Karel Zak [Wed, 27 May 2026 10:38:16 +0000 (12:38 +0200)]
libmount: add mount ID verification and man page TOCTOU note
Verify mount ID after re-opening the target fd to ensure the mount
landed on the expected target. The expected ID is set from fd_tree
in hook_create_mount() (new mount API only).
Add WARNING to mount.8 about the inherent TOCTOU limitation of the
legacy mount(2) syscall for non-superuser mounts.
Karel Zak [Wed, 27 May 2026 10:21:02 +0000 (12:21 +0200)]
libmount: use fd_target in hook_idmap for move_mount()
Use the pinned fd_target with MOVE_MOUNT_T_EMPTY_PATH for restricted
users instead of string-based move_mount(). Re-open the target fd
after mount to point to the mounted filesystem root.
Karel Zak [Wed, 27 May 2026 10:20:06 +0000 (12:20 +0200)]
libmount: restrict X-mount.subdir for non-root to Linux >= 6.15
The old-kernel subdir path uses namespace unsharing and string-based
move_mount() which is unsafe for restricted users (TOCTOU). The safe
detached subdir open requires Linux >= 6.15.
Karel Zak [Tue, 16 Jun 2026 09:15:19 +0000 (11:15 +0200)]
libmount: use fd-based fchownat/chmod in hook_owner
Replace path-based lchown()/chmod() with fd-based operations in the
X-mount.{owner,group,mode} post-mount hook.
For restricted users the fd_target is pinned in prepare_target() and
re-opened after mount in hook_attach_target() to point to the mounted
filesystem root. For root a local O_PATH fd is opened. Ownership is
changed via fchownat(fd, "", ..., AT_EMPTY_PATH), mode via
/proc/self/fd/N.
This prevents TOCTOU attacks where an ancestor directory is swapped
between mount and the chmod/chown operations.
CVE-2026-53612
Reported-by: Xinyao Hu <ctf_0x01@foxmail.com> Signed-off-by: Karel Zak <kzak@redhat.com>
Karel Zak [Tue, 16 Jun 2026 08:58:32 +0000 (10:58 +0200)]
libmount: fix SUID bypass via LIBMOUNT_FORCE_MOUNT2 and legacy mount path
Use safe_getenv() for LIBMOUNT_FORCE_MOUNT2 to ignore the variable
in SUID context, consistent with LIBMOUNT_FSTAB and other sensitive
environment variables.
Additionally, refuse multi-step mount(2) sequences (bind+remount and
propagation) for restricted (non-root) users in the legacy mount path.
The two-step approach has a window between syscalls where security
flags (nosuid, noexec, ...) are not yet applied. The new mount API
handles this atomically.
CVE-2026-53614
Reported-by: Xinyao Hu <ctf_0x01@foxmail.com> Signed-off-by: Karel Zak <kzak@redhat.com>
Karel Zak [Thu, 7 May 2026 10:50:48 +0000 (12:50 +0200)]
libblkid: fix use-after-free in nested partition probing
The partitions list stores partitions in a contiguous array grown by
reallocarray(). When the array is reallocated to a new address, all
existing blkid_partition pointers (tab->parent, ls->next_parent, local
parent variables in nested probers) become dangling.
Fix this by changing the storage from an array of structs to an array
of pointers, where each partition is individually allocated via
calloc(). This makes all blkid_partition pointers stable across
reallocations -- only the pointer array itself may move, which is
harmless since no code caches pointers into the pointer array.
This eliminates the need for callers to re-fetch parent pointers after
every blkid_partlist_add_partition() call.
Reported-by: Thai Duong <thaidn@gmail.com> Signed-off-by: Karel Zak <kzak@redhat.com>
Karel Zak [Tue, 16 Jun 2026 07:24:40 +0000 (09:24 +0200)]
tests: handle ENOSYS in multiplexing syscall tests
On ppc64le, __NR_select is defined at compile time, so test_mkfds -W
lists "select" as available. However, the kernel returns ENOSYS at
runtime. The helper process prints its PID, then calls select() which
fails immediately with ENOSYS. This creates a race where the bash
script's kill -0 liveness check can succeed while the process is
still dying, causing lsfd to run against a dead process and produce
wrong output.
Exit with EXIT_ENOSYS (23) instead of EXIT_FAILURE when the
multiplexer syscall returns ENOSYS. This applies to both
DEFUN_WAIT_EVENT_SELECT and DEFUN_WAIT_EVENT_POLL macros.
In the bash test, check the wait exit code for 23 after the coproc
finishes and skip the subtest cleanly.
Karel Zak [Mon, 15 Jun 2026 11:15:01 +0000 (13:15 +0200)]
libmount: detect fanotify queue overflow in monitor
When the fanotify event queue overflows under sustained mount churn,
the kernel sends a FAN_Q_OVERFLOW event. The fanotify_next_fs() function
did not check for this, causing it to access invalid memory (the
overflow event carries no fanotify_event_info_mnt payload) and silently
drop the overflow notification. The consumer never learned that events
were lost, so its mount-unit view could permanently diverge from the
kernel.
Detect FAN_Q_OVERFLOW, discard the remaining buffered events (they are
unreliable after an overflow), and return -EOVERFLOW so the caller can
perform a full rescan.
Karel Zak [Mon, 15 Jun 2026 10:35:01 +0000 (12:35 +0200)]
Merge branch 'master' of https://github.com/ZephyrLi-pro/util-linux-c
* 'master' of https://github.com/ZephyrLi-pro/util-linux-c:
lscpu: add RISC-V MMU column support
lscpu: show RISC-V MMU mode
lscpu: free cputype ISA string
Karel Zak [Mon, 15 Jun 2026 09:54:11 +0000 (11:54 +0200)]
docs: setpriv: improve EXAMPLES section
Clarify that setpriv is not a 1:1 replacement for su/runuser/sudo,
add --inh-caps=-all to the basic example, and provide additional
examples for environment reset and restrictive privilege dropping.
Fixes: https://github.com/util-linux/util-linux/issues/4402 Signed-off-by: Karel Zak <kzak@redhat.com>
Karel Zak [Mon, 15 Jun 2026 09:36:10 +0000 (11:36 +0200)]
mkswap: use fd-based operations to avoid TOCTOU in open_device()
Replace path-based stat()+chmod() with open() first, then fstat()
and fchmod() on the file descriptor. This eliminates the race window
between checking and modifying the file.
Also skip fchmod() when permissions are already 0600.
aizu-m [Sun, 14 Jun 2026 07:43:26 +0000 (13:13 +0530)]
lslogins: bound lastlog2 tty/host copy to destination size
get_lastlog2() copies the TTY and host strings read from the lastlog2
database into heap buffers of sizeof(ut_line)+1 and sizeof(ut_host)+1
bytes, but passed strlen(value)+1 as the mem2strcpy() limit. mem2strcpy()
zero-fills and copies that many bytes regardless of the destination, so a
database value longer than the field overflows the buffer. Cap the limit
to the destination field size, matching the wtmp and plain-lastlog paths
in the same function.
When nsenter is executed with closed stdin, one pid_fd will be 0,
which is a valid file descriptor. But with current code namespace switch
is skipped, leading to incorrect results.
Fixes: f18be0ca5aa7 ("nsenter: use pidfd to enter target namespaces") Signed-off-by: Vladimir Riabchun <vladimir.riabchun@virtuozzo.com>
aizu-m [Wed, 10 Jun 2026 12:44:30 +0000 (18:14 +0530)]
fsck.minix: bound namelen guessed in get_dirsize
get_dirsize() guesses the directory name length from the on-disk root
directory: it doubles a candidate size from 16 up to 512 looking for the
".." entry and sets namelen = size - 2. A crafted image whose first ".."
match lands at offset 514 yields namelen 510, well past MINIX_NAME_MAX
(255). check_file() then does xstrncpy(name_list[name_depth], name,
namelen) into rows of only MINIX_NAME_MAX + 1 bytes, writing out of
bounds past name_list.
