From mboxrd@z Thu Jan 1 00:00:00 1970 From: Florian Weimer Subject: Re: RFC: on adding new CLONE_* flags [WAS Re: [PATCH 0/4] clone: add CLONE_PIDFD] Date: Wed, 17 Apr 2019 14:19:29 +0200 Message-ID: <87v9zc6cz2.fsf@oldenburg2.str.redhat.com> References: <20190414201436.19502-1-christian@brauner.io> <20190415195911.z7b7miwsj67ha54y@yavin> Mime-Version: 1.0 Content-Type: text/plain Return-path: In-Reply-To: (Andy Lutomirski's message of "Mon, 15 Apr 2019 13:29:23 -0700") Sender: linux-kernel-owner@vger.kernel.org To: Andy Lutomirski Cc: Aleksa Sarai , "Enrico Weigelt, metux IT consult" , Christian Brauner , Linus Torvalds , Al Viro , Jann Horn , David Howells , Linux API , LKML , "Serge E. Hallyn" , Arnd Bergmann , "Eric W. Biederman" , Kees Cook , Thomas Gleixner , Michael Kerrisk , Andrew Morton , Oleg Nesterov , Joel Fernandes , Daniel Colascione List-Id: linux-api@vger.kernel.org * Andy Lutomirski: > I would personally *love* it if distros started setting no_new_privs > for basically all processes. Wouldn't no_new_privs inhibit all security transitions, including those that reduce privileges? And therefore effectively reduce security? > Anyway, clone(2) is an enormous mess. Surely the right solution here > is to have a whole new process creation API that takes a big, > extensible struct as an argument, and supports *at least* the full > abilities of posix_spawn() and ideally covers all the use cases for > fork() + do stuff + exec(). It would be nifty if this API also had a > way to say "add no_new_privs and therefore enable extra functionality > that doesn't work without no_new_privs". This functionality would > include things like returning a future extra-privileged pidfd that > gives ptrace-like access. I agree that consistent replacement for the clone system call makes sense. I'm not sure if covering everything that posix_spawn could do would make sense. There seems to be some demand to be able to do large parts of container setup using posix_spawn, so we'll probably add support for things like writing to arbitrary files eventually. And of course, proper error reporting, so that you can figure out which file creation action failed. Thanks, Florian