Received: by 2002:ad5:474a:0:0:0:0:0 with SMTP id i10csp1728025imu; Sun, 18 Nov 2018 07:40:54 -0800 (PST) X-Google-Smtp-Source: AJdET5d+S+vd0iEyBwZ7u71/hn0EA5EGAsKF2zTDS0C4uq9Z5awas3e7Ykw/TT2he8vvsS9/UarM X-Received: by 2002:a63:3c44:: with SMTP id i4mr16726998pgn.286.1542555654903; Sun, 18 Nov 2018 07:40:54 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1542555654; cv=none; d=google.com; s=arc-20160816; b=HrPC+lNw09UjAhlP8zlmURF59IWFeiMdiSAEioEindiBd9lf4oyDgBfAFLuLDHAmsj WSxxLkczFetXP4oSDOScuE8tE8v7qXjBWF8J3J8Cf7x1SLKKnTzPTN9s9Pnp5dv6Mjar WQdreiu033gQiigRhmZ7v3tVtcwWVwsmOkPNebcYnzZzxoKHEhy1rtg+y2bFD+ARfui9 rc/OUmbEDjCUaW8TPK4qS7JS4AbmiQFioWLG0PKrPnm1m0aFTPmc0njmbal7STEzxwa7 kdunPG225xYCJ2FCIADR22zXiMZAMjUPKQNb614uyup1ZH7qdjWD57QpFbEfcZa7tOc4 YvhA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:dkim-signature; bh=NRt/+j8zeNm4rXeC/qlWLaF0k25bzytmXB47dCzNi28=; b=vRnzOxcvCWHUPW9jxe+d6ekuSG2ZMuPmQ38KvGD1C4b/uVH642UxaBlv86VygQXGyR jwCOkFOh0V6Rdzy11+EpWtX8XjDHmGJjSU3z79sNjPzwAYirWb8vicHtGoGxWKinBSxi nM8E74Q5yJ7UBLnAx7PolSUIEbz5/u3rppRUBrN+XHOA53Pjeiy3c9gzS6GK7i2o4vQU vzrJLUTIUgs6bL+hCSUnFGk2Yb+ym7z5f9YbUqeqNiIibnRIIQnhmocBnXfZaZAXxf8w Awkg3rGuPXsLA3LHaaMiXSuSVnkRUYZBKEH6k1/5vKoMMgr5yuSGHtnRtsFXSNOE7z41 d1rQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=y05v9z5o; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id g2si7628403pgk.497.2018.11.18.07.40.10; Sun, 18 Nov 2018 07:40:54 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=y05v9z5o; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727522AbeKSB67 (ORCPT + 99 others); Sun, 18 Nov 2018 20:58:59 -0500 Received: from mail.kernel.org ([198.145.29.99]:53416 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727188AbeKSB67 (ORCPT ); Sun, 18 Nov 2018 20:58:59 -0500 Received: from mail-wm1-f43.google.com (mail-wm1-f43.google.com [209.85.128.43]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 641BB213A2 for ; Sun, 18 Nov 2018 15:38:22 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1542555502; bh=Up6VGSy2xyfQcM0X7k9YsrdA27zOzyg5+F0wR7Oc1rI=; h=References:In-Reply-To:From:Date:Subject:To:Cc:From; b=y05v9z5oUCo12QB599rEACuvW59FHRXIhGBVOsQ8WjI3jAzlufyyAypwrlAG+Crwj Sxm14cqpx+Pyk6LGGRJVhOJ9HkV7pfoKOn+VgRyHfdgQPT0Qtr7cL8EHZDKsgktQQf Z7K2kIfCOQ+T+K1UeF4GYuzD+L5xKS/NlVgKR6uU= Received: by mail-wm1-f43.google.com with SMTP id s11so2915833wmh.1 for ; Sun, 18 Nov 2018 07:38:22 -0800 (PST) X-Gm-Message-State: AA+aEWZN83zsr9Bm4j9AYhOiWrngma66/9Uqz5rxcnEszQ/K/wAbSN87 Ok2dmrEyDnw8/67IPqHrU0oL5eV1HKALlFYyifVpwg== X-Received: by 2002:a7b:ce11:: with SMTP id m17mr4740184wmc.74.1542555500631; Sun, 18 Nov 2018 07:38:20 -0800 (PST) MIME-Version: 1.0 References: <20181118111751.6142-1-christian@brauner.io> In-Reply-To: From: Andy Lutomirski Date: Sun, 18 Nov 2018 07:38:09 -0800 X-Gmail-Original-Message-ID: Message-ID: Subject: Re: [PATCH] proc: allow killing processes via file descriptors To: Daniel Colascione Cc: Christian Brauner , "Eric W. Biederman" , LKML , "Serge E. Hallyn" , Jann Horn , Andrew Lutomirski , Andrew Morton , Oleg Nesterov , Aleksa Sarai , Al Viro , Linux FS Devel , Linux API , Tim Murray , Kees Cook Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Sun, Nov 18, 2018 at 5:59 AM Daniel Colascione wrote: > > I had been led to believe that the proposal would be a comprehensive > process API, not an ioctl basically equivalent to my previous patch. > If you had a more comprehensive proposal, please just share it on LKML > instead of limiting the discussion to those able to attend these > various conferences. If there's some determined opposition to a > general new process API, this opposition needs a fair and full airing, > as not everyone can attend these conferences. > > On Sun, Nov 18, 2018 at 3:17 AM, Christian Brauner wrote: > > With this patch an open() call on /proc/ will give userspace a handle > > to struct pid of the process associated with /proc/. This allows to > > maintain a stable handle on a process. > > I have been discussing various approaches extensively during technical > > conferences this year culminating in a long argument with Eric at Linux > > Plumbers. The general consensus was that having a handle on a process > > will be something that is very simple and easy to maintain > > ioctls are the opposite of "easy to maintain". Their > file-descriptor-specific behavior makes it difficult to use the things > safely. If you want to take this approach, please make a new system > call. An ioctl is just a system call with a very strange spelling and > unfortunate collision semantics. > > > with the > > option of being extensible via a more advanced api if the need arises. > > The need *has* arisen; see my exithand patch. > > > I > > believe that this patch is the most simple, dumb, and therefore > > maintainable solution. > > > > The need for this has arisen in order to reliably kill a process without > > running into issues of the pid being recycled as has been described in the > > rejected patch [1]. > > That patch was not "rejected". It was tabled pending the more > comprehensive process API proposal that was supposed to have emerged. > This patch is just another variant of the sort of approach we > discussed on that patch's thread here. As I mentioned on that thread, > the right approach option is a new system call, not an ioctl. > > To fulfill the need described in that patchset a new > > ioctl() PROC_FD_SIGNAL is added. It can be used to send signals to a > > process via a file descriptor: > > > > int fd = open("/proc/1234", O_DIRECTORY | O_CLOEXEC); > > ioctl(fd, PROC_FD_SIGNAL, SIGKILL); > > close(fd); > > > > Note, the stable handle will allow us to carefully extend this feature in > > the future. > > We still need the ability to synchronously wait on a process's death, > as in my patch set. I will be refreshing that patch set. I fully agree that a more comprehensive, less expensive API for managing processes would be nice. But I also think that this patch (using the directory fd and ioctl) is better from a security perspective than using a new file in /proc. I have an old patch to make proc directory fds pollable: https://lore.kernel.org/patchwork/patch/345098/ That patch plus the one in this thread might make a nice addition to the kernel even if we expect something much better to come along later. This patch that uses ioctl