Stop the scan once size - 2 would exceed MINIX_NAME_MAX so the guessed
namelen stays within the buffers, falling back to the magic-derived
default.
Karel Zak [Wed, 10 Jun 2026 11:06:26 +0000 (13:06 +0200)]
asciidoctor: fix encoding error for non-ASCII translations
File.read without an explicit encoding uses Ruby's default external
encoding, which depends on the system locale. On systems where it
resolves to US-ASCII (e.g. some Debian configurations), reading
translated man page files with non-ASCII content (such as Arabic)
fails with "source is either binary or contains invalid Unicode data".
Specify encoding: 'UTF-8' explicitly so the string is correctly
tagged regardless of locale.
Fixes: https://github.com/util-linux/util-linux/issues/4409 Signed-off-by: Karel Zak <kzak@redhat.com>
Karel Zak [Wed, 10 Jun 2026 08:52:44 +0000 (10:52 +0200)]
fdisk: (resize) avoid redundant error on partnum failure
fdisk_ask_partnum() already prints its own diagnostics on failure,
so go directly to 'out' instead of 'err' which would print a
redundant "Could not resize partition" message with a meaningless
partition number.
Also removes the need for the i=0 initialization from the previous
commit, since 'i' is no longer used on the fdisk_ask_partnum()
error path.
Addresses: https://github.com/util-linux/util-linux/pull/4394 Signed-off-by: Karel Zak <kzak@redhat.com>
Karel Zak [Wed, 10 Jun 2026 07:47:21 +0000 (09:47 +0200)]
Merge branch 'PR/libmount-more-restrict' of https://github.com/karelzak/util-linux-work
* 'PR/libmount-more-restrict' of https://github.com/karelzak/util-linux-work:
build: warn when libmount udev support is disabled
libmount: disable libblkid probing for non-root users
libblkid: add blkid_evaluate_tag2() with flags
umount: restrict non-root users to mountpoint paths only
aizu-m [Tue, 9 Jun 2026 19:24:04 +0000 (00:54 +0530)]
libfdisk: clamp out-of-range d_npartitions in bsd_readlabel
d_npartitions is a uint16 partition count read straight from an on-disk
BSD disklabel. bsd_readlabel() warns when it is larger than
BSD_MAXPARTITIONS but leaves the value untouched, so the bogus count
survives into the rest of the label handling.
bsd_dkcksum() walks the label up to &lp->d_partitions[d_npartitions]
when the label is written back. d_partitions[] holds 16 entries
(256 bytes); a crafted disklabel can set the count to 65535 and push
that end pointer about 1 MB past the array, an out-of-bounds read.
Clamp the count to BSD_MAXPARTITIONS in the block that already emits the
warning, the same upper bound sun/sgi/gpt enforce on their arrays.
Karel Zak [Tue, 9 Jun 2026 13:03:04 +0000 (15:03 +0200)]
tests: remove loop devices from lsblk bcachefs dump
The loop device infrastructure does not support sysfs dump-based data.
When lsblk runs with --sysroot, the ignore_empty() function calls
loopdev_has_backing_file() which operates on the real /dev/loopN
device rather than the sysroot data. This causes host-dependent test
results -- if the CI machine has a loop device with a backing file,
the device appears in the output despite having size 0 in the dump.
Remove loop0 and loop1 entries from the multi-devs-bcachefs sysfs
dump to avoid this false positive.
The setsid completion used the old manual COMP_WORDS/COMP_CWORD pattern
and never delegated to the sub-command's own completion. When typing e.g.
"setsid -f rm -<Tab>", completion would show setsid options instead of rm
options.
