On Sat, 2026-03-28 at 23:22 +0600, Dorjoy Chowdhury wrote:
> This flag indicates the path should be opened if it's a regular file.
> This is useful to write secure programs that want to avoid being
> tricked into opening device nodes with special semantics while thinking
> they operate on regular files. This is a requested feature from the
> uapi-group[1].
>
> A corresponding error code EFTYPE has been introduced. For example, if
> openat2 is called on path /dev/null with OPENAT2_REGULAR in the flag
> param, it will return -EFTYPE. EFTYPE is already used in BSD systems
> like FreeBSD, macOS.
>
> When used in combination with O_CREAT, either the regular file is
> created, or if the path already exists, it is opened if it's a regular
> file. Otherwise, -EFTYPE is returned.
>
> When OPENAT2_REGULAR is combined with O_DIRECTORY, -EINVAL is returned
> as it doesn't make sense to open a path that is both a directory and a
> regular file.
>
> [1]:
> https://uapi-group.org/kernel-features/#ability-to-only-open-regular-files
>
> Signed-off-by: Dorjoy Chowdhury <[email protected]>
> ---
> arch/alpha/include/uapi/asm/errno.h | 2 ++
> arch/alpha/include/uapi/asm/fcntl.h | 1 +
> arch/mips/include/uapi/asm/errno.h | 2 ++
> arch/parisc/include/uapi/asm/errno.h | 2 ++
> arch/parisc/include/uapi/asm/fcntl.h | 1 +
> arch/sparc/include/uapi/asm/errno.h | 2 ++
> arch/sparc/include/uapi/asm/fcntl.h | 1 +
> fs/ceph/file.c | 4 ++++
> fs/fcntl.c | 4 ++--
> fs/gfs2/inode.c | 6 ++++++
> fs/namei.c | 4 ++++
> fs/nfs/dir.c | 4 ++++
> fs/open.c | 8 +++++---
> fs/smb/client/dir.c | 14 +++++++++++++-
> include/linux/fcntl.h | 2 ++
> include/uapi/asm-generic/errno.h | 2 ++
> include/uapi/asm-generic/fcntl.h | 4 ++++
> tools/arch/alpha/include/uapi/asm/errno.h | 2 ++
> tools/arch/mips/include/uapi/asm/errno.h | 2 ++
> tools/arch/parisc/include/uapi/asm/errno.h | 2 ++
> tools/arch/sparc/include/uapi/asm/errno.h | 2 ++
> tools/include/uapi/asm-generic/errno.h | 2 ++
> 22 files changed, 67 insertions(+), 6 deletions(-)
>
> diff --git a/arch/alpha/include/uapi/asm/errno.h
> b/arch/alpha/include/uapi/asm/errno.h
> index 6791f6508632..1a99f38813c7 100644
> --- a/arch/alpha/include/uapi/asm/errno.h
> +++ b/arch/alpha/include/uapi/asm/errno.h
> @@ -127,4 +127,6 @@
>
> #define EHWPOISON 139 /* Memory page has hardware error */
>
> +#define EFTYPE 140 /* Wrong file type for the intended
> operation */
> +
> #endif
> diff --git a/arch/alpha/include/uapi/asm/fcntl.h
> b/arch/alpha/include/uapi/asm/fcntl.h
> index 50bdc8e8a271..fe488bf7c18e 100644
> --- a/arch/alpha/include/uapi/asm/fcntl.h
> +++ b/arch/alpha/include/uapi/asm/fcntl.h
> @@ -34,6 +34,7 @@
>
> #define O_PATH 040000000
> #define __O_TMPFILE 0100000000
> +#define OPENAT2_REGULAR 0200000000
>
> #define F_GETLK 7
> #define F_SETLK 8
> diff --git a/arch/mips/include/uapi/asm/errno.h
> b/arch/mips/include/uapi/asm/errno.h
> index c01ed91b1ef4..1835a50b69ce 100644
> --- a/arch/mips/include/uapi/asm/errno.h
> +++ b/arch/mips/include/uapi/asm/errno.h
> @@ -126,6 +126,8 @@
>
> #define EHWPOISON 168 /* Memory page has hardware error */
>
> +#define EFTYPE 169 /* Wrong file type for the intended
> operation */
> +
> #define EDQUOT 1133 /* Quota exceeded */
>
>
> diff --git a/arch/parisc/include/uapi/asm/errno.h
