Received: by 2002:ac0:98c7:0:0:0:0:0 with SMTP id g7-v6csp5342496imd; Tue, 30 Oct 2018 16:12:49 -0700 (PDT) X-Google-Smtp-Source: AJdET5cKOqkfk3DkA9/IxW+P+98NOtOfyfUSwtcHyaKRxQZ56z+gCaZ62WoPSOIfWo+BQR7Z3kOd X-Received: by 2002:a17:902:6e08:: with SMTP id u8-v6mr736484plk.64.1540941169287; Tue, 30 Oct 2018 16:12:49 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1540941169; cv=none; d=google.com; s=arc-20160816; b=M8sPgIDyUlzKszsKyi46yMJE9Mam/w8tNFIAakFwYpB2DpImEFD+sPnQMTwoqOOfex lCi2SD1Nwf1IPLi5+23P++QPPeJ9P3udS/xBbfc4N/swWyAn89Vd2dvFiWYOk5olTj2a Yu3aSpvnPIZcjpKin7Vxw5w5R7dYOp17vtd3MysCss4of1y6B7zwCIHIWU0ZZxixPK6A B4a+JsmofICTK87OkqHZa8/T9abmHVR0o0ZBBQVdIZACZpvqpw4EcIHEXxzE2bGGDvyY M79hKPXlTQn1smXMvkKU0FpyGrKAH18ZDkdavDkv3242GLVCGUH4I1hP5JAEGQtRl2eo 6X0Q== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :references:in-reply-to:mime-version:dkim-signature; bh=uyNmxWgVjtCDcTKlEYTWilkBglVV2Ve0yeaY0nXKyx0=; b=V9SeydIc+/GXsl+iVQnC7PNCpONmj9aq3hvnvLgcMiwcso7JtwZ3ZAnA2hG0knSQxx wLqn4n1UDl2lLN0gVa67n8WGm0mGbEF397Zj8spTydzA/2Jbw6gl4p78KaG9lPeu/5IM oIE8O/0oWlmgoFqgUW3O0UcNx3Q3nZRXJXGdoHmDqbaqVIy8/42OdSis+sqZscIj01eC jaKG1dhVarPhm+StEma6jUFfF5d9KM+jvQPjk1TUVG24vepZzbG3ctb/mtWqGBrz1kJk f+IusJXnT9fdwcOEtZGjKG1tWJ3lCBWZXAsQWP+Kbc9YNrRloI+9LaAj6iO69VG4S5Ry Sv0w== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=HxA8N5Z5; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id k135-v6si9441690pfd.239.2018.10.30.16.12.33; Tue, 30 Oct 2018 16:12:49 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=HxA8N5Z5; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728625AbeJaIGT (ORCPT + 99 others); Wed, 31 Oct 2018 04:06:19 -0400 Received: from mail-vs1-f65.google.com ([209.85.217.65]:39043 "EHLO mail-vs1-f65.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727430AbeJaIGS (ORCPT ); Wed, 31 Oct 2018 04:06:18 -0400 Received: by mail-vs1-f65.google.com with SMTP id h78so7802542vsi.6 for ; Tue, 30 Oct 2018 16:10:49 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=uyNmxWgVjtCDcTKlEYTWilkBglVV2Ve0yeaY0nXKyx0=; b=HxA8N5Z5b3dxflo9UiRMfqQ7f3t85wA1ta9xqNLLEU+PJrAh/RFqc8Vzx4DLig5fKL Etrxv/z8JASsncWUwrmJUDIg1a8wjZ0z/py8wtqsws4pNr+f2EqccClxb2+d5AG3wiAw 0qk4v1Vi4bhgj2UFi8Ir/JTMxgAMjN7RkhUa7S1Iy7PeovVJaqtIerGZp2jB5dG91B5N XizrOUrfaX27gxfjeSuHVGMMNm7utP9YhcJItpezTFwfMoSs0rWdr6Eg4MhSZLdPxZkg T7BD/swMCFb0sy55QEdXgBc6t1wEZbJAlytmuzEKDEKmeNIzr/R50KfSxE6nt3Zu4atZ etZw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=uyNmxWgVjtCDcTKlEYTWilkBglVV2Ve0yeaY0nXKyx0=; b=hvGDIkCNJxYUJ0oeJAI/Pqu+i0CikNeXWNpAO7B5fMDIrDE0KFT1zhfBL9F+N+qN2g vojmVYuhjep7zwYu9Ga8Gxfh+iwz7p/Ij5y8HNmtmyAyrGTDE+lQuGh/vjPR1aV7DZXp AlunEQbPRPwPGZTimcv8rdGqsmzNNr/S8zWK3iN9jogrrwhpDr7dc9y4OpaKauOht0L+ mDPMqKOfT/JU4Mn08GEk9jCP6iVUv1vtSpj0ruO1Dk4MzGK8LlTRxBDf9pL6Jh7fJTdg mhQoJdxgLYnosuFVanjjGB0bgDIG2q+3IXLIorxoBZ0VZbi2KeiOR1NuS90HA2PlQEgp RhNw== X-Gm-Message-State: AGRZ1gIwkEgEpBnVeips3utTppecejKGo/UajFBy8LuWrwGlpNzW9+JX I56/E9c5i2pber8tMmEvGVLnTBX6k1sGMZGwcRLgTQ== X-Received: by 2002:a67:6e87:: with SMTP id j129mr313033vsc.171.1540941048268; Tue, 30 Oct 2018 16:10:48 -0700 (PDT) MIME-Version: 1.0 Received: by 2002:a67:f48d:0:0:0:0:0 with HTTP; Tue, 30 Oct 2018 16:10:47 -0700 (PDT) In-Reply-To: <20181030223343.GB105735@joelaf.mtv.corp.google.com> References: <20181029221037.87724-1-dancol@google.com> <20181030050012.u43lcvydy6nom3ul@yavin> <20181030204501.jnbe7dyqui47hd2x@yavin> <20181030214243.GB32621@google.com> <20181030222339.ud4wfp75tidowuo4@yavin> <20181030223343.GB105735@joelaf.mtv.corp.google.com> From: Daniel Colascione Date: Tue, 30 Oct 2018 23:10:47 +0000 Message-ID: Subject: Re: [RFC PATCH] Implement /proc/pid/kill To: Joel Fernandes Cc: Aleksa Sarai , linux-kernel , Tim Murray , Suren Baghdasaryan Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Tue, Oct 30, 2018 at 10:33 PM, Joel Fernandes wrote: > On Wed, Oct 31, 2018 at 09:23:39AM +1100, Aleksa Sarai wrote: >> On 2018-10-30, Joel Fernandes wrote: >> > On Wed, Oct 31, 2018 at 07:45:01AM +1100, Aleksa Sarai wrote: >> > [...] >> > > > > (Unfortunately >> > > > > there are lots of things that make it a bit difficult to use /proc/$pid >> > > > > exclusively for introspection of a process -- especially in the context >> > > > > of containers.) >> > > > >> > > > Tons of things already break without a working /proc. What do you have in mind? >> > > >> > > Heh, if only that was the only blocker. :P >> > > >> > > The basic problem is that currently container runtimes either depend on >> > > some non-transient on-disk state (which becomes invalid on machine >> > > reboots or dead processes and so on), or on long-running processes that >> > > keep file descriptors required for administration of a container alive >> > > (think O_PATH to /dev/pts/ptmx to avoid malicious container filesystem >> > > attacks). Usually both. >> > > >> > > What would be really useful would be having some way of "hiding away" a >> > > mount namespace (of the pid1 of the container) that has all of the >> > > information and bind-mounts-to-file-descriptors that are necessary for >> > > administration. If the container's pid1 dies all of the transient state >> > > has disappeared automatically -- because the stashed mount namespace has >> > > died. In addition, if this was done the way I'm thinking with (and this >> > > is the contentious bit) hierarchical mount namespaces you could make it >> > > so that the pid1 could not manipulate its current mount namespace to >> > > confuse the administrative process. You would also then create an >> > > intermediate user namespace to help with several race conditions (that >> > > have caused security bugs like CVE-2016-9962) we've seen when joining >> > > containers. >> > > >> > > Unfortunately this all depends on hierarchical mount namespaces (and >> > > note that this would just be that NS_GET_PARENT gives you the mount >> > > namespace that it was created in -- I'm not suggesting we redesign peers >> > > or anything like that). This makes it basically a non-starter. >> > > >> > > But if, on top of this ground-work, we then referenced containers >> > > entirely via an fd to /proc/$pid then you could also avoid PID reuse >> > > races (as well as being able to find out implicitly whether a container >> > > has died thanks to the error semantics of /proc/$pid). And that's the >> > > way I would suggest doing it (if we had these other things in