From: Daniel Colascione
Date: Wed, 31 Oct 2018 18:00:49 +0000
Subject: Re: [PATCH v3] Implement /proc/pid/kill
To: Tycho Andersen
Cc: linux-kernel, Tim Murray, Joel Fernandes, Suren Baghdasaryan, Aleksa Sarai, Christian Brauner, "Eric W. Biederman", Kees Cook, Oleg Nesterov

On Wed, Oct 31, 2018 at 5:54 PM, Tycho Andersen wrote:
> Why not just use an ioctl() like Jann suggested instead of this big
> security check? Then we avoid the whole setuid writer thing entirely,

Don't you think a system call would be better than a new ioctl? With either an ioctl or a new system call, though, the shell would need a helper program to use the facility, whereas with the existing approach, the shell can use the new facility without any additional binaries.

> and we can pass the fd around if we want to.

You can pass the FD around today --- specifically, you just pass the /proc/pid directory FD, not the /proc/pid/kill FD. The /proc/pid directory FD acts as a process handle. (It's literally a reference to a struct pid.)
Anyone who receives one of these process handle FDs and who wants to use the corresponding kill file can open the kill fd with openat(2). What you can't do is pass the /proc/pid/kill FD to another security context and use it, but when would you ever want to do that?
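
An added example, not part of the original message or of the patch: it shows the process-handle behaviour described above by opening a /proc/pid directory FD and resolving a per-process file through it with openat(2), before and after the process is reaped. Assumptions: mainline kernels have no /proc/pid/kill file, so `status` stands in for it, and the function names are illustrative.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <signal.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Open /proc/<pid> as a directory FD: the "process handle" from the message. */
static int open_proc_handle(pid_t pid)
{
    char path[64];
    snprintf(path, sizeof(path), "/proc/%d", (int)pid);
    return open(path, O_RDONLY | O_DIRECTORY | O_CLOEXEC);
}

/* Resolve a per-process file relative to the handle, never by PID number.
 * "status" is a stand-in for the proposed "kill" file (assumption). */
static int handle_is_live(int handle_fd)
{
    int fd = openat(handle_fd, "status", O_RDONLY | O_CLOEXEC);
    if (fd < 0)
        return 0;
    close(fd);
    return 1;
}

/* Fork a child, take a handle to it, then kill and reap the child.
 * Returns (live_before << 1) | live_after, or -1 on setup failure. */
int demo_handle_lifetime(void)
{
    pid_t child = fork();
    if (child < 0)
        return -1;
    if (child == 0) { pause(); _exit(0); }   /* child waits to be killed */
    int handle = open_proc_handle(child);
    int before = handle >= 0 ? handle_is_live(handle) : 0;
    kill(child, SIGKILL);
    waitpid(child, NULL, 0);   /* once reaped, the handle names no task */
    if (handle < 0)
        return -1;
    int after = handle_is_live(handle);
    close(handle);
    return (before << 1) | after;
}

int main(void)
{
    int r = demo_handle_lifetime();
    printf("result=%d (2 means live before reap, dead after)\n", r);
    return r == 2 ? 0 : 1;
}
```

Because the handle stays bound to the original process, a later process that happens to receive the same PID number is not reachable through it.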