Received: by 2002:a25:4158:0:0:0:0:0 with SMTP id o85csp601290yba; Mon, 1 Apr 2019 12:43:19 -0700 (PDT) X-Google-Smtp-Source: APXvYqxr4fOfuCsKK3BN94KQyFPN9l+hPB5TrifoY0BNKLATC2qmEJmA9Kl3KvElCV2VcG/cve4I X-Received: by 2002:a62:5385:: with SMTP id h127mr62448432pfb.10.1554147799839; Mon, 01 Apr 2019 12:43:19 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1554147799; cv=none; d=google.com; s=arc-20160816; b=xZw+zWT1bm871Wnz50/taw9jUJi+ZtDJxzYSoS/ncx5ZkR1LOJlmJ5ENKLVKyNo75y /9padoWysfgZzPo9Y/F4nru+RZ6QySYs7KDYkPkWDOcK+t17X2SQqkdDvChgrT9KgV/2 PweQVtl/O5L198AluN7UH28NK2ZXp2+Z6f2uRdzCnomg9YPWagIgWeAMXE/5a4Je/qEq mcWi9p3AivardVAlVe+iZbgMd0APnUpn5BSSg+Dc5a7UweDGdQDZc4BkfuHy06gjBbbI MqKWcsmSAZg5qF110QeMYWjD51fxCXANZwAtRJwwElwIoYs6FbK7jvpfbHhe4fcP7VeD Z4GA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:in-reply-to :content-disposition:mime-version:references:message-id:subject:cc :to:from:date:dkim-signature; bh=QWYfihem4rvWezrn8ZcGvhzVI9rcxqdC2kQjbtFdTpU=; b=SytsEEjqgF7dtZCOnf1hSwg71G0F9BBKENKz1CXkSoZSI9uXJfIVVnt+qLdQcvhMRx kyJ0K7tj+O7J2aRfqPFFfXOlXd4lBCVI536Iz9ZR1QjJCP53yb33pTsjYq9RdEoHXrFW GFwHYj8o9z8TROXc+XOFm7PiE+BvKv7ZY9z4HxNjqvQOGqoOXSTbpoV85/0081smzK5s PNH7CmIWdITV4h5G1Vl0Osi8dEpMV6UarBaMuncdlqIw98onhQ87mVTT598T6Z0l4B1/ FGcnAbbWNiTqheY3XC0X1JkMNP3SPV1vTi5RD8NAHlO3LEPizzmBbb+eJDOEXrqoXrI+ 8CCQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@brauner.io header.s=google header.b=CVmiFZ29; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id h6si9004809pgv.302.2019.04.01.12.43.04; Mon, 01 Apr 2019 12:43:19 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@brauner.io header.s=google header.b=CVmiFZ29; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726534AbfDATmU (ORCPT + 99 others); Mon, 1 Apr 2019 15:42:20 -0400 Received: from mail-wr1-f65.google.com ([209.85.221.65]:41095 "EHLO mail-wr1-f65.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726103AbfDATmU (ORCPT ); Mon, 1 Apr 2019 15:42:20 -0400 Received: by mail-wr1-f65.google.com with SMTP id r4so13571095wrq.8 for ; Mon, 01 Apr 2019 12:42:18 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=brauner.io; s=google; h=date:from:to:cc:subject:message-id:references:mime-version :content-disposition:in-reply-to:user-agent; bh=QWYfihem4rvWezrn8ZcGvhzVI9rcxqdC2kQjbtFdTpU=; b=CVmiFZ2998XvJEF3ES0oHAc9cXiJAlPNcMDNDbJuughDJdMO2tn5sLHmRRHsyC4noz KDmAqiDQhqexsgl1RNlqZ37SRGQCRKezy9u78hBO/V8FlCdzwhtmAblopFlQfiIXSfuS 2P3NGhWoJ3xPrfZjWG5Hqf+y6uElL3ode2W5RhRVDsqEDdX9WxTSNgT4J5VJcJpainle jyz/XqUAuccyKwj6QpkYN/U8RSrmcL///N3kpfpmasIRRpAJ8wh5umgSfZdu3M+QLoHx w+SkPEnVuHNier/oWh3t3hcWzMu75bZfTnB7Je58Cyl4Y1vHCXn5s2zteYronSj1oVE8 yuDw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:from:to:cc:subject:message-id:references :mime-version:content-disposition:in-reply-to:user-agent; bh=QWYfihem4rvWezrn8ZcGvhzVI9rcxqdC2kQjbtFdTpU=; b=qOnOpHS620mmihUpdJ4AqQGkv6pcs5Wp79xRCWL+zd8ORcXqAI4U53bu81yPrpscEn RQ9lDnEspgm5+1mkmMe0Z2GoeY+9kmOJammQVTSdB9DtDPQKTR3KPQ5zdN4verbfqxFQ qziErCAdnX3ln1RhgnqLEHIzaA8zWBnzQfXA+2bP9KV5BpDN+YDhy4bgoaokWilclVIB hFkIVQbX/PJqWh89tg4sbTmEvPBrPwVTIpgcjdDETdGFih3CDA2reCrmSc/HbmqYpB8z VvBhPYpsPdSX8ayasswXWQezO/FSBiiKekE7LuwHSdncDzp+Ptlu9ShTWKDJY72HqV79 SdAg== X-Gm-Message-State: APjAAAV4ad68aR5bF48EOLkft9Tqs8g6Hfff8XCL+WHaUucCMGGEBQcC pO3e3XkEzSjRZb3xDxOaoc0GeQ== X-Received: by 2002:adf:d081:: with SMTP id y1mr41912967wrh.283.1554147737367; Mon, 01 Apr 2019 12:42:17 -0700 (PDT) Received: from brauner.io (p200300EA6F21DE7AB13635B07C8C280A.dip0.t-ipconnect.de. [2003:ea:6f21:de7a:b136:35b0:7c8c:280a]) by