On Sun, Mar 31, 2019 at 08:13:38PM -0600, Andy Lutomirski wrote: > > > > On Mar 31, 2019, at 3:17 PM, Linus Torvalds <[email protected]> > > wrote: > > > >> On Sun, Mar 31, 2019 at 2:10 PM Christian Brauner <[email protected]> > >> wrote: > >> > >> I don't think that we want or can make them equivalent since that would > >> mean we depend on procfs. > > > > Sure we can. > > > > If /proc is enabled, then you always do that dance YOU ALREADY WROTE > > THE CODE FOR to do the stupid ioctl. > > > > And if /procfs isn't enabled, then you don't do that. > > > > Ta-daa. Done. No stupid ioctl, and now /proc and pidfd_open() return > > the same damn thing. > > > > And guess what? If /proc isn't enabled, then obviously pidfd_open() > > gives you the /proc-less thing, but at least there is no crazy "two > > different file descriptors for the same thing" situation, because then > > the /proc one doesn't exist. > > > > I wish we could do this, and, in a clean design, it would be a no-brainer. > But /proc has too much baggage. Just to mention two such things, there’s > “net” and “../sys”. This crud is why we have all kinds of crazy rules that > prevent programs in sandboxes from making a new mounts and mounting /proc in > it. If we make it possible to clone a new process and this access /proc > without having /proc mounted, we’ll open up a big can of worms. > > Maybe we could have a sanitized view of /proc and make a pidfd be a directory > fd pointing at that.
We can also just create something like an internal bind-mount without a parent, i.e. similar to open_tree(<internal-procfs-mount>, "<pid>", OPEN_TREE_CLONE); on a clone(CLONE_PIDFD); that would block any openat(fd, "..");
