From: Simon Ser <contact@emersion.fr>
To: Christian Brauner <christian.brauner@ubuntu.com>
Cc: Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
"oleg@redhat.com" <oleg@redhat.com>,
"christian@brauner.io" <christian@brauner.io>,
"ebiederm@xmission.com" <ebiederm@xmission.com>
Subject: Re: SO_PEERCRED and pidfd
Date: Wed, 18 Mar 2020 10:16:07 +0000 [thread overview]
Message-ID: <WuCKXl7CWZrfvKTWuYiwL6tkPq2YgA_j1lyVVczFB48s8ozWz_setJou9JO-VqsL2kJtRV8r4yOvyQhI5LsdCdIaSKYZpY1_9Bf3DwpQIMg=@emersion.fr> (raw)
In-Reply-To: <20200317181843.iq3jaboqid2xfktv@wittgenstein>
On Tuesday, March 17, 2020 7:18 PM, Christian Brauner <christian.brauner@ubuntu.com> wrote:
> On Tue, Mar 17, 2020 at 05:54:47PM +0000, Simon Ser wrote:
>
> > Hi all,
> > I'm a Wayland developer and I've been working on protocol security,
> > which involves identifying the process on the other end of a Unix
> > socket [1]. This is already done by e.g. D-Bus via the PID, however
> > this is racy [2].
> > Getting the PID is done via SO_PEERCRED. Would there be interest in
> > adding a way to get a pidfd out of a Unix socket to fix the race?
>
> Puh, I knew this would happen. I've been asked to add this feature by
> the systemd people as well and also at a conference last year. And
> honestly, I don't know yet. pidfds right now are mostly about
> guaranteeing (stable) identity and they come with the necessary
> restrictions in place to prevent shenanigans (such as signaling across
> pid namespaces a restriction I'd like to lift at some point). But I
> have been thinking about attaching some capability like features to
> pidfds soon as that has been an even more frequent request. At that
> point having them receivable this way might be problematic unless we put
> restrictions in place.
Wouldn't this new mechanism just be an atomic getsockopt+pidfd_open?
(It would make sure the process is still alive of course.)
Can you elaborate wrt. capabilities? I'm not sure I understand what
that means.
> I would like to go through codepaths for SO_PEERCRED as I don't have
> them in my head and so can't really say something definitely about this
> just now.
> (From the top of my head it seems that if we were to do this it might
> need to be a separate SO_* flag? Mainly so people don't suddenly receive
> fds they didn't expect.)
Yeah, this would need to be either a separate SO_* flag or a completely
different thing to prevent surprises.
next prev parent reply other threads:[~2020-03-18 10:16 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-03-17 17:54 SO_PEERCRED and pidfd Simon Ser
2020-03-17 18:18 ` Christian Brauner
2020-03-18 10:16 ` Simon Ser [this message]
2020-03-18 12:21 ` Christian Brauner
2020-03-17 18:58 ` Eric W. Biederman
2020-03-18 10:31 ` Simon Ser
2020-03-18 11:56 ` Christian Brauner
2020-03-18 13:07 ` Eric W. Biederman
2020-03-18 13:43 ` Christian Brauner
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='WuCKXl7CWZrfvKTWuYiwL6tkPq2YgA_j1lyVVczFB48s8ozWz_setJou9JO-VqsL2kJtRV8r4yOvyQhI5LsdCdIaSKYZpY1_9Bf3DwpQIMg=@emersion.fr' \
--to=contact@emersion.fr \
--cc=christian.brauner@ubuntu.com \
--cc=christian@brauner.io \
--cc=ebiederm@xmission.com \
--cc=linux-kernel@vger.kernel.org \
--cc=oleg@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).