Re: [RESEND] RFC: pidfd_getfd(2) manual page

[Christian Brauner]

On Tue, Apr 07, 2020 at 08:49:35PM +0200, Michael Kerrisk (man-pages) wrote:
> [No response on my mail of a week ago, so I try again; the page
> text is unchanged since the draft sent out on 31 March]

Sorry for the delay.

> 
> Hello Sargun et al.
> 
> I've taken a shot at writing a manual page for pidfd_getfd().
> I would be happy to receive comments, suggestions for
> improvements, etc. The text is as follows (the groff source 
> is at the foot of this mail):

Thanks for that! Really appreciated. Just a few nits below.

> 
> NAME
>        pidfd_getfd  -  obtain  a  duplicate  of  another  process's  file
>        descriptor
> 
> SYNOPSIS
>        int pidfd_getfd(int pidfd, int targetfd, unsigned int flags);
> 
> DESCRIPTION
>        The pidfd_getfd() system call allocates a new file  descriptor  in
>        the  calling  process.  This new file descriptor is a duplicate of
>        an existing file descriptor, targetfd, in the process referred  to
>        by the PID file descriptor pidfd.
> 
>        The  duplicate  file  descriptor  refers  to  the  same  open file
>        description (see open(2)) as the original file descriptor  in  the
>        process referred to by pidfd.  The two file descriptors thus share
>        file status flags and file offset.  Furthermore, operations on the
>        underlying  file  object  (for  example, assigning an address to a
>        socket object using bind(2)) can be equally be performed  via  the

s/can be equally be performed/can be equally performed
?

>        duplicate file descriptor.
> 
>        The  close-on-exec  flag  (FD_CLOEXEC; see fcntl(2)) is set on the
>        file descriptor returned by pidfd_getfd().
> 
>        The flags argument is reserved for future use.  Currently, it must
>        be specified as 0.
> 
>        Permission  to duplicate another process's file descriptor is govâ
>        erned by a ptrace access mode  PTRACE_MODE_ATTACH_REALCREDS  check
>        (see ptrace(2)).
> 
> RETURN VALUE
>        On  success,  pidfd_getfd() returns a nonnegative file descriptor.

Imho, this makes it sound like there are negative file descriptor
numbers. But as a non-native speaker that might just be a subtle
misreading on my part. Maybe just like open() just mention:
"On success, pidfd_getfd() returns a file descriptor."

>        On error, -1 is returned and errno is set to indicate the cause of
>        the error.
> 
> ERRORS
>        EBADF  pidfd is not a valid PID file descriptor.
> 
>        EBADF  targetfd  is  not  an  open  file descriptor in the process
>               referred to by pidfd.
> 
>        EINVAL flags is not 0.
> 
>        EMFILE The per-process limit on the number of open  file  descripâ
>               tors has been reached (see the description of