Re: [PATCH v4 1/2] vfs: add O_EMPTYPATH to openat(2)/openat2(2)

From: Aleksa Sarai

Date: Wed Apr 22 2026 - 18:48:32 EST


On 2026-04-19, Jori Koolstra <jkoolstra@xxxxxxxxx> wrote:
> To get an operable version of an O_PATH file descriptor, it is possible
> to use openat(fd, ".", O_DIRECTORY) for directories, but other files
> currently require going through open("/proc/<pid>/fd/<nr>"), which
> depends on a functioning procfs.
>
> This patch adds the O_EMPTYPATH flag to openat(2)/openat2(2). If passed,
> LOOKUP_EMPTY is set at path resolution time.
>
> Note: This implies that you cannot rely anymore on disabling procfs from
> being mounted (e.g. inside a container without procfs mounted and with
> CAP_SYS_ADMIN dropped) to prevent O_PATH fds from being re-opened
> read-write.

Well, you could just block O_EMPTYPATH with seccomp (yes, it'll give you
an unexpected error but people using strict sandboxes are usually fine
with that). You can't block it with openat2(2) but most people block
openat2(2) precisely because you cannot block individual flags with
seccomp (*yet* -- it's on my TODO list!)

I also suspect very few people are actually blocking this correctly in
general. Sadly, most programs don't work without access to /proc (even
glibc implicitly requires it for a lot of compatibility shims).

> Signed-off-by: Jori Koolstra <jkoolstra@xxxxxxxxx>
> ---
> fs/fcntl.c | 2 +-
> fs/open.c | 6 ++++--
> include/linux/fcntl.h | 2 +-
> include/uapi/asm-generic/fcntl.h | 4 ++++
> 4 files changed, 10 insertions(+), 4 deletions(-)

> diff --git a/include/uapi/asm-generic/fcntl.h b/include/uapi/asm-generic/fcntl.h
> index 613475285643..db144851f57b 100644
> --- a/include/uapi/asm-generic/fcntl.h
> +++ b/include/uapi/asm-generic/fcntl.h
> @@ -88,6 +88,10 @@
> #define __O_TMPFILE 020000000
> #endif
>
> +#ifndef O_EMPTYPATH
> +#define O_EMPTYPATH 040000000 /* allow empty path */
> +#endif
> +
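Review bot: the comment on `#define O_EMPTYPATH` says only "allow empty path", which does not tell a uapi reader what an empty path resolves to. The commit message states the consequence (an O_PATH fd can be re-opened without procfs), so the header comment should say that the empty path refers to the dirfd itself. Since the `#ifndef` guard means an architecture header can supply a different value, a short remark that this is only the generic default would also help.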

This value clashes with values on alpha (O_PATH), sparc (__O_TMPFILE),
and parisc (O_SYNC) so you will need to add per-arch definitions for
those as well. You should eventually get a mail because of compilation
errors (thanks to the BUILD_BUG_ON in fs/fcntl.c that was added
specifically to detect this unfortunate quirk of O_* flags).

Actually, it might be nice to try to do what we did with syscall numbers
and just pick 1<<26 as the next bit, but we're getting quite close to
running out of bits. :/

--
Aleksa Sarai
https://www.cyphar.com/
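
Added example, not part of the original mail or the patch: a classic-BPF seccomp program for the point made in the reply, testing the flag bit on openat(2) and refusing openat2(2) outright because its flags sit behind a pointer. `O_EMPTYPATH_V4` (the value from the quoted hunk), `deny_emptypath`, `verdict` and `install_filter` are names assumed here; `verdict` walks the program in userspace over constructed input, and the x32 ABI is not handled.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
/* Assumption: value taken from the quoted v4 hunk; the reply says it will change per-arch. */
#define O_EMPTYPATH_V4 040000000
#if defined(__x86_64__)
#define NATIVE_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define NATIVE_ARCH AUDIT_ARCH_AARCH64
#else
#error "add the AUDIT_ARCH_* constant for this architecture"
#endif
#define FIELD(f) ((uint32_t)offsetof(struct seccomp_data, f))

/* openat(2): flags are args[2] (low word, little-endian). openat2(2): flags are in memory. */
static struct sock_filter deny_emptypath[] = {
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, FIELD(arch)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, NATIVE_ARCH, 1, 0),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, FIELD(nr)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_openat2, 0, 1),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | ENOSYS),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_openat, 0, 3),
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, FIELD(args[2])),
    BPF_JUMP(BPF_JMP | BPF_JSET | BPF_K, O_EMPTYPATH_V4, 0, 1),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | EPERM),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
};

/* Walk the program in userspace (only the LD/JEQ/JSET/RET forms used above). */
uint32_t verdict(int nr, uint64_t arg2) {
    struct seccomp_data sd = { .nr = nr, .arch = NATIVE_ARCH, .args = { 0, 0, arg2 } };
    uint32_t acc = 0;
    for (const struct sock_filter *f = deny_emptypath;; f++) {
        if (BPF_CLASS(f->code) == BPF_RET) return f->k;
        if (BPF_CLASS(f->code) == BPF_LD) memcpy(&acc, (char *)&sd + f->k, sizeof acc);
        else f += ((BPF_OP(f->code) == BPF_JSET ? acc & f->k : acc == f->k)) ? f->jt : f->jf;
    }
}
int install_filter(void) { /* returns 0 on success; sets no_new_privs first */
    struct sock_fprog prog = { sizeof deny_emptypath / sizeof *deny_emptypath, deny_emptypath };
    return prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) || prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}
```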