> b/arch/parisc/include/uapi/asm/errno.h
> index 8cbc07c1903e..93194fbb0a80 100644
> --- a/arch/parisc/include/uapi/asm/errno.h
> +++ b/arch/parisc/include/uapi/asm/errno.h
> @@ -124,4 +124,6 @@
>
> #define EHWPOISON 257 /* Memory page has hardware error */
>
> +#define EFTYPE 258 /* Wrong file type for the intended
> operation */
> +
> #endif
> diff --git a/arch/parisc/include/uapi/asm/fcntl.h
> b/arch/parisc/include/uapi/asm/fcntl.h
> index 03dee816cb13..d46812f2f0f4 100644
> --- a/arch/parisc/include/uapi/asm/fcntl.h
> +++ b/arch/parisc/include/uapi/asm/fcntl.h
> @@ -19,6 +19,7 @@
>
> #define O_PATH 020000000
> #define __O_TMPFILE 040000000
> +#define OPENAT2_REGULAR 0100000000
>
> #define F_GETLK64 8
> #define F_SETLK64 9
> diff --git a/arch/sparc/include/uapi/asm/errno.h
> b/arch/sparc/include/uapi/asm/errno.h
> index 4a41e7835fd5..71940ec9130b 100644
> --- a/arch/sparc/include/uapi/asm/errno.h
> +++ b/arch/sparc/include/uapi/asm/errno.h
> @@ -117,4 +117,6 @@
>
> #define EHWPOISON 135 /* Memory page has hardware error */
>
> +#define EFTYPE 136 /* Wrong file type for the intended
> operation */
> +
> #endif
> diff --git a/arch/sparc/include/uapi/asm/fcntl.h
> b/arch/sparc/include/uapi/asm/fcntl.h
> index 67dae75e5274..bb6e9fa94bc9 100644
> --- a/arch/sparc/include/uapi/asm/fcntl.h
> +++ b/arch/sparc/include/uapi/asm/fcntl.h
> @@ -37,6 +37,7 @@
>
> #define O_PATH 0x1000000
> #define __O_TMPFILE 0x2000000
> +#define OPENAT2_REGULAR 0x4000000
>
> #define F_GETOWN 5 /* for sockets. */
> #define F_SETOWN 6 /* for sockets. */
> diff --git a/fs/ceph/file.c b/fs/ceph/file.c
> index 66bbf6d517a9..6d8d4c7765e6 100644
> --- a/fs/ceph/file.c
> +++ b/fs/ceph/file.c
> @@ -977,6 +977,10 @@ int ceph_atomic_open(struct inode *dir, struct dentry
> *dentry,
> ceph_init_inode_acls(newino, &as_ctx);
> file->f_mode |= FMODE_CREATED;
> }
> + if ((flags & OPENAT2_REGULAR) && !d_is_reg(dentry)) {
> + err = -EFTYPE;
> + goto out_req;
> + }
^^^
This doesn't look quite right. Here's a larger chunk of the code:
-------------------------8<--------------------------
if (d_in_lookup(dentry)) {
dn = ceph_finish_lookup(req, dentry, err);
if (IS_ERR(dn))
err = PTR_ERR(dn);
} else {
/* we were given a hashed negative dentry */
dn = NULL;
}
if (err)
goto out_req;
if (dn || d_really_is_negative(dentry) || d_is_symlink(dentry)) {
/* make vfs retry on splice, ENOENT, or symlink */
doutc(cl, "finish_no_open on dn %p\n", dn);
err = finish_no_open(file, dn);
} else {
if (IS_ENCRYPTED(dir) &&
!fscrypt_has_permitted_context(dir, d_inode(dentry))) {
pr_warn_client(cl,
"Inconsistent encryption context (parent
%llx:%llx child %llx:%llx)\n",
ceph_vinop(dir), ceph_vinop(d_inode(dentry)));
goto out_req;
}
doutc(cl, "finish_open on dn %p\n", dn);
if (req->r_op == CEPH_MDS_OP_CREATE &&
req->r_reply_info.has_create_ino) {
struct inode *newino = d_inode(dentry);
cache_file_layout(dir, newino);
ceph_init_inode_acls(newino, &as_ctx);
file->f_mode |= FMODE_CREATED;
}
err = finish_open(file, dentry, ceph_open);
}
-------------------------8<--------------------------
It looks like this won't handle it correctly if the pathwalk terminates
on a symlink (re: d_is_symlink() case). You should either set up a test
ceph cluster on your own, or reach out to the ceph community and ask
them to test this.
