From: Jann Horn
Date: Mon, 25 Mar 2019 22:15:22 +0100
Subject: Re: [PATCH 0/4] pid: add pidctl()
To: Jonathan Kowalski
Cc: Daniel Colascione, Joel Fernandes, Christian Brauner, Konstantin Khlebnikov, Andy Lutomirski, David Howells, Serge E. Hallyn, Eric W. Biederman, Linux API, linux-kernel, Arnd Bergmann, Kees Cook, Alexey Dobriyan, Thomas Gleixner, Michael Kerrisk-manpages, Dmitry V. Levin, Andrew Morton, Oleg Nesterov, Nagarathnam Muthusamy, Aleksa Sarai, Al Viro
References: <20190325162052.28987-1-christian@brauner.io> <20190325173614.GB25975@google.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On Mon, Mar 25, 2019 at 9:40 PM Jonathan Kowalski wrote:
> On Mon, Mar 25, 2019 at 8:34 PM Jann Horn wrote:
> >
> > [...SNIP...]
> >
> > Please don't do that. /proc/$pid/fd refers to the set of file
> > descriptors the process has open, and semantically doesn't have much
> > to do with the identity of the process. If you want to have a procfs
> > directory entry for getting a pidfd, please add a new entry. (Although
> > I don't see the point in adding a new procfs entry for this when you
> > could instead have an ioctl or syscall operating on the procfs
> > directory fd.)
>
> There is no new entry.
> What I was saying (and I should have been
> clearer) is that the existing entry for the fd when open'd with
> O_DIRECTORY makes the kernel resolve the symlink to /proc/ of the
> process it maps to, so it would become:
>
> int dirfd = open("/proc/self/fd/3", O_DIRECTORY|O_CLOEXEC);

That still seems really weird. This magically overloads O_DIRECTORY,
which means "fail if the thing is not a directory", to suddenly have an
entirely different meaning for one magical special type of file. On top
of that, unlike an ioctl or a new syscall, it doesn't convey explicit
intent and increases the risk of confused deputy issues.

> This also means you cannot cross the filesystem boundary, the said
> process needs to have a visible entry (which would mean hidepid= and
> gid= based access controls are honored), and you can only open the
> dirfd of a process in the current ns (as the PID will not map to an
> existent process if the pidfd maps to a process not in the same or
> children pid ns, in fdinfo it lists -1 in the pid field (we might not
> even need fdinfo anymore)).

AFAICS that doesn't have anything to do with whether you do this as a
syscall, as an ioctl, or as a jumped symlink. The kernel would have to
do the same security checks in any of those cases - only a classic,
non-jumped symlink would implicitly go through the existing permission
checks. And if you implement this with a non-jumped symlink, you get
races.
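The race mentioned at the end of the reply (a classic symlink re-resolving a numeric PID that may have been reused since the caller looked it up) can be shown directly. This is an added example, not code from the thread or from the pidctl() patch set; it assumes a Linux /proc and a constructed child process, and demonstrates that a /proc/<pid> directory fd held across the process's exit stops resolving, whereas a fresh path lookup by PID would silently follow a recycled PID.

```c
/* Added example (not from the thread): a held /proc/<pid> directory fd is
 * bound to one process instance, while a path lookup by PID is not.
 * Linux-only; the child process below is constructed for the demo. */
#define _GNU_SOURCE
#include <fcntl.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/wait.h>
#include <unistd.h>

/* Returns 1 if "status" can still be opened relative to dirfd, else 0. */
static int status_via_dirfd(int dirfd)
{
    int fd = openat(dirfd, "status", O_RDONLY | O_CLOEXEC);
    if (fd < 0)
        return 0;
    close(fd);
    return 1;
}

/* Spawns a child, takes a dirfd for /proc/<child>, kills and reaps the
 * child (so its PID is free for reuse), then checks the dirfd again.
 * Returns 1 when the dirfd went stale together with its process (the safe
 * behaviour), 0 if it still resolved, -1 on setup failure. */
int held_dirfd_dies_with_process(void)
{
    pid_t child = fork();
    if (child < 0)
        return -1;
    if (child == 0) {
        pause();            /* child only waits to be killed */
        _exit(0);
    }
    char path[64];
    snprintf(path, sizeof path, "/proc/%d", (int)child);
    int dirfd = open(path, O_DIRECTORY | O_RDONLY | O_CLOEXEC);
    if (dirfd < 0) {
        kill(child, SIGKILL);
        waitpid(child, NULL, 0);
        return -1;
    }
    int alive = status_via_dirfd(dirfd);   /* process exists: opens fine */
    kill(child, SIGKILL);
    waitpid(child, NULL, 0);               /* reaped: PID may be reused now */
    int stale = !status_via_dirfd(dirfd);  /* held handle no longer resolves */
    /* A fresh open("/proc/<pid>/status") at this point would succeed again
     * if the PID had been recycled; that is the race a non-jumped symlink
     * re-resolving the PID inherits. */
    close(dirfd);
    return alive && stale;
}
```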