Received: by 2002:a25:8b91:0:0:0:0:0 with SMTP id j17csp2960116ybl;
        Fri, 20 Dec 2019 01:21:37 -0800 (PST)
X-Google-Smtp-Source: APXvYqy9iarcnLmrO0H/H/G/0TeVaTY1xqzATQJer2DxhuMHoP3gRx5prgJvYvhN2iEUifLt1+Wj
X-Received: by 2002:a9d:23b5:: with SMTP id t50mr13386887otb.122.1576833697292;
        Fri, 20 Dec 2019 01:21:37 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1576833697; cv=none;
        d=google.com; s=arc-20160816;
        b=jHu7+RVAVS1MHG8WbouyjKTwlMTARQTGsY1ohDXnCr3F9+MvPrJy9qZJKkbqC5bFpp
         l7JpakaEVc7NNGK+wI1hrHp0wJGF2Hz3hKf9icE7uELd+g5349LgwJXSOmT1T5ky2Ddi
         KI/JaOmekaP3JjHNfsSiQ4xFPErvJI/wp1BVM0D88oIhIGBcVtKnWqr1wHleBjIX6h0I
         aekRLnrr6Pus43tm1O3yvtFWEeVwMaKXR9IqIjS/3TuHzmRnL1ApS+HVfAjCEn3CABsm
         ksO69OB+GbIpmhneVUgEDDLQ3yh6d7zXT9Mzhtc98cb65f5fOTTgroTsWtdBTSgFw3ra
         OTmw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:cc:to:subject:message-id:date:from
         :in-reply-to:references:mime-version:dkim-signature;
        bh=3v7dxzSJEJ1yWkClVjvOyMii5LUuWGWUSQjt8LKR3wA=;
        b=am6HKFuVJoi3U2SwyC2d7HViJrC0+X7/SgDhBWHsbofxscDMLMIxsxseE755WNxgq3
         2qqN9m5ca5RESL+AaERegqDatYS026rAHMbks5x335wDMLcfgpW441CKPZkXujKKnVxI
         WEV5t3PMjsObao1VogNBwt0Nw+9DeM/PyqHW+UMryklK00X2jJ6swD++xnBF8b7dJE7P
         QQHkek+dUtE+o4/M+1hy7prDtge4hAkI04uo8Xl3JAw8B+mVZvZwkpdcV3Y/pFRGDWx7
         75ryO9nOJ0fe3V0TawwwQ3aBn+I0C+AElFHmCwknHXU5qwXtM4NP3610iFvtZ8CFAyeq
         TaGg==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@brauner.io header.s=google header.b=cSPcVwWI;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id r26si4818139otc.163.2019.12.20.01.21.24;
        Fri, 20 Dec 2019 01:21:37 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@brauner.io header.s=google header.b=cSPcVwWI;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1727258AbfLTJUV (ORCPT <rfc822;yxhlfx@gmail.com> + 99 others);
        Fri, 20 Dec 2019 04:20:21 -0500
Received: from mail-lj1-f196.google.com ([209.85.208.196]:33951 "EHLO
        mail-lj1-f196.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1727167AbfLTJUV (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Fri, 20 Dec 2019 04:20:21 -0500
Received: by mail-lj1-f196.google.com with SMTP id z22so4455029ljg.1
        for <linux-kernel@vger.kernel.org>; Fri, 20 Dec 2019 01:20:19 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=brauner.io; s=google;
        h=mime-version:references:in-reply-to:from:date:message-id:subject:to
         :cc;
        bh=3v7dxzSJEJ1yWkClVjvOyMii5LUuWGWUSQjt8LKR3wA=;
        b=cSPcVwWIVS1ArGZRrJfotRqRQooXD8MIeMchCt+DhIL0IxF/ZlKkI4jg1aAydkRK+r
         OHjXxr/DIapkkt3MnnXJ4nI+FENizI+oMHKMKTYIP6Tj2MXeJ2VBNv7kdDYCxiDXfPxV
         opo142e9QxQY7ddx+jsyPP3Szd1Sm9lS8QC5DAv+fy6YHfQo6YOVqLSyp+Pgby7SuVOq
         2FwQcbJqu73W1/GOPIPvuJ6dlp2keMafuCu6nXbClec0IN2kt5HQS3pFfbBjUujMRXN+
         3XLGcE8YGj0uBaeyPAKl14aNj4KdhovWo5mvhkCqPMGWB0fo1x5+n4NV3aFEM8aSAGyW
         dqZw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:references:in-reply-to:from:date
         :message-id:subject:to:cc;
        bh=3v7dxzSJEJ1yWkClVjvOyMii5LUuWGWUSQjt8LKR3wA=;
        b=T4Dwt4v5i4rNXD5O4FqBJlDfMmojm0eN9KQmpFVB1toTkUbvbp1lGUQ6hRJ2a430eu
         SSnEYBx7kjH4Cp3Nir6QuBcePVigZcwdW90ecSazno3a508eg+NwCkPMe2UXqvrmqQ0q
         1Of3vCx+eiNI42KwpsGWO5r8JVlg0S7GS6xaw4UC7JcNPYFdm7cG3Gmlw10hOzHNTew1
