Received: by 2002:ac0:98c7:0:0:0:0:0 with SMTP id g7-v6csp4452816imd; Tue, 30 Oct 2018 02:06:24 -0700 (PDT) X-Google-Smtp-Source: AJdET5dVaQivl6ss2CwpmLEKV7G7lzOX451k7nweVonl++2b5QIu9dxxMqo2jweNCpudiRTQPXHK X-Received: by 2002:a62:7a92:: with SMTP id v140-v6mr2082836pfc.46.1540890384654; Tue, 30 Oct 2018 02:06:24 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1540890384; cv=none; d=google.com; s=arc-20160816; b=wnkrBRxTgN5w9VPwHUpsN4O3C9XTI8I9G/yAG77rPnAFbVmVINS4Z8Ig4hu+RuqMte UmqceR8ZHSzARenajksrtrsAV3Gpmayt4CHLvkb6eP3UPtLGjZVQNLUnx/VmXveVljRU BLTQAwJUrEKaxVge6TAON1QhwcgOuDxbzeKJqLFj7Hg7yaYrvQqzZI+YGrUdCxFUf2qd mUasKmyFGT0Xf3EFh6VmCDo2u1TFRA4kdSsuSJQf1nbNCPlBMVUHPSlzyS0QBmUNXFDG Pr1rqcbDDd9RTtjvFER1Uc+PoYIp4dY+bYBqBbwhZbgoZ9+74p1cokdcioL8k4JQLd42 9i+w== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :references:in-reply-to:mime-version:dkim-signature; bh=d3YLst5mplhWMnLhgzmmxsCqH/L2WlFYlnekXkYUKCI=; b=y5CNOENATw0Ra0RNeoIocIHiWoIUYWirp70l5XMRP6GdiZ/8R45/kpPXOww9ahjGat Fp8coT+sbVaNUS+0ALWgQycCjO66e7PvSbgikR+X4NrcXlNy4UtORJZ+f9JQx1LsAYn4 hARfhXH2W3ycDnmHwdkl7T4r3MR+bV49A988veirIz17WuAqWMiuZnMrV/G2tDYJ2rxY S4vMEeLj3+PZsQUTMrTpXZFEvfqc9gnc68eF8EN5ImQoz/0aE3/twafDDAWhraJXzu1v RlTD+jZiGSQvjulEc4k3xOCO/xJkgmMT/9UxspYN/EAsrYY45mpMHsJO2eLrp9+giWOz AewQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=gkQTKI1J; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id o13-v6si22809832pgh.61.2018.10.30.02.06.08; Tue, 30 Oct 2018 02:06:24 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=gkQTKI1J; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727020AbeJ3R56 (ORCPT + 99 others); Tue, 30 Oct 2018 13:57:58 -0400 Received: from mail-vk1-f196.google.com ([209.85.221.196]:42461 "EHLO mail-vk1-f196.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726172AbeJ3R55 (ORCPT ); Tue, 30 Oct 2018 13:57:57 -0400 Received: by mail-vk1-f196.google.com with SMTP id m199-v6so2796404vke.9 for ; Tue, 30 Oct 2018 02:05:22 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=d3YLst5mplhWMnLhgzmmxsCqH/L2WlFYlnekXkYUKCI=; b=gkQTKI1JZmqDQ4HT9C7xcdjdCWDztG3b1bf2gX2kEXJqM2yLzo2+FjxeiIXzpBHQgJ DaPrbe9yxPKfi2dJ+M2qbGdNtXKgKT1WF6tXCViPCO/D8sHXthWmTsXoul8Zy1+3mxxn gUGXTma+NUMSayOMLUJ0m87aGwYu/CHjDzaLVk3QmJnHc0FPq75/3Z3j6Df7UqFcIPDY 7UNoyXWoqjpkdbvVLBWcjia6ZCKeiz90KKvcO8MNyII/udoSXPNvWfbNqGHMrlFfOeBx os6RpzYiMKleYEXF+UcNjzd1FdnvlMtSNluTvrBd0mosGL2iWVwz2AxZHrsgW7cjx/j3 vBbg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=d3YLst5mplhWMnLhgzmmxsCqH/L2WlFYlnekXkYUKCI=; b=Xf22AOXWlST39IMaF90k3aMF6K36rbJjR8uX4vAa2Do3MNzgiA3q23KTyEOvJCt5BD MFHHrR6k67PhPXebyAKtUT5rox+jBi+tNBEzBgVeIstcRD3OY2tgVG3q+4B44qfNdxUa +WXN0pMwbkSL797J8GYt2FtGDL4G1bLW7LTsKXmu9cbWtFyivof+aoGj0nd3oAm0YyYu JrVoGCY3XsF6G6p588JTQog9xg91SKPViBL8xt3XdY+UfGvoDxsLeE/277YCdOkThy9l k99C8qE6SVmGf3W1io3V/Q++B+PuqtFLJKzG+S+hi+AAXQiALjSykncmrp+FjwCFi4iH 8kTQ== X-Gm-Message-State: AGRZ1gIpaklMxa+hSkD7qP5fbZ8mNl7sx/ZvlZlGyBuiA1/aFfOE6hky HpOtipxkJpPU0VGlJ+uCVi36h9rp6B1s7R1n32foLSjenipSZA== X-Received: