openat() was available before - why they are blaming glibc?
openat() was available before - why they are blaming glibc?
Posted Nov 16, 2017 9:19 UTC (Thu) by jem (subscriber, #24231)In reply to: openat() was available before - why they are blaming glibc? by smcv
Parent article: The inherent fragility of seccomp()
Posted Nov 16, 2017 13:27 UTC (Thu)
by vadim (subscriber, #35271)
[Link]
1. Programmer writes code, wants more protection and decides on the use of seccomp.
The 'open' call doesn't go anywhere. Glibc just doesn't promise to do an exact 1 to 1 wrapper, or not to introduce internal usage of additional new syscalls for its own internal reasons. When you call glibc open(), glibc may actually invoke a new, more advanced syscall like openat instead, or use additional syscalls in the wrapper.
Posted Nov 16, 2017 14:09 UTC (Thu)
by corbet (editor, #1)
[Link]
openat() was available before - why they are blaming glibc?
2. Programmer looks at what the code needs, and comes up with the 'open' syscall. However the code doesn't call the syscall directly, but the wrapper glibc provides.
3. Code is finished, programmer moves on to the next project.
4. Kernel development goes on, and the 'openat' syscall gets created.
5. Glibc adds usage of openat, and makes it so that in some cases, the glibc provided open wrapper sometimes actually calls 'openat'.
6. In those cases, the previously written code ends up using the 'openat' syscall which is not whitelisted because it didn't exist when the code was written, or because the 'open' wrapper always used the 'open' syscall and nothing else, and this changed later.
This conversation confuses me a bit. Who is blaming glibc? The article is about a particular kernel functionality that is prone to breakage.
The term "fragility" in the title was applied to seccomp(), not glibc, after all.
I've not seen comments blaming glibc either...?
openat() was available before - why they are blaming glibc?