Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1751451AbdILSzV convert rfc822-to-8bit (ORCPT <rfc822;w@1wt.eu>);
        Tue, 12 Sep 2017 14:55:21 -0400
Received: from nov-007-i584.relay.mailchannels.net ([46.232.183.138]:20359
        "EHLO nov-007-i584.relay.mailchannels.net" rhost-flags-OK-OK-OK-OK)
        by vger.kernel.org with ESMTP id S1750949AbdILSzS (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Tue, 12 Sep 2017 14:55:18 -0400
X-Sender-Id: novatrend|x-authuser|juerg@bitron.ch
X-Sender-Id: novatrend|x-authuser|juerg@bitron.ch
X-MC-Relay: Neutral
X-MailChannels-SenderId: novatrend|x-authuser|juerg@bitron.ch
X-MailChannels-Auth-Id: novatrend
X-Relation-Trouble: 42f7624a584fb00d_1505242510457_1055845027
X-MC-Loop-Signature: 1505242510457:1563369011
X-MC-Ingress-Time: 1505242510456
Message-ID: <1505242495.5111.82.camel@bitron.ch>
Subject: Re: [PATCH] prctl: add PR_[GS]ET_PDEATHSIG_PROC
From: =?ISO-8859-1?Q?J=FCrg?= Billeter <j@bitron.ch>
To: Oleg Nesterov <oleg@redhat.com>
Cc: Andrew Morton <akpm@linux-foundation.org>,
        Eric Biederman <ebiederm@xmission.com>, linux-kernel@vger.kernel.org,
        Linus Torvalds <torvalds@linux-foundation.org>,
        Michael Kerrisk <mtk.manpages@gmail.com>
Date: Tue, 12 Sep 2017 20:54:55 +0200
In-Reply-To: <20170912170544.GA32121@redhat.com>
References: <20170909094008.49983-1-j@bitron.ch>
         <20170912170544.GA32121@redhat.com>
Content-Type: text/plain; charset="UTF-8"
X-Mailer: Evolution 3.24.5 
Mime-Version: 1.0
X-AuthUser: juerg@bitron.ch
Content-Transfer-Encoding: 8BIT
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
Content-Length: 1661
Lines: 40

Hi Oleg,

Thanks for the review.

On Tue, 2017-09-12 at 19:05 +0200, Oleg Nesterov wrote:
> On 09/09, Jürg Billeter wrote:
> > Unlike
> > PR_SET_PDEATHSIG, this is inherited across fork to allow killing a whole
> > subtree without race conditions.
> 
> but I am still not sure this is right... at least I can't understand the
> "without race conditions" above.
> 
> IOW, the child can do prctl(PR_SET_PDEATHSIG_PROC, SIGKILL) right after fork(),
> why this is not enough to kill a whole subtree without race conditions?

What if the parent dies between fork() and prctl()? Besides avoiding
this race condition, it also makes it relatively easy to enforce
PDEATHSIG_PROC for all descendants of a process. You simply set
PDEATHSIG_PROC and then block further changes using seccomp (and set
no_new_privs) to avoid runaway children.

> OTOH. If you want to kill a whole sub-tree then perhaps the exiting process
> should simply send the ->pdeath_signal_proc to the whole sub-tree? Not that
> I really think this makes more sense, but if we add the new API we should
> discuss everything we can.

While this would likely work for my use case of avoiding runaway
processes, I don't think it would make sense for non-SIGKILL use cases
of cooperating processes. Inheritance across fork still allows
resetting PDEATHSIG_PROC in the child after fork and I don't expect the
parent death race to be a significant issue in the case of cooperating
processes.

> Say, CLONE_PARENT. Should it succeed if ->pdeath_signal_proc != 0 ?

Yes, I don't see an issue with that. The new process will be a sibling
and inheriting pdeath_signal_proc seems sensible to me for this.

Jürg