From: Christian Brauner <christian.brauner@ubuntu.com>
To: Sargun Dhillon <sargun@sargun.me>
Cc: "Emilio Cobos Álvarez" <ealvarez@mozilla.com>,
"Arnd Bergmann" <arnd@arndb.de>, "Jann Horn" <jannh@google.com>,
"Gian-Carlo Pascutto" <gpascutto@mozilla.com>,
"Linux API" <linux-api@vger.kernel.org>,
"Linux Containers" <containers@lists.linux-foundation.org>,
"Jed Davis" <jld@mozilla.com>,
LKML <linux-kernel@vger.kernel.org>,
"Oleg Nesterov" <oleg@redhat.com>,
"Al Viro" <viro@zeniv.linux.org.uk>,
"Linux FS-devel Mailing List" <linux-fsdevel@vger.kernel.org>,
"Andy Lutomirski" <luto@amacapital.net>
Subject: Re: [PATCH v5 2/3] pid: Introduce pidfd_getfd syscall
Date: Sun, 22 Dec 2019 21:15:58 +0100 [thread overview]
Message-ID: <20191222201556.zcjceuwpel26jo37@wittgenstein> (raw)
In-Reply-To: <CAMp4zn-x3wiYVgmoVfkA61Epfh7JoEHUn5QCpULERxLPkLoMYA@mail.gmail.com>
On Sun, Dec 22, 2019 at 10:36:42AM -0800, Sargun Dhillon wrote:
> , On Sun, Dec 22, 2019 at 4:48 AM Christian Brauner
> <christian.brauner@ubuntu.com> wrote:
> >
> > On Fri, Dec 20, 2019 at 11:28:13PM +0000, Sargun Dhillon wrote:
> > > This syscall allows for the retrieval of file descriptors from other
> > > processes, based on their pidfd. This is possible using ptrace, and
> > > injection of parasitic code along with using SCM_RIGHTS to move
> > > file descriptors between a tracee and a tracer. Unfortunately, ptrace
> > > comes with a high cost of requiring the process to be stopped, and
> > > breaks debuggers. This does not require stopping the process under
> > > manipulation.
> > >
> > > One reason to use this is to allow sandboxers to take actions on file
> > > descriptors on the behalf of another process. For example, this can be
> > > combined with seccomp-bpf's user notification to do on-demand fd
> > > extraction and take privileged actions. For example, it can be used
> > > to bind a socket to a privileged port.
> > >
> > > /* prototype */
> > > /*
> > > * pidfd_getfd_options is an extensible struct which can have options
> > > * added to it. If options is NULL, size, and it will be ignored be
> > > * ignored, otherwise, size should be set to sizeof(*options). If
> > > * option is newer than the current kernel version, E2BIG will be
> > > * returned.
> > > */
> > > struct pidfd_getfd_options {};
> > > long pidfd_getfd(int pidfd, int fd, unsigned int flags,
> > > struct pidfd_getfd_options *options, size_t size);
> That's embarrassing. This was supposed to read:
> long pidfd_getfd(int pidfd, int fd, struct pidfd_get_options *options,
> size_t size);
>
> >
> > The prototype advertises a flags argument but the actual
> >
> > +SYSCALL_DEFINE4(pidfd_getfd, int, pidfd, int, fd,
> > + struct pidfd_getfd_options __user *, options, size_t, usize)
> >
> > does not have a flags argument...
> >
> > I think having a flags argument makes a lot of sense.
> >
> > I'm not sure what to think about the struct. I agree with Aleksa that
> > having an empty struct is not a great idea. From a design perspective it
> > seems very out of place. If we do a struct at all putting at least a
> > single reserved field in there might makes more sense.
> >
> > In general, I think we need to have a _concrete_ reason why putting a
> > struct versioned by size as arguments for this syscall.
> > That means we need to have at least a concrete example for a new feature
> > for this syscall where a flag would not convey enough information.
> I can think of at least two reasons we need flags:
> * Clearing cgroup flags
> * Closing the process under manipulation's FD when we fetch it.
>
> The original reason for wanting to have two places where we can put
> flags was to have a different field for fd flags vs. call flags. I'm not sure
> there's any flags you'd want to set.
>
> Given this, if we want to go down the route of a syscall, we should just
> leave it as a __u64 flags, and drop the pointer to the struct, if we're
I think it needs to be an unsigned int. Having a 64bit register arg is
really messy on 32bit and means you need to have a compat syscall
implementation which handles this.
Christian
next prev parent reply other threads:[~2019-12-22 20:15 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-12-20 23:28 [PATCH v5 2/3] pid: Introduce pidfd_getfd syscall Sargun Dhillon
2019-12-21 0:27 ` Aleksa Sarai
2019-12-21 1:45 ` Sargun Dhillon
2019-12-22 12:47 ` Christian Brauner
2019-12-22 18:36 ` Sargun Dhillon
2019-12-22 20:15 ` Christian Brauner [this message]
2019-12-24 11:09 ` kbuild test robot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20191222201556.zcjceuwpel26jo37@wittgenstein \
--to=christian.brauner@ubuntu.com \
--cc=arnd@arndb.de \
--cc=containers@lists.linux-foundation.org \
--cc=ealvarez@mozilla.com \
--cc=gpascutto@mozilla.com \
--cc=jannh@google.com \
--cc=jld@mozilla.com \
--cc=linux-api@vger.kernel.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=luto@amacapital.net \
--cc=oleg@redhat.com \
--cc=sargun@sargun.me \
--cc=viro@zeniv.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox