1 .\" Copyright (C) 2019 Aleksa Sarai <cyphar@cyphar.com>
3 .\" SPDX-License-Identifier: Linux-man-pages-copyleft
4 .TH OPENAT2 2 2021-03-22 "Linux" "Linux Programmer's Manual"
6 openat2 \- open and possibly create a file (extended)
12 .BR "#include <fcntl.h>" \
13 " /* Definition of " O_* " and " S_* " constants */"
14 .BR "#include <linux/openat2.h>" " /* Definition of " RESOLVE_* " constants */"
15 .BR "#include <sys/syscall.h>" " /* Definition of " SYS_* " constants */"
16 .B #include <unistd.h>
18 .BI "long syscall(SYS_openat2, int " dirfd ", const char *" pathname ,
19 .BI " struct open_how *" how ", size_t " size );
23 glibc provides no wrapper for
25 necessitating the use of
30 system call is an extension of
32 and provides a superset of its functionality.
36 system call opens the file specified by
38 If the specified file does not exist, it may optionally (if
48 is a relative pathname, then it is interpreted relative to the
49 directory referred to by the file descriptor
51 (or the current working directory of the calling process, if
57 is an absolute pathname, then
65 is resolved relative to
68 Rather than taking a single
70 argument, an extensible structure (\fIhow\fP) is passed to allow for
74 argument must be specified as
75 .IR "sizeof(struct open_how)" .
77 .SS The open_how structure
80 argument specifies how
82 should be opened, and acts as a superset of the
88 This argument is a pointer to a structure of the following form:
93 u64 flags; /* O_* flags */
94 u64 mode; /* Mode for O_{CREAT,TMPFILE} */
95 u64 resolve; /* RESOLVE_* flags */
101 Any future extensions to
103 will be implemented as new fields appended to the above structure,
104 with a zero value in a new field resulting in the kernel behaving
105 as though that extension field was not present.
106 Therefore, the caller
108 zero-fill this structure on
110 (See the "Extensibility" section of the
112 for more detail on why this is necessary.)
116 structure are as follows:
120 the file creation and file status flags to use when opening the file.
131 ignores unknown bits in its
135 returns an error if unknown or conflicting flags are specified in
139 This field specifies the
140 mode for the new file, with identical semantics to the
147 ignores bits other than those in the range
155 contains bits other than
157 Similarly, an error is returned if
159 is called with a nonzero
169 This is a bit-mask of flags that modify the way in which
175 .BR path_resolution (7)
176 for background information.)
178 The primary use case for these flags is to allow trusted programs to restrict
179 how untrusted paths (or paths inside untrusted directories) are resolved.
186 .\" commit adb21d2b526f7f196b2f3fdca97d80ba05dd14a0
187 Do not permit the path resolution to succeed if any component of the resolution
188 is not a descendant of the directory indicated by
190 This causes absolute symbolic links (and absolute values of
194 Currently, this flag also disables magic-link resolution (see below).
195 However, this may change in the future.
196 Therefore, to ensure that magic links are not resolved,
197 the caller should explicitly specify
198 .BR RESOLVE_NO_MAGICLINKS .
201 .\" commit 8db52c7e7ee1bd861b6096fcafc0fe7d0f24a994
202 Treat the directory referred to by
204 as the root directory while resolving
206 Absolute symbolic links are interpreted relative to
208 If a prefix component of
212 then an immediately following
214 component likewise equates to
218 is traditionally equivalent to
222 is an absolute path, it is also interpreted relative to
225 The effect of this flag is as though the calling process had used
227 to (temporarily) modify its root directory (to the directory
232 (which changes the filesystem root permanently for a process),
234 allows a program to efficiently restrict path resolution on a per-open basis.
236 Currently, this flag also disables magic-link resolution.
237 However, this may change in the future.
238 Therefore, to ensure that magic links are not resolved,
239 the caller should explicitly specify
240 .BR RESOLVE_NO_MAGICLINKS .
242 .B RESOLVE_NO_MAGICLINKS
243 .\" commit 278121417a72d87fb29dd8c48801f80821e8f75a
244 Disallow all magic-link resolution during path resolution.
246 Magic links are symbolic link-like objects that are most notably found in
251 .IR /proc/[pid]/fd/* .
256 Unknowingly opening magic links can be risky for some applications.
257 Examples of such risks include the following:
260 If the process opening a pathname is a controlling process that
261 currently has no controlling terminal (see
262 .BR credentials (7)),
263 then opening a magic link inside
265 that happens to refer to a terminal
266 would cause the process to acquire a controlling terminal.
268 .\" From https://lwn.net/Articles/796868/:
269 .\" The presence of this flag will prevent a path lookup operation
270 .\" from traversing through one of these magic links, thus blocking
271 .\" (for example) attempts to escape from a container via a /proc
272 .\" entry for an open file descriptor.
273 In a containerized environment,
276 may refer to an object outside the container,
277 and thus may provide a means to escape from the container.
280 Because of such risks,
281 an application may prefer to disable magic link resolution using the
282 .BR RESOLVE_NO_MAGICLINKS
285 If the trailing component (i.e., basename) of
290 .BR RESOLVE_NO_MAGICLINKS ,
299 file descriptor referencing the magic link will be returned.
