From: Jonathan Kowalski
Date: Sat, 30 Mar 2019 14:51:09 +0000
Subject: Re: [PATCH v2 2/5] pid: add pidfd_open()
To: Christian Brauner
Cc: Jürg Billeter, torvalds@linux-foundation.org, Jann Horn,
    Andy Lutomirski, David Howells, "Serge E. Hallyn", Linux API,
    linux-kernel, Arnd Bergmann, "Eric W. Biederman",
    Konstantin Khlebnikov, Kees Cook, Alexey Dobriyan, Thomas Gleixner,
    Michael Kerrisk-manpages, "Dmitry V. Levin", Andrew Morton,
    Oleg Nesterov, Nagarathnam Muthusamy, Aleksa Sarai, Al Viro,
    Joel Fernandes, Daniel Colascione
References: <20190329155425.26059-1-christian@brauner.io>
    <20190329155425.26059-3-christian@brauner.io>
    <20190330143726.6aaxz4sctu3pzpyx@brauner.io>
In-Reply-To: <20190330143726.6aaxz4sctu3pzpyx@brauner.io>

On Sat, Mar 30, 2019 at 2:37 PM Christian Brauner wrote:
>
> On Sat, Mar 30, 2019 at 12:53:57PM +0100, Jürg Billeter wrote:
> > On Fri, 2019-03-29 at 16:54 +0100, Christian Brauner wrote:
> > > diff --git a/include/uapi/linux/wait.h b/include/uapi/linux/wait.h
> > > index ac49a220cf2a..d6c7c0701997 100644
> > > --- a/include/uapi/linux/wait.h
> > > +++ b/include/uapi/linux/wait.h
> > > @@ -18,5 +18,7 @@
> > > #define P_PID 1
> > > #define P_PGID 2
> > >
> > > +/* Get a file descriptor for /proc/ of the corresponding pidfd
> > > */
> > > +#define PIDFD_GET_PROCFD _IOR('p', 1, int)
> > >
> > > #endif /* _UAPI_LINUX_WAIT_H */
> >
> > This is missing an entry in Documentation/ioctl/ioctl-number.txt and is
> > actually conflicting with existing entries.
>
> Thanks. Yes, Jann mentioned this too.
> >
> > However, I'd actually prefer a syscall to allow strict whitelisting via
> > seccomp and avoid the other ioctl disadvantages that Daniel has already
> > mentioned.
>
> You can filter ioctls with seccomp.
>

You probably wouldn't even need to, because the only way the ioctl
would be useful is to have a dir fd to the procfs root. As such, the
pidfd file descriptor itself is useless with the ioctl. There's also no
filtering to be done, as one pidfd strictly maps to a specific task, so
it's not that you get access to other things than what you weren't
permitted to, and that's pretty neat the way it is. If /proc is not
mounted in its namespace, you'd need to pass it to the process
explicitly, and if it is, then it doesn't matter anyway (even if it can
open /proc, hidepid based restrictions still work -- it's essentially a
race free openat).
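
Review bot: the comment added above PIDFD_GET_PROCFD in include/uapi/linux/wait.h does not say what the int argument is or what the call returns, and as quoted it reads "/proc/ of the corresponding pidfd" with the path component missing. Since the reply above says the ioctl is only useful together with a dir fd to the procfs root, the comment should state that the argument is that fd and that the result is a new descriptor, and the _IOR encoding is worth a second look because _IOR describes data copied from the kernel to the caller rather than a value the caller passes in. The 'p'/1 number also still needs its entry in Documentation/ioctl/ioctl-number.txt, as already raised in the thread.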