Re: [PATCH 01/13] devpts: Teach /dev/ptmx to find the associated devpts via path lookup
From: Eric W. Biederman
Date: Mon Apr 11 2016 - 19:48:47 EST
"H. Peter Anvin" <hpa@xxxxxxxxx> writes:
> On April 11, 2016 1:12:22 PM PDT, Andy Lutomirski <luto@xxxxxxxxxxxxxx> wrote:
>>On Sat, Apr 9, 2016 at 6:27 PM, Linus Torvalds
>><torvalds@xxxxxxxxxxxxxxxxxxxx> wrote:
>>>
>>> On Apr 9, 2016 5:45 PM, "Andy Lutomirski" <luto@xxxxxxxxxxxxxx>
>>wrote:
>>>>
>>>>
>>>> What we *do* want to do, though, is to prevent the following:
>>>
>>> I don't see the point. Why do you bring up this insane scenario that
>>nobody
>>> can possibly care about?
>>>
>>> So you actually have any reason to believe somebody does that?
>>>
>>> I already asked about that earlier, and the silence was deafening.
>>
>>I have no idea, but I'm generally uncomfortable with magical things
>>that bypass normal security policy.
>>
>>That being said, here's an idea for fixing this, at least in the long
>>run. Add a new devpts mount option "no_ptmx_redirect" that turns off
>>this behavior for the super in question. That is, opening /dev/ptmx
>>if "pts/ptmx" points to something with no_ptmx_redirect set will fail.
>>Distros shipping new kernels could be encouraged to (finally!) make
>>/dev/ptmx a symlink and set this option.
>>
>>We just might be able to get away with spelling that option
>>"newinstance".
>
> What about the idea of making the bind mount automatic?
We could almost do that cleanly by playing with the /dev/ptmx dentry
and implementing a d_automount method. That still needs the crazy path
based lookup without permission checks.
Unfortunately the filesystem not the device owns the dentry operations.
My practical concern if we worked through the implementation details
would be how would it interact with people who bind mount /dev/pts/ptmx
on top of /dev/ptmx. We might get some strange new errors.
Eric