Received: by 2002:ac0:98c7:0:0:0:0:0 with SMTP id g7-v6csp5591157imd;
        Tue, 30 Oct 2018 21:48:53 -0700 (PDT)
X-Google-Smtp-Source: AJdET5eDCUpb3LbodrGrSiav4sMo4nn7SB4loSxAbXGCPotdtsFnnR8Hk+2txMuBhKSoXiT0jH0A
X-Received: by 2002:a17:902:509:: with SMTP id 9-v6mr1697298plf.3.1540961332942;
        Tue, 30 Oct 2018 21:48:52 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1540961332; cv=none;
        d=google.com; s=arc-20160816;
        b=PPjre6rL0w6LrnAX+OAaG41QDbrvFHN3wy7Fd/ZmT1KejJc6uRMD3s8EeBQy0W5eoo
         GZnbPn6rVi55u9uMAXCgyNI9QjStU0RWfnlC1bRNPwGo1/0sP/u5SWP9XxrQHo87gWTK
         TH/Vfj8WhXXDm8n75Y8XY1davaRrb4azFfCLtg12hc5EcPUEKNoNadUqQQ/1fq2eRlKY
         PSHerbZrHGDCBJ1l+3O8XB08LiOlOSqNb/tK+d+wbvPsVHGp4zJABExSDWAsHxQUpGKI
         DKf3CYsbXOosiyBdUdRo7Dy9ofx6I+nrSO7NBUhWdnt6RQ2FGr9sC7VImxYxRLyZBdFo
         K7ZA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:subject:mime-version:user-agent
         :message-id:in-reply-to:date:references:cc:to:from;
        bh=E+9f9FSmYYD3nNmWxJx7xAixsokon8jMQG0dtTtk6yA=;
        b=taVMQdxUM/AyXqhYQYkpN8Hw1jPhq+moivQy9af0iRboF5H06BL5oZdqRcaIAptthh
         Pn5otrB2dT7N2ePaGq2bhfrJodvx09QRKHivv+tRSddpFw96kqmKuzTfpbPw4MiPNnHc
         eBvI1eJ+XwBIS4T/ogrH0MluuNGJPCgvTu8k9FjeT1gjsU0udjKjKxSRDwPzQ887Uq2R
         Z9lFPj6Z53ZEe8/X/B+3m7xzn/t+jY10NMzKnNW4Q4sjlhkevmQnwT7ZXXsEmqtOxP+1
         x1dYccM1cyp1VDKhSXQQxIMd2/blAPje6EvjhOUxHQk9K7H9vTtQV5Yiq3Tt97M99aQS
         0i5g==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=xmission.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id r3-v6si26669760pga.321.2018.10.30.21.48.37;
        Tue, 30 Oct 2018 21:48:52 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=xmission.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1729126AbeJaNok (ORCPT <rfc822;xuyizhaos@gmail.com> + 99 others);
        Wed, 31 Oct 2018 09:44:40 -0400
Received: from out03.mta.xmission.com ([166.70.13.233]:47740 "EHLO
        out03.mta.xmission.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1729021AbeJaNok (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Wed, 31 Oct 2018 09:44:40 -0400
Received: from in01.mta.xmission.com ([166.70.13.51])
        by out03.mta.xmission.com with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128)
        (Exim 4.87)
        (envelope-from <ebiederm@xmission.com>)
        id 1gHiQP-00036Z-2M; Tue, 30 Oct 2018 22:48:13 -0600
Received: from 67-3-154-154.omah.qwest.net ([67.3.154.154] helo=x220.xmission.com)
        by in01.mta.xmission.com with esmtpsa (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128)
        (Exim 4.87)
        (envelope-from <ebiederm@xmission.com>)
        id 1gHiQO-00060O-Ec; Tue, 30 Oct 2018 22:48:12 -0600
From:   ebiederm@xmission.com (Eric W. Biederman)
To:     Aleksa Sarai <cyphar@cyphar.com>
Cc:     Daniel Colascione <dancol@google.com>,
        linux-kernel@vger.kernel.org, timmurray@google.com,
        joelaf@google.com, surenb@google.com
References: <20181029221037.87724-1-dancol@google.com>
        <20181030050012.u43lcvydy6nom3ul@yavin>
Date:   Tue, 30 Oct 2018 23:47:42 -0500
In-Reply-To: <20181030050012.u43lcvydy6nom3ul@yavin> (Aleksa Sarai's message
        of "Tue, 30 Oct 2018 16:00:12 +1100")
Message-ID: <8736sm3eoh.fsf@xmission.com>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/25.1 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain
