From: "Theodore Tso" <tytso@mit.edu>
To: Christian Brauner <brauner@kernel.org>
Cc: Linus Torvalds <torvalds@linux-foundation.org>,
	Jann Horn <jannh@google.com>, Oleg Nesterov <oleg@redhat.com>,
	Ingo Molnar <mingo@redhat.com>,
	Peter Zijlstra <peterz@infradead.org>,
	linux-kernel@vger.kernel.org, linux-fsdevel@vger.kernel.org
Subject: Re: [PATCH RFC v3 2/4] pidfd: add CLONE_PIDFD_AUTOKILL
Date: Wed, 18 Feb 2026 09:00:10 -0500
Message-ID: <20260218140010.GC45984@macsyma-wired.lan>
In-Reply-To: <20260218-wonach-kampieren-adfca0940b45@brauner>

On Wed, Feb 18, 2026 at 09:18:49AM +0100, Christian Brauner wrote:
> The kill-on-close contract cannot be flaunted no matter what gets
> executed very much in contrast to pdeath_signal which is annoying
> because it magically gets unset and then userspace needs to know when it
> got unset and then needs to reset it again.

I think you mean "violated", not "flaunted", above.

If a process can do the double-fork dance to avoid getting killed, is
that a problem with your use case?

What if we give the process time to exit before we bring down the
hammer, as I suggested in another message on this thread?

> My ideal model for kill-on-close is to just ruthlessly enforce that the
> kernel murders anything once the file is released. I would value input
> under what circumstances we could make this work without having the
> kernel magically unset it under magical circumstances that are
> completely opaque to userspace.

I don't think this proposal would fly, but what if an exec of a setuid
binary fails with an error if the AUTOKILL flag is set?   :-)

       	     	     	      	  	   	- Ted
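
The pdeath_signal behaviour mentioned in the quoted text can be observed from userspace. The following is an added example, not part of the original message or of the patch series: it uses the existing prctl(2) operations PR_SET_PDEATHSIG and PR_GET_PDEATHSIG to show that the setting is cleared in the child of a fork(2), so a supervisor cannot treat it as a contract covering descendants. The function names are made up for illustration.

```c
#define _GNU_SOURCE
#include <signal.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/wait.h>
#include <unistd.h>

/* Parent-death signal of the calling process, or -1 on error. */
static int get_pdeathsig(void)
{
    int sig = -1;
    return prctl(PR_GET_PDEATHSIG, &sig) == 0 ? sig : -1;
}

/*
 * Hypothetical helper: set the parent-death signal to SIGKILL, fork, and
 * return the value the child sees (0 means "cleared"), or -1 on error.
 * *before receives the caller's own value right after setting it.
 * The caller's previous setting is restored before returning.
 */
int pdeathsig_after_fork(int *before)
{
    int pipefd[2], child_sig = -1, old = get_pdeathsig();
    pid_t pid;

    if (old < 0 || prctl(PR_SET_PDEATHSIG, (unsigned long)SIGKILL) != 0)
        return -1;
    *before = get_pdeathsig();
    if (pipe(pipefd) != 0) {
        prctl(PR_SET_PDEATHSIG, (unsigned long)old);
        return -1;
    }
    pid = fork();
    if (pid == 0) {                      /* child: report what it inherited */
        int sig = get_pdeathsig();
        _exit(write(pipefd[1], &sig, sizeof(sig)) == (ssize_t)sizeof(sig) ? 0 : 1);
    }
    prctl(PR_SET_PDEATHSIG, (unsigned long)old);   /* restore caller's setting */
    close(pipefd[1]);
    if (pid > 0) {
        if (read(pipefd[0], &child_sig, sizeof(child_sig)) != (ssize_t)sizeof(child_sig))
            child_sig = -1;
        waitpid(pid, NULL, 0);
    }
    close(pipefd[0]);
    return child_sig;
}

int main(void)
{
    int before = -1, after = pdeathsig_after_fork(&before);
    printf("process that set it: %d, its fork child: %d\n", before, after);
    return after == 0 ? 0 : 1;
}
```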
