Open Source and information security mailing list archives
Date:   Sun, 31 Mar 2019 15:16:47 -0700
From:   Linus Torvalds <>
To:     Christian Brauner <>
Cc:     Andy Lutomirski <>,
        Daniel Colascione <>,
        Jann Horn <>,
        Andrew Lutomirski <>,
        David Howells <>,
        "Serge E. Hallyn" <>,
        Linux API <>,
        Linux List Kernel Mailing <>,
        Arnd Bergmann <>,
        "Eric W. Biederman" <>,
        Konstantin Khlebnikov <>,
        Kees Cook <>,
        Alexey Dobriyan <>,
        Thomas Gleixner <>,
        Michael Kerrisk-manpages <>,
        Jonathan Kowalski <>,
        "Dmitry V. Levin" <>,
        Andrew Morton <>,
        Oleg Nesterov <>,
        Nagarathnam Muthusamy <>,
        Aleksa Sarai <>,
        Al Viro <>,
        Joel Fernandes <>
Subject: Re: [PATCH v2 0/5] pid: add pidfd_open()

On Sun, Mar 31, 2019 at 3:03 PM Christian Brauner <> wrote:
> Thanks for the input. The problem Jann and I saw with this is that it
> would be awkward to have the kernel open a file in some procfs instance,
> since then userspace would have to specify which procfs instance the fd
> should come from.

I would actually suggest we just make the rules be that the
pidfd_open() always return the internal /proc entry regardless of any
mount-point (or any "hidepid") but also suggest that exactly *because*
it gives you visibility into the target pid, you'd basically require
the strictest kind of control of the process you're trying to get the
pidfd of.

Ie likely something along the lines of

        ptrace_may_access(task, PTRACE_MODE_ATTACH_REALCREDS)

kind of requirements.

But honestly, just how much do you need pidfd_open()? If this is
purely because somebody goes "oh, ASCII is expensive", then just stop
doing it entirely. It's not. It's fine. Going through a filesystem is
a *good* thing, exactly because it allows MIS to control it.

So it's entirely possible that the right answer is: "just open
/proc/<pid>/", and accept the fact that everybody has it anyway, and
people who don't have it don't get the new functionality (with the
possible exception of clone(CLONE_PIDFD), which only gives you access
to a child you created yourself).
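What "just open /proc/&lt;pid&gt;/" buys you in user space, as an added example that is not part of this thread or of the pidfd patches: the directory handle pins one process instance, so later checks cannot be fooled by pid reuse, and the kernel's access checks (including hidepid) are applied once, at open time, which is exactly the filesystem-mediated control the message above argues for. The code assumes Linux with procfs mounted at /proc; the function names are this example's own, and "gone" is detected by the pinned directory's entries no longer resolving (ENOENT) or opening (ESRCH) after the task has been reaped.

```c
/* Added example, not code from the thread above: a user-space process
 * handle built by opening /proc/<pid> itself. Assumes Linux with procfs
 * mounted at /proc; the function names are this example's own. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <signal.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>

/* Take a directory handle on /proc/<pid>. The handle pins that process
 * instance's proc inode, so it cannot silently drift to an unrelated
 * process that later inherits the same pid number. Fails (-1, errno
 * set) if the pid does not exist or procfs hides it from us, e.g. under
 * hidepid=. O_PATH: we only want the reference, not read access. */
int open_pid_handle(pid_t pid)
{
    char path[32];
    snprintf(path, sizeof path, "/proc/%ld", (long)pid);
    return open(path, O_DIRECTORY | O_PATH | O_CLOEXEC);
}

/* 1 if the process behind the handle still exists (including as a
 * zombie), 0 once it has been reaped, -1 on any other error. After the
 * task is gone, entries under the pinned /proc/<pid> directory fail to
 * resolve (ENOENT) or to open (ESRCH) even though the dirfd stays valid
 * and a new process may by now own the same pid number. */
int pid_handle_alive(int dirfd)
{
    int fd = openat(dirfd, "status", O_RDONLY | O_CLOEXEC);
    if (fd >= 0) {
        close(fd);
        return 1;
    }
    return (errno == ENOENT || errno == ESRCH) ? 0 : -1;
}

/* Does the numeric pid still name the same process instance as the
 * handle? A fresh lookup of /proc/<pid> yields the pinned inode while
 * the original task lives; once the pid is recycled procfs creates a
 * new inode for the new task, so (st_dev, st_ino) no longer match. */
int pid_handle_same(int dirfd, pid_t pid)
{
    struct stat held, now;
    int fresh = open_pid_handle(pid);
    if (fresh < 0)
        return 0;
    int same = fstat(dirfd, &held) == 0 && fstat(fresh, &now) == 0 &&
               held.st_dev == now.st_dev && held.st_ino == now.st_ino;
    close(fresh);
    return same;
}

/* Walk the lifecycle on a forked child: alive -> killed and reaped -> gone.
 * Returns 0 when every check behaves as described above. */
int run_demo(void)
{
    int self = open_pid_handle(getpid());
    if (self < 0 || pid_handle_alive(self) != 1 || !pid_handle_same(self, getpid()))
        return 1;
    close(self);

    pid_t child = fork();
    if (child < 0)
        return 2;
    if (child == 0) {
        pause();            /* wait to be killed by the parent */
        _exit(0);
    }
    int h = open_pid_handle(child);
    if (h < 0 || pid_handle_alive(h) != 1 || !pid_handle_same(h, child))
        return 3;

    kill(child, SIGKILL);
    waitpid(child, NULL, 0);
    /* The number `child` may be reused by now; the handle is not. */
    if (pid_handle_alive(h) != 0 || pid_handle_same(h, child) != 0)
        return 4;
    close(h);
    return 0;
}

int main(void)
{
    int rc = run_demo();
    printf("%s\n", rc == 0 ? "ok" : "mismatch");
    return rc;
}
```

Note what this does not give you: an O_PATH handle on /proc/&lt;pid&gt; is only a reference. Signalling or reading the target's state still goes through the normal /proc permission checks at each access, which is the point of the "strictest kind of control" requirement discussed above, and the same handle is unavailable to anyone for whom procfs is not mounted or is hiding that pid.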

