mbox series

[v3,0/4] Add pidfd getfd ioctl (Was Add ptrace get_fd request)

Message ID 20191217005842.GA14379@ircssh-2.c.rugged-nimbus-611.internal (mailing list archive)
Headers show
Series Add pidfd getfd ioctl (Was Add ptrace get_fd request) | expand

Message

Sargun Dhillon Dec. 17, 2019, 12:58 a.m. UTC
This patchset introduces a mechanism to capture file descriptors from other
processes by pidfd and ioctl. Although this can be achieved using
SCM_RIGHTS, and parasitic code injection, this offers a more
straightforward mechanism.

It has a flags mechanism that's only usable to set CLOEXEC on the fd,
but I'm thinking that it could be extended to other aspects. For example,
for sockets, one could want to scrub the cgroup information.

Changes since v2:
 * Move to ioctl on pidfd instead of ptrace function
 * Add security check before moving file descriptor

Changes since the RFC v1:
 * Introduce a new helper to fs/file.c to fetch a file descriptor from
   any process. It largely uses the code suggested by Oleg, with a few
   changes to fix locking
 * It uses an extensible options struct to supply the FD, and option.
 * I added a sample, using the code from the user-ptrace sample

Sargun Dhillon (4):
  vfs, fdtable: Add get_task_file helper
  pid: Add PIDFD_IOCTL_GETFD to fetch file descriptors from processes
  samples: split generalized user-trap code into helper file
  samples: Add example of using pidfd getfd in conjunction with user
    trap

 Documentation/ioctl/ioctl-number.rst |   1 +
 fs/file.c                            |  22 +++-
 include/linux/file.h                 |   2 +
 include/linux/pid.h                  |   1 +
 include/uapi/linux/pid.h             |  26 ++++
 kernel/fork.c                        |  72 ++++++++++
 samples/seccomp/.gitignore           |   1 +
 samples/seccomp/Makefile             |  15 ++-
 samples/seccomp/user-trap-helper.c   |  84 ++++++++++++
 samples/seccomp/user-trap-helper.h   |  13 ++
 samples/seccomp/user-trap-pidfd.c    | 190 +++++++++++++++++++++++++++
 samples/seccomp/user-trap.c          |  85 +-----------
 12 files changed, 424 insertions(+), 88 deletions(-)
 create mode 100644 include/uapi/linux/pid.h
 create mode 100644 samples/seccomp/user-trap-helper.c
 create mode 100644 samples/seccomp/user-trap-helper.h
 create mode 100644 samples/seccomp/user-trap-pidfd.c

Comments

Christian Brauner Dec. 17, 2019, 3:02 a.m. UTC | #1
On Tue, Dec 17, 2019 at 12:58:45AM +0000, Sargun Dhillon wrote:
> This patchset introduces a mechanism to capture file descriptors from other
> processes by pidfd and ioctl. Although this can be achieved using

I like the idea in general as it's quite useful in general. And also for
the seccomp notifier and probably for CRIU too.
A few things that crossed my mind.
A thing I'm worried about is that this will be a stepping stone for
people argue for an fd-replacement feature though I think that
fd-injection not replacement might be sufficient.

I wonder whether we need to worry about special file descriptors, i.e.
anything anon-inode based, or devpts devices but I guess those concerns
already apply to ptrace anyway.

One more thing, with GETFD it seems useful to me that later we can add
a new flag - like I suggested in the previous version - to the seccomp
notifier that would allow a caller to request that with each seccomp
message received via the notifier ioctl() from the kernel a pidfd is
sent along. This would make it quite elegant to get fds for the
supervised task.

Christian