcntl.h | 4 ++++
tools/arch/alpha/include/uapi/asm/errno.h | 2 ++
tools/arch/mips/include/uapi/asm/errno.h | 2 ++
tools/arch/parisc/include/uapi/asm/errno.h | 2 ++
tools/arch/sparc/include/uapi/asm/errno.h | 2 ++
tools/include/uapi/asm-generic/errno.h | 2 ++
21 files changed, 63 insertions(+), 2 deletions(-)
diff --git a/arch/alpha/include/uapi/asm/errno.h b/arch/alpha/include/uapi/asm/errno.h
index 6791f6508632..1a99f38813c7 100644
--- a/arch/alpha/include/uapi/asm/errno.h
+++ b/arch/alpha/include/uapi/asm/errno.h
@@ -127,4 +127,6 @@
#define EHWPOISON 139 /* Memory page has hardware error */
+#define EFTYPE 140 /* Wrong file type for the intended operation */
+
#endif
diff --git a/arch/alpha/include/uapi/asm/fcntl.h b/arch/alpha/include/uapi/asm/fcntl.h
index 50bdc8e8a271..fe488bf7c18e 100644
--- a/arch/alpha/include/uapi/asm/fcntl.h
+++ b/arch/alpha/include/uapi/asm/fcntl.h
@@ -34,6 +34,7 @@
#define O_PATH 040000000
#define __O_TMPFILE 0100000000
+#define OPENAT2_REGULAR 0200000000
#define F_GETLK 7
#define F_SETLK 8
diff --git a/arch/mips/include/uapi/asm/errno.h b/arch/mips/include/uapi/asm/errno.h
index c01ed91b1ef4..1835a50b69ce 100644
--- a/arch/mips/include/uapi/asm/errno.h
+++ b/arch/mips/include/uapi/asm/errno.h
@@ -126,6 +126,8 @@
#define EHWPOISON 168 /* Memory page has hardware error */
+#define EFTYPE 169 /* Wrong file type for the intended operation */
+
#define EDQUOT 1133 /* Quota exceeded */
diff --git a/arch/parisc/include/uapi/asm/errno.h b/arch/parisc/include/uapi/asm/errno.h
index 8cbc07c1903e..93194fbb0a80 100644
--- a/arch/parisc/include/uapi/asm/errno.h
+++ b/arch/parisc/include/uapi/asm/errno.h
@@ -124,4 +124,6 @@
#define EHWPOISON 257 /* Memory page has hardware error */
+#define EFTYPE 258 /* Wrong file type for the intended operation */
+
#endif
diff --git a/arch/parisc/include/uapi/asm/fcntl.h b/arch/parisc/include/uapi/asm/fcntl.h
index 03dee816cb13..d46812f2f0f4 100644
--- a/arch/parisc/include/uapi/asm/fcntl.h
+++ b/arch/parisc/include/uapi/asm/fcntl.h
@@ -19,6 +19,7 @@
#define O_PATH 020000000
#define __O_TMPFILE 040000000
+#define OPENAT2_REGULAR 0100000000
#define F_GETLK64 8
#define F_SETLK64 9
diff --git a/arch/sparc/include/uapi/asm/errno.h b/arch/sparc/include/uapi/asm/errno.h
index 4a41e7835fd5..71940ec9130b 100644
--- a/arch/sparc/include/uapi/asm/errno.h
+++ b/arch/sparc/include/uapi/asm/errno.h
@@ -117,4 +117,6 @@
#define EHWPOISON 135 /* Memory page has hardware error */
+#define EFTYPE 136 /* Wrong file type for the intended operation */
+
#endif
diff --git a/arch/sparc/include/uapi/asm/fcntl.h b/arch/sparc/include/uapi/asm/fcntl.h
index 67dae75e5274..bb6e9fa94bc9 100644
--- a/arch/sparc/include/uapi/asm/fcntl.h
+++ b/arch/sparc/include/uapi/asm/fcntl.h
@@ -37,6 +37,7 @@
#define O_PATH 0x1000000
#define __O_TMPFILE 0x2000000
+#define OPENAT2_REGULAR 0x4000000
#define F_GETOWN 5 /* for sockets. */
#define F_SETOWN 6 /* for sockets. */
diff --git a/fs/ceph/file.c b/fs/ceph/file.c
index 66bbf6d517a9..6d8d4c7765e6 100644
--- a/fs/ceph/file.c
+++ b/fs/ceph/file.c
@@ -977,6 +977,10 @@ int ceph_atomic_open(struct inode *dir, struct dentry *dentry,
ceph_init_inode_acls(newino, &as_ctx);
file->f_mode |= FMODE_CREATED;
}
+ if ((flags & OPENAT2_REGULAR) && !d_is_reg(dentry)) {
+ err = -EFTYPE;
+ goto out_req;
+ }
err = finish_open(file, dentry, ceph_open);
}
out_req:
diff --git a/fs/gfs2/inode.c b/fs/gfs2/inode.c
index 8344040ecaf7..4604e2e8a9cc 100644
--- a/fs/gfs2/inode.c
+++ b/fs/gfs2/inode.c
@@ -738,6 +738,12 @@ static int gfs2_create_inode(struct inode *dir, struct dentry *dentry,
inode = gfs2_dir_search(dir, &dentry->d_name, !S_ISREG(mode) || excl);
error = PTR_ERR(inode);
if (!IS_ERR(inode)) {
+ if (file && (file->f_flags & OPENAT2_REGULAR) && !S_ISREG(inode->i_mode)) {
+ iput(inode);
+ inode = NULL;
+ error = -EFTYPE;
+ goto fail_gunlock;
+ }
if (S_ISDIR(inode->i_mode)) {
iput(inode);
inode = NULL;
diff --git a/fs/namei.c b/fs/namei.c
index 58f715f7657e..2a47289262bd 100644
--- a/fs/namei.c
+++ b/fs/namei.c
@@ -4651,6 +4651,10 @@ static int do_open(struct nameidata *nd,
if (unlikely(error))
return error;
}
+
+ if ((open_flag & OPENAT2_REGULAR) && !d_is_reg(nd->path.dentry))
+ return -EFTYPE;
+
if ((nd->flags & LOOKUP_DIRECTORY) && !d_can_lookup(nd->path.dentry))
return -ENOTDIR;
diff --git a/fs/nfs/dir.c b/fs/nfs/dir.c
index 2402f57c8e7d..d8037c119317 100644
--- a/fs/nfs/dir.c
+++ b/fs/nfs/dir.c
@@ -2195,6 +2195,10 @@ int nfs_atomic_open(struct inode *dir, struct dentry *dentry,
break;
case -EISDIR:
case -ENOTDIR:
+ if (open_flags & OPENAT2_REGULAR) {
+ err = -EFTYPE;
+ break;
+ }
goto no_open;
case -ELOOP:
if (!(open_flags & O_NOFOLLOW))
diff --git a/fs/open.c b/fs/open.c
index 4f0a76dc8993..026b59af6124 100644
--- a/fs/open.c
+++ b/fs/open.c
@@ -1195,7 +1195,7 @@ inline int build_open_flags(const struct open_how *how, struct open_flags *op)
* values before calling build_open_flags(), but openat2(2) checks all
* of its arguments.