smtp.gmail.com with ESMTPSA id 7sm40903939wrc.81.2019.04.01.12.42.15 (version=TLS1_3 cipher=AEAD-AES256-GCM-SHA384 bits=256/256); Mon, 01 Apr 2019 12:42:16 -0700 (PDT) Date: Mon, 1 Apr 2019 21:42:15 +0200 From: Christian Brauner To: Linus Torvalds , Jann Horn Cc: Daniel Colascione , Aleksa Sarai , Andy Lutomirski , Andrew Lutomirski , David Howells , "Serge E. Hallyn" , Linux API , Linux List Kernel Mailing , Arnd Bergmann , "Eric W. Biederman" , Konstantin Khlebnikov , Kees Cook , Alexey Dobriyan , Thomas Gleixner , Michael Kerrisk-manpages , Jonathan Kowalski , "Dmitry V. Levin" , Andrew Morton , Oleg Nesterov , Nagarathnam Muthusamy , Al Viro , Joel Fernandes Subject: Re: [PATCH v2 0/5] pid: add pidfd_open() Message-ID: <20190401194214.4rbvmwogpke3cjcx@brauner.io> References: <132107F4-F56B-4D6E-9E00-A6F7C092E6BD@amacapital.net> <20190331211041.vht7dnqg4e4bilr2@brauner.io> <18C7FCB9-2CBA-4237-94BB-9C4395A2106B@amacapital.net> <20190401114059.7gdsvcqyoz2o5bbz@yavin> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline In-Reply-To: User-Agent: NeoMutt/20180716 Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Mon, Apr 01, 2019 at 09:01:29AM -0700, Linus Torvalds wrote: > On Mon, Apr 1, 2019 at 8:55 AM Daniel Colascione wrote: > > > > > > > I wonder if we really want a fill procfs2, or maybe we could just make > > > the pidfd readable (yes, it's a directory file descriptor, but we > > > could allow reading). > > > > What would read(2) read? > > We could make it read anything, but it would have to be something > people agree is sufficient (and not so expensive to create that rare > users of that data would find the overhead excessive). > > Eg we could make it return the same thing that /proc//status > reads right now. > > But it sounds like you need pretty much all of /proc//xyz: From what I gather from this thread we are still best of with using fds to /proc/ as pidfds. Linus, do you agree or have I misunderstood? Yes, we can have an internal mount option to restrict access to various parts of procfs from such pidfds or do the parent-less bind-mount trick but I think this beats having a stunted dummy dirfd that we implement a read method on. One thing is that we also need something to disable access to the "/proc//net". One option could be to give the files in "net/" an ->open-handler which checks that our file->f_path.mnt is not one of our special clone() mounts and if it is refuse the open. To clarify the way forward: Jann and I were discussing whether pidfd_open() still makes sense and whether I shouldn't just jump straight to a first version of CLONE_PIDFD. Basically, if you have a system without CONFIG_PROC_FS it makes sense that clone gives back an anon inode file descriptor as pidfds because you can still signal threads in a race-free way. But it doesn't make a lot of sense to have pidfd_open() in this scenario because you can't really do anything with that pidfd apart from sending signals. And on a system like that sending a signal is still racy. Since the process can be recycled between learning the pid number and calling pidfd_open() [1]. So it only makes sense to have _clone()_ give back anon_inode() fds on a system without CONFIG_PROC_FS but it doesn't make sense for pidfd_open() In other news, I think it makes more sense if I jump to the implementation of CLONE_PIDFD instead of working on pidfd_open(). [1]: The only case - that seems rather far-fetched - where it makes sense is when the parent wants to create that pidfd and hand it to someone else. Christian