From nobody Thu Apr 2 20:21:30 2026 Received: from ewsoutbound.kpnmail.nl (ewsoutbound.kpnmail.nl [195.121.94.170]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 8C7F53A2543 for ; Thu, 26 Mar 2026 18:20:57 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=195.121.94.170 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1774549259; cv=none; b=JvNWBJcylXo7m7EJtjbYVnXCXXRj5qKgOHeRbeFgB1V8Iq7zQYDRxIFZPeHbuU4IXTvZSS9Dvwo1Nwh1pZGdN+HHVhK1X1qirg8bgS4T9Gkm8pHDZSJ1J2AIj1n0ALYGmWvA7Hs7yrTYU3yLVlO9xSrTpGopuc7LoPbiRGnQ6MU= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1774549259; c=relaxed/simple; bh=WNg46g3df6saNK5G2Aum2Ymkqna2qK01Rs4ISdgpQ1g=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=n5V3KqKuzNpSLGKrCS9mLJ5cTBQLKUGWzoZk1LH2WYnMoGP5SVn6U6AFoX2FL/IyWu4yDIGr2gq/mvCQnys9iFBIsB//bUT5Kot6UtFFXDSGsfR1hI9EQQ2DuEbHG47WnWhgGx8KlSeIXJznflZYLfYY3+cWkL8wrZ0YsXkqo9Y= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=xs4all.nl; spf=pass smtp.mailfrom=xs4all.nl; dkim=pass (2048-bit key) header.d=xs4all.nl header.i=@xs4all.nl header.b=slu1QTEX; arc=none smtp.client-ip=195.121.94.170 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=xs4all.nl Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=xs4all.nl Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=xs4all.nl header.i=@xs4all.nl header.b="slu1QTEX" X-KPN-MessageId: 879e0016-2940-11f1-8a9a-005056ab378f Received: from smtp.kpnmail.nl (unknown [10.31.155.40]) by ewsoutbound.so.kpn.org (Halon) with ESMTPS id 879e0016-2940-11f1-8a9a-005056ab378f; Thu, 26 Mar 2026 19:20:55 +0100 (CET) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=xs4all.nl; s=xs4all01; h=mime-version:message-id:date:subject:to:from; bh=wp7ph0GxfocxZsIU1uEVImJtoPS/WVjNFCt1MEqrtvY=; b=slu1QTEXrHWgG05kimQmJ9a26FCWfbsOyhML+dzohYH8fNSkXm8pRLEZ2VvhQfuwiuEAg61K4BpzS qSIvFiM86lTl/ktyELtM2JHpMQJHh/vEs+TFi4NN6IgrBxNV8d2Bouem4atvxsIFrf2lyFLYOOhXZr aR3vPdz/nrzVTG2TGcgccw/323wPkurVKQhfZ09BRwHluMMkvjAluh1UyL0d1PLM6OHpexcDZ7PbpF PWaRr/ONARl3udu3YGEbTgJunbW4rQ/b6n3MrB+QtzyFVupmKCN3mlXjG0f322lBzIvSxCU/OEDL+2 AEoNSYtSqO172AibZ0we7BqzPcHjPZg== X-KPN-MID: 33|rH5hobd8/6jtUJ3oiLxHqIY7sIjORh1wdRl/NNNET8aIOoKQB9TYznHC+wzLkGu +57m2tu5xeMr3e4KDsxUsAsB1iiQISnb7AyjukJwtpRo= X-KPN-VerifiedSender: Yes X-CMASSUN: 33|Jpl9iEIpLwgdokdBnzNtFB93C9Cc3shXD4J32mEevdlmUSsVQQVYz1ReT71Tocx 0cfoCuOatNz/Nps0KCfm6yw== Received: from daedalus.home (unknown [178.231.230.142]) by smtp.xs4all.nl (Halon) with ESMTPSA id 872137e8-2940-11f1-b8e8-005056ab7584; Thu, 26 Mar 2026 19:20:55 +0100 (CET) From: Jori Koolstra To: Jeff Layton , Chuck Lever , Alexander Aring , Alexander Viro , Christian Brauner , Jan Kara , Shuah Khan , Greg Kroah-Hartman , Aleksa Sarai Cc: Jori Koolstra , Andrew Morton , Mike Rapoport , "Liam R . Howlett" , David Hildenbrand , Lorenzo Stoakes , Ethan Tidmore , NeilBrown , Oleg Nesterov , Penglei Jiang , Kees Cook , Suren Baghdasaryan , Vlastimil Babka , Amir Goldstein , Namjae Jeon , Mateusz Guzik , Wei Yang , Bala-Vignesh-Reddy , linux-kernel@vger.kernel.org, linux-fsdevel@vger.kernel.org, linux-kselftest@vger.kernel.org Subject: [RFC PATCH v2 1/3] vfs: add support for empty path to openat2(2) Date: Thu, 26 Mar 2026 19:20:12 +0100 Message-ID: <20260326182033.1809567-2-jkoolstra@xs4all.nl> X-Mailer: git-send-email 2.53.0 In-Reply-To: <20260326182033.1809567-1-jkoolstra@xs4all.nl> References: <20260326182033.1809567-1-jkoolstra@xs4all.nl> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" To get an operable version of an O_PATH file descriptor, it is possible to use openat(fd, ".", O_DIRECTORY) for directories, but other files currently require going through open("/proc//fd/"), which depends on a functioning procfs. This patch adds the OPENAT2_EMPTY_PATH flag to openat2(2). If passed, LOOKUP_EMPTY is set at path resolve time. Note: This