Received: by 2002:a25:e7d8:0:0:0:0:0 with SMTP id e207csp4053366ybh;
        Tue, 17 Mar 2020 11:19:48 -0700 (PDT)
X-Google-Smtp-Source: ADFU+vspDcm2MbkRUX6XP/9iRzTGOS9PLrvKdcEYlMDT2jzuSBuTzygEKPhPWgNB9Ws+eRxN47PP
X-Received: by 2002:a05:6808:56:: with SMTP id v22mr144336oic.116.1584469188229;
        Tue, 17 Mar 2020 11:19:48 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1584469188; cv=none;
        d=google.com; s=arc-20160816;
        b=YrBWOArCnPpqzOWt/ysZwVN85WkCHjBMjkdhDSWStSUXU25iVb1LFlac/IQ1ZcTYH/
         C/Y6mU5Z5VvaHhRLww71JCtmw+yQ60jH0ykYDKwf8lTu4jCVPfq1W2AjbCaHzTPsNB+I
         bpWnAJqFvrBNq9E2zX35maQUGy7sui6W0wCgUEv8joPdFuFRloYguELH35EKCf/hj4fQ
         VBdLcFw5MYTFZBezpw/FzX0Ct8AiwrHITVcgLbO9xfoUERXeAekKF4WPsVeDuBj2U/EZ
         Qbxmdtz5jP8qZfQv47V+Rhc/uOz6nJsHTS1GTpI5ILEBxYqNJChfRgiEsx7ouZ8O1f0f
         tVTw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:in-reply-to:content-disposition
         :mime-version:references:message-id:subject:cc:to:from:date;
        bh=hkIZk2bcD1/+ofMtox5LTL2E7f8XFkBGx7EbDhzslx0=;
        b=wFhJXZCPvQ611hxtgGh2kFtR8tozJuVlXBNs3OqlD93+TfOORRGlGnb1yLUZxDF7GM
         F87oOD7oOVGdjQ9UPthV5Iu1QqK+MIIDnEITfZPi2iJCFX/Wd4qwRVi3rZ8FGpsTVRcU
         r1h66kMZWlZ9yb9chwW2ex7z0/VOBhxHR6DFqsk4RAARrEBb86V8BUZGbMvf87OKELdY
         ovdE9V2WFETemISdP31KbJBPPM9vMy0CKoW1MQ29Y/gpHC5Kz3thOjXLnFvvgVizOEcV
         25FhNQoWe9bCaaHBrOyOi3VNa9+tIlfgag6dszIztJplmDJfhD5CsVn1oNrAJhkIuaEF
         4o8g==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id q23si2148716otg.271.2020.03.17.11.19.34;
        Tue, 17 Mar 2020 11:19:48 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1726682AbgCQSSq (ORCPT <rfc822;uzarths@gmail.com> + 99 others);
        Tue, 17 Mar 2020 14:18:46 -0400
Received: from youngberry.canonical.com ([91.189.89.112]:34824 "EHLO
        youngberry.canonical.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1726189AbgCQSSq (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Tue, 17 Mar 2020 14:18:46 -0400
Received: from ip5f5bf7ec.dynamic.kabel-deutschland.de ([95.91.247.236] helo=wittgenstein)
        by youngberry.canonical.com with esmtpsa (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128)
        (Exim 4.86_2)
        (envelope-from <christian.brauner@ubuntu.com>)
        id 1jEGnb-00063Y-ST; Tue, 17 Mar 2020 18:18:44 +0000
Date:   Tue, 17 Mar 2020 19:18:43 +0100
From:   Christian Brauner <christian.brauner@ubuntu.com>
To:     Simon Ser <contact@emersion.fr>
Cc:     Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
        "oleg@redhat.com" <oleg@redhat.com>,
        "christian@brauner.io" <christian@brauner.io>,
        "ebiederm@xmission.com" <ebiederm@xmission.com>
Subject: Re: SO_PEERCRED and pidfd
Message-ID: <20200317181843.iq3jaboqid2xfktv@wittgenstein>
References: <go0RLOS7_DdxyAmfrDR38QPUloZuUtiFdXe2Ey3EkGGuvmW7z18Dvt4fY1qZ1k-Y75-YZSxqVWnZpWRGN7TZ6OPbDczfL7HI25bXLIYq1y4=@emersion.fr>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
In-Reply-To: <go0RLOS7_DdxyAmfrDR38QPUloZuUtiFdXe2Ey3EkGGuvmW7z18Dvt4fY1qZ1k-Y75-YZSxqVWnZpWRGN7TZ6OPbDczfL7HI25bXLIYq1y4=@emersion.fr>
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Tue, Mar 17, 2020 at 05:54:47PM +0000, Simon Ser wrote:
> Hi all,
> 
> I'm a Wayland developer and I've been working on protocol security,
> which involves identifying the process on the other end of a Unix
> socket [1]. This is already done by e.g. D-Bus via the PID, however
> this is racy [2].
> 
> Getting the PID is done via SO_PEERCRED. Would there be interest in
> adding a way to get a pidfd out of a Unix socket to fix the race?

Puh, I knew this would happen. I've been asked to add this feature by
the systemd people as well and also at a conference last year. And
honestly, I don't know yet. pidfds right now are mostly about
guaranteeing (stable) identity and they come with the necessary
restrictions in place to prevent shenanigans (such as signaling across
pid namespaces a restriction I'd like to lift at _some_ point). But I
have been thinking about attaching some capability like features to
pidfds soon as that has been an even more frequent request. At that
point having them receivable this way might be problematic unless we put
restrictions in place.

I would like to go through codepaths for SO_PEERCRED as I don't have
them in my head and so can't really say something definitely about this
just now.
(From the top of my head it seems that if we were to do this it might
need to be a separate SO_* flag? Mainly so people don't suddenly receive
fds they didn't expect.)

Christian