> err = finish_open(file, dentry, ceph_open);
> }
> out_req:
> diff --git a/fs/fcntl.c b/fs/fcntl.c
> index beab8080badf..240bb511557a 100644
> --- a/fs/fcntl.c
> +++ b/fs/fcntl.c
> @@ -1169,9 +1169,9 @@ static int __init fcntl_init(void)
> * Exceptions: O_NONBLOCK is a two bit define on parisc; O_NDELAY
> * is defined as O_NONBLOCK on some platforms and not on others.
> */
> - BUILD_BUG_ON(20 - 1 /* for O_RDONLY being 0 */ !=
> + BUILD_BUG_ON(21 - 1 /* for O_RDONLY being 0 */ !=
> HWEIGHT32(
> - (VALID_OPEN_FLAGS & ~(O_NONBLOCK | O_NDELAY)) |
> + (VALID_OPENAT2_FLAGS & ~(O_NONBLOCK | O_NDELAY)) |
> __FMODE_EXEC));
>
> fasync_cache = kmem_cache_create("fasync_cache",
> diff --git a/fs/gfs2/inode.c b/fs/gfs2/inode.c
> index 8344040ecaf7..4604e2e8a9cc 100644
> --- a/fs/gfs2/inode.c
> +++ b/fs/gfs2/inode.c
> @@ -738,6 +738,12 @@ static int gfs2_create_inode(struct inode *dir, struct
> dentry *dentry,
> inode = gfs2_dir_search(dir, &dentry->d_name, !S_ISREG(mode) || excl);
> error = PTR_ERR(inode);
> if (!IS_ERR(inode)) {
> + if (file && (file->f_flags & OPENAT2_REGULAR) &&
> !S_ISREG(inode->i_mode)) {
Isn't OPENAT2_REGULAR getting masked off in ->f_flags now?
JFYI: it's quite simple to set up a single-node gfs2 fs to test this.
> + iput(inode);
> + inode = NULL;
> + error = -EFTYPE;
> + goto fail_gunlock;
> + }
> if (S_ISDIR(inode->i_mode)) {
> iput(inode);
> inode = NULL;
> diff --git a/fs/namei.c b/fs/namei.c
> index 2113958c3b7a..e557c538c238 100644
> --- a/fs/namei.c
> +++ b/fs/namei.c
> @@ -4679,6 +4679,10 @@ static int do_open(struct nameidata *nd,
> if (unlikely(error))
> return error;
> }
> +
> + if ((open_flag & OPENAT2_REGULAR) && !d_is_reg(nd->path.dentry))
> + return -EFTYPE;
> +
> if ((nd->flags & LOOKUP_DIRECTORY) && !d_can_lookup(nd->path.dentry))
> return -ENOTDIR;
>
> diff --git a/fs/nfs/dir.c b/fs/nfs/dir.c
> index ddc3789363a5..bfe9470327c8 100644
> --- a/fs/nfs/dir.c
> +++ b/fs/nfs/dir.c
> @@ -2195,6 +2195,10 @@ int nfs_atomic_open(struct inode *dir, struct dentry
> *dentry,
> break;
> case -EISDIR:
> case -ENOTDIR:
> + if (open_flags & OPENAT2_REGULAR) {
> + err = -EFTYPE;
> + break;
> + }
> goto no_open;
> case -ELOOP:
> if (!(open_flags & O_NOFOLLOW))
> diff --git a/fs/open.c b/fs/open.c
> index 681d405bc61e..a6f445f72181 100644
> --- a/fs/open.c
> +++ b/fs/open.c
> @@ -960,7 +960,7 @@ static int do_dentry_open(struct file *f,
> if (f->f_mapping->a_ops && f->f_mapping->a_ops->direct_IO)
> f->f_mode |= FMODE_CAN_ODIRECT;
>
> - f->f_flags &= ~(O_CREAT | O_EXCL | O_NOCTTY | O_TRUNC);
> + f->f_flags &= ~(O_CREAT | O_EXCL | O_NOCTTY | O_TRUNC |
> OPENAT2_REGULAR);
> f->f_iocb_flags = iocb_flags(f);
>
> file_ra_state_init(&f->f_ra, f->f_mapping->host->i_mapping);