Rewrite to use _init_completion and _command_offset, matching the pattern
used by unshare and other wrapper commands. This correctly detects where
the sub-command begins and delegates completion to it.
The sub-command detection loop explicitly enumerates known options via
NOARGOPTS/NOARGOPTS_SHORT (pipe-separated for regex matching), ensuring that
short options like -f, -c, -w are properly skipped rather than being treated
as the sub-command start.
Fixes: #4073 Signed-off-by: Liu Zheng <liuzheng@uniontech.com>
Karel Zak [Tue, 2 Jun 2026 10:30:21 +0000 (12:30 +0200)]
build: warn when libmount udev support is disabled
Non-root tag resolution (LABEL=, UUID=) in mount/umount depends on
udev support in libmount. Without it, suid mount/umount cannot
resolve tags for unprivileged users since direct device probing
is disabled for security reasons.
Karel Zak [Tue, 2 Jun 2026 10:27:15 +0000 (12:27 +0200)]
libmount: disable libblkid probing for non-root users
Add noprobe flag to struct libmnt_cache that disables low-level
device probing via libblkid. When the mount context is restricted
(non-root user), the flag is set automatically on cache creation
and on externally provided caches.
With noprobe enabled:
- read_from_blkid() is skipped (device I/O blocked)
- mnt_resolve_tag() uses blkid_evaluate_tag2() with
BLKID_EVALUATE_NOPROBE, so tags are resolved only via
udev /dev/disk/by-* symlinks without device scanning
This minimizes the libblkid attack surface for suid mount/umount
binaries.
Karel Zak [Tue, 2 Jun 2026 10:25:27 +0000 (12:25 +0200)]
libblkid: add blkid_evaluate_tag2() with flags
Add blkid_evaluate_tag2() that accepts flags to control tag
evaluation behavior. The BLKID_EVALUATE_NOPROBE flag disables
low-level device scanning (evaluate_by_scan), while keeping
udev symlink-based evaluation (evaluate_by_udev) functional.
The original blkid_evaluate_tag() is now a thin wrapper around
the new function with flags=0.
Karel Zak [Mon, 1 Jun 2026 13:22:53 +0000 (15:22 +0200)]
umount: restrict non-root users to mountpoint paths only
Non-root users should only specify mountpoints when calling umount.
Device names, tags (LABEL=, UUID=, etc.) and loop device resolution
are disabled for unprivileged users to avoid processing untrusted
input through tag resolution code paths before permission checks.
In umount.c, reject tag arguments and disable swapmatch for
restricted users. In libmount, skip source and loopdev swapmatch
lookups for restricted contexts as defense in depth.
Bash automatically unsets the MKFDS_PID variable when the coproc
terminates. If the multiplexer syscall is not available at runtime
(e.g., select on ppc64le with kernel 6.18 returns ENOSYS despite
__NR_select being defined at compile time), the coproc exits
immediately and MKFDS_PID becomes empty, causing:
wait: '': not a pid or valid job spec
Save MKFDS_PID to a regular variable (MKFDS_CPID) immediately after
starting the coproc.
Additionally, add a kill -0 liveness check after reading the PID to
detect when the multiplexer process died early (e.g., due to ENOSYS)
and skip the subtest cleanly.
Karel Zak [Mon, 8 Jun 2026 12:10:04 +0000 (14:10 +0200)]
Merge branch 'chcpu_tests' of https://github.com/cgoesche/util-linux-fork
* 'chcpu_tests' of https://github.com/cgoesche/util-linux-fork:
tests: (chcpu) add missing tests
chcpu: add a helper function to read the CPU 'online' bitmap
chcpu: add --sysroot option
Karel Zak [Mon, 8 Jun 2026 11:41:26 +0000 (13:41 +0200)]
man pages: avoid troff warning about undefined 'Aq' string
Asciidoctor's manpage backend places the .TH line (which references
\*(Aq for the apostrophe in "Programmer's Manual") before the .ds Aq
definition. This causes troff warning:
name 'Aq' not defined [-w mac]
Replace "Programmer's Manual" with "Library Calls" to avoid the
apostrophe. This also aligns with man(7) convention for section 3
and is consistent with how other sections already avoid possessives
(e.g. "User Commands", "System Administration").
