Received: by 2002:a25:4158:0:0:0:0:0 with SMTP id o85csp677291yba; Mon, 1 Apr 2019 14:31:51 -0700 (PDT) X-Google-Smtp-Source: APXvYqwGAJBx8Ypm6Ugm9Qzu16vvD+dudu/MHZvGg/HY6XLkSTUn9lBENUzPLf1+mEhFRi/ABB94 X-Received: by 2002:a63:360c:: with SMTP id d12mr53657952pga.404.1554154311652; Mon, 01 Apr 2019 14:31:51 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1554154311; cv=none; d=google.com; s=arc-20160816; b=Ypw8m0D3+kKKLw9VZOSiENoHwmRtol4fzXDogip8YGvrawCuJlVe9T71x/ne4ZL8Kl 9TUn/mNopDbAM4Sjg+QlEFEhj6HKDU4W06WuZKUUli+8F8slXVkIunfOd24jvIHwYtE8 bMI06Kmi55Ohv91un3aSVuV66CrkWZaqBcevp8Chx8NIXqhipN+y3yp7voLPpQfP3GqK Gdde+/Sd/PiPXOT6Ot9pVqFf4B3n2k8e6wLSyPjdO08q4K9KejzAQNVE0RV5MiIcR0Ot WhxV63B3j21NiMtdTU6NRDDS+V0NxjIzqNWw5g0VmXC/JiQsqoRwRCI2rZYoJlNNrKct 2XcQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:dkim-signature; bh=YMXJ/m9oIy+nA+Cbm8U5H8R/R1W1YG/xRHF8Ie05RlI=; b=0E3L1vStUqXER4pK9LmXAZenQ5Qihn9p3xVPvxfU2bCjfTabGgIp+SW+JWFsaHOmV5 2pDbF/ufrV8Pf8e8axN9r7BQRonEH+2pJQVlvbx0UnzzgedwYEFarYRGTTlFgKkjntCV wuqBtYHn8taY6bWoZ9pGFE3bscqDiGwwdSucRaWDqGBqb0+FEsjINfe59tQ7vKYRjfdO ZZ2PTBvNuotGoSWxXducBL/qkLA9WZfPD+P+Gij4gv8+k9MSaK/qzL/guL8bE7h9UXoG 8XZ7G+zG8PiD/plbDGtH0dGh/mADAnDDk1NxCbmwAFMy6+2AzrGBiTPGHmEcat/v2I8g FybQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linux-foundation.org header.s=google header.b=eC7fqbk8; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id q77si9768181pfa.102.2019.04.01.14.31.36; Mon, 01 Apr 2019 14:31:51 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@linux-foundation.org header.s=google header.b=eC7fqbk8; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728647AbfDAVao (ORCPT + 99 others); Mon, 1 Apr 2019 17:30:44 -0400 Received: from mail-lj1-f193.google.com ([209.85.208.193]:37495 "EHLO mail-lj1-f193.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1725869AbfDAVao (ORCPT ); Mon, 1 Apr 2019 17:30:44 -0400 Received: by mail-lj1-f193.google.com with SMTP id v13so9615520ljk.4 for ; Mon, 01 Apr 2019 14:30:42 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linux-foundation.org; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=YMXJ/m9oIy+nA+Cbm8U5H8R/R1W1YG/xRHF8Ie05RlI=; b=eC7fqbk8S/oTbA+EppWReoKiBnR4Nv8UdSoRwgs6E5Kt0/vRcWxhzXZNWDVE5uOmGP 3y/wZssfhpm/YDnbrxN3D4e0u2hxXPkraykx7vdxBnbW0WP6bdIbHidvGmUz3TjWJhWO xGhfsJYBiKZ5f7QZyZvaxRmd3ca4Q9bjp9KMc= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=YMXJ/m9oIy+nA+Cbm8U5H8R/R1W1YG/xRHF8Ie05RlI=; b=IZXkSSZg11L422t6bgJEPJN305BsAb7YhhXJUOuOHMmWHCBcnYLZYjla1SOUQFV9JU JYMrQR0iLlRGPqA5TzszOw5xZvKOwKWzO6tVc16sYHTDIy159qhnIsSd2Tiaq2EE5igZ t124IUB0P6ytZ7nyEGwJzXqHFz/Pt7IvElTgpaRvCNbhMncgVisk39ves8esIoN53hfg TC0BG+S+ozsue8bW8aiduEHIDHtLkIW4JMAEGYk8cETjOJpxWN/t6fZAYYCu1/jcTYEZ rBxkXav2lXU5Ri3m68qRtWz18hOh6Ml6ZkiqOjzGV/E1Z/nwzpXgGq57/6xNwQipcj2q 75dQ== X-Gm-Message-State: APjAAAVTd6vSxfElSEQhkOBkNxxVCPuVzuY5c8LJXWGXcbLY3VsvTrnE wM8biTvNBLvuk3zT7p7EOvmuNr5FM0Q= X-Received: by 2002:a2e:9bc7:: with SMTP id w7mr31076623ljj.58.1554154240711; Mon, 01 Apr 2019 14:30:40 -0700 (PDT) Received: from mail-lj1-f174.google.com (mail-lj1-f174.google.com. [209.85.208.174]) by smtp.gmail.com with ESMTPSA id j9sm2391828lja.92.2019.04.01.14.30.36 for (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Mon, 01 Apr 2019 14:30:37 -0700 (PDT) Received: by mail-lj1-f174.google.com with SMTP id f18so9573879lja.10 for ; Mon, 01 Apr 2019 14:30:36 -0700 (PDT) X-Received: by 2002:a2e:88c1:: with SMTP id a1mr34853791ljk.78.1554154236323; Mon, 01 Apr 2019 14:30:36 -0700 (PDT) MIME-Version: 1.0 References: <132107F4-F56B-4D6E-9E00-A6F7C092E6BD@amacapital.net> <20190331211041.vht7dnqg4e4bilr2@brauner.io> <18C7FCB9-2CBA-4237-94BB-9C4395A2106B@amacapital.net> <20190401114059.7gdsvcqyoz2o5bbz@yavin> <20190401194214.4rbvmwogpke3cjcx@brauner.io> In-Reply-To: <20190401194214.4rbvmwogpke3cjcx@brauner.io> From: Linus Torvalds Date: Mon, 1 Apr 2019 14:30:19 -0700 X-Gmail-Original-Message-ID: Message-ID: Subject: Re: [PATCH v2 0/5] pid: add pidfd_open() To: Christian Brauner Cc: Jann Horn , Daniel Colascione , Aleksa Sarai , Andy Lutomirski , Andrew Lutomirski , David Howells , "Serge E. Hallyn" , Linux API , Linux List Kernel Mailing , Arnd Bergmann , "Eric W. Biederman" , Konstantin Khlebnikov , Kees Cook , Alexey Dobriyan , Thomas Gleixner , Michael Kerrisk-manpages , Jonathan Kowalski , "Dmitry V. Levin" , Andrew Morton , Oleg Nesterov , Nagarathnam Muthusamy , Al Viro , Joel Fernandes Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Mon, Apr 1, 2019 at 12:42 PM Christian Brauner wrote: > > From what I gather from this thread we are still best of with using fds > to /proc/ as pidfds. Linus, do you agree or have I misunderstood? That does seem to be the most flexible option. > Yes, we can have an internal mount option to restrict access to various > parts of procfs from such pidfds I suspect you'd find that other parties might want such a "restrict proc" mount option too, so I don't think it needs to be anything internal. But it would be pretty much independent of the pidfd issue, of course. > One thing is that we also need something to disable access to the > "/proc//net". One option could be to give the files in "net/" an > ->open-handler which checks that our file->f_path.mnt is not one of our > special clone() mounts and if it is refuse the open. I would expect that that would be part of the "restrict proc" mount options, no? > Basically, if you have a system without CONFIG_PROC_FS it makes sense > that clone gives back an anon inode file descriptor as pidfds because > you can still signal threads in a race-free way. But it doesn't make a > lot of sense to have pidfd_open() in this scenario because you can't > really do anything with that pidfd apart from sending signals. Well, people might want that. But realistically, everybody enables /proc support anyway. Even if you don't actually fully *mount* it in some restricted area, the support is pretty much always there in any kernel config. But yes, in general I agree that that also most likely means that a separate system call for "open_pidfd()" isn't worth it. Because if the main objection to /proc is that it exposes too much, then I think a much better option is to see how to sanely restrict the "too much" parts. Because I think there might be a lot of people who want a restricted /proc, in various container models etc. Linus