> @@ -1183,7 +1183,7 @@ inline int build_open_flags(const struct open_how *how,
> struct open_flags *op)
> int lookup_flags = 0;
> int acc_mode = ACC_MODE(flags);
>
> - BUILD_BUG_ON_MSG(upper_32_bits(VALID_OPEN_FLAGS),
> + BUILD_BUG_ON_MSG(upper_32_bits(VALID_OPENAT2_FLAGS),
> "struct open_flags doesn't yet handle flags > 32
> bits");
>
> /*
> @@ -1196,7 +1196,7 @@ inline int build_open_flags(const struct open_how *how,
> struct open_flags *op)
> * values before calling build_open_flags(), but openat2(2) checks all
> * of its arguments.
> */
> - if (flags & ~VALID_OPEN_FLAGS)
> + if (flags & ~VALID_OPENAT2_FLAGS)
> return -EINVAL;
> if (how->resolve & ~VALID_RESOLVE_FLAGS)
> return -EINVAL;
> @@ -1235,6 +1235,8 @@ inline int build_open_flags(const struct open_how *how,
> struct open_flags *op)
> return -EINVAL;
> if (!(acc_mode & MAY_WRITE))
> return -EINVAL;
> + } else if ((flags & O_DIRECTORY) && (flags & OPENAT2_REGULAR)) {
> + return -EINVAL;
> }
> if (flags & O_PATH) {
> /* O_PATH only permits certain other flags to be set. */
> diff --git a/fs/smb/client/dir.c b/fs/smb/client/dir.c
> index 953f1fee8cb8..355681ebacf1 100644
> --- a/fs/smb/client/dir.c
> +++ b/fs/smb/client/dir.c
> @@ -222,6 +222,13 @@ static int cifs_do_create(struct inode *inode, struct
> dentry *direntry, unsigned
> goto cifs_create_get_file_info;
> }
>
> + if ((oflags & OPENAT2_REGULAR) &&
> !S_ISREG(newinode->i_mode)) {
> + CIFSSMBClose(xid, tcon, fid->netfid);
> + iput(newinode);
> + rc = -EFTYPE;
> + goto out;
> + }
> +
> if (S_ISDIR(newinode->i_mode)) {
> CIFSSMBClose(xid, tcon, fid->netfid);
> iput(newinode);
> @@ -436,11 +443,16 @@ static int cifs_do_create(struct inode *inode, struct
> dentry *direntry, unsigned
> goto out_err;
> }
>
> - if (newinode)
> + if (newinode) {
> + if ((oflags & OPENAT2_REGULAR) && !S_ISREG(newinode->i_mode)) {
> + rc = -EFTYPE;
> + goto out_err;
> + }
> if (S_ISDIR(newinode->i_mode)) {
> rc = -EISDIR;
> goto out_err;
> }
> + }
>
> d_drop(direntry);
> d_add(direntry, newinode);
> diff --git a/include/linux/fcntl.h b/include/linux/fcntl.h
> index a332e79b3207..a80026718217 100644
> --- a/include/linux/fcntl.h
> +++ b/include/linux/fcntl.h
> @@ -12,6 +12,8 @@
> FASYNC | O_DIRECT | O_LARGEFILE | O_DIRECTORY | O_NOFOLLOW | \
> O_NOATIME | O_CLOEXEC | O_PATH | __O_TMPFILE)
>
> +#define VALID_OPENAT2_FLAGS (VALID_OPEN_FLAGS | OPENAT2_REGULAR)
> +
> /* List of all valid flags for the how->resolve argument: */
> #define VALID_RESOLVE_FLAGS \
> (RESOLVE_NO_XDEV | RESOLVE_NO_MAGICLINKS | RESOLVE_NO_SYMLINKS | \
> diff --git a/include/uapi/asm-generic/errno.h
> b/include/uapi/asm-generic/errno.h
> index 92e7ae493ee3..bd78e69e0a43 100644
> --- a/include/uapi/asm-generic/errno.h
> +++ b/include/uapi/asm-generic/errno.h
> @@ -122,4 +122,6 @@
>