Reported-by: Bjarni Ingi Gislason <bjarniig@simnet.is> Signed-off-by: Karel Zak <kzak@redhat.com>
Wang Yu [Tue, 2 Jun 2026 12:57:43 +0000 (20:57 +0800)]
lsblk: truncate long ID-LINK columns
The udev by-id link can be very long for some USB devices. Mark the ID
and ID-LINK columns as truncatable so extreme values do not stretch the
entire table.
This patch makes it possible to configure the CPUs on a Linux
system other than the one on which the chcpu command is called.
To achieve this users can simply define the root directory of
the sys/ directory with the --sysroot command line option. It
is also beneficial for regression tests, as these make use of
sysfs tar archive dumps.
To properly implement this new feature, the syspath initialization
had to be deferred until after all option arguments, especially
--sysroot, have been parsed, which simplified the path access check.
Along the way a small refactoring of the enable,disable,configure &
deconfigure option parsing had been done, more precisely the CPU list
option argument is now saved in a variable 'cpu_list_arg' to defer
the CPU list validity check until after all option arguments have
been parsed to simplify the logic. Lastly, getopt(3)'s 'optarg' variable
is used instead of argv[optind-1] to store the options argument, which
is more idiomatic and readable.
Signed-off-by: Christian Goeschel Ndjomouo <cgoesc2@wgu.edu>
Karel Zak [Tue, 2 Jun 2026 11:34:00 +0000 (13:34 +0200)]
Merge branch 'PR/hexdump-color-overflow' of https://github.com/karelzak/util-linux-work
* 'PR/hexdump-color-overflow' of https://github.com/karelzak/util-linux-work:
tests: (hexdump) use arrays for OPTS and ADDRFMT
hexdump: fix buffer overflow in color_cond()
Karel Zak [Tue, 2 Jun 2026 11:32:44 +0000 (13:32 +0200)]
Merge branch 'PR/lscpu-arm-nooverwrite' of https://github.com/karelzak/util-linux-work
* 'PR/lscpu-arm-nooverwrite' of https://github.com/karelzak/util-linux-work:
lscpu: set nooverwrite for Phytium ARM implementer
lscpu: add nooverwrite flag for ARM implementer table
lscpu: add find_implementer() for ARM implementer lookup
Liu Zheng [Tue, 2 Jun 2026 06:26:28 +0000 (14:26 +0800)]
hardlink: preserve timestamps when reflinking files
When using --reflink=always, the destination file gets the current
timestamp instead of preserving the original file's atime and mtime.
This differs from both hardlink behavior and "cp -p --reflink=always".
Add futimens() call after successful reflink to restore the original
timestamps from the target file's stat data.
Commit ded434a63f3eee7fd7805b18d6c9bb912016c3c8 ("include/mount-api-utils:
add statmount and listmount") introduce a fallback definition for the
LSMT_ROOT defined, but a small typo makes this fallback definition
ineffective:
Karel Zak [Mon, 1 Jun 2026 09:23:57 +0000 (11:23 +0200)]
readprofile: replace popen() with fork/exec for .gz map files
Security scanners repeatedly flag the popen("zcat %s", name) pattern
as a command injection vulnerability (CWE-78). While this is a false
positive -- readprofile is not installed with elevated privileges and
the filename comes from the user's own command line -- the reports are
a recurring nuisance.
The root cause is that popen() passes the command through /bin/sh,
which makes scanners flag it regardless of whether the input is
actually untrusted. Replace popen() with fork()/execlp() to invoke
zcat directly without shell interpretation. This eliminates the
shell from the execution path and silences the scanners without
adding any new dependencies.
