From: Jann Horn
Date: Mon, 1 Apr 2019 15:43:13 +0200
Subject: Re: [PATCH v2 0/5] pid: add pidfd_open()
To: Christian Brauner, Al Viro, Andy Lutomirski
Cc: Linus Torvalds, Daniel Colascione, Andrew Lutomirski, David Howells, "Serge E. Hallyn", Linux API, Linux List Kernel Mailing, Arnd Bergmann, "Eric W. Biederman", Konstantin Khlebnikov, Kees Cook, Alexey Dobriyan, Thomas Gleixner, Michael Kerrisk-manpages, Jonathan Kowalski, "Dmitry V. Levin", Andrew Morton, Oleg Nesterov, Nagarathnam Muthusamy, Aleksa Sarai, Joel Fernandes
In-Reply-To: <20190401120450.e4k2m434qyqj4yrn@brauner.io>
References: <20190330171215.3yrfxwodstmgzmxy@brauner.io> <132107F4-F56B-4D6E-9E00-A6F7C092E6BD@amacapital.net> <20190331211041.vht7dnqg4e4bilr2@brauner.io> <18C7FCB9-2CBA-4237-94BB-9C4395A2106B@amacapital.net> <20190401120450.e4k2m434qyqj4yrn@brauner.io>
X-Mailing-List: linux-kernel@vger.kernel.org

On Mon, Apr 1, 2019 at 2:04 PM Christian Brauner wrote:
> On Sun, Mar 31, 2019 at 08:13:38PM -0600, Andy Lutomirski wrote:
> >
> > > On Mar 31, 2019, at 3:17 PM, Linus Torvalds wrote:
> > >
> > >> On Sun, Mar 31, 2019 at 2:10 PM Christian Brauner wrote:
> > >>
> > >> I don't think that we want or can make them equivalent since that would
> > >> mean we depend on procfs.
> > >
> > > Sure we can.
> > >
> > > If /proc is enabled, then you always do that dance YOU ALREADY WROTE
> > > THE CODE FOR to do the stupid ioctl.
> > >
> > > And if /procfs isn't enabled, then you don't do that.
> > >
> > > Ta-daa. Done. No stupid ioctl, and now /proc and pidfd_open() return
> > > the same damn thing.
> > >
> > > And guess what? If /proc isn't enabled, then obviously pidfd_open()
> > > gives you the /proc-less thing, but at least there is no crazy "two
> > > different file descriptors for the same thing" situation, because then
> > > the /proc one doesn't exist.
> > >
> >
> > I wish we could do this, and, in a clean design, it would be a no-brainer.
> > But /proc has too much baggage. Just to mention two such things, there's
> > "net" and "../sys". This crud is why we have all kinds of crazy rules that
> > prevent programs in sandboxes from making new mounts and mounting /proc in
> > it. If we make it possible to clone a new process and thus access /proc
> > without having /proc mounted, we'll open up a big can of worms.
> >
> > Maybe we could have a sanitized view of /proc and make a pidfd be a
> > directory fd pointing at that.
>
> We can also just create something like an internal bind-mount without a
> parent, i.e. similar to
>
> open_tree(, "", OPEN_TREE_CLONE);
>
> on a clone(CLONE_PIDFD);
>
> that would block any openat(fd, "..");

Or we add a check to follow_dotdot()/follow_dotdot_rcu() that throws an
error if nd->path.mnt->mnt_flags has some new flag for "no dotdot
traversal on this mountpoint", and then set that on the internal procfs
mount... if Al Viro doesn't think that that's too hideous.
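The check Jann sketches, modelled in user space as an added example that is not part of this thread and not kernel code: a toy path walker whose follow_dotdot() refuses ".." on any mount carrying a flag, so a directory fd positioned at /proc/<pid> can still open "status" but can no longer reach "../sys". The flag name MNT_NO_DOTDOT, the -EACCES return value and the tiny constructed /proc tree are assumptions made for the model; the kernel has no such flag.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Added example, not kernel code: an in-memory model of the follow_dotdot()
 * check proposed above.  MNT_NO_DOTDOT, the -EACCES return value and the
 * tiny /proc tree are assumptions made for this model. */

#define MNT_NO_DOTDOT 0x1u   /* assumed flag: ".." never traverses this mount */

struct node {
    const char  *name;
    struct node *parent;      /* parent dentry within the same tree */
    struct node *child[4];
    int          nchild;
};

struct mount {
    struct node  *root;       /* dentry that is this mount's root */
    struct node  *mountpoint; /* dentry it is attached to in the parent mount */
    struct mount *parent;     /* NULL for the global root or a detached mount */
    unsigned      flags;      /* models mnt->mnt_flags */
};

/* models the (path.mnt, path.dentry) pair carried in struct nameidata */
struct nameidata { struct mount *mnt; struct node *dentry; };

static void add_child(struct node *dir, struct node *c)
{
    c->parent = dir;
    dir->child[dir->nchild++] = c;
}

/* Model of follow_dotdot(): ".." moves to the parent dentry; at a mount root
 * it first climbs into the parent mount (follow_up()).  The proposed check
 * sits in front of all of that: a MNT_NO_DOTDOT mount refuses ".." outright. */
static int follow_dotdot(struct nameidata *nd)
{
    if (nd->mnt->flags & MNT_NO_DOTDOT)
        return -EACCES;                       /* the proposed check */
    while (nd->dentry == nd->mnt->root) {      /* at mount root: follow_up() */
        if (!nd->mnt->parent)
            return 0;                         /* nowhere to climb: stay put */
        nd->dentry = nd->mnt->mountpoint;
        nd->mnt    = nd->mnt->parent;
    }
    nd->dentry = nd->dentry->parent;
    return 0;
}

/* Walk a relative path component by component.  Returns 0 or -errno.
 * Downward mount crossings and symlinks are not modelled; only ".." matters. */
static int path_walk(struct nameidata *nd, const char *path)
{
    char buf[128];
    strncpy(buf, path, sizeof buf - 1);
    buf[sizeof buf - 1] = '\0';
    for (char *c = strtok(buf, "/"); c; c = strtok(NULL, "/")) {
        struct node *next = NULL;
        if (!strcmp(c, "."))
            continue;
        if (!strcmp(c, "..")) {
            int err = follow_dotdot(nd);
            if (err)
                return err;
            continue;
        }
        for (int i = 0; i < nd->dentry->nchild; i++)
            if (!strcmp(nd->dentry->child[i]->name, c))
                next = nd->dentry->child[i];
        if (!next)
            return -ENOENT;
        nd->dentry = next;
    }
    return 0;
}

/* Build a constructed procfs (/proc/sys/kernel, /proc/123/status) mounted on
 * "/", then resolve `path` relative to /proc/123 with the procfs mount carrying
 * `proc_flags`.  On success *final names the dentry reached; NULL on error. */
static int resolve_from_pid_dir(unsigned proc_flags, const char *path,
                                const char **final)
{
    struct node root = { "/" }, proc_mp = { "proc" }, proc = { "proc" };
    struct node sys = { "sys" }, kernel = { "kernel" };
    struct node pid = { "123" }, status = { "status" };
    struct mount rootfs = { &root, NULL, NULL, 0 };
    struct mount procfs = { &proc, &proc_mp, &rootfs, proc_flags };
    struct nameidata nd = { &procfs, &pid };
    int err;

    add_child(&root, &proc_mp);
    add_child(&proc, &sys);  add_child(&sys, &kernel);
    add_child(&proc, &pid);  add_child(&pid, &status);

    err = path_walk(&nd, path);
    *final = err ? NULL : nd.dentry->name;
    return err;
}

int main(void)
{
    const char *name;
    int err = resolve_from_pid_dir(0, "../sys/kernel", &name);
    printf("plain procfs:  ../sys/kernel -> %s\n", err ? strerror(-err) : name);
    err = resolve_from_pid_dir(MNT_NO_DOTDOT, "../sys/kernel", &name);
    printf("MNT_NO_DOTDOT: ../sys/kernel -> %s\n", err ? strerror(-err) : name);
    err = resolve_from_pid_dir(MNT_NO_DOTDOT, "status", &name);
    printf("MNT_NO_DOTDOT: status        -> %s\n", err ? strerror(-err) : name);
    return 0;
}
```

The model follows the wording of the message: the check fires on every ".." while the walk is inside the flagged mount, so even "status/../status" is refused, which is stricter than a check placed only at the follow_up() step. The mount-root branch is also where Christian's detached OPEN_TREE_CLONE variant would have stopped on its own (no parent to climb into); the flag additionally covers a mount that does have a parent, such as an internal procfs mount whose root is /proc rather than /proc/<pid>.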