lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:   Sun, 31 Mar 2019 23:03:07 +0100
From:   Jonathan Kowalski <>
To:     Linus Torvalds <>
Cc:     Christian Brauner <>,
        Andy Lutomirski <>,
        Daniel Colascione <>,
        Jann Horn <>,
        Andrew Lutomirski <>,
        David Howells <>,
        "Serge E. Hallyn" <>,
        Linux API <>,
        Linux List Kernel Mailing <>,
        Arnd Bergmann <>,
        "Eric W. Biederman" <>,
        Konstantin Khlebnikov <>,
        Kees Cook <>,
        Alexey Dobriyan <>,
        Thomas Gleixner <>,
        Michael Kerrisk-manpages <>,
        "Dmitry V. Levin" <>,
        Andrew Morton <>,
        Oleg Nesterov <>,
        Nagarathnam Muthusamy <>,
        Aleksa Sarai <>,
        Al Viro <>,
        Joel Fernandes <>
Subject: Re: [PATCH v2 0/5] pid: add pidfd_open()

On Sun, Mar 31, 2019 at 10:18 PM Linus Torvalds
<> wrote:
> On Sun, Mar 31, 2019 at 2:10 PM Christian Brauner <> wrote:
> >
> > I don't think that we want or can make them equivalent since that would
> > mean we depend on procfs.
> Sure we can.
> If /proc is enabled, then you always do that dance YOU ALREADY WROTE
> THE CODE FOR to do the stupid ioctl.
> And if /procfs isn't enabled, then you don't do that.
> Ta-daa. Done. No stupid ioctl, and now /proc and pidfd_open() return
> the same damn thing.

So this is already inherently broken with the /proc filesystem mounted
with hidepid=2. What type of object will it return when CONFIG_PROC_FS
is enabled, but I cannot see anyone's /proc entry except the
processe's running as my own user.

> And guess what? If /proc isn't enabled, then obviously pidfd_open()
> gives you the /proc-less thing, but at least there is no crazy "two
> different file descriptors for the same thing" situation, because then
> the /proc one doesn't exist.

There will be when you have no procfs mount for the PID namespace.
What do you return in that case? You run into the problem of two types
of descriptors on the same system.

If you choose to error out, the whole API is useless.

Yes, you can now argue that if I use hidepid=2 and cannot see other
process's /proc entry other than my own user, I wouldn't be able to
kill them anyway, so erroring out is fine, but let's not forget

> Notice? No incompatibility. No crazy stupid new "convert one to the
> other", because "the other model" NEVER EXISTS. There is only one
> pidfd - it might be proc-less if CONFIG_PROC isn't there, but let's
> face it, nobody even cares, because nobody ever disabled /proc anyway.

I agree that the ioctl really sucks, but using /proc sucks even further.

Processes have their own namespace, and that is not the filesystem, it
is the PID namespace. As such, pidfd_open should be my open() for an
addressable task I can see in my PID namespace, unrelated to /proc.

Then, processes could pass a pidfd for something in their namespace
*elsewhere*, crossing namespace boundaries, as file descriptors remain
unaffected by that, and subject to kernel permissions, you could
implement some neat communication primitive just through such process
descriptors (which are stable).

It's like the filesystem in some sense, the processes form some
hierarchy, so I should be only be able to open something I can address
in this namespace. It is otherwise a gross layering violation if the
/proc filesystem works like some sort of backdoor to open some
different kind of descriptors pidfd calls accept (and it ends up
working for those I cannot even see).

> And no need for some new "convert" interface (ioctl or other).
> Problem solved.
>                    Linus

Powered by blists - more mailing lists