301 .B RESOLVE_NO_SYMLINKS
302 .\" commit 278121417a72d87fb29dd8c48801f80821e8f75a
303 Disallow resolution of symbolic links during path resolution.
305 .BR RESOLVE_NO_MAGICLINKS .
307 If the trailing component (i.e., basename) of
312 .BR RESOLVE_NO_SYMLINKS ,
321 file descriptor referencing the symbolic link will be returned.
323 Note that the effect of the
324 .BR RESOLVE_NO_SYMLINKS
326 which affects the treatment of symbolic links in all of the components of
328 differs from the effect of the
330 file creation flag (in
332 which affects the handling of symbolic links only in the final component of
335 Applications that employ the
336 .BR RESOLVE_NO_SYMLINKS
337 flag are encouraged to make its use configurable
338 (unless it is used for a specific security purpose),
339 as symbolic links are very widely used by end-users.
340 Setting this flag indiscriminately\(emi.e.,
341 for purposes not specifically related to security\(emfor all uses of
343 may result in spurious errors on previously functional systems.
344 This may occur if, for example,
345 a system pathname that is used by an application is modified
346 (e.g., in a new distribution release)
347 so that a pathname component (now) contains a symbolic link.
350 .\" commit 72ba29297e1439efaa54d9125b866ae9d15df339
351 Disallow traversal of mount points during path resolution (including all bind
355 must either be on the same mount as the directory referred to by
357 or on the same mount as the current working directory if
362 Applications that employ the
364 flag are encouraged to make its use configurable (unless it is
365 used for a specific security purpose),
366 as bind mounts are widely used by end-users.
367 Setting this flag indiscriminately\(emi.e.,
368 for purposes not specifically related to security\(emfor all uses of
370 may result in spurious errors on previously functional systems.
371 This may occur if, for example,
372 a system pathname that is used by an application is modified
373 (e.g., in a new distribution release)
374 so that a pathname component (now) contains a bind mount.
377 Make the open operation fail unless all path components are already present
378 in the kernel's lookup cache.
379 If any kind of revalidation or I/O is needed to satisfy the lookup,
383 This is useful in providing a fast-path open that can be performed without
384 resorting to thread offload, or other mechanisms that an application might
385 use to offload slower operations.
388 If any bits other than those listed above are set in
390 an error is returned.
392 On success, a new file descriptor is returned.
393 On error, \-1 is returned, and
395 is set to indicate the error.
397 The set of errors returned by
399 includes all of the errors returned by
401 as well as the following additional errors:
404 An extension that this kernel does not support was specified in
406 (See the "Extensibility" section of
408 for more detail on how extensions are handled.)
415 .BR RESOLVE_BENEATH ,
416 and the kernel could not ensure that a ".." component didn't escape (due to a
417 race condition or potential attack).
418 The caller may choose to retry the
424 was set, and the open operation cannot be performed using only cached
426 The caller should retry without
432 An unknown flag or invalid value was specified in
446 was smaller than any known version of
447 .IR "struct open_how" .
452 .BR RESOLVE_NO_SYMLINKS ,
453 and one of the path components was a symbolic link (or magic link).
458 .BR RESOLVE_NO_MAGICLINKS ,
459 and one of the path components was a magic link.
466 .BR RESOLVE_BENEATH ,
467 and an escape from the root during path resolution was detected.
472 .BR RESOLVE_NO_XDEV ,
473 and a path component crosses a mount point.
476 first appeared in Linux 5.6.
477 .\" commit fddb5d430ad9fa91b49b1d34d0202ffe2fa0e179
479 This system call is Linux-specific.
483 were modeled after FreeBSD's
487 In order to allow for future extensibility,
489 requires the user-space application to specify the size of the
491 structure that it is passing.
492 By providing this information, it is possible for
494 to provide both forwards- and backwards-compatibility, with
496 acting as an implicit version number.
497 (Because new extension fields will always
498 be appended, the structure size will always increase.)
499 This extensibility design is very similar to other system calls such as
500 .BR sched_setattr (2),
501 .BR perf_event_open (2),
507 be the size of the structure as specified by the user-space application, and
509 be the size of the structure which the kernel supports, then there are
510 three cases to consider:
516 then there is no version mismatch and
518 can be used verbatim.
524 then there are some extension fields that the kernel supports
525 which the user-space application
527 Because a zero value in any added extension field signifies a no-op,
529 treats all of the extension fields not provided by the user-space application
530 as having zero values.
531 This provides backwards-compatibility.
537 then there are some extension fields which the user-space application
538 is aware of but which the kernel does not support.
539 Because any extension field must have its zero values signify a no-op,
541 safely ignore the unsupported extension fields if they are all-zero.
542 If any unsupported extension fields are nonzero, then \-1 is returned and
546 This provides forwards-compatibility.
548 Because the definition of
550 may change in the future (with new fields being added when system headers are
551 updated), user-space applications should zero-fill
553 to ensure that recompiling the program with new headers will not result in
554 spurious errors at runtime.
555 The simplest way is to use a designated
560 struct open_how how = { .flags = O_RDWR,
561 .resolve = RESOLVE_IN_ROOT };
572 memset(&how, 0, sizeof(how));
574 how.resolve = RESOLVE_IN_ROOT;
578 A user-space application that wishes to determine which extensions
579 the running kernel supports can do so by conducting a binary search on
581 with a structure which has every byte nonzero (to find the largest value
582 which doesn't produce an error of
586 .BR path_resolution (7),