In-Reply-To: <20190331223355.vfbnnkmevl63etvv@brauner.io>
From: Jann Horn
Date: Mon, 1 Apr 2019 02:52:46 +0200
Subject: Re: [PATCH v2 0/5] pid: add pidfd_open()
To: Christian Brauner
Cc: Linus Torvalds, Andy Lutomirski, Daniel Colascione, Andrew Lutomirski,
    David Howells, "Serge E. Hallyn", Linux API, Linux List Kernel Mailing,
    Arnd Bergmann, "Eric W. Biederman", Konstantin Khlebnikov, Kees Cook,
    Alexey Dobriyan, Thomas Gleixner, Michael Kerrisk-manpages,
    Jonathan Kowalski, "Dmitry V. Levin", Andrew Morton, Oleg Nesterov,
    Nagarathnam Muthusamy, Aleksa Sarai, Al Viro, Joel Fernandes
X-Mailing-List: linux-kernel@vger.kernel.org

On Mon, Apr 1, 2019 at 12:33 AM Christian Brauner wrote:
> On Sun, Mar 31, 2019 at 03:16:47PM -0700, Linus Torvalds wrote:
> > On Sun, Mar 31, 2019 at 3:03 PM Christian Brauner wrote:
> > > Thanks for the input. The problem Jann and I saw with this is that it
> > > would be awkward to have the kernel open a file in some procfs instance,
> > > since then userspace would have to specify which procfs instance the fd
> > > should come from.
> >
> > I would actually suggest we just make the rules be that the
> > pidfd_open() always return the internal /proc entry regardless of any
> > mount-point (or any "hidepid") but also suggest that exactly *because*
> > it gives you visibility into the target pid, you'd basically require
> > the strictest kind of control of the process you're trying to get the
> > pidfd of.
> >
> > Ie likely something along the lines of
> >
> >    ptrace_may_access(task, PTRACE_MODE_ATTACH_REALCREDS)
>
> I can live with that but I would like to hear what Jann thinks too if
> that's ok.

Ah, yes. That seems reasonable. And, as Linus said, pidfd_open() is
less important if you can just do open("/proc/...") on systems with
procfs instead.

One minor detail to keep in mind for the future is that in a
straightforward implementation of this concept, if a non-capable
process is running in a mount namespace, but in the initial network
namespace, without any reachable /proc mount, it will be able to look
at information about other processes' network connections by first
using pidfd_open() on itself or by using clone(CLONE_PIDFD), then
looking at the "net" directory under the resulting file descriptor.
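
An added example, not part of the original message or of the patch set: a check a sandbox launcher could run over the descriptors it hands to a confined process, for the case raised in the last paragraph, assuming the design discussed in this thread where a pidfd is a directory fd into procfs. The function names are hypothetical.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/vfs.h>    /* fstatfs() */
#include <unistd.h>

#ifndef PROC_SUPER_MAGIC
#define PROC_SUPER_MAGIC 0x9fa0 /* value from <linux/magic.h> */
#endif

/* Hypothetical helper: 1 if fd is a directory on procfs, 0 if not, -1 on error. */
int fd_is_procfs_dir(int fd)
{
    struct statfs sfs;
    struct stat st;

    if (fstatfs(fd, &sfs) != 0 || fstat(fd, &st) != 0)
        return -1;
    return sfs.f_type == PROC_SUPER_MAGIC && S_ISDIR(st.st_mode);
}

/* Hypothetical helper: 1 if fd is a procfs directory with a "net" entry
 * below it, i.e. the descriptor reaches per-netns connection tables even
 * when no /proc mount is visible in the mount namespace. */
int fd_exposes_proc_net(int fd)
{
    struct stat st;
    int r = fd_is_procfs_dir(fd);

    if (r <= 0)
        return r;
    return fstatat(fd, "net", &st, 0) == 0;
}

/* Count descriptors in [0, max_fd) that would expose procfs "net". */
int count_proc_net_fds(int max_fd)
{
    int n = 0;

    for (int fd = 0; fd < max_fd; fd++)
        if (fd_exposes_proc_net(fd) == 1)
            n++;
    return n;
}

int main(void)
{
    printf("fds exposing procfs net: %d\n", count_proc_net_fds(1024));
    return 0;
}
```

Closed or invalid descriptors return -1 from the helpers and are not counted.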