*/
- if (flags & ~VALID_OPEN_FLAGS)
+ if (flags & ~VALID_OPENAT2_FLAGS)
return -EINVAL;
if (how->resolve & ~VALID_RESOLVE_FLAGS)
return -EINVAL;
@@ -1234,6 +1234,8 @@ inline int build_open_flags(const struct open_how *how, struct open_flags *op)
return -EINVAL;
if (!(acc_mode & MAY_WRITE))
return -EINVAL;
+ } else if ((flags & O_DIRECTORY) && (flags & OPENAT2_REGULAR)) {
+ return -EINVAL;
}
if (flags & O_PATH) {
/* O_PATH only permits certain other flags to be set. */
diff --git a/fs/smb/client/dir.c b/fs/smb/client/dir.c
index 953f1fee8cb8..355681ebacf1 100644
--- a/fs/smb/client/dir.c
+++ b/fs/smb/client/dir.c
@@ -222,6 +222,13 @@ static int cifs_do_create(struct inode *inode, struct dentry *direntry, unsigned
goto cifs_create_get_file_info;
}
+ if ((oflags & OPENAT2_REGULAR) && !S_ISREG(newinode->i_mode)) {
+ CIFSSMBClose(xid, tcon, fid->netfid);
+ iput(newinode);
+ rc = -EFTYPE;
+ goto out;
+ }
+
if (S_ISDIR(newinode->i_mode)) {
CIFSSMBClose(xid, tcon, fid->netfid);
iput(newinode);
@@ -436,11 +443,16 @@ static int cifs_do_create(struct inode *inode, struct dentry *direntry, unsigned
goto out_err;
}
- if (newinode)
+ if (newinode) {
+ if ((oflags & OPENAT2_REGULAR) && !S_ISREG(newinode->i_mode)) {
+ rc = -EFTYPE;
+ goto out_err;
+ }
if (S_ISDIR(newinode->i_mode)) {
rc = -EISDIR;
goto out_err;
}
+ }
d_drop(direntry);
d_add(direntry, newinode);
diff --git a/include/linux/fcntl.h b/include/linux/fcntl.h
index d1bb87ff70e3..a6c692773af8 100644
--- a/include/linux/fcntl.h
+++ b/include/linux/fcntl.h
@@ -15,6 +15,8 @@
/* upper 32-bit flags (openat2(2) only) */ \
OPENAT2_EMPTY_PATH)
+#define VALID_OPENAT2_FLAGS (VALID_OPEN_FLAGS | OPENAT2_REGULAR)
+
/* List of all valid flags for the how->resolve argument: */
#define VALID_RESOLVE_FLAGS \
(RESOLVE_NO_XDEV | RESOLVE_NO_MAGICLINKS | RESOLVE_NO_SYMLINKS | \
diff --git a/include/uapi/asm-generic/errno.h b/include/uapi/asm-generic/errno.h
index 92e7ae493ee3..bd78e69e0a43 100644
--- a/include/uapi/asm-generic/errno.h
+++ b/include/uapi/asm-generic/errno.h
@@ -122,4 +122,6 @@
#define EHWPOISON 133 /* Memory page has hardware error */
+#define EFTYPE 134 /* Wrong file type for the intended operation */
+
#endif
diff --git a/include/uapi/asm-generic/fcntl.h b/include/uapi/asm-generic/fcntl.h
index 613475285643..b2c2ddd0edc0 100644
--- a/include/uapi/asm-generic/fcntl.h
+++ b/include/uapi/asm-generic/fcntl.h
@@ -88,6 +88,10 @@
#define __O_TMPFILE 020000000
#endif
+#ifndef OPENAT2_REGULAR
+#define OPENAT2_REGULAR 040000000
+#endif
+
/* a horrid kludge trying to make sure that this will fail on old kernels */
#define O_TMPFILE (__O_TMPFILE | O_DIRECTORY)
diff --git a/tools/arch/alpha/include/uapi/asm/errno.h b/tools/arch/alpha/include/uapi/asm/errno.h
index 6791f6508632..1a99f38813c7 100644
--- a/tools/arch/alpha/include/uapi/asm/errno.h
+++ b/tools/arch/alpha/include/uapi/asm/errno.h
@@ -127,4 +127,6 @@
#define EHWPOISON 139 /* Memory page has hardware error */
+#define EFTYPE 140 /* Wrong file type for the intended operation */
+
#endif
diff --git a/tools/arch/mips/include/uapi/asm/errno.h b/tools/arch/mips/include/uapi/asm/errno.h
index c01ed91b1ef4..1835a50b69ce 100644
--- a/tools/arch/mips/include/uapi/asm/errno.h
+++ b/tools/arch/mips/include/uapi/asm/errno.h
@@ -126,6 +126,8 @@
#define EHWPOISON 168 /* Memory page has hardware error */
+#define EFTYPE 169 /* Wrong file type for the intended operation */
+
#define EDQUOT 1133 /* Quota exceeded */
diff --git a/tools/arch/parisc/include/uapi/asm/errno.h b/tools/arch/parisc/include/uapi/asm/errno.h
index 8cbc07c1903e..93194fbb0a80 100644
--- a/tools/arch/parisc/include/uapi/asm/errno.h
+++ b/tools/arch/parisc/include/uapi/asm/errno.h
@@ -124,4 +124,6 @@
#define EHWPOISON 257 /* Memory page has hardware error */
+#define EFTYPE 258 /* Wrong file type for the intended operation */
+
#endif
diff --git a/tools/arch/sparc/include/uapi/asm/errno.h b/tools/arch/sparc/include/uapi/asm/errno.h
index 4a41e7835fd5..71940ec9130b 100644
--- a/tools/arch/sparc/include/uapi/asm/errno.h
+++ b/tools/arch/sparc/include/uapi/asm/errno.h
@@ -117,4 +117,6 @@
#define EHWPOISON 135 /* Memory page has hardware error */
+#define EFTYPE 136 /* Wrong file type for the intended operation */
+
#endif
diff --git a/tools/include/uapi/asm-generic/errno.h b/tools/include/uapi/asm-generic/errno.h
index 92e7ae493ee3..bd78e69e0a43 100644
--- a/tools/include/uapi/asm-generic/errno.h
+++ b/tools/include/uapi/asm-generic/errno.h
@@ -122,4 +122,6 @@
#define EHWPOISON 133 /* Memory page has hardware error */
+#define EFTYPE 134 /* Wrong file type for the intended operation */
+
#endif
--
2.53.0On Sat, 2026-03-07 at 20:06 +0600, Dorjoy Chowdhury wrote: > This flag indicates the path should be opened if it's a regular file. > This is useful to write secure programs that want to avoid being > tricked into opening device nodes with special semantics while thinking > they operate on regular files. This is a requested feature from the > uapi-group[1]. > > A corresponding error code EFTYPE has been introduced. For example, if > openat2 is called on path /dev/null with OPENAT2_REGULAR in the flag > param, it will return -EFTYPE. EFTYPE is already used in BSD systems > like FreeBSD, macOS. > > When used in combination with O_CREAT, either the regular file is > created, or if the path already exists, it is opened if it's a regular > file. Otherwise, -EFTYPE is returned. > > When OPENAT2_REGULAR is combined with O_DIRECTORY, -EINVAL is returned > as it doesn't make sense to open a