implies that you cannot rely anymore on disabling procfs from being mounted (e.g. inside a container without procfs mounted and with CAP_SYS_ADMIN dropped) to prevent O_PATH fds from being re-opened read-write. Signed-off-by: Jori Koolstra Reviewed-by: Jeff Layton --- fs/fcntl.c | 4 ++-- fs/open.c | 11 +++++------ include/linux/fcntl.h | 5 ++++- include/uapi/linux/openat2.h | 4 ++++ 4 files changed, 15 insertions(+), 9 deletions(-) diff --git a/fs/fcntl.c b/fs/fcntl.c index beab8080badf..d9ae3c71edfe 100644 --- a/fs/fcntl.c +++ b/fs/fcntl.c @@ -1169,8 +1169,8 @@ static int __init fcntl_init(void) * Exceptions: O_NONBLOCK is a two bit define on parisc; O_NDELAY * is defined as O_NONBLOCK on some platforms and not on others. */ - BUILD_BUG_ON(20 - 1 /* for O_RDONLY being 0 */ !=3D - HWEIGHT32( + BUILD_BUG_ON(21 - 1 /* for O_RDONLY being 0 */ !=3D + HWEIGHT64( (VALID_OPEN_FLAGS & ~(O_NONBLOCK | O_NDELAY)) | __FMODE_EXEC)); =20 diff --git a/fs/open.c b/fs/open.c index 91f1139591ab..e019ddecc73c 100644 --- a/fs/open.c +++ b/fs/open.c @@ -1160,12 +1160,12 @@ struct file *kernel_file_open(const struct path *pa= th, int flags, EXPORT_SYMBOL_GPL(kernel_file_open); =20 #define WILL_CREATE(flags) (flags & (O_CREAT | __O_TMPFILE)) -#define O_PATH_FLAGS (O_DIRECTORY | O_NOFOLLOW | O_PATH | O_CLOEXEC) +#define O_PATH_FLAGS (O_DIRECTORY | O_NOFOLLOW | O_PATH | O_CLOEXEC | OPE= NAT2_EMPTY_PATH) =20 inline struct open_how build_open_how(int flags, umode_t mode) { struct open_how how =3D { - .flags =3D flags & VALID_OPEN_FLAGS, + .flags =3D ((unsigned int) flags) & VALID_OPEN_FLAGS, .mode =3D mode & S_IALLUGO, }; =20 @@ -1185,9 +1185,6 @@ inline int build_open_flags(const struct open_how *ho= w, struct open_flags *op) int lookup_flags =3D 0; int acc_mode =3D ACC_MODE(flags); =20 - BUILD_BUG_ON_MSG(upper_32_bits(VALID_OPEN_FLAGS), - "struct open_flags doesn't yet handle flags > 32 bits"); - /* * Strip flags that aren't relevant in determining struct open_flags. */ @@ -1281,6 +1278,8 @@ inline int build_open_flags(const struct open_how *ho= w, struct open_flags *op) lookup_flags |=3D LOOKUP_DIRECTORY; if (!(flags & O_NOFOLLOW)) lookup_flags |=3D LOOKUP_FOLLOW; + if (flags & OPENAT2_EMPTY_PATH) + lookup_flags |=3D LOOKUP_EMPTY; =20 if (how->resolve & RESOLVE_NO_XDEV) lookup_flags |=3D LOOKUP_NO_XDEV; @@ -1362,7 +1361,7 @@ static int do_sys_openat2(int dfd, const char __user = *filename, if (unlikely(err)) return err; =20 - CLASS(filename, name)(filename); + CLASS(filename_flags, name)(filename, op.lookup_flags); return FD_ADD(how->flags, do_file_open(dfd, name, &op)); } =20 diff --git a/include/linux/fcntl.h b/include/linux/fcntl.h index a332e79b3207..d1bb87ff70e3 100644 --- a/include/linux/fcntl.h +++ b/include/linux/fcntl.h @@ -7,10 +7,13 @@ =20 /* List of all valid flags for the open/openat flags argument: */ #define VALID_OPEN_FLAGS \ + /* lower 32-bit flags */ \ (O_RDONLY | O_WRONLY | O_RDWR | O_CREAT | O_EXCL | O_NOCTTY | O_TRUNC | \ O_APPEND | O_NDELAY | O_NONBLOCK | __O_SYNC | O_DSYNC | \ FASYNC | O_DIRECT | O_LARGEFILE | O_DIRECTORY | O_NOFOLLOW | \ - O_NOATIME | O_CLOEXEC | O_PATH | __O_TMPFILE) + O_NOATIME | O_CLOEXEC | O_PATH | __O_TMPFILE | \ + /* upper 32-bit flags (openat2(2) only) */ \ + OPENAT2_EMPTY_PATH) =20 /* List of all valid flags for the how->resolve argument: */ #define VALID_RESOLVE_FLAGS \ diff --git a/include/uapi/linux/openat2.h b/include/uapi/linux/openat2.h index a5feb7604948..c34f32e6fa96 100644 --- a/include/uapi/linux/openat2.h +++ b/include/uapi/linux/openat2.h @@ -40,4 +40,8 @@ struct open_how { return -EAGAIN if that's not possible. */ =20 +/* openat2(2) exclusive flags are defined in the upper 32 bits of + open_how->flags */ +#define OPENAT2_EMPTY_PATH 0x100000000 /* (1ULL << 32) */ + #endif /* _UAPI_LINUX_OPENAT2_H */ --=20 2.53.0