Received: by 2002:ad5:474a:0:0:0:0:0 with SMTP id i10csp2256764imu; Sun, 18 Nov 2018 19:49:49 -0800 (PST) X-Google-Smtp-Source: AJdET5dbG+DMWC9F3TCK/pxFiQeOzBfCkCMLEzrzTzKpK2mmzeRZGecMWI/HvDXyVTQjj8gtCfgw X-Received: by 2002:a17:902:f81:: with SMTP id 1-v6mr20614588plz.203.1542599389456; Sun, 18 Nov 2018 19:49:49 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1542599389; cv=none; d=google.com; s=arc-20160816; b=d1lVQZTV2ZatYNkhVlU0qD1YrljTTZX1wxIHbSgfKiHUmBk3UcZQCa3clX8Vfdrh3y JqFUW1bvp+oUl09MxQAT+KN7d824ZgtrmlJqOijdc8EK6BXP0qStnMmC5YMIvPCMGfRJ xRE8sOOj28pdMCDDiNT/XDizblcJ4fi47ogzvGn8zu+W9ndpgUo0r0yBkdWH3PK+xd/Z gRVNJcp7K6hCmZov7cVihAJAi9sqj0E7AY0lX5/260xdE8kNq9/b/lbtxOG9C6QN++l9 68L/W4hpAOWE+CpJ15/repOhf4PJwYLWBJMYuRbWfzPcRWkPeDyCQ5rngHW2w7kF0xAY aJ1Q== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:dkim-signature; bh=tuD89b22xSS/VyKnU4T2w9ZhtCtINvzmBDlFJvddDBY=; b=Cwmz9EOqd1v+16DOXffrKkOuj8P5E+OZXJ0yFNArJBRHCKQETfByjbvuAXcO2Bxjb6 iXdZBbdoFmAsCmDK+pO0bZmLJqxJeiZy3rZiCwm66WCuYseMPhZdM+EY0hNh3fUmZMvN i+WHxQ9lCTNYjOullHEaHwJzC1WJ3uGEPDlbIREpZyiYJqCfZhMDf4hCUCAsuInYgSNU OUAtF5nGyYQvUzogJtIgDi+H2K0Ulqn7OXREE0ZR2ucuTW6eBlhb0jb0F/cO8mVyGiFA Mh/Yfa/crKI/WNV/BjN9E9NOuJLw/DZnACx924S2IHf3YgJ8BjjGzQU5pMFGlwOOMRtX ij9Q== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=V87+lMhX; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id 188-v6si42020253pfd.19.2018.11.18.19.49.32; Sun, 18 Nov 2018 19:49:49 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=V87+lMhX; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728268AbeKSNXn (ORCPT + 99 others); Mon, 19 Nov 2018 08:23:43 -0500 Received: from mail.kernel.org ([198.145.29.99]:49322 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727675AbeKSNXm (ORCPT ); Mon, 19 Nov 2018 08:23:42 -0500 Received: from mail-wm1-f41.google.com (mail-wm1-f41.google.com [209.85.128.41]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id A967620989 for ; Mon, 19 Nov 2018 03:01:31 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1542596492; bh=DD6pDfG8A7Gq+tfNzebe+8Z2NwxIZKby60Cfrmj/NvE=; h=References:In-Reply-To:From:Date:Subject:To:Cc:From; b=V87+lMhX3kmhUUP+Tn0geRikhoux/PWvtNyBxa0wiYRmxTOefYnei1OvtbAUQMwWd aysvtfT3l0AflrQgJLoW479+2sgPVl4dZ6BlMevny/mBpCbheyz7UwIcEH79vHBuRk maIUAoytFXdkikm8z2heeQRw1dUED08IP14iq+7Q= Received: by mail-wm1-f41.google.com with SMTP id 79so1720226wmo.0 for ; Sun, 18 Nov 2018 19:01:31 -0800 (PST) X-Gm-Message-State: AA+aEWZyZLD4KKT0jt3JVSKYrs8MT0KjGu6zIwLkvEmRR6wAs9/WG1sA JTRk8m3YOfhjMa2ZUSPjvSSFq5/EtlfXrvLWiMxaQA== X-Received: by 2002:a1c:110b:: with SMTP id 11mr2802652wmr.83.1542596490017; Sun, 18 Nov 2018 19:01:30 -0800 (PST) MIME-Version: 1.0 References: <20181118111751.6142-1-christian@brauner.io> <20181119024704.GK32577@ZenIV.linux.org.uk> In-Reply-To: <20181119024704.GK32577@ZenIV.linux.org.uk> From: Andy Lutomirski Date: Sun, 18 Nov 2018 19:01:18 -0800 X-Gmail-Original-Message-ID: Message-ID: Subject: Re: [PATCH] proc: allow killing processes via file descriptors To: Al Viro Cc: Andrew Lutomirski , Daniel Colascione , Randy Dunlap , Christian Brauner , "Eric W. Biederman" , LKML , "Serge E. Hallyn" , Jann Horn , Andrew Morton , Oleg Nesterov , Aleksa Sarai , Linux FS Devel , Linux API , Tim Murray , Kees Cook , Jan Engelhardt Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Sun, Nov 18, 2018 at 6:47 PM Al Viro wrote: > > On Sun, Nov 18, 2018 at 09:42:35AM -0800, Andy Lutomirski wrote: > > > Now here's the kicker: if the "running program" calls execve(), it > > goes away. The fd gets some sort of notification that this happened > > Type error, parser failed. > > Define "fd", please. If it's a "file descriptor", thank you do playing, > you've lost. That's not going to work. If it's "opened file" (aka > "file description" in horrible POSIXese), who's going to get notifications > and what kind of exclusion are you going to use? What I meant was: a program that has one of these fds would be able to find out that an execve() happened and the program needs to refresh its access to the target task. This could be as simple as POLLHUP and, if needed, some syscall indicating exactly why we got POLLHUP (e.g. execve vs exit). There would be some sort of indication that a program that holds an fd pointing at an "opened file" could get -- probably poll() would return some status indicating that execve() happened and our capability is gone, and, if needed