Received: by 2002:a25:4158:0:0:0:0:0 with SMTP id o85csp629213yba;
        Wed, 15 May 2019 07:19:48 -0700 (PDT)
X-Google-Smtp-Source: APXvYqzrRV/dfDwg6SXDsvsg4a/5TEqZXY3Dd3wiO6QAqSTp44aonDjfRoFRzw+Lkqfb2UOtxtSm
X-Received: by 2002:aa7:9a1d:: with SMTP id w29mr26267607pfj.81.1557929988907;
        Wed, 15 May 2019 07:19:48 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1557929988; cv=none;
        d=google.com; s=arc-20160816;
        b=Yr8tCdJfl1senDjfdzhzzelmLCy/7PiSa3lpw2KL2aJZRODeJ3E/P67rsWoU8hhOi9
         1ls5a3rwn5Ag4spBLH3YK2JBUMgh8blIuaVBtEbY1fL0R1Xsu4wDIZWQE17v30RoPnas
         mA4MkHW+1NSpLJXUPe9hljpJgQHswAgH6uxwpwnQT+C+aNZqBGKpSLPRAh3orf74W6a1
         tNe2u07qpkALh3pdp09kKtOnsw0nkFH5JTcM+CxblYN8AnXcCDCcZcrXYANfvpnnw3af
         owzzpLpUc47Hw0SgvLQrjrOKEpOwrfjucBGwEAzlJ5PSaAWdoXvVeQlNCrOnDrLwMwhD
         KT/Q==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:user-agent:in-reply-to
         :content-transfer-encoding:content-disposition:mime-version
         :references:message-id:subject:cc:to:from:date:dkim-signature;
        bh=5teuJo4XSRrnL6XxnC+QODipuz2WCzByYGo45sEdpQE=;
        b=NqCUE646JK1cG247cmQkHIIsSfBoIMc83YaCLVdnnNTXfhtg+vcjahidoSU/1bEnqL
         BgqR6LMbKUJnOG6tfDRgYUI2QYKI54Erx7UJSwh+KDTa+rlpi5SX0vvhrALaXnZ87pz4
         xyl9xvkGv8vG7Xozs8CSeLP7Upr3paFh+JOwhoBc8Sn5VXNQzBDRcgJQvj9p5YsVfULs
         xWFemaW3ci/H2FJBlf8ZYwj/bH5upF/swKno2nzt4654M2icTwr+ARqbjapUXXKdTF4R
         IUnnDSaD2NssrDY93KVJ96asejXfNO7ftgkBDjhJP1xZKp1yg0Yj13qCyWnWrLNLTvyO
         MP5w==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@brauner.io header.s=google header.b=gAJyzptk;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id 129si2484702pfy.160.2019.05.15.07.19.33;
        Wed, 15 May 2019 07:19:48 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@brauner.io header.s=google header.b=gAJyzptk;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1728275AbfEOOQn (ORCPT <rfc822;7819ynot@gmail.com> + 99 others);
        Wed, 15 May 2019 10:16:43 -0400
Received: from mail-ed1-f68.google.com ([209.85.208.68]:34162 "EHLO
        mail-ed1-f68.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1726821AbfEOOQk (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Wed, 15 May 2019 10:16:40 -0400
Received: by mail-ed1-f68.google.com with SMTP id p27so97789eda.1
        for <linux-kernel@vger.kernel.org>; Wed, 15 May 2019 07:16:38 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=brauner.io; s=google;
        h=date:from:to:cc:subject:message-id:references:mime-version
         :content-disposition:content-transfer-encoding:in-reply-to
         :user-agent;
        bh=5teuJo4XSRrnL6XxnC+QODipuz2WCzByYGo45sEdpQE=;
        b=gAJyzptkeah2CnPVHf8ki6Ey+Aje7kt4hiLFQY/UoXftAeb5KMt9kDcge1dL70700f
         v4lzCF24qKMgoDDJqK48PCIsuOAEIEWh56QloYL0Zx1Ytcl8wEHGZj2FHlHTDjeh1xHN
         qgtG9Lh2tYpVWiUdw1UsD0iGHta3lP4Ta8QIkzIE14Ud+jGfSqHpCDEAvWIr2Z7unvQT
         7zkggOJrHmZj/c4eERJMnDK2ju7392d0B+Atitgv36pLJz4hMjFGB1lnPt+6SoqUGyah
         IPYOEdYPIgWXRHQq6puWtz6SFEJeqqmkoJuWNHfimIVIYgR96+2ydELKuFEvw/jF51Hq
