Hi Aleksa, On Mon, Jul 21, 2025 at 11:55:36AM +1000, Aleksa Sarai wrote: > While RESOLVE_BENEATH was based on FreeBSD's O_BENEATH, there was a > well-known safety issue in O_BENEATH that we explicitly avoided > replicating -- FreeBSD would only verify whether the lookup escaped the > dirfd *at the end of the path lookup*. > > This meant that even with O_BENEATH, an attacker could gain information > about the structure of the filesystem outside of the dirfd through > timing attacks or other side-channels. > > Once Linux had RESOLVE_BENEATH, FreeBSD implemented O_RESOLVE_BENEATH to > mimic the same behaviour[1] and eventually removed O_BENEATH entirely > from their system[2]. It seems prudent to provide this epilogue in the > HISTORY section of the openat2(2) man page (the FreeBSD man page does > for open(2) not reference this historical connection with Linux at all, > as far as I can tell). > > [1]: https://reviews.freebsd.org/D25886 > [2]: https://reviews.freebsd.org/D28907 > > Signed-off-by: Aleksa Sarai <cyphar@xxxxxxxxxx> Thanks! CI detected a few minor issues: remote: an.tmac:.tmp/man/man2/openat2.2:485: style: .BR expects at least 2 arguments, got 1 remote: an.tmac:.tmp/man/man2/openat2.2:491: style: .BR expects at least 2 arguments, got 1 remote: an.tmac:.tmp/man/man2/openat2.2:493: style: .BR expects at least 2 arguments, got 1 I've fixed them with the following amendment: diff --git a/man/man2/openat2.2 b/man/man2/openat2.2 index 53687e676..9d0b58777 100644 --- a/man/man2/openat2.2 +++ b/man/man2/openat2.2 
@@ -482,15 +482,15 @@ .SH HISTORY but avoided a well-known correctness bug in FreeBSD's implementation that rendered it effectively insecure. Later, FreeBSD 13 introduced -.BR O_RESOLVE_BENEATH +.B O_RESOLVE_BENEATH to replace the insecure .BR O_BENEATH . .\" https://reviews.freebsd.org/D25886 .\" https://reviews.freebsd.org/D28907 FreeBSD's -.BR O_RESOLVE_BENEATH +.B O_RESOLVE_BENEATH semantics are based on Linux's -.BR RESOLVE_BENEATH +.B RESOLVE_BENEATH and the two are now functionally equivalent. .SH NOTES .SS Extensibility I've applied the amended commit (which also includes some tweaks in the commit message): <https://www.alejandro-colomar.es/src/alx/linux/man-pages/man-pages.git/commit/?h=contrib&id=671e1b8cbeee5e81ff1e10d10586521e0ce82cf9> Have a lovely day! Alex > --- > man/man2/openat2.2 | 13 +++++++++++++ > 1 file changed, 13 insertions(+) > > diff --git a/man/man2/openat2.2 b/man/man2/openat2.2 > index e7d400920049..53687e676ae5 100644 > --- a/man/man2/openat2.2 > +++ b/man/man2/openat2.2 > @@ -478,7 +478,20 @@ Linux 5.6. > The semantics of > .B RESOLVE_BENEATH > were modeled after FreeBSD's > +.BR O_BENEATH , > +but avoided a well-known correctness bug in FreeBSD's implementation that > +rendered it effectively insecure. > +Later, FreeBSD 13 introduced > +.BR O_RESOLVE_BENEATH > +to replace the insecure > .BR O_BENEATH . > +.\" https://reviews.freebsd.org/D25886 > +.\" https://reviews.freebsd.org/D28907 > +FreeBSD's > +.BR O_RESOLVE_BENEATH > +semantics are based on Linux's > +.BR RESOLVE_BENEATH > +and the two are now functionally equivalent. > .SH NOTES > .SS Extensibility > In order to allow for future extensibility, > > --- > base-commit: 5d53969e60c484673745ed47d6015a1f09c8641e > change-id: 20250721-openat2-history-2a8f71c9e3b0 > > Best regards, > -- > Aleksa Sarai <cyphar@xxxxxxxxxx> > > -- <https://www.alejandro-colomar.es/>
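Review bot: the two `.\"` URL comments that sit between `.BR O_BENEATH .` and `FreeBSD's` in the amended hunk do not say which review supports which statement. The commit message ties D25886 to FreeBSD adopting O_RESOLVE_BENEATH and D28907 to the removal of O_BENEATH, so a short label on each comment line would keep that mapping in the page source. The three `.BR` to `.B` changes are on single-argument lines and match the CI warnings for lines 485, 491 and 493; `.BR O_BENEATH .` rightly stays as it is, since it has two arguments.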
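Review bot: in the originally submitted hunk, the added HISTORY text calls out "a well-known correctness bug" in O_BENEATH but never says what it was. The commit message does: the escape check ran only at the end of the path lookup, which left timing and other side channels open. One sentence to that effect in the page would let a reader see why the flag was "effectively insecure" without following the commented-out review links. The three added `.BR` lines that carry a single argument are the ones an.tmac flags; `.B` is the macro for those.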