From: Jann Horn
Date: Tue, 31 Jul 2018 18:26:02 +0200
Subject: Re: [PATCH] prctl: add PR_[GS]ET_KILLABLE
To: j@bitron.ch
Cc: Andrew Morton, Oleg Nesterov, "Eric W. Biederman", Linux API, kernel list
In-Reply-To: <20180730075241.24002-1-j@bitron.ch>
X-Mailing-List: linux-kernel@vger.kernel.org

On Mon, Jul 30, 2018 at 10:01 AM Jürg Billeter wrote:
>
> PR_SET_KILLABLE clears the SIGNAL_UNKILLABLE flag. This allows
> CLONE_NEWPID tasks to restore normal signal behavior, opting out of the
> special signal protection for init processes.
>
> This is required for job control in a shell that uses CLONE_NEWPID for
> child processes.
>
> This prctl does not allow setting the SIGNAL_UNKILLABLE flag, only
> clearing.
>
> Signed-off-by: Jürg Billeter
> ---
[...]
> diff --git a/kernel/sys.c b/kernel/sys.c
> index 38509dc1f77b..264de630d548 100644
> --- a/kernel/sys.c
> +++ b/kernel/sys.c
[...]
> +	case PR_SET_KILLABLE:
> +		if (arg2 != 1 || arg3 || arg4 || arg5)
> +			return -EINVAL;
> +		me->signal->flags &= ~SIGNAL_UNKILLABLE;
> +		break;

I don't have an opinion on this patchset otherwise, but should this
prctl maybe block PR_SET_KILLABLE if you're actually the real init
process? This seems like it could potentially lead to weird things.

This code in kernel/fork.c seems to rely on the fact that global init
is SIGNAL_UNKILLABLE, and probably also leads to weirdness if
container init is non-SIGNAL_UNKILLABLE:

	/*
	 * Siblings of global init remain as zombies on exit since they are
	 * not reaped by their parent (swapper). To solve this and to avoid
	 * multi-rooted process trees, prevent global and container-inits
	 * from creating siblings.
	 */
	if ((clone_flags & CLONE_PARENT) &&
				current->signal->flags & SIGNAL_UNKILLABLE)
		return ERR_PTR(-EINVAL);
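
Review bot: the PR_SET_KILLABLE case in kernel/sys.c clears SIGNAL_UNKILLABLE on me->signal->flags for any caller, and nothing in the visible lines excludes the global init task, whose SIGNAL_UNKILLABLE state the CLONE_PARENT test quoted from kernel/fork.c depends on. Consider rejecting the call before the "me->signal->flags &= ~SIGNAL_UNKILLABLE;" line when the caller is global init, for example with an is_global_init(me) check that returns an error. The same line is a read-modify-write of signal->flags with no lock taken in the visible lines; other updates of that field are done under sighand->siglock, so this one should be wrapped in spin_lock_irq(&me->sighand->siglock) and the matching unlock. A short comment at the case label stating that the flag can only be cleared, never set, would keep the one-way design from the commit message visible in the code.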