         +B1g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:date:from:to:cc:subject:message-id:references
         :mime-version:content-disposition:content-transfer-encoding
         :in-reply-to:user-agent;
        bh=5teuJo4XSRrnL6XxnC+QODipuz2WCzByYGo45sEdpQE=;
        b=UEycQOPQXrdG1+aG/gZ01jcWVkxi+IhG+wjlLWD8yO5uGC4iyqu+1yvdXBllVaCK57
         LKDoHih9QD2U3p2Q5fJPxwe5MWZ34ltnq/OR+hkcNQeNJe1cP8c4NLhEk0UKlQDeiIUM
         BVeX8oLngkgentyx+eVjgUFmR377nqcPIBCxFz30Oe2YREWN2M0b047XzfbeH2hY/c4m
         cRZcqai2uVVUvzq4sxq2oSOq670irdx+q74sOHxr2DmqZsJOVraq+1Nlr7iMkKh4doN1
         vYGWkd6tSh6CYLpxHBjYLDj46O19fUPHfGHKjeG3ADdi0fDYJLd8tONxnYu4NwxKq06A
         SaPA==
X-Gm-Message-State: APjAAAVbu+s7ur1UdcSoZ12Y3X14UlIqJUUXod1AHc/qUb4JFlCKaVKY
        OPX33cf1p4tTBNLATE4tHBh3lg==
X-Received: by 2002:a50:8bbb:: with SMTP id m56mr44288042edm.230.1557929797459;
        Wed, 15 May 2019 07:16:37 -0700 (PDT)
Received: from brauner.io ([178.19.218.101])
        by smtp.gmail.com with ESMTPSA id h13sm493114ejs.3.2019.05.15.07.16.35
        (version=TLS1_3 cipher=AEAD-AES256-GCM-SHA384 bits=256/256);
        Wed, 15 May 2019 07:16:36 -0700 (PDT)
Date:   Wed, 15 May 2019 16:16:35 +0200
From:   Christian Brauner <christian@brauner.io>
To:     Yann Droneaud <ydroneaud@opteya.com>
Cc:     jannh@google.com, oleg@redhat.com, viro@zeniv.linux.org.uk,
        torvalds@linux-foundation.org, linux-kernel@vger.kernel.org,
        arnd@arndb.de, dhowells@redhat.com, akpm@linux-foundation.org,
        cyphar@cyphar.com, ebiederm@xmission.com,
        elena.reshetova@intel.com, keescook@chromium.org,
        luto@amacapital.net, luto@kernel.org, tglx@linutronix.de,
        linux-alpha@vger.kernel.org, linux-arm-kernel@lists.infradead.org,
        linux-ia64@vger.kernel.org, linux-m68k@lists.linux-m68k.org,
        linux-mips@vger.kernel.org, linux-parisc@vger.kernel.org,
        linuxppc-dev@lists.ozlabs.org, linux-s390@vger.kernel.org,
        linux-sh@vger.kernel.org, sparclinux@vger.kernel.org,
        linux-xtensa@linux-xtensa.org, linux-api@vger.kernel.org,
        linux-arch@vger.kernel.org, linux-kselftest@vger.kernel.org
Subject: Re: [PATCH 1/2] pid: add pidfd_open()
Message-ID: <20190515141634.lrc5ynllcmjr64mn@brauner.io>
References: <20190515100400.3450-1-christian@brauner.io>
 <4c5ae46657e1931a832def5645db61eb0bf1accd.camel@opteya.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <4c5ae46657e1931a832def5645db61eb0bf1accd.camel@opteya.com>
User-Agent: NeoMutt/20180716
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Wed, May 15, 2019 at 04:00:20PM +0200, Yann Droneaud wrote:
> Hi,
> 
> Le mercredi 15 mai 2019 à 12:03 +0200, Christian Brauner a écrit :
> > 
> > diff --git a/kernel/pid.c b/kernel/pid.c
> > index 20881598bdfa..237d18d6ecb8 100644
> > --- a/kernel/pid.c
> > +++ b/kernel/pid.c
> > @@ -451,6 +452,53 @@ struct pid *find_ge_pid(int nr, struct
> > pid_namespace *ns)
> >  	return idr_get_next(&ns->idr, &nr);
> >  }
> >  
> > +/**
> > + * pidfd_open() - Open new pid file descriptor.