place). >> > >> > I didn't fully follow exactly what you mean. If you can explain for the >> > layman who doesn't know much experience with containers.. >> > >> > Are you saying that keeping open a /proc/$pid directory handle is not >> > sufficient to prevent PID reuse while the proc entries under /proc/$pid are >> > being looked into? If its not sufficient, then isn't that a bug? If it is >> > sufficient, then can we not just keep the handle open while we do whatever we >> > want under /proc/$pid ? >> >> Sorry, I went on a bit of a tangent about various internals of container >> runtimes. My main point is that I would love to use /proc/$pid because >> it makes reuse handling very trivial and is always correct, but that >> there are things which stop us from being able to use it for everything >> (which is what my incoherent rambling was on about). > > Ok thanks. So I am guessing if the following sequence works, then Dan's patch is not > needed. > > 1. open /proc/ directory > 2. inspect /proc/ or do whatever with > 3. Issue the kill on > 4. Close the /proc/ directory opened in step 1. > > So unless I missed something, the above sequence will not cause any PID reuse > races. Keeping a /proc/$PID directory file descriptor open does not prevent $PID being used to name some other process. If it could, you could pretty quickly fill a whole system's process table. See the program below, which demonstrates the PID collision. I think Aleksa's larger point is that it's useful to treat processes as other file-descriptor-named, poll-able, wait-able resources. Consistency is important. A process is just another system resource, and like any other system resource, you should be open to hold a file descriptor to it and do things to that process via that file descriptor. The precise form of this process-handle FD is up for debate. The existing /proc/$PID directory FD is a good candidate for a process handle FD, since it does almost all of what's needed. But regardless of what form a process handle FD takes, we need it. I don't see a case for continuing to treat processes in a non-unixy, non-file-descriptor-based manner. #include #include #include #include #include #include #include #include int main() { int child_pid = fork(); if (child_pid < 0) abort(); char buf[64]; int child_procfs_fd; if (child_pid == 0) { for (;;) pause(); abort(); } printf("child PID is %d\n", child_pid); sprintf(buf, "/proc/%d", child_pid); child_procfs_fd = open(buf, O_DIRECTORY | O_RDONLY); if (child_procfs_fd < 0) abort(); printf("FD# of open /proc/%d is %d\n", child_pid, child_procfs_fd); printf("killing child with SIGKILL\n"); kill(child_pid, SIGKILL); if (wait(NULL) != child_pid) abort(); printf("child is now dead. PROCFS FD STILL OPEN\n"); for (;;) { int new_child_pid = fork(); if (new_child_pid < 0) abort(); if (new_child_pid == 0) _exit(0); // printf("new child PID: %d\n", new_child_pid); if (wait(NULL) != new_child_pid) abort(); if (new_child_pid == child_pid) { printf("FOUND PID COLLISION %d\n", child_pid); printf("old child had pid %d. new, " "different child has pid %d. " "procfs directory for old child still open!\n", child_pid, child_pid); break; } } return 0; }