[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <8736sm3eoh.fsf@xmission.com>
Date: Tue, 30 Oct 2018 23:47:42 -0500
From: ebiederm@...ssion.com (Eric W. Biederman)
To: Aleksa Sarai <cyphar@...har.com>
Cc: Daniel Colascione <dancol@...gle.com>,
linux-kernel@...r.kernel.org, timmurray@...gle.com,
joelaf@...gle.com, surenb@...gle.com
Subject: Re: [RFC PATCH] Implement /proc/pid/kill
Aleksa Sarai <cyphar@...har.com> writes:
> On 2018-10-29, Daniel Colascione <dancol@...gle.com> wrote:
>> Add a simple proc-based kill interface. To use /proc/pid/kill, just
>> write the signal number in base-10 ASCII to the kill file of the
>> process to be killed: for example, 'echo 9 > /proc/$$/kill'.
>>
>> Semantically, /proc/pid/kill works like kill(2), except that the
>> process ID comes from the proc filesystem context instead of from an
>> explicit system call parameter. This way, it's possible to avoid races
>> between inspecting some aspect of a process and that process's PID
>> being reused for some other process.
>
> (Aside from any UX concerns other folks might have.)
>
> I think it would be a good idea to (at least temporarily) restrict this
> so that only processes that are in the same PID namespace as the /proc
> being resolved through may use this interface. Otherwise you might have
> cases where partial container breakouts can start sending signals to
> PIDs they wouldn't normally be able to address.
No. That is the container managers job. If you have the wrong proc
mounted in your container or otherwise allow access to it that is the
fault of the application that set up the container.
The pid namespace limits visibility. If something becomes visible and
you have permissions over it, it is perfectly reasonable for you to
execute those permissions.
Eric
Powered by blists - more mailing lists