path that is both a directory and a > regular file. > > [1]: https://uapi-group.org/kernel-features/#ability-to-only-open-regular-files > > Signed-off-by: Dorjoy Chowdhury <dorjoychy111@gmail.com> > --- > arch/alpha/include/uapi/asm/errno.h | 2 ++ > arch/alpha/include/uapi/asm/fcntl.h | 1 + > arch/mips/include/uapi/asm/errno.h | 2 ++ > arch/parisc/include/uapi/asm/errno.h | 2 ++ > arch/parisc/include/uapi/asm/fcntl.h | 1 + > arch/sparc/include/uapi/asm/errno.h | 2 ++ > arch/sparc/include/uapi/asm/fcntl.h | 1 + > fs/ceph/file.c | 4 ++++ > fs/gfs2/inode.c | 6 ++++++ > fs/namei.c | 4 ++++ > fs/nfs/dir.c | 4 ++++ > fs/open.c | 4 +++- > fs/smb/client/dir.c | 14 +++++++++++++- > include/linux/fcntl.h | 2 ++ > include/uapi/asm-generic/errno.h | 2 ++ > include/uapi/asm-generic/fcntl.h | 4 ++++ > tools/arch/alpha/include/uapi/asm/errno.h | 2 ++ > tools/arch/mips/include/uapi/asm/errno.h | 2 ++ > tools/arch/parisc/include/uapi/asm/errno.h | 2 ++ > tools/arch/sparc/include/uapi/asm/errno.h | 2 ++ > tools/include/uapi/asm-generic/errno.h | 2 ++ > 21 files changed, 63 insertions(+), 2 deletions(-) > > I pointed Claude at this patch and got this back. Both issues that it found will need to be fixed: Analysis Summary Commit: 7e7fa2653ca57 - openat2: new OPENAT2_REGULAR flag support This patch adds a new OPENAT2_REGULAR flag for openat2() that restricts opens to regular files only, returning a new EFTYPE errno for non-regular files. It adds filesystem-specific checks in ceph, gfs2, nfs, and cifs atomic_open paths, plus a VFS-level fallback in do_open(). Issues found: 1. OPENAT2_REGULAR leaks into f_flags - do_dentry_open() strips open-time-only flags (O_CREAT|O_EXCL|O_NOCTTY|O_TRUNC) but does not strip OPENAT2_REGULAR. When a regular file is successfully opened via openat2() with this flag, the bit persists in file->f_flags and will be returned by fcntl(fd, F_GETFL). 2. BUILD_BUG_ON not updated - The compile-time guard checks upper_32_bits(VALID_OPEN_FLAGS) but the code now accepts VALID_OPENAT2_FLAGS. The guard should cover the expanded flag set. Verified correct: - All hex→octal conversions in MIPS and SPARC fcntl.h are numerically correct - Legacy open()/openat() properly strips OPENAT2_REGULAR via build_open_how() masking with VALID_OPEN_FLAGS - All filesystem cleanup paths (ceph, gfs2, nfs, cifs) properly handle resources when returning -EFTYPE - O_DIRECTORY + OPENAT2_REGULAR mutual exclusion is correct - O_PATH + OPENAT2_REGULAR is properly rejected by O_PATH_FLAGS check Ruled out: - NFS -ENOTDIR to -EFTYPE conversion: in atomic_open context, parent path is VFS-resolved, server errors relate to target - CIFS resource leak: out_err label properly closes server handle and calls iput() - OPENAT2_REGULAR + O_TMPFILE: silently accepted but tmpfiles are always regular, so harmless FINAL REGRESSIONS FOUND: 2 FINAL TOKENS USED: ~45000 False positives eliminated: NFS -ENOTDIR conversion, CIFS resource leak, O_TMPFILE interaction Cheers, -- Jeff Layton <jlayton@kernel.org>
On Mon, Mar 16, 2026 at 10:53 PM Jeff Layton <jlayton@kernel.org> wrote: > > On Sat, 2026-03-07 at 20:06 +0600, Dorjoy Chowdhury wrote: > > This flag indicates the path should be opened if it's a regular file. > > This is useful to write secure programs that want to avoid being > > tricked into opening device nodes with special semantics while thinking > > they operate on regular files. This is a requested feature from the > > uapi-group[1]. > > > > A corresponding error code EFTYPE has been introduced. For example, if > > openat2 is called on path /dev/null with OPENAT2_REGULAR in the flag > > param, it will return -EFTYPE. EFTYPE is already used in BSD systems > > like FreeBSD, macOS. > > > > When used in combination with O_CREAT, either the regular file is > > created, or if the path already exists, it is opened if it's a regular > > file. Otherwise, -EFTYPE is returned. > > > > When OPENAT2_REGULAR is combined with O_DIRECTORY, -EINVAL is returned > > as it doesn't make sense to open a path that is both a directory and a > > regular file. > > > > [1]: https://uapi-group.org/kernel-features/#ability-to-only-open-regular-files > > > > Signed-off-by: Dorjoy Chowdhury <dorjoychy111@gmail.com> > > --- > > arch/alpha/include/uapi/asm/errno.h | 2 ++ > > arch/alpha/include/uapi/asm/fcntl.h | 1 + > > arch/mips/include/uapi/asm/errno.h | 2 ++ > > arch/parisc/include/uapi/asm/errno.h | 2 ++ > > arch/parisc/include/uapi/asm/fcntl.h | 1 + > > arch/sparc/include/uapi/asm/errno.h | 2 ++ > > arch/sparc/include/uapi/asm/fcntl.h | 1 + > > fs/ceph/file.c | 4 ++++ > > fs/gfs2/inode.c | 6 ++++++ > > fs/namei.c | 4 ++++ > > fs/nfs/dir.c | 4 ++++ > > fs/open.c | 4 +++- > > fs/smb/client/dir.c | 14 +++++++++++++- > > include/linux/fcntl.h | 2 ++ > > include/uapi/asm-generic/errno.h | 2 ++ > > include/uapi/asm-generic/fcntl.h | 4 ++++ > > tools/arch/alpha/include/uapi/asm/errno.h | 2 ++ > > tools/arch/mips/include/uapi/asm/errno.h | 2 ++ > > tools/arch/parisc/include/uapi/asm/errno.h | 2 ++ > > tools/arch/sparc/include/uapi/asm/errno.h | 2 ++ > > tools/include/uapi/asm-generic/errno.h | 2 ++ > > 21 files changed, 63 insertions(+), 2 deletions(-) > > > > > > I pointed Claude at this patch and got this back. Both issues that it > found will need to be fixed: > > Analysis Summary > > Commit: 7e7fa2653ca57 - openat2: new OPENAT2_REGULAR flag support > > This patch adds a new OPENAT2_REGULAR flag for openat2() that restricts opens to regular files only, returning a new > EFTYPE errno for non-regular