         kAjWm2nDHGCXcy/8t8PNhmcsGHsmOlZKr/zTlJNumu861j7PKtmCtK4keYwbBm9r81OS
         4mF6eTF3V7qLIk1Bf9XrJ4KH2yp34aDftkqZObBv0ABV4IlcvzmejqyX4sT8mAQ2qURS
         Yn2g==
X-Gm-Message-State: APjAAAWdEUn7xuNk1CPpqenOQwjloDwAsiTt6sFFHk2US6Te3ZZrDo4L
        N4dopdyRkkIPrEeKafndld2kMiaNPT6Gs12jqniO9A==
X-Received: by 2002:a05:651c:8f:: with SMTP id 15mr9026170ljq.109.1576833618773;
 Fri, 20 Dec 2019 01:20:18 -0800 (PST)
MIME-Version: 1.0
References: <20191218235459.GA17271@ircssh-2.c.rugged-nimbus-611.internal> <CALCETrUK-SHA=sOUrBscpf+Bpxxff2L3RpXEaAfRHNnHGxa-LQ@mail.gmail.com>
In-Reply-To: <CALCETrUK-SHA=sOUrBscpf+Bpxxff2L3RpXEaAfRHNnHGxa-LQ@mail.gmail.com>
From:   Christian Brauner <christian@brauner.io>
Date:   Fri, 20 Dec 2019 10:20:07 +0100
Message-ID: <CAHrFyr6oWgeQGS9Yh4akorWyrfdYt6j6Y6v=v9=rDVgf5TbMQg@mail.gmail.com>
Subject: Re: [PATCH v4 2/5] pid: Add PIDFD_IOCTL_GETFD to fetch file
 descriptors from processes
To:     Andy Lutomirski <luto@kernel.org>
Cc:     Sargun Dhillon <sargun@sargun.me>, ealvarez@mozilla.com,
        Arnd Bergmann <arnd@arndb.de>, Jann Horn <jannh@google.com>,
        gpascutto@mozilla.com, Linux API <linux-api@vger.kernel.org>,
        Linux Containers <containers@lists.linux-foundation.org>,
        jld@mozilla.com, LKML <linux-kernel@vger.kernel.org>,
        Oleg Nesterov <oleg@redhat.com>,
        Al Viro <viro@zeniv.linux.org.uk>,
        Linux FS Devel <linux-fsdevel@vger.kernel.org>
Content-Type: text/plain; charset="UTF-8"
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Fri, Dec 20, 2019 at 2:43 AM Andy Lutomirski <luto@kernel.org> wrote:
>
> On Wed, Dec 18, 2019 at 3:55 PM Sargun Dhillon <sargun@sargun.me> wrote:
> >
> > +
> > +       if (!ptrace_may_access(task, PTRACE_MODE_READ_REALCREDS)) {
> > +               file = ERR_PTR(-EPERM);
> > +               goto out;
> > +       }
>
> I don't think this is MODE_READ.  By copying an fd from the task, you
> can easily change its state.
>
> IMO it would be really nice if pidfd could act more like a capability

That's ultimately what I would like to get to.

> here and carry a ptrace mode, for example.  But I guess it doesn't
> right now.

It doesn't right now for mainly two reasons.
The way I think about it is that a pidfd gets a capability at process
creation time. Before v5.3 we couldn't have done that because legacy
clone() couldn't be extended anymore. Imho, this has changed with clone3().
The other reason was that the basic properties a process can be created
with right now do not lend itself to be turned into a capability. Even
if they did
suddenly treating them like such would prevent userspace from switching to
clone3() because it would regress usecases they had.
However, for new properties this is not a problem. I have some ideas around this
(e.g. spawning private processes only reapable through pidfds and auto-cleanup
if there's no pidfd anymore).
From an implementation perspective clone3() could get a __aligned_u64 caps
(naming up for debate since we don't want people to think this is equivalent
to our current capabilities) field.
Where at process creation time you could e.g. specify PIDFD_CAP_GET_FD and
only then can you use that pidfd to get file descriptors from other processes.
You still need ptrace_access() to get the actual fd of course.

Christian