Message-ID: <20231208-hitzig-charmant-6bbdc427bf7e@brauner>
Date: Fri, 8 Dec 2023 14:48:30 +0100
From: Christian Brauner <brauner@...nel.org>
To: Florian Weimer <fweimer@...hat.com>
Cc: Mathieu Desnoyers <mathieu.desnoyers@...icios.com>,
Tycho Andersen <tycho@...ho.pizza>,
linux-kernel@...r.kernel.org, linux-api@...r.kernel.org,
Jan Kara <jack@...e.cz>, linux-fsdevel@...r.kernel.org,
Jens Axboe <axboe@...nel.dk>
Subject: Re: [RFC 1/3] pidfd: allow pidfd_open() on non-thread-group leaders
On Fri, Dec 08, 2023 at 02:15:58PM +0100, Florian Weimer wrote:
> * Christian Brauner:
>
> > File descriptors are reachable for all processes/threads that share a
> > file descriptor table. Changing that means breaking core userspace
> > assumptions about how file descriptors work. That's not going to happen
> > as far as I'm concerned.
>
> It already has happened, though? Threads are free to call
> unshare(CLONE_FILES). I'm sure that we have applications out there that
If you unshare a file descriptor table it will affect all file
descriptors of a given task. We don't allow hiding individual or ranges
of file descriptors from close/dup. That's akin to a partially shared
file descriptor table which is conceptually probably doable but just
plain weird and nasty to get right imho.
This really is either LSM territory to block such operations or use
stuff like io_uring gives you.
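An added illustration of the point made above (my own example, not code from this thread or from the kernel tree): unshare(CLONE_FILES) gives the calling thread a private copy of the entire descriptor table, so a close() in that thread no longer reaches its siblings, but the copy is all-or-nothing, and there is no call that removes a single fd from a table that is still shared. The probe below runs two variants of the same thread: one that just closes a pipe end the main thread also holds, and one that unshares its table first. It assumes Linux with glibc and pthreads; the result codes and the `probe_thread_close` name are mine.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <pthread.h>
#include <sched.h>
#include <stdio.h>
#include <unistd.h>

/* Status codes for probe_thread_close() (constructed for this example). */
enum { FD_CLOSED = 0, FD_SURVIVED = 1, UNSHARE_UNSUPPORTED = 2, PROBE_ERROR = -1 };

struct result {
    int status;                   /* one of the codes above */
    int other_fd_seen_by_thread;  /* 1 if the helper still saw the second pipe end */
};

struct probe {
    int read_fd;        /* fd the helper thread closes */
    int write_fd;       /* the other pipe end, checked to show the copy is whole */
    int unshare_first;  /* 1: helper calls unshare(CLONE_FILES) before closing */
    int unshare_errno;  /* errno if unshare() failed, else 0 */
    int other_fd_seen;  /* set by the helper */
};

static void *closer(void *arg)
{
    struct probe *p = arg;

    p->unshare_errno = 0;
    if (p->unshare_first && unshare(CLONE_FILES) != 0)
        p->unshare_errno = errno;
    /* unshare() copies every fd, not just the one we are about to close,
     * so the write end is still visible in the helper's (private) table. */
    p->other_fd_seen = fcntl(p->write_fd, F_GETFD) != -1;
    /* Without unshare this close() hits the table shared with main(). */
    close(p->read_fd);
    return NULL;
}

/* Create a pipe, let a helper thread close the read end (optionally after
 * unsharing its fd table), then report whether main() still owns that fd. */
struct result probe_thread_close(int unshare_first)
{
    struct result r = { PROBE_ERROR, 0 };
    struct probe p;
    pthread_t t;
    int fds[2];
    int alive;

    if (pipe(fds) != 0)
        return r;
    p.read_fd = fds[0];
    p.write_fd = fds[1];
    p.unshare_first = unshare_first;
    if (pthread_create(&t, NULL, closer, &p) != 0) {
        close(fds[0]);
        close(fds[1]);
        return r;
    }
    pthread_join(t, NULL);

    alive = fcntl(fds[0], F_GETFD) != -1;  /* EBADF means the helper closed it for us */
    if (alive)
        close(fds[0]);
    close(fds[1]);

    r.other_fd_seen_by_thread = p.other_fd_seen;
    if (unshare_first && p.unshare_errno != 0)
        r.status = UNSHARE_UNSUPPORTED;      /* e.g. blocked by a seccomp policy */
    else
        r.status = alive ? FD_SURVIVED : FD_CLOSED;
    return r;
}

int main(void)
{
    struct result shared = probe_thread_close(0);
    struct result priv = probe_thread_close(1);

    printf("shared table:   fd %s in main, helper saw other fd: %d\n",
           shared.status == FD_CLOSED ? "closed" : "alive", shared.other_fd_seen_by_thread);
    printf("unshared table: status %d, helper saw other fd: %d\n",
           priv.status, priv.other_fd_seen_by_thread);
    return 0;
}
```

With a shared table the helper's close() removes the fd from main()'s view as well; after unshare(CLONE_FILES) the helper's close() only touches its own copy, which still contains every other fd the process had at that moment. That is the granularity the kernel offers: a whole table per task, never a hidden subset of it.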