Subject: Re: [PATCH v2 1/1] prctl: add PR_{GET,SET}_KILL_DESCENDANTS_ON_EXIT
From: Jürg Billeter
To: Florian Weimer
Cc: Andrew Morton, Oleg Nesterov, Thomas Gleixner, Eric Biederman, Kees Cook, Andy Lutomirski, linux-api@vger.kernel.org, linux-kernel@vger.kernel.org
Date: Sat, 01 Dec 2018 10:39:28 +0000

On Fri, 2018-11-30 at 14:40 +0100, Florian Weimer wrote:
> * Jürg Billeter:
>
> > This introduces a new thread group flag that can be set by calling
> >
> >     prctl(PR_SET_KILL_DESCENDANTS_ON_EXIT, 1, 0, 0, 0)
> >
> > When a thread group exits with this flag set, it will send SIGKILL to
> > all descendant processes.  This can be used to prevent stray child
> > processes.
> >
> > This flag is cleared on privilege gaining execve(2) to ensure an
> > unprivileged process cannot get a privileged process to send SIGKILL.
>
> So this is inherited across regular execve?  I'm not sure that's a good
> idea.

Yes, this matches PR_SET_CHILD_SUBREAPER (and other process attributes).
Besides consistency and allowing a parent to configure the flag for a
spawned process, this is also needed to prevent a process from clearing
the flag (in combination with a seccomp filter).

> > Descendants that are orphaned and reparented to an ancestor of the
> > current process before the current process exits, will not be killed.
> > PR_SET_CHILD_SUBREAPER can be used to contain orphaned processes.
>
> For double- or triple-forking daemons, the reparenting will be racy, if
> I understand things correctly.

Can you please elaborate, if you're concerned about a particular race?
As the commit message mentions, for containment this flag can be
combined with PR_SET_CHILD_SUBREAPER (and PR_SET_NO_NEW_PRIVS).

Jürg
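
The containment referred to above, shown with only the prctl options that already exist, as an added example that is not part of this mail or of the patch: a process marks itself a child subreaper, sets no_new_privs, and checks that a double-forked grandchild is reparented to it instead of escaping to a more distant ancestor. The function name is hypothetical, and the proposed PR_SET_KILL_DESCENDANTS_ON_EXIT is not used because its value does not appear in this message.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/wait.h>
#include <unistd.h>

/* Added example (hypothetical helper): returns 1 if a double-forked grandchild
 * is reparented to this process, 0 if it went elsewhere, -1 on error. */
int subreaper_contains_orphan(void)
{
    int go[2], report[2], status;
    pid_t self = getpid(), mid, seen = -1;
    char c = 'x';
    if (pipe(go) || pipe(report))
        return -1;
    if (prctl(PR_SET_CHILD_SUBREAPER, 1, 0, 0, 0) ||
        prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0))  /* no privilege gain via execve */
        return -1;
    if ((mid = fork()) < 0)
        return -1;
    if (mid == 0) {                        /* intermediate process */
        pid_t gc = fork();
        if (gc == 0) {                     /* grandchild: the would-be stray */
            pid_t pp;
            close(go[1]);
            if (read(go[0], &c, 1) != 1)   /* wait until the middle process is reaped */
                _exit(1);
            pp = getppid();                /* parent after reparenting */
            _exit(write(report[1], &pp, sizeof pp) != sizeof pp);
        }
        _exit(gc < 0);                     /* exit at once, orphaning the grandchild */
    }
    close(report[1]);
    if (waitpid(mid, &status, 0) != mid || status != 0)
        return -1;
    if (write(go[1], &c, 1) != 1 ||
        read(report[0], &seen, sizeof seen) != sizeof seen)
        return -1;
    if (seen != self)
        return 0;
    return wait(&status) > 0 ? 1 : -1;     /* reapable only because it is now our child */
}

int main(void)
{
    int r = subreaper_contains_orphan();
    printf("orphan reparented to subreaper: %d\n", r);
    return r != 1;
}
```

The grandchild reads its parent only after the intermediate process has been reaped, so the check does not depend on fork/exit timing.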