Message-ID: <922baeb3d6d6387c480026fc3a6ca01d915f60a5.camel@bitron.ch>
Subject: Re: [PATCH] prctl: add PR_[GS]ET_KILLABLE
From: Jürg Billeter
To: Oleg Nesterov
Cc: Andrew Morton, Eric Biederman, linux-api@vger.kernel.org, linux-kernel@vger.kernel.org
Date: Mon, 30 Jul 2018 21:32:54 +0200
In-Reply-To: <20180730101659.GA24781@redhat.com>
References: <20180730075241.24002-1-j@bitron.ch> <20180730101659.GA24781@redhat.com>

On Mon, 2018-07-30 at 12:17 +0200, Oleg Nesterov wrote:
> On 07/30, Jürg Billeter wrote:
> >
> > This is required for job control in a shell that uses CLONE_NEWPID for
> > child processes.
>
> Could you explain in more details?

The SIGNAL_UNKILLABLE flag, which is implicitly set for tasks cloned with CLONE_NEWPID, has the effect of ignoring all signals (from userspace) if the corresponding handler is set to SIG_DFL. The only exceptions are SIGKILL and SIGSTOP and they are only accepted if raised from an ancestor namespace.

SIGINT, SIGQUIT and SIGTSTP are used in job control for ^C, ^\, ^Z. While a task with the SIGNAL_UNKILLABLE flag could install handlers for these signals, this is not sufficient to implement a shell that uses CLONE_NEWPID for child processes:

* As SIGSTOP is ignored when raised from the SIGNAL_UNKILLABLE process itself, I don't think it's possible to implement the stop action in a custom SIGTSTP handler.
* Many applications do not install handlers for these signals and thus, job control won't work properly with unmodified applications.

Job control in a shell is just an example. There are other scenarios, of course, where applications rely on the default actions as described in signal(7), and PID isolation may be useful.

In my opinion, the kernel support for preventing accidental killing of the "init" process should really be optional and this new prctl provides this without breaking backward compatibility.

> > + case PR_SET_KILLABLE: > > + if (arg2 != 1 || arg3 || arg4 || arg5) > > + return -EINVAL; > > + me->signal->flags &= ~SIGNAL_UNKILLABLE;
>
> this needs spin_lock_irq(me->sighand->siglock).

Thanks for the review, will fix this for v2.

Jürg
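
Review bot: the me->signal->flags &= ~SIGNAL_UNKILLABLE line in the PR_SET_KILLABLE case is an unlocked read-modify-write on flags that the whole thread group shares, so a concurrent update of another bit in signal->flags can be lost or can undo this clear; do it between spin_lock_irq(&me->sighand->siglock) and spin_unlock_irq(&me->sighand->siglock). The argument check accepts only arg2 == 1, so the visible lines offer no way to set the flag again; a comment or the prctl documentation should state that the operation is one-way and that it exposes the namespace init to default signal actions.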
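
The signal behaviour described in the reply above, as an added example that is not part of the original message or the patch: a child that becomes PID 1 of a new PID namespace sends itself a signal whose disposition is SIG_DFL and survives, while an ordinary child is killed by the same signal. It assumes Linux with unprivileged user namespaces available (otherwise the function reports -1); the function and enum names are made up for this illustration.

```c
#include <signal.h>
#include <stdio.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

#ifndef CLONE_NEWUSER            /* flag values as in the kernel's <linux/sched.h> */
#define CLONE_NEWUSER 0x10000000
#define CLONE_NEWPID  0x20000000
#endif

enum { NS_UNAVAILABLE = -1, SURVIVED = 42, SETUP_FAILED = 100 };

/* Fork a child that sends `sig` to itself with the default disposition; with
 * new_pidns set, that child is PID 1 of a fresh PID namespace. Returns SURVIVED,
 * the number of the signal that killed the child, or NS_UNAVAILABLE. */
int self_signal_result(int new_pidns, int sig)
{
    int st;
    pid_t helper = fork();
    if (helper < 0)
        return NS_UNAVAILABLE;
    if (helper == 0) {
        /* After unshare(CLONE_NEWPID) the next fork() creates the namespace init. */
        if (new_pidns && syscall(SYS_unshare, CLONE_NEWUSER | CLONE_NEWPID) != 0)
            _exit(SETUP_FAILED);
        pid_t child = fork();
        if (child < 0)
            _exit(SETUP_FAILED);
        if (child == 0) {
            signal(sig, SIG_DFL);
            kill(getpid(), sig);   /* dropped when SIGNAL_UNKILLABLE is set */
            _exit(SURVIVED);       /* reached only if the signal was ignored */
        }
        if (waitpid(child, &st, 0) != child)
            _exit(SETUP_FAILED);
        _exit(WIFSIGNALED(st) ? WTERMSIG(st) : WEXITSTATUS(st));
    }
    if (waitpid(helper, &st, 0) != helper || !WIFEXITED(st))
        return NS_UNAVAILABLE;
    return WEXITSTATUS(st) == SETUP_FAILED ? NS_UNAVAILABLE : WEXITSTATUS(st);
}

int main(void)
{
    printf("plain child: %d, namespace init: %d\n",
           self_signal_result(0, SIGTERM), self_signal_result(1, SIGTERM));
    return 0;
}
```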