Also use ul_endswith() for the .gz suffix check, and handle fdopen()
failure after fork to avoid fd leak and zombie process.
Karel Zak [Mon, 1 Jun 2026 11:52:33 +0000 (13:52 +0200)]
tests: (hexdump) use arrays for OPTS and ADDRFMT
Convert OPTS and ADDRFMT from plain strings to bash arrays and use
proper "${…[@]}" expansion to fix shellcheck SC2090/SC2086 warnings
about unquoted variables containing quotes/backslashes.
Karel Zak [Thu, 28 May 2026 12:01:53 +0000 (14:01 +0200)]
fstrim: resolve non-device sources to real block devices
When fstrim reads fstab entries (--fstab, --listed-in), bind mount
entries use directory paths as sources (e.g. /data/ssd/ldap) rather
than device names. Source de-duplication compares path strings, so
these never match the real device paths (e.g. /dev/mapper/foo),
causing the same filesystem to be trimmed multiple times.
Use statmount(STATMOUNT_SB_SOURCE) to resolve directory source paths
to their real block device before de-duplication. Fall back to the
original source when statmount() is unavailable.
Addresses: https://github.com/util-linux/util-linux/issues/857 Signed-off-by: Karel Zak <kzak@redhat.com>
Karel Zak [Thu, 28 May 2026 14:09:20 +0000 (16:09 +0200)]
hexdump: fix buffer overflow in color_cond()
Widen the color condition value from int (4 bytes) to int64_t (8 bytes)
to accommodate format strings with 8-byte conversion units (e.g.,
1/8 "%016x"). The memcpy() in color_cond() copies clr->range bytes
into a local variable, and for 8-byte units this overflows a 4-byte
int.
Also switch strtoul() to strtoll() in the color format parser to
correctly parse 64-bit values into the widened int64_t field.
Change hexdump_clr.range from int to size_t (a byte count should never
be negative), add a defensive guard against memcpy overflow in
color_cond(), and add an 8-byte color condition regression test.
Reported-by: Michał Majchrowicz (AFINE Team) Reported-by: Marcin Wyczechowski (AFINE Team) Signed-off-by: Karel Zak <kzak@redhat.com>
Karel Zak [Thu, 28 May 2026 10:03:28 +0000 (12:03 +0200)]
lscpu: add nooverwrite flag for ARM implementer table
Add a nooverwrite flag to struct hw_impl. When set, vendor and model
name already provided by the kernel in /proc/cpuinfo are preserved
rather than being overwritten by the hardcoded lookup tables. The
tables serve as a fallback when the kernel does not provide the
information.
This approach keeps all implementer entries in the table, which is
also required for "lscpu --arm-id" to list all known vendors and
part IDs.
Addresses: https://github.com/util-linux/util-linux/pull/4362 Signed-off-by: Karel Zak <kzak@redhat.com>
Karel Zak [Mon, 1 Jun 2026 10:15:53 +0000 (12:15 +0200)]
Merge branch 'PR/libmount-no-symlinks' of https://github.com/karelzak/util-linux-work
* 'PR/libmount-no-symlinks' of https://github.com/karelzak/util-linux-work:
loopdev: use openat2(RESOLVE_NO_SYMLINKS) for backing file
lib/fileutils: add ul_open_no_symlinks()
Furkan Caliskan [Sun, 31 May 2026 08:36:58 +0000 (11:36 +0300)]
uclampset: fix lost-update race in set_uclamp_one()
The function unconditionally sets both SCHED_FLAG_UTIL_CLAMP_MIN and
SCHED_FLAG_UTIL_CLAMP_MAX in sa.sched_flags regardless of which values
the user actually requested to change.
This creates a lost-update race: sched_getattr() fetches the current
clamp values, but between that call and sched_setattr(), another thread
may legitimately update the value we did not intend to touch. Because
both flags are always set, sched_setattr() forces the kernel to apply
the stale cached value, silently overwriting the concurrent update.