files. It adds filesystem-specific checks in ceph, gfs2, nfs, and cifs atomic_open paths, > plus a VFS-level fallback in do_open(). > > Issues found: > > 1. OPENAT2_REGULAR leaks into f_flags - do_dentry_open() strips open-time-only flags (O_CREAT|O_EXCL|O_NOCTTY|O_TRUNC) > but does not strip OPENAT2_REGULAR. When a regular file is successfully opened via openat2() with this flag, the bit > persists in file->f_flags and will be returned by fcntl(fd, F_GETFL). > 2. BUILD_BUG_ON not updated - The compile-time guard checks upper_32_bits(VALID_OPEN_FLAGS) but the code now accepts > VALID_OPENAT2_FLAGS. The guard should cover the expanded flag set. > Good catches! I guess for issue 1 I need to modify the line in do_dentry_open implementation to f->f_flags &= ~(O_CREAT | O_EXCL | O_NOCTTY | O_TRUNC | OPENAT2_REGULAR); right? And for issue 2, I should change the VALID_OPEN_FLAGS to VALID_OPENAT2_FLAGS in both build_open_flags in fs/open.c and in fcntl_init in fs/fcntl.c, correct? Regards, Dorjoy
On Sat, Mar 7, 2026 at 6:09 AM Dorjoy Chowdhury <dorjoychy111@gmail.com> wrote: > > This flag indicates the path should be opened if it's a regular file. > This is useful to write secure programs that want to avoid being > tricked into opening device nodes with special semantics while thinking > they operate on regular files. This is a requested feature from the > uapi-group[1]. > I think this needs a lot more clarification as to what "regular" means. If it's literally > A corresponding error code EFTYPE has been introduced. For example, if > openat2 is called on path /dev/null with OPENAT2_REGULAR in the flag > param, it will return -EFTYPE. EFTYPE is already used in BSD systems > like FreeBSD, macOS. I think this needs more clarification as to what "regular" means, since S_IFREG may not be sufficient. The UAPI group page says: Use-Case: this would be very useful to write secure programs that want to avoid being tricked into opening device nodes with special semantics while thinking they operate on regular files. This is particularly relevant as many device nodes (or even FIFOs) come with blocking I/O (or even blocking open()!) by default, which is not expected from regular files backed by “fast” disk I/O. Consider implementation of a naive web browser which is pointed to file://dev/zero, not expecting an endless amount of data to read. What about procfs? What about sysfs? What about /proc/self/fd/17 where that fd is a memfd? What about files backed by non-"fast" disk I/O like something on a flaky USB stick or a network mount or FUSE? Are we concerned about blocking open? (open blocks as a matter of course.) Are we concerned about open having strange side effects? Are we concerned about write having strange side effects? Are we concerned about cases where opening the file as root results in elevated privilege beyond merely gaining the ability to write to that specific path on an ordinary filesystem? --Andy
On Sat, 2026-03-07 at 10:56 -0800, Andy Lutomirski wrote: > On Sat, Mar 7, 2026 at 6:09 AM Dorjoy Chowdhury <dorjoychy111@gmail.com> wrote: > > > > This flag indicates the path should be opened if it's a regular file. > > This is useful to write secure programs that want to avoid being > > tricked into opening device nodes with special semantics while thinking > > they operate on regular files. This is a requested feature from the > > uapi-group[1]. > > > > I think this needs a lot more clarification as to what "regular" > means. If it's literally > > > A corresponding error code EFTYPE has been introduced. For example, if > > openat2 is called on path /dev/null with OPENAT2_REGULAR in the flag > > param, it will return -EFTYPE. EFTYPE is already used in BSD systems > > like FreeBSD, macOS. > > I think this needs more clarification as to what "regular" means, > since S_IFREG may not be sufficient. The UAPI group page says: > > Use-Case: this would be very useful to write secure programs that want > to avoid being tricked into opening device nodes with special > semantics while thinking they operate on regular files. This is > particularly relevant as many device nodes (or even FIFOs) come with > blocking I/O (or even blocking open()!) by default, which is not > expected from regular files backed by “fast” disk I/O. Consider > implementation of a naive web browser which is pointed to > file://dev/zero, not expecting an endless amount of data to read. > > What about procfs? What about sysfs? What about /proc/self/fd/17 > where that fd is a memfd? What about files backed by non-"fast" disk > I/O like something on a flaky USB stick or a network mount or FUSE? > > Are we concerned about blocking open? (open blocks as a matter of > course.) Are we concerned about open having strange side effects? > Are we concerned about write having strange side effects? Are we > concerned about cases where opening the file as root results in > elevated privilege beyond merely gaining the ability to write to that > specific path on an ordinary filesystem? > Above the use-case, it also says: "O_REGULAR (inspired by the existing O_DIRECTORY flag for open()), which opens a file only if it is of type S_IFREG." Since we allow programs to open a directory under /proc or /sys using O_DIRECTORY, I don't think we should do anything different here. To the VFS, all of the examples you gave above are S_IFREG "regular files", even if they are backed by something quite irregular. -- Jeff Layton <jlayton@kernel.org>
