Date: Mon, 28 Jan 2019 17:23:21 -0800
From: Andrew Morton
To: Jürg Billeter
Cc: Oleg Nesterov, Thomas Gleixner, Eric Biederman, Kees Cook, Andy Lutomirski, linux-api@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [RESEND PATCH v2 1/1] prctl: add PR_{GET,SET}_KILL_DESCENDANTS_ON_EXIT
Message-Id: <20190128172321.780e9b380dd40eb3e7c22daf@linux-foundation.org>
In-Reply-To: <20190118131130.42209-2-j@bitron.ch>

On Fri, 18 Jan 2019 14:11:30 +0100 Jürg Billeter wrote:

> This introduces a new thread group flag that can be set by calling
>
>     prctl(PR_SET_KILL_DESCENDANTS_ON_EXIT, 1, 0, 0, 0)
>
> When a thread group exits with this flag set, it will send SIGKILL to
> all descendant processes. This can be used to prevent stray child
> processes.
>
> This flag is cleared on privilege gaining execve(2) to ensure an
> unprivileged process cannot get a privileged process to send SIGKILL.
>
> Descendants that are orphaned and reparented to an ancestor of the
> current process before the current process exits, will not be killed.
> PR_SET_CHILD_SUBREAPER can be used to contain orphaned processes.
>
> If a descendant gained privileges, the current process may not be
> allowed to kill it, and the descendant process will survive.
> PR_SET_NO_NEW_PRIVS can be used to prevent descendant processes from
> gaining privileges.

I don't feel that I'm able to judge the usefulness of this. It would
help to have a lot more words right here in this changelog which
communicate the value of this change to our users.

References are useful, but please don't send people off to chase down
mailing list and bugzilla discussions as a substitute for properly
describing the feature and its justification.

Some test code in tools/testing/selftests/ would be helpful.

We'll need to update the prctl(2) manpage if we proceed with this.
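
The containment that the quoted changelog attributes to PR_SET_CHILD_SUBREAPER and PR_SET_NO_NEW_PRIVS, shown as an added example that is not part of this thread or of the patch: a supervisor becomes a subreaper, an intermediate child orphans a grandchild, and the supervisor then kills and reaps that grandchild. The function name `contain_orphan` is hypothetical, and the proposed PR_SET_KILL_DESCENDANTS_ON_EXIT is not used because its value does not appear on this page.

```c
#define _GNU_SOURCE
#include <signal.h>
#include <sys/prctl.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Returns 0 if an orphaned grandchild was reparented to us and killed, else -1. */
int contain_orphan(void)
{
    int fds[2], status, rc = -1;
    pid_t child, orphan = -1;

    /* Orphaned descendants now reparent to this process instead of init. */
    if (prctl(PR_SET_CHILD_SUBREAPER, 1, 0, 0, 0) == -1 || pipe(fds) == -1)
        return -1;
    child = fork();
    if (child == -1)
        return -1;
    if (child == 0) {
        pid_t gc;
        /* Descendants cannot gain privileges, so the supervisor may signal them. */
        if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) == -1)
            _exit(1);
        gc = fork();
        if (gc == 0) {              /* grandchild: the would-be stray process */
            close(fds[0]);
            close(fds[1]);
            for (;;)
                pause();
        }
        /* Report the grandchild's pid, then exit and orphan it. */
        _exit(gc > 0 && write(fds[1], &gc, sizeof gc) == (ssize_t)sizeof gc ? 0 : 1);
    }
    close(fds[1]);
    if (read(fds[0], &orphan, sizeof orphan) != (ssize_t)sizeof orphan)
        orphan = -1;
    close(fds[0]);
    waitpid(child, NULL, 0);        /* reparenting is complete once the child is reaped */
    /* Never pass a pid <= 0 to kill(): -1 would signal every process we can reach. */
    if (orphan > 0 && kill(orphan, SIGKILL) == 0 &&
        waitpid(orphan, &status, 0) == orphan &&   /* succeeds only for our own child */
        WIFSIGNALED(status) && WTERMSIG(status) == SIGKILL)
        rc = 0;
    prctl(PR_SET_CHILD_SUBREAPER, 0, 0, 0, 0);     /* restore the default */
    return rc;
}

int main(void) { return contain_orphan() == 0 ? 0 : 1; }
```

The final waitpid() on the grandchild succeeds only because the subreaper setting made it a child of the supervisor; without it the orphan would reparent to init and the call would fail with ECHILD.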