Date: Mon, 1 Apr 2019 14:04:52 +0200
From: Christian Brauner
To: Andy Lutomirski
Cc: Linus Torvalds, Daniel Colascione, Jann Horn, Andrew Lutomirski, David Howells, "Serge E. Hallyn", Linux API, Linux List Kernel Mailing, Arnd Bergmann, "Eric W. Biederman", Konstantin Khlebnikov, Kees Cook, Alexey Dobriyan, Thomas Gleixner, Michael Kerrisk-manpages, Jonathan Kowalski, "Dmitry V. Levin", Andrew Morton, Oleg Nesterov, Nagarathnam Muthusamy, Aleksa Sarai, Al Viro, Joel Fernandes
Subject: Re: [PATCH v2 0/5] pid: add pidfd_open()
Message-ID: <20190401120450.e4k2m434qyqj4yrn@brauner.io>

On Sun, Mar 31, 2019 at 08:13:38PM -0600, Andy Lutomirski wrote:
>
>
> > On Mar 31, 2019, at 3:17 PM, Linus Torvalds wrote:
> >
> >> On Sun, Mar 31, 2019 at 2:10 PM Christian Brauner wrote:
> >>
> >> I don't think that we want or can make them equivalent since that would
> >> mean we depend on procfs.
> >
> > Sure we can.
> >
> > If /proc is enabled, then you always do that dance YOU ALREADY WROTE
> > THE CODE FOR to do the stupid ioctl.
> >
> > And if /procfs isn't enabled, then you don't do that.
> >
> > Ta-daa. Done. No stupid ioctl, and now /proc and pidfd_open() return
> > the same damn thing.
> >
> > And guess what? If /proc isn't enabled, then obviously pidfd_open()
> > gives you the /proc-less thing, but at least there is no crazy "two
> > different file descriptors for the same thing" situation, because then
> > the /proc one doesn't exist.
> >
>
> I wish we could do this, and, in a clean design, it would be a
> no-brainer. But /proc has too much baggage. Just to mention two such
> things, there’s “net” and “../sys”. This crud is why we have all kinds
> of crazy rules that prevent programs in sandboxes from making a new
> mounts and mounting /proc in it. If we make it possible to clone a new
> process and thus access /proc without having /proc mounted, we’ll open
> up a big can of worms.
>
> Maybe we could have a sanitized view of /proc and make a pidfd be a
> directory fd pointing at that.

We can also just create something like an internal bind-mount without a
parent, i.e. similar to open_tree(, "", OPEN_TREE_CLONE); on a
clone(CLONE_PIDFD); that would block any openat(fd, "..");
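
The concern discussed in this thread, as an added example that is not part of the original mail: a directory fd for a /proc/<pid> entry reaches the rest of /proc through `..`, and the walk can be refused at lookup time. The example swaps in openat2() with RESOLVE_BENEATH (a later userspace interface) in place of the parentless bind-mount sketched in the reply; the function names, the local `struct how` and the `BENEATH` macro are this example's own.

```c
/* Added example, Linux only; not code from the thread or the patch set. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <unistd.h>
#ifndef SYS_openat2
#define SYS_openat2 437   /* assumption: number used on the common architectures */
#endif
struct how { uint64_t flags, mode, resolve; }; /* local copy of uapi struct open_how */
#define BENEATH 0x08                           /* value of RESOLVE_BENEATH */

/* 1 if openat(dirfd(dir), "..") lands on `parent`, 0 if not, -1 on error. */
int dotdot_reaches(const char *dir, const char *parent)
{
    struct stat up, want;
    int fd = open(dir, O_PATH | O_DIRECTORY);
    if (fd < 0)
        return -1;
    int upfd = openat(fd, "..", O_PATH | O_DIRECTORY);
    close(fd);
    if (upfd < 0)
        return 0;
    int ok = fstat(upfd, &up) == 0 && stat(parent, &want) == 0;
    close(upfd);
    if (!ok)
        return -1;
    return up.st_dev == want.st_dev && up.st_ino == want.st_ino;
}

/* 1 if the kernel refuses ".." with EXDEV, 0 if the walk escaped,
 * -1 if openat2() is unavailable here (old kernel, seccomp filter). */
int beneath_blocks_dotdot(const char *dir)
{
    struct how how = { .flags = O_PATH | O_DIRECTORY, .resolve = BENEATH };
    int fd = open(dir, O_PATH | O_DIRECTORY);
    if (fd < 0)
        return -1;
    long r = syscall(SYS_openat2, fd, "..", &how, sizeof(how));
    int err = errno;
    close(fd);
    if (r >= 0) { close((int)r); return 0; }
    return err == EXDEV ? 1 : -1;
}

int main(void)
{
    printf("\"..\" reaches /proc: %d\n", dotdot_reaches("/proc/self", "/proc"));
    printf("RESOLVE_BENEATH blocks: %d\n", beneath_blocks_dotdot("/proc/self"));
    return 0;
}
```

RESOLVE_BENEATH only constrains lookups that opt in to it on each call, whereas the parentless mount proposed in the reply would make the fd itself unable to resolve above its root.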