On Sun, Mar 8, 2026 at 4:40 AM Jeff Layton <jlayton@kernel.org> wrote: > > On Sat, 2026-03-07 at 10:56 -0800, Andy Lutomirski wrote: > > On Sat, Mar 7, 2026 at 6:09 AM Dorjoy Chowdhury <dorjoychy111@gmail.com> wrote: > > > > > > This flag indicates the path should be opened if it's a regular file. > > > This is useful to write secure programs that want to avoid being > > > tricked into opening device nodes with special semantics while thinking > > > they operate on regular files. This is a requested feature from the > > > uapi-group[1]. > > > > > > > I think this needs a lot more clarification as to what "regular" > > means. If it's literally > > > > > A corresponding error code EFTYPE has been introduced. For example, if > > > openat2 is called on path /dev/null with OPENAT2_REGULAR in the flag > > > param, it will return -EFTYPE. EFTYPE is already used in BSD systems > > > like FreeBSD, macOS. > > > > I think this needs more clarification as to what "regular" means, > > since S_IFREG may not be sufficient. The UAPI group page says: > > > > Use-Case: this would be very useful to write secure programs that want > > to avoid being tricked into opening device nodes with special > > semantics while thinking they operate on regular files. This is > > particularly relevant as many device nodes (or even FIFOs) come with > > blocking I/O (or even blocking open()!) by default, which is not > > expected from regular files backed by “fast” disk I/O. Consider > > implementation of a naive web browser which is pointed to > > file://dev/zero, not expecting an endless amount of data to read. > > > > What about procfs? What about sysfs? What about /proc/self/fd/17 > > where that fd is a memfd? What about files backed by non-"fast" disk > > I/O like something on a flaky USB stick or a network mount or FUSE? > > > > Are we concerned about blocking open? (open blocks as a matter of > > course.) Are we concerned about open having strange side effects? > > Are we concerned about write having strange side effects? Are we > > concerned about cases where opening the file as root results in > > elevated privilege beyond merely gaining the ability to write to that > > specific path on an ordinary filesystem? > > > > Above the use-case, it also says: > > "O_REGULAR (inspired by the existing O_DIRECTORY flag for open()), > which opens a file only if it is of type S_IFREG." > > Since we allow programs to open a directory under /proc or /sys using > O_DIRECTORY, I don't think we should do anything different here. To the > VFS, all of the examples you gave above are S_IFREG "regular files", > even if they are backed by something quite irregular. That's certainly a valid and consistent way to define this, but is it useful? --Andy
On Sun, Mar 08, 2026 at 10:10:05AM -0700, Andy Lutomirski wrote: > On Sun, Mar 8, 2026 at 4:40 AM Jeff Layton <jlayton@kernel.org> wrote: > > > > On Sat, 2026-03-07 at 10:56 -0800, Andy Lutomirski wrote: > > > On Sat, Mar 7, 2026 at 6:09 AM Dorjoy Chowdhury <dorjoychy111@gmail.com> wrote: > > > > > > > > This flag indicates the path should be opened if it's a regular file. > > > > This is useful to write secure programs that want to avoid being > > > > tricked into opening device nodes with special semantics while thinking > > > > they operate on regular files. This is a requested feature from the > > > > uapi-group[1]. > > > > > > > > > > I think this needs a lot more clarification as to what "regular" > > > means. If it's literally > > > > > > > A corresponding error code EFTYPE has been introduced. For example, if > > > > openat2 is called on path /dev/null with OPENAT2_REGULAR in the flag > > > > param, it will return -EFTYPE. EFTYPE is already used in BSD systems > > > > like FreeBSD, macOS. > > > > > > I think this needs more clarification as to what "regular" means, > > > since S_IFREG may not be sufficient. The UAPI group page says: > > > > > > Use-Case: this would be very useful to write secure programs that want > > > to avoid being tricked into opening device nodes with special > > > semantics while thinking they operate on regular files. This is > > > particularly relevant as many device nodes (or even FIFOs) come with > > > blocking I/O (or even blocking open()!) by default, which is not > > > expected from regular files backed by “fast” disk I/O. Consider > > > implementation of a naive web browser which is pointed to > > > file://dev/zero, not expecting an endless amount of data to read. > > > > > > What about procfs? What about sysfs? What about /proc/self/fd/17 > > > where that fd is a memfd? What about files backed by non-"fast" disk > > > I/O like something on a flaky USB stick or a network mount or FUSE? > > > > > > Are we concerned about blocking open? (open blocks as a matter of > > > course.) Are we concerned about open having strange side effects? > > > Are we concerned about write having strange side effects? Are we > > > concerned about cases where opening the file as root results in > > > elevated privilege beyond merely gaining the ability to write to that > > > specific path on an ordinary filesystem? I think this is opening up a barrage of question that I'm not sure are all that useful. The ability to only open regular file isn't intended to defend against hung FUSE or NFS servers or other random Linux special-sauce murder-suicide file descriptor traps. For a lot of those we have O_PATH which can easily function with the new extension. A lot of the other special-sauce files (most anonymous inode fds) cannot even be reopened via e.g., /proc.
