*: remove broken O_RESOLVE_BENEATH fallback for Linux

cyphar · cyphar · commit f49a494c9b5f · 2026-06-01T18:57:28.000+10:00
On Linux, openat(2) famously does not return an error if you pass it invalid flag bits. This was something I fixed in openat2(2) but for backward compatibility reasons, openat(2) will always silently ignore unknown O_* flags (which makes adding new ones quite painful). As a result, the fallback path added by commits e1c5f0e ("t_chmod_secure: probe kernel RESOLVE_BENEATH at runtime; drop test skip") and commit 7f60ec0 ("syscall: also use O_RESOLVE_BENEATH on FreeBSD and MacOS") would always return sucess and could cause spurious test failures so we can just remove it. O_RESOLVE_BENEATH will never get added to Linux for this reason, and anyone doing so out-of-tree is just creating a massive foot-gun so there is no need to entertain such broken kernels. Fixes: 7f60ec0 ("syscall: also use O_RESOLVE_BENEATH on FreeBSD and MacOS") Fixes: e1c5f0e ("t_chmod_secure: probe kernel RESOLVE_BENEATH at runtime; drop test skip") Signed-off-by: Aleksa Sarai <aleksa@amutable.com>
diff --git a/syscall.c b/syscall.c
@@ -1815,9 +1815,7 @@ int secure_relative_open(const char *basedir, const char *relpath, int flags, mo
 		if (fd != -1 || errno != ENOSYS)
 			return fd;
 	}
-#endif
-
-#ifdef O_RESOLVE_BENEATH
+#elif defined(O_RESOLVE_BENEATH)
 	return secure_relative_open_resolve_beneath(basedir, relpath, flags, mode);
 #endif
 
diff --git a/t_chmod_secure.c b/t_chmod_secure.c
@@ -45,23 +45,21 @@ static int errs = 0;
 static int kernel_resolve_beneath_supported(void)
 {
 	int fd;
-#ifdef __linux__
-	{
-		struct open_how how;
-		memset(&how, 0, sizeof how);
-		how.flags = O_RDONLY | O_DIRECTORY;
-		how.resolve = RESOLVE_BENEATH | RESOLVE_NO_MAGICLINKS;
-		fd = syscall(SYS_openat2, AT_FDCWD, ".", &how, sizeof how);
-		if (fd >= 0) {
-			close(fd);
-			return 1;
-		}
-		/* ENOSYS = kernel < 5.6.  Fall through to the O_RESOLVE_BENEATH
-		 * probe in case we're a Linux build running on a kernel that
-		 * gained O_RESOLVE_BENEATH via some out-of-tree backport. */
+#if defined __linux__
+	struct open_how how;
+	memset(&how, 0, sizeof how);
+	how.flags = O_RDONLY | O_DIRECTORY;
+	how.resolve = RESOLVE_BENEATH | RESOLVE_NO_MAGICLINKS;
+	fd = syscall(SYS_openat2, AT_FDCWD, ".", &how, sizeof how);
+	if (fd >= 0) {
+		close(fd);
+		return 1;
 	}
-#endif
-#ifdef O_RESOLVE_BENEATH
+	/* O_RESOLVE_BENEATH is not defined on Linux, and even if it were, Linux's
+	 * openat(2) does not return -EINVAL for unknown flag bits and so if
+	 * O_RESOLVE_BENEATH happened to get defined somehow, the following
+	 * fallback would always return success. */
+#elif defined O_RESOLVE_BENEATH
 	fd = openat(AT_FDCWD, ".", O_RDONLY | O_DIRECTORY | O_RESOLVE_BENEATH);
 	if (fd >= 0) {
 		close(fd);