> > + *
> > + * @pid:   pid for which to retrieve a pidfd
> > + * @flags: flags to pass
> > + *
> > + * This creates a new pid file descriptor with the O_CLOEXEC flag set for
> > + * the process identified by @pid. Currently, the process identified by
> > + * @pid must be a thread-group leader. This restriction currently exists
> > + * for all aspects of pidfds including pidfd creation (CLONE_PIDFD cannot
> > + * be used with CLONE_THREAD) and pidfd polling (only supports thread group
> > + * leaders).
> > + *
> 
> Would it be possible to create file descriptor with "restricted"
> operation ?
> 
> - O_RDONLY: waiting for process completion allowed (for example)
> - O_WRONLY: sending process signal allowed

Yes, something like this is likely going to be possible in the future.
We had discussion around this. But mapping this to O_RDONLY and O_WRONLY
is not the right model. It makes more sense to have specialized flags
that restrict actions.

> 
> For example, a process could send over a Unix socket a process a pidfd,
> allowing this to only wait for completion, but not sending signal ?
> 
> I see the permission check is not done in pidfd_open(), so what prevent
> a user from sending a signal to another user owned process ?

That's supposed to be possible. You can do the same right now already
with pids. Tools like LMK need this probably very much.
Permission checking for signals is done at send time right now.
And if you can't signal via a pid you can't signal via a pidfd as
they're both subject to the same permissions checks.

> 
> If it's in pidfd_send_signal(), then, passing the socket through
> SCM_RIGHT won't be useful if the target process is not owned by the
> same user, or root.
> 
> > + * Return: On success, a cloexec pidfd is returned.
> > + *         On error, a negative errno number will be returned.
> > + */
> > +SYSCALL_DEFINE2(pidfd_open, pid_t, pid, unsigned int, flags)
> > +{
> > +	int fd, ret;
> > +	struct pid *p;
> > +	struct task_struct *tsk;
> > +
> > +	if (flags)
> > +		return -EINVAL;
> > +
> > +	if (pid <= 0)
> > +		return -EINVAL;
> > +
> > +	p = find_get_pid(pid);
> > +	if (!p)
> > +		return -ESRCH;
> > +
> > +	rcu_read_lock();
> > +	tsk = pid_task(p, PIDTYPE_PID);
> > +	if (!tsk)
> > +		ret = -ESRCH;
> > +	else if (unlikely(!thread_group_leader(tsk)))
> > +		ret = -EINVAL;
> > +	else
> > +		ret = 0;
> > +	rcu_read_unlock();
> > +
> > +	fd = ret ?: pidfd_create(p);
> > +	put_pid(p);
> > +	return fd;
> > +}
> > +
> >  void __init pid_idr_init(void)
> >  {
> >  	/* Verify no one has done anything silly: */
> 
> Regards.
> 
> -- 
> Yann Droneaud
> OPTEYA
> 
>