Brian Mak [Thu, 28 May 2026 19:08:04 +0000 (12:08 -0700)]
dmesg: fix off-by-one read buffer size
PRINTK_MESSAGE_MAX is 2048 in the kernel. In a formatted record that is
exactly 2048 bytes, reading /proc/kmsg with a size of PRINTK_MESSAGE_MAX
- 1 (2047) will result in the read syscall returning -EINVAL.
We see such a case when using a large initrd, for which the kernel
outputs loading spinner characters, based on the size of the initrd. For
a large enough initrd, there will be enough spinner characters to create
several formatted records of size 2048.
We fix this by increasing the kmsg_buf size by 1, which increases the
size used by the read syscall to PRINTK_MESSAGE_MAX (2048).
Karel Zak [Thu, 28 May 2026 10:01:01 +0000 (12:01 +0200)]
lscpu: add find_implementer() for ARM implementer lookup
Refactor ARM implementer lookup into a dedicated find_implementer()
function and use it in is_arm() and arm_ids_decode() to simplify
the code and avoid open-coded linear searches.
Addresses: https://github.com/util-linux/util-linux/pull/4362 Signed-off-by: Karel Zak <kzak@redhat.com>
Karel Zak [Thu, 28 May 2026 09:05:55 +0000 (11:05 +0200)]
tests: use tar --no-same-owner for sysfs dump extraction
Use --no-same-owner when extracting sysfs dump tarballs so that
extracted files are owned by the current user rather than preserving
the original (often root) ownership from the archive.
This allows chmem tests to run without root since they only operate
on a local sysfs dump via --sysroot. The valid_zones file (0444 in
real sysfs) needs an explicit chmod u+w before the test can write
to it. Apply --no-same-owner to lsblk, lscpu, lsmem, and hardlink
tests for consistency.
Karel Zak [Thu, 28 May 2026 08:54:33 +0000 (10:54 +0200)]
chmem: simplify have_mem_blk_zones()
Use ul_path_accessf() instead of manual ul_strconcat() + ul_path_access()
+ free(). This avoids a potential NULL dereference if ul_strconcat() fails
on memory allocation.
Karel Zak [Thu, 28 May 2026 08:52:28 +0000 (10:52 +0200)]
Merge branch 'chmem_tests' of https://github.com/cgoesche/util-linux-fork
* 'chmem_tests' of https://github.com/cgoesche/util-linux-fork:
tests: (chmem) add tests for aarch64 16K 16G memory layout
chmem: add helper function to sensibly detect the 'valid_zones' attribute
tests: (chmem) add missing tests
chmem: add a new --sysroot command line option
Karel Zak [Wed, 27 May 2026 13:15:22 +0000 (15:15 +0200)]
loopdev: use openat2(RESOLVE_NO_SYMLINKS) for backing file
Use ul_open_no_symlinks() instead of open(O_NOFOLLOW) when
LOOPDEV_FL_NOFOLLOW is set. O_NOFOLLOW only rejects symlinks at the
last path component, but TOCTOU attacks swap intermediate components.
openat2(RESOLVE_NO_SYMLINKS) rejects symlinks at any component.
Karel Zak [Wed, 27 May 2026 08:35:39 +0000 (10:35 +0200)]
lib/fileutils: add ul_open_no_symlinks()
Add a helper that opens a path rejecting symlinks at any component,
not just the last one. Uses openat2(RESOLVE_NO_SYMLINKS) when
available (Linux >= 5.6), falls back to open(O_NOFOLLOW).
Karel Zak [Thu, 28 May 2026 08:14:29 +0000 (10:14 +0200)]
Merge branch 'PR/getino-op-types' of https://github.com/karelzak/util-linux-work
* 'PR/getino-op-types' of https://github.com/karelzak/util-linux-work:
getino: cleanup whitespace
getino: rename GETINO_*_NAMESPACE to GETINO_NS_*
getino: split operation type and namespace type
projects / thirdparty / util-linux.git / log