X-XM-SPF: eid=1gHiQO-00060O-Ec;;;mid=<8736sm3eoh.fsf@xmission.com>;;;hst=in01.mta.xmission.com;;;ip=67.3.154.154;;;frm=ebiederm@xmission.com;;;spf=neutral
X-XM-AID: U2FsdGVkX1/FZiJnpy7KYFhIbHPkPm2qPZFNP6dh+uI=
X-SA-Exim-Connect-IP: 67.3.154.154
X-SA-Exim-Mail-From: ebiederm@xmission.com
X-Spam-Checker-Version: SpamAssassin 3.4.1 (2015-04-28) on sa08.xmission.com
X-Spam-Level: 
X-Spam-Status: No, score=-1.0 required=8.0 tests=ALL_TRUSTED,BAYES_40,
        DCC_CHECK_NEGATIVE,TVD_RCVD_IP,T_TM2_M_HEADER_IN_MSG autolearn=disabled
        version=3.4.1
X-Spam-Report: * -1.0 ALL_TRUSTED Passed through trusted hosts only via SMTP
        * -0.0 BAYES_40 BODY: Bayes spam probability is 20 to 40%
        *      [score: 0.3887]
        *  0.0 TVD_RCVD_IP Message was received from an IP address
        *  0.0 T_TM2_M_HEADER_IN_MSG BODY: No description available.
        * -0.0 DCC_CHECK_NEGATIVE Not listed in DCC
        *      [sa08 1397; Body=1 Fuz1=1 Fuz2=1]
X-Spam-DCC: XMission; sa08 1397; Body=1 Fuz1=1 Fuz2=1 
X-Spam-Combo: ;Aleksa Sarai <cyphar@cyphar.com>
X-Spam-Relay-Country: 
X-Spam-Timing: total 161 ms - load_scoreonly_sql: 0.04 (0.0%),
        signal_user_changed: 5 (3.2%), b_tie_ro: 3.6 (2.3%), parse: 1.12 (0.7%),
        extract_message_metadata: 12 (7.3%), get_uri_detail_list: 1.36 (0.8%),
        tests_pri_-1000: 4.8 (3.0%), tests_pri_-950: 1.09 (0.7%), tests_pri_-900:
        1.00 (0.6%), tests_pri_-90: 19 (11.8%), check_bayes: 18 (10.9%), b_tokenize:
        3.9 (2.4%), b_tok_get_all: 6 (3.8%), b_comp_prob: 1.56 (1.0%),
        b_tok_touch_all: 3.2 (2.0%), b_finish: 0.90 (0.6%), tests_pri_0: 107 (66.6%),
        check_dkim_signature: 0.38 (0.2%), check_dkim_adsp: 2.9 (1.8%), tests_pri_10:
        1.72 (1.1%), tests_pri_500: 5 (3.3%), rewrite_mail: 0.00 (0.0%)
Subject: Re: [RFC PATCH] Implement /proc/pid/kill
X-Spam-Flag: No
X-SA-Exim-Version: 4.2.1 (built Thu, 05 May 2016 13:38:54 -0600)
X-SA-Exim-Scanned: Yes (on in01.mta.xmission.com)
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

Aleksa Sarai <cyphar@cyphar.com> writes:

> On 2018-10-29, Daniel Colascione <dancol@google.com> wrote:
>> Add a simple proc-based kill interface. To use /proc/pid/kill, just
>> write the signal number in base-10 ASCII to the kill file of the
>> process to be killed: for example, 'echo 9 > /proc/$$/kill'.
>> 
>> Semantically, /proc/pid/kill works like kill(2), except that the
>> process ID comes from the proc filesystem context instead of from an
>> explicit system call parameter. This way, it's possible to avoid races
>> between inspecting some aspect of a process and that process's PID
>> being reused for some other process.
>
> (Aside from any UX concerns other folks might have.)
>
> I think it would be a good idea to (at least temporarily) restrict this
> so that only processes that are in the same PID namespace as the /proc
> being resolved through may use this interface. Otherwise you might have
> cases where partial container breakouts can start sending signals to
> PIDs they wouldn't normally be able to address.

No.  That is the container managers job.  If you have the wrong proc
mounted in your container or otherwise allow access to it that is the
fault of the application that set up the container.

The pid namespace limits visibility.  If something becomes visible and
you have permissions over it, it is perfectly reasonable for you to
execute those permissions.

Eric