On 2026-03-09, Christian Brauner <brauner@kernel.org> wrote: > > > On Sat, 2026-03-07 at 10:56 -0800, Andy Lutomirski wrote: > > > > I think this needs more clarification as to what "regular" means, > > > > since S_IFREG may not be sufficient. The UAPI group page says: > > > > > > > > Use-Case: this would be very useful to write secure programs that want > > > > to avoid being tricked into opening device nodes with special > > > > semantics while thinking they operate on regular files. This is > > > > particularly relevant as many device nodes (or even FIFOs) come with > > > > blocking I/O (or even blocking open()!) by default, which is not > > > > expected from regular files backed by “fast” disk I/O. Consider > > > > implementation of a naive web browser which is pointed to > > > > file://dev/zero, not expecting an endless amount of data to read. > > > > > > > > What about procfs? What about sysfs? What about /proc/self/fd/17 > > > > where that fd is a memfd? What about files backed by non-"fast" disk > > > > I/O like something on a flaky USB stick or a network mount or FUSE? > > > > > > > > Are we concerned about blocking open? (open blocks as a matter of > > > > course.) Are we concerned about open having strange side effects? > > > > Are we concerned about write having strange side effects? Are we > > > > concerned about cases where opening the file as root results in > > > > elevated privilege beyond merely gaining the ability to write to that > > > > specific path on an ordinary filesystem? > > I think this is opening up a barrage of question that I'm not sure are > all that useful. The ability to only open regular file isn't intended to > defend against hung FUSE or NFS servers or other random Linux > special-sauce murder-suicide file descriptor traps. For a lot of those > we have O_PATH which can easily function with the new extension. A lot > of the other special-sauce files (most anonymous inode fds) cannot even > be reopened via e.g., /proc. Indeed, I see OPENAT2_REGULAR as a way of optimising the tedious checks that userspace does using O_PATH+/proc/self/fd/$n re-opening when dealing with regular files. For the problem of stuck NFS handles and so on, an idea I've had on my backlog for a long time was RESOLVE_NO_REMOTE that would block those kinds of things. IMHO it doesn't make sense to block those things with an O_* flag because (especially in the NFS example) directory components can also cause the syscall to block indefinitely and so RESOLVE_* flags make more sense for this anyway. But in my mind this is a separate problem to OPENAT2_REGULAR. -- Aleksa Sarai https://www.cyphar.com/
On Tue, Mar 10, 2026 at 9:49 PM Aleksa Sarai <cyphar@cyphar.com> wrote: > > On 2026-03-09, Christian Brauner <brauner@kernel.org> wrote: > > > > On Sat, 2026-03-07 at 10:56 -0800, Andy Lutomirski wrote: > > > > > I think this needs more clarification as to what "regular" means, > > > > > since S_IFREG may not be sufficient. The UAPI group page says: > > > > > > > > > > Use-Case: this would be very useful to write secure programs that want > > > > > to avoid being tricked into opening device nodes with special > > > > > semantics while thinking they operate on regular files. This is > > > > > particularly relevant as many device nodes (or even FIFOs) come with > > > > > blocking I/O (or even blocking open()!) by default, which is not > > > > > expected from regular files backed by “fast” disk I/O. Consider > > > > > implementation of a naive web browser which is pointed to > > > > > file://dev/zero, not expecting an endless amount of data to read. > > > > > > > > > > What about procfs? What about sysfs? What about /proc/self/fd/17 > > > > > where that fd is a memfd? What about files backed by non-"fast" disk > > > > > I/O like something on a flaky USB stick or a network mount or FUSE? > > > > > > > > > > Are we concerned about blocking open? (open blocks as a matter of > > > > > course.) Are we concerned about open having strange side effects? > > > > > Are we concerned about write having strange side effects? Are we > > > > > concerned about cases where opening the file as root results in > > > > > elevated privilege beyond merely gaining the ability to write to that > > > > > specific path on an ordinary filesystem? > > > > I think this is opening up a barrage of question that I'm not sure are > > all that useful. The ability to only open regular file isn't intended to > > defend against hung FUSE or NFS servers or other random Linux > > special-sauce murder-suicide file descriptor traps. For a lot of those > > we have O_PATH which can easily function with the new extension. A lot > > of the other special-sauce files (most anonymous inode fds) cannot even > > be reopened via e.g., /proc. > > Indeed, I see OPENAT2_REGULAR as a way of optimising the tedious checks > that userspace does using O_PATH+/proc/self/fd/$n re-opening when > dealing with regular files. Can you give a brief decription or a link to what these checks are and what problem they solve? --Andy
On 2026-03-11, Andy Lutomirski <luto@amacapital.net> wrote: > On Tue, Mar 10, 2026 at 9:49 PM Aleksa Sarai <cyphar@cyphar.com> wrote: > > > > On 2026-03-09, Christian Brauner <brauner@kernel.org> wrote: > > > > > On Sat, 2026-03-07 at 10:56 -0800, Andy Lutomirski wrote: > > > > > > I think this needs more clarification as to what "regular" means, > > > > > > since S_IFREG may not be sufficient. The UAPI group page says: > > > > > > > > > > > > Use-Case: this would be very useful to write secure programs that want > > > > > > to avoid being tricked into opening device nodes with special > > > > > > semantics while thinking they operate on regular files. This is > > > > > > particularly relevant as many device nodes (or even FIFOs) come with > > > > > > blocking I/O (or even blocking open()!) by default, which is not > > > > > > expected from regular files backed by “fast” disk I/O. Consider > > > > > > implementation of a naive web browser which is pointed to > > > > > > file://dev/zero, not expecting an endless amount of data to read. > > > > > > > > > > > > What about procfs? What about sysfs? What about /proc/self/fd/17 > > > > > > where that fd is a memfd? What about files backed by non-"fast" disk > > > > > > I/O like something on a flaky USB stick or a network mount or FUSE? > > > > > > > > > > > > Are we concerned about blocking open? (open blocks as a matter of > > > > > > course.) Are we concerned about open having strange side effects? > > > > > > Are we concerned about write having strange side