By allowing Open(at)InRoot to opt-out of the extra work done by MkdirAll
to do the necessary "partial lookups", Open(at)InRoot now does less work
for both implementations (resulting in a many-fold decrease in the number of
operations for openat2, and a modest improvement for non-openat2) and is
far more guaranteed to match the correct openat2(RESOLVE_IN_ROOT)
behaviour.
We now use readlinkat(fd, "") where possible. For Open(at)InRoot this
effectively just means that we no longer risk getting spurious errors during
rename races. However, for our hardened procfs handler, this in theory should
prevent mount attacks from tricking us when doing magic-link readlinks (even
when using the unsafe host /proc handle). Unfortunately Reopen is still
potentially vulnerable to those kinds of somewhat-esoteric attacks.
Several improvements were made to the errors returned by Open(at)InRoot and
MkdirAll when dealing with invalid paths under the emulated (ie.
non-openat2) implementation. Previously, some paths would return the wrong
error (ENOENT when the last component was a non-directory), and other paths
would be returned as though they were acceptable (trailing-slash components
after a non-directory would be ignored by Open(at)InRoot).
These changes were done to match openat2's behaviour and purely is a
consistency fix (most users are going to be using openat2 anyway).
By allowing Open(at)InRoot to opt-out of the extra work done by MkdirAll
to do the necessary "partial lookups", Open(at)InRoot now does less work
for both implementations (resulting in a many-fold decrease in the number of
operations for openat2, and a modest improvement for non-openat2) and is
far more guaranteed to match the correct openat2(RESOLVE_IN_ROOT)
behaviour.
We now use readlinkat(fd, "") where possible. For Open(at)InRoot this
effectively just means that we no longer risk getting spurious errors during
rename races. However, for our hardened procfs handler, this in theory should
prevent mount attacks from tricking us when doing magic-link readlinks (even
when using the unsafe host /proc handle). Unfortunately Reopen is still
potentially vulnerable to those kinds of somewhat-esoteric attacks.
Several improvements were made to the errors returned by Open(at)InRoot and
MkdirAll when dealing with invalid paths under the emulated (ie.
non-openat2) implementation. Previously, some paths would return the wrong
error (ENOENT when the last component was a non-directory), and other paths
would be returned as though they were acceptable (trailing-slash components
after a non-directory would be ignored by Open(at)InRoot).
These changes were done to match openat2's behaviour and purely is a
consistency fix (most users are going to be using openat2 anyway).
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- `@dependabot show ignore conditions` will show all of the ignore conditions of the specified dependency
- `@dependabot ignore major version` will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
- `@dependabot ignore minor version` will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
- `@dependabot ignore ` will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
- `@dependabot unignore ` will remove all of the ignore conditions of the specified dependency
- `@dependabot unignore ` will remove the ignore condition of the specified dependency and ignore conditions
Bumps the go-modules group with 1 update: github.com/cyphar/filepath-securejoin.
Updates
github.com/cyphar/filepath-securejoinfrom 0.3.0 to 0.3.1Release notes
Sourced from github.com/cyphar/filepath-securejoin's releases.
Changelog
Sourced from github.com/cyphar/filepath-securejoin's changelog.
Commits
ce7b28aVERSION: release v0.3.1a2c14f8CHANGELOG: add readlinkat(fd, "") shout-out4ea279fmerge #22 into cyphar/filepath-securejoin:main16e1becCHANGELOG: add initial changelog with current history2404ffbmerge #21 into cyphar/filepath-securejoin:mainf29b7a4lookup: handle // and trailing slash components correctlyecd61camerge #19 into cyphar/filepath-securejoin:main38b1220procfs: refactor statx mnt_id logic45c4415procfs: use readlink(fd, "") for magic-linksedab538merge #17 into cyphar/filepath-securejoin:mainDependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show