Skip to content

Move mkXXXat_fd and upgrade mask for openat2() to in-progress #55

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
LATENTBOUNCE wants to merge 2 commits into
base: main
Choose a base branch
from
+33 −33
Open

Move mkXXXat_fd and upgrade mask for openat2() to in-progress #55

Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
e7119e1
Move mkXYZat_fd to in-progress
LATENTBOUNCE Mar 14, 2026
5af47b6
Add upgrade mask for openat2() to in-progress
LATENTBOUNCE Mar 30, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
66 changes: 33 additions & 33 deletions README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -208,6 +208,39 @@ similar functions have `AT_EMPTY_PATH`.
**Use-Case:** When dealing with `O_PATH` file descriptors, allow
re-opening an operable version without the need of `procfs`.

### Race-free creation and opening of non-file inodes

A way to race-freely create an (non-file) inode and immediately
open it. For regular files we have open(O_CREAT) for creating a
new file inode, and returning a pinning fd to it. This is missing
for other inode types, such as directories, device nodes,
FIFOs. The lack of such functionality means that when populating a
directory tree there's always a race involved: the inodes first
need to be created, and then opened to adjust their
permissions/ownership/labels/timestamps/acls/xattrs/…, but in the
time window between the creation and the opening they might be
replaced by something else. Addressing this race without proper
APIs is possible (by immediately fstat()ing what was opened, to
verify that it has the right inode type), but difficult to get
right. Hence, mkdirat_fd() that creates a directory *and* returns
an O_DIRECTORY fd to it would be great. As would be mknodeat_fd()
that creates a device node, FIFO or (dead) socket and returns an
O_PATH fd to it. And of course symlinkat_fd() that creates a
symlink and returns an O_PATH fd to it.

**Use-Case:** any program that creates/unpacks not just files, but
directories, device nodes, fifos, and wants to ensure that they
safely get the right attributes applied, even if other code might
simultaneously have access to the same directory tree.

### Upgrade masks in `openat2()`

Add upgrade masks to `openat2()`. Extend `struct open_how` to allow
restrict re-opening of file descriptors.

**Use-Case:** block services or containers from re-opening/upgrading an
`O_PATH` file descriptor through e.g. `/proc/<pid>/fd/<nr` as `O_WRONLY`.

---

### TODO
Expand Down Expand Up @@ -483,14 +516,6 @@ whose attributes cannot be changed by the caller don't want
`mount_settattr()` to fail on the first mount it failed to convert. Give
them a flag to request changes ignoring failures.

### Upgrade masks in `openat2()`

Add upgrade masks to `openat2()`. Extend `struct open_how` to allow
restrict re-opening of file descriptors.

**Use-Case:** block services or containers from re-opening/upgrading an
`O_PATH` file descriptor through e.g. `/proc/<pid>/fd/<nr` as `O_WRONLY`.

### Make quotas work with user namespaces

The quota codepaths in the kernel currently broken and inconsistent
Expand Down Expand Up @@ -546,31 +571,6 @@ usecases it would be good to be able to opt-in or opt-out
dynamically from coredumps for specific services, at runtime
without restarting them.

### Race-free creation and opening of non-file inodes

A way to race-freely create an (non-file) inode and immediately
open it. For regular files we have open(O_CREAT) for creating a
new file inode, and returning a pinning fd to it. This is missing
for other inode types, such as directories, device nodes,
FIFOs. The lack of such functionality means that when populating a
directory tree there's always a race involved: the inodes first
need to be created, and then opened to adjust their
permissions/ownership/labels/timestamps/acls/xattrs/…, but in the
time window between the creation and the opening they might be
replaced by something else. Addressing this race without proper
APIs is possible (by immediately fstat()ing what was opened, to
verify that it has the right inode type), but difficult to get
right. Hence, mkdirat_fd() that creates a directory *and* returns
an O_DIRECTORY fd to it would be great. As would be mknodeat_fd()
that creates a device node, FIFO or (dead) socket and returns an
O_PATH fd to it. And of course symlinkat_fd() that creates a
symlink and returns an O_PATH fd to it.

**Use-Case:** any program that creates/unpacks not just files, but
directories, device nodes, fifos, and wants to ensure that they
safely get the right attributes applied, even if other code might
simultaneously have access to the same directory tree.

### Extend `io_uring` with classic synchronous system calls

The `io_uring` subsystem is open to adding classic existing synchronous
Expand Down
Loading