effects? Are we > > > > > > concerned about cases where opening the file as root results in > > > > > > elevated privilege beyond merely gaining the ability to write to that > > > > > > specific path on an ordinary filesystem? > > > > > > I think this is opening up a barrage of question that I'm not sure are > > > all that useful. The ability to only open regular file isn't intended to > > > defend against hung FUSE or NFS servers or other random Linux > > > special-sauce murder-suicide file descriptor traps. For a lot of those > > > we have O_PATH which can easily function with the new extension. A lot > > > of the other special-sauce files (most anonymous inode fds) cannot even > > > be reopened via e.g., /proc. > > > > Indeed, I see OPENAT2_REGULAR as a way of optimising the tedious checks > > that userspace does using O_PATH+/proc/self/fd/$n re-opening when > > dealing with regular files. > > Can you give a brief decription or a link to what these checks are and > what problem they solve? There are a few variations, but in this particular case they are just doing fstat() and then checking whether the file is a regular file (i.e., S_IFREG) or not. A container rootfs can contain arbitrary files (because container images are just tar archives, usually with no restrictions on inodes -- a fair few container runtimes assume that the devices cgroup is sufficient to protect against the container overwriting your rootfs). The S_IFREG check avoids an administrative process from being tricked into opening a block device or an endlessly-streaming FIFO -- if you also use RESOLVE_NO_XDEV you can also make sure that you don't land on procfs or sysfs by accident. I will say that in a previous version of this patchset I said that I would prefer this be done with an allow-bitmask of S_IFMT rather than a single O_REGULAR toggle -- this would allow for usecases such as "only open a regular file or directory" (inode_type_can_chattr() from systemd is a practical example of this kind of usage) or "anything except for block/char devices", but the definition of S_IFBLK (S_IFCHR|S_IFDIR) makes this a little too ugly. :/ -- Aleksa Sarai https://www.cyphar.com/
On Mon, Mar 9, 2026 at 1:58 AM Christian Brauner <brauner@kernel.org> wrote: > > On Sun, Mar 08, 2026 at 10:10:05AM -0700, Andy Lutomirski wrote: > > On Sun, Mar 8, 2026 at 4:40 AM Jeff Layton <jlayton@kernel.org> wrote: > > > > > > On Sat, 2026-03-07 at 10:56 -0800, Andy Lutomirski wrote: > > > > On Sat, Mar 7, 2026 at 6:09 AM Dorjoy Chowdhury <dorjoychy111@gmail.com> wrote: > > > > > > > > > > This flag indicates the path should be opened if it's a regular file. > > > > > This is useful to write secure programs that want to avoid being > > > > > tricked into opening device nodes with special semantics while thinking > > > > > they operate on regular files. This is a requested feature from the > > > > > uapi-group[1]. > > > > > > > > > > > > > I think this needs a lot more clarification as to what "regular" > > > > means. If it's literally > > > > > > > > > A corresponding error code EFTYPE has been introduced. For example, if > > > > > openat2 is called on path /dev/null with OPENAT2_REGULAR in the flag > > > > > param, it will return -EFTYPE. EFTYPE is already used in BSD systems > > > > > like FreeBSD, macOS. > > > > > > > > I think this needs more clarification as to what "regular" means, > > > > since S_IFREG may not be sufficient. The UAPI group page says: > > > > > > > > Use-Case: this would be very useful to write secure programs that want > > > > to avoid being tricked into opening device nodes with special > > > > semantics while thinking they operate on regular files. This is > > > > particularly relevant as many device nodes (or even FIFOs) come with > > > > blocking I/O (or even blocking open()!) by default, which is not > > > > expected from regular files backed by “fast” disk I/O. Consider > > > > implementation of a naive web browser which is pointed to > > > > file://dev/zero, not expecting an endless amount of data to read. > > > > > > > > What about procfs? What about sysfs? What about /proc/self/fd/17 > > > > where that fd is a memfd? What about files backed by non-"fast" disk > > > > I/O like something on a flaky USB stick or a network mount or FUSE? > > > > > > > > Are we concerned about blocking open? (open blocks as a matter of > > > > course.) Are we concerned about open having strange side effects? > > > > Are we concerned about write having strange side effects? Are we > > > > concerned about cases where opening the file as root results in > > > > elevated privilege beyond merely gaining the ability to write to that > > > > specific path on an ordinary filesystem? > > I think this is opening up a barrage of question that I'm not sure are > all that useful. The ability to only open regular file isn't intended to > defend against hung FUSE or NFS servers or other random Linux > special-sauce murder-suicide file descriptor traps. For a lot of those > we have O_PATH which can easily function with the new extension. A lot > of the other special-sauce files (most anonymous inode fds) cannot even > be reopened via e.g., /proc. On the flip side, /proc itself can certainly be opened. Should O_REGULAR be able to open the more magical /proc and /sys files? Are there any that are problematic? --Andy
On Mon, Mar 09, 2026 at 09:50:18AM -0700, Andy Lutomirski wrote:
> On Mon, Mar 9, 2026 at 1:58 AM Christian Brauner <brauner@kernel.org> wrote:
> >
> > On Sun, Mar 08, 2026 at 10:10:05AM -0700, Andy Lutomirski wrote:
> > > On Sun, Mar 8, 2026 at 4:40 AM Jeff Layton <jlayton@kernel.org> wrote:
> > > >
> > > > On Sat, 2026-03-07 at 10:56 -0800, Andy Lutomirski wrote:
> > > > > On Sat, Mar 7, 2026 at 6:09 AM Dorjoy Chowdhury <dorjoychy111@gmail.com> wrote:
> > > > > >
> > > > > > This flag indicates the path should be opened if it's a regular file.
> > > > > > This is useful to write secure programs that want to avoid being
> > > > > > tricked into opening device nodes with special semantics while thinking
> > > > > > they operate on regular files. This is a requested feature from the
> > > > > > uapi-group[1].
> > > > > >
> > > > >
> > > > > I think this needs a lot more clarification as to what "regular"
> > > > > means. If it's literally
> > > > >
> > > > > > A corresponding error code EFTYPE has been introduced. For example, if
> > > > > > openat2 is called on path /dev/null with OPENAT2_REGULAR in the flag
> > > > > > param, it will return -EFTYPE. EFTYPE is already used in BSD systems
> > > > > > like FreeBSD, macOS.
> > > > >
> > > > > I think this needs more clarification as to what "regular" means,
> > > > > since S_IFREG may not be sufficient. The UAPI group page says:
> > > > >
> > > > > Use-Case: this would be very useful to write secure programs that want
> > > > > to avoid being tricked into opening device nodes with special
> > > > > semantics while thinking they operate on regular files. This is
> > > > > particularly relevant as many device nodes (or even FIFOs) come with
> > > > > blocking I/O (or even blocking open()!) by default, which is not
> > > > > expected from regular files backed by “fast” disk I/O. Consider
> > > > > implementation of a naive web browser which is pointed to
> > > > > file://dev/zero, not expecting an endless amount of data to read.
> > > > >
> > > > > What about procfs? What about sysfs? What about /proc/self/fd/17
> > > > > where that fd is a memfd? What about files backed by non-"fast" disk
> > > > > I/O like something on a flaky USB stick or a network mount or FUSE?
> > > > >
> > > > > Are we concerned about blocking open? (open blocks as a matter of
> > > > > course.) Are we concerned about open having strange side effects?
> > > > > Are we concerned about write having strange side effects? Are we
> > > > > concerned about cases where opening the file as root results in
> > > > > elevated privilege beyond merely gaining the ability to write to that
> > > > > specific path on an ordinary filesystem?
> >
> > I think this is opening up a barrage of question that I'm not sure are
> > all that useful. The ability to only open regular file isn't intended to
> > defend against hung FUSE or NFS servers or other random Linux
> > special-sauce murder-suicide file descriptor traps. For a lot of those
> > we have O_PATH which can easily function with the new extension. A lot
> > of the other special-sauce files (most anonymous inode fds) cannot even
> > be reopened via e.g., /proc.
>
> On the flip side, /proc itself can certainly be opened. Should
> O_REGULAR be able to open the more magical /proc and /sys files? Are
> there any that are problematic?
If procfs job isn't to provide problematic files to userspace I'm not
sure what it is. Joking aside, I think in general you are of course
right that procfs is full of files that under a very strict
interpretation of "regular file" should absolutely not count as a
regular file. sysfs probably as well and let's ignore debugfs and
tracefs and all the other magic filesystems or files.
In general, Linux has been so loosey-goosey with "regular file" for such
a long-time that making OPENAT2_REGULAR come up with some strict
definition of "this is a regular file - no really, pinky-promise a
regular one" - is just doomed to fail.
The other problem is that we cannot reasonably determine what odd file
the user really wanted to defend against opening with OPENAT2_REGULAR.
A caller may really want to open /proc/kmsg and just be sure that
someone didn't overmount it with a fifo (systemd does that in containers
iirc).
My personal "hot take" is that adding an api built around a regular file
with immediate irreversible side-effects for the caller on VFS
syscall-based open [1] is a bug. Such broken semantics is what ioctl()s
are for.
[1]: I mean specifically open(), openat2() etc. I'm excluding all
dedicated APIs that return file descriptors that cannot be reopened
via regular lookup.
From my pov, what would help is if one had a flexible way to scope opens
on e.g., filesystem. But imo, that is not policy the kernel can
reasonably express at the syscall api layer - it would look fugly as
hell and how many other knobs would we have to add to satisfy all needs.
I think that is best left to an lsm hooking into security_file_open()
which can maintain a map of files and filesystems to allow or deny - a
bpf lsm can do this quite nicely.
* Andy Lutomirski: > On the flip side, /proc itself can certainly be opened. Should > O_REGULAR be able to open the more magical /proc and /sys files? Are > there any that are problematic? It seems reading from /proc/kmsg is destructive. The file doesn't have an end, either. It's more like a character device. Apparently, /sys/kernel/tracing/trace_pipe is similar in that regard. Maybe that's sufficient reason for blocking access? Although the side effect does not happen on open. The other issue is the incorrect size reporting in stat, which affects most (all?) files under /proc and /sys. Userspace has already to around that, though. Thanks, Florian
On Sun, Mar 8, 2026 at 12:56 AM Andy Lutomirski <luto@amacapital.net> wrote: > > On Sat, Mar 7, 2026 at 6:09 AM Dorjoy Chowdhury <dorjoychy111@gmail.com> wrote: > > > > This flag indicates the path should be opened if it's a regular file. > > This is useful to write secure programs that want to avoid being > > tricked into opening device nodes with special semantics while thinking > > they operate on regular files. This is a requested feature from the > > uapi-group[1]. > > > > I think this needs a lot more clarification as to what "regular" > means. If it's literally > > > A corresponding error code EFTYPE has been introduced. For example, if > > openat2 is called on path /dev/null with OPENAT2_REGULAR in the flag > > param, it will return -EFTYPE. EFTYPE is already used in BSD systems > > like FreeBSD, macOS. > > I think this needs more clarification as to what "regular" means, > since S_IFREG may not be sufficient. The UAPI group page says: > > Use-Case: this would be very useful to write secure programs that want > to avoid being tricked into opening device nodes with special > semantics while thinking they operate on regular files. This is > particularly relevant as many device nodes (or even FIFOs) come with > blocking I/O (or even blocking open()!) by default, which is not > expected from regular files backed by “fast” disk I/O. Consider > implementation of a naive web browser which is pointed to > file://dev/zero, not expecting an endless amount of data to read. > > What about procfs? What about sysfs? What about /proc/self/fd/17 > where that fd is a memfd? What about files backed by non-"fast" disk > I/O like something on a flaky USB stick or a network mount or FUSE? > > Are we concerned about blocking open? (open blocks as a matter of > course.) Are we concerned about open having strange side effects? > Are we concerned about write having strange side effects? Are we > concerned about cases where opening the file as root results in > elevated privilege beyond merely gaining the ability to write to that > specific path on an ordinary filesystem? > Good questions. I had assumed regular file means S_IFREG when implementing this as mentioned in the UAPI page: "O_REGULAR (inspired by the existing O_DIRECTORY flag for open()), which opens a file only if it is of type S_IFREG" I think Christian Brauner (cc-d) can better answer your above questions. Regards, Dorjoy
© 2016 - 2026 Red Hat, Inc.