From: Andy Lutomirski
Date: Sun, 18 Nov 2018 08:17:55 -0800
Subject: Re: [PATCH] proc: allow killing processes via file descriptors
To: Daniel Colascione
Cc: Andrew Lutomirski, Christian Brauner, "Eric W. Biederman", LKML, "Serge E. Hallyn", Jann Horn, Andrew Morton, Oleg Nesterov, Aleksa Sarai, Al Viro, Linux FS Devel, Linux API, Tim Murray, Kees Cook
References: <20181118111751.6142-1-christian@brauner.io>

On Sun, Nov 18, 2018 at 7:53 AM Daniel Colascione wrote:
>
> On Sun, Nov 18, 2018 at 7:38 AM, Andy Lutomirski wrote:
> > I fully agree that a more comprehensive, less expensive API for
> > managing processes would be nice. But I also think that this patch
> > (using the directory fd and ioctl) is better from a security
> > perspective than using a new file in /proc.
>
> That's an assertion, not an argument. And I'm not opposed to an
> operation on the directory FD, now that it's clear Linus has banned
> "write(2)-as-a-command" APIs. I just insist that we implement the API
> with a system call instead of a less-reliable ioctl due to the
> inherent namespace collision issues in ioctl command names.

Linus banned it because of bugs like the ones in the patch.

>
> > I have an old patch to make proc directory fds pollable:
> >
> > https://lore.kernel.org/patchwork/patch/345098/
> >
> > That patch plus the one in this thread might make a nice addition to
> > the kernel even if we expect something much better to come along
> > later.
>
> I've always commented on that patch. You never addressed my technical
> objections. Why are you bringing up this patch again as if that
> discussion had never happened? To review, that patch has various race
> conditions

I don't think I ever saw that review.

> and even if it were technically correct, it'd be an abuse
> of directory objects (in what other circumstance do we poll
> directories?) and not logically generalizable to a model in which we
> expose process exit status via the exit-monitoring API.

I agree it's weird. It might be better to have /proc/PID/exit_status
and make *that* pollable.