Linux 7.2 Adds Ability To Limit Programs To Only Open Regular Files, Avoid Being Tricked Or Doing Silly Things
Merged as part of the many VFS changes for Linux 7.2 is the new OPENAT2_REGULAR flag for the openat2 system call. This can be used to limit programs to only open regular file-systems and avoid accidentally or intentionally opening up device files or other non-conventional data files on the file-system.
OPENAT2_REGULAR can be used with Linux 7.2+ for user-space programs wanting to only interact with regular files on the file-system and avoid opening up device nodes or other special files. Such as there should be no reason a web browser or text editor would need to open /dev/zero or /dev/random for an endless stream of data...
This is useful for security purposes and just avoiding the potential of opening files the program may not expect or have any use in interacting with.
When the OPENAT2_REGULAR is set for openat2, any non-regular file will return an "EFTYPE" error code.
This useful addition was merged for Linux 7.2 as part of this VFS pull. That same pull request also adds O_EMPTYPATH for openat/openat2 to get an operable file descriptor from an O_PATH file descriptor.
OPENAT2_REGULAR can be used with Linux 7.2+ for user-space programs wanting to only interact with regular files on the file-system and avoid opening up device nodes or other special files. Such as there should be no reason a web browser or text editor would need to open /dev/zero or /dev/random for an endless stream of data...
This is useful for security purposes and just avoiding the potential of opening files the program may not expect or have any use in interacting with.
When the OPENAT2_REGULAR is set for openat2, any non-regular file will return an "EFTYPE" error code.
This useful addition was merged for Linux 7.2 as part of this VFS pull. That same pull request also adds O_EMPTYPATH for openat/openat2 to get an operable file descriptor from an O_PATH file descriptor.