by 2002:a1f:1144:: with SMTP id 65mr536268vkr.54.1540890321836; Tue, 30 Oct 2018 02:05:21 -0700 (PDT) MIME-Version: 1.0 Received: by 2002:a67:f492:0:0:0:0:0 with HTTP; Tue, 30 Oct 2018 02:05:20 -0700 (PDT) In-Reply-To: <20181030050012.u43lcvydy6nom3ul@yavin> References: <20181029221037.87724-1-dancol@google.com> <20181030050012.u43lcvydy6nom3ul@yavin> From: Daniel Colascione Date: Tue, 30 Oct 2018 09:05:20 +0000 Message-ID: Subject: Re: [RFC PATCH] Implement /proc/pid/kill To: Aleksa Sarai Cc: linux-kernel , Tim Murray , Joel Fernandes , Suren Baghdasaryan Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Tue, Oct 30, 2018 at 5:00 AM, Aleksa Sarai wrote: > On 2018-10-29, Daniel Colascione wrote: >> Add a simple proc-based kill interface. To use /proc/pid/kill, just >> write the signal number in base-10 ASCII to the kill file of the >> process to be killed: for example, 'echo 9 > /proc/$$/kill'. >> >> Semantically, /proc/pid/kill works like kill(2), except that the >> process ID comes from the proc filesystem context instead of from an >> explicit system call parameter. This way, it's possible to avoid races >> between inspecting some aspect of a process and that process's PID >> being reused for some other process. > > (Aside from any UX concerns other folks might have.) > > I think it would be a good idea to (at least temporarily) restrict this > so that only processes that are in the same PID namespace as the /proc > being resolved through may use this interface. Otherwise you might have > cases where partial container breakouts can start sending signals to > PIDs they wouldn't normally be able to address. That's a good idea. >> With /proc/pid/kill, it's possible to write a proper race-free and >> safe pkill(1). An approximation follows. A real program might use >> openat(2), having opened a process's /proc/pid directory explicitly, >> with the directory file descriptor serving as a sort of "process >> handle". > > I do like the idea of holding a dirfd to /proc/$pid to address > processes, and it something I considered doing in runc. I did think about explicit system calls to create userspace struct pid references, independent of proc --- something like open_process(int pid). But when we already have procfs, which is already a way of getting struct pid references, why add a new interface? Granted, not everyone has /proc mounted. One idea add a special PROCFS_FD constant (say, -2) that you would supply to openat(2) as dirfd. When openat(2) saw PROCFS_FD, it'd interpret the open as relative to procfs whether or not /proc were actually mounted anywhere. This facility would let you open a "proc" file from anywhere even without the right mounts set up. > (Unfortunately > there are lots of things that make it a bit difficult to use /proc/$pid > exclusively for introspection of a process -- especially in the context > of containers.) Tons of things already break without a working /proc. What do you have in mind?