> #define EHWPOISON 133 /* Memory page has hardware error */
>
> +#define EFTYPE 134 /* Wrong file type for the intended
> operation */
> +
> #endif
> diff --git a/include/uapi/asm-generic/fcntl.h
> b/include/uapi/asm-generic/fcntl.h
> index 613475285643..b2c2ddd0edc0 100644
> --- a/include/uapi/asm-generic/fcntl.h
> +++ b/include/uapi/asm-generic/fcntl.h
> @@ -88,6 +88,10 @@
> #define __O_TMPFILE 020000000
> #endif
>
> +#ifndef OPENAT2_REGULAR
> +#define OPENAT2_REGULAR 040000000
> +#endif
> +
> /* a horrid kludge trying to make sure that this will fail on old kernels */
> #define O_TMPFILE (__O_TMPFILE | O_DIRECTORY)
>
> diff --git a/tools/arch/alpha/include/uapi/asm/errno.h
> b/tools/arch/alpha/include/uapi/asm/errno.h
> index 6791f6508632..1a99f38813c7 100644
> --- a/tools/arch/alpha/include/uapi/asm/errno.h
> +++ b/tools/arch/alpha/include/uapi/asm/errno.h
> @@ -127,4 +127,6 @@
>
> #define EHWPOISON 139 /* Memory page has hardware error */
>
> +#define EFTYPE 140 /* Wrong file type for the intended
> operation */
> +
> #endif
> diff --git a/tools/arch/mips/include/uapi/asm/errno.h
> b/tools/arch/mips/include/uapi/asm/errno.h
> index c01ed91b1ef4..1835a50b69ce 100644
> --- a/tools/arch/mips/include/uapi/asm/errno.h
> +++ b/tools/arch/mips/include/uapi/asm/errno.h
> @@ -126,6 +126,8 @@
>
> #define EHWPOISON 168 /* Memory page has hardware error */
>
> +#define EFTYPE 169 /* Wrong file type for the intended
> operation */
> +
> #define EDQUOT 1133 /* Quota exceeded */
>
>
> diff --git a/tools/arch/parisc/include/uapi/asm/errno.h
> b/tools/arch/parisc/include/uapi/asm/errno.h
> index 8cbc07c1903e..93194fbb0a80 100644
> --- a/tools/arch/parisc/include/uapi/asm/errno.h
> +++ b/tools/arch/parisc/include/uapi/asm/errno.h
> @@ -124,4 +124,6 @@
>
> #define EHWPOISON 257 /* Memory page has hardware error */
>
> +#define EFTYPE 258 /* Wrong file type for the intended
> operation */
> +
> #endif
> diff --git a/tools/arch/sparc/include/uapi/asm/errno.h
> b/tools/arch/sparc/include/uapi/asm/errno.h
> index 4a41e7835fd5..71940ec9130b 100644
> --- a/tools/arch/sparc/include/uapi/asm/errno.h
> +++ b/tools/arch/sparc/include/uapi/asm/errno.h
> @@ -117,4 +117,6 @@
>
> #define EHWPOISON 135 /* Memory page has hardware error */
>
> +#define EFTYPE 136 /* Wrong file type for the intended
> operation */
> +
> #endif
> diff --git a/tools/include/uapi/asm-generic/errno.h
> b/tools/include/uapi/asm-generic/errno.h
> index 92e7ae493ee3..bd78e69e0a43 100644
> --- a/tools/include/uapi/asm-generic/errno.h
> +++ b/tools/include/uapi/asm-generic/errno.h
> @@ -122,4 +122,6 @@
>
> #define EHWPOISON 133 /* Memory page has hardware error */
>
> +#define EFTYPE 134 /* Wrong file type for the intended
> operation */
> +
> #endif
--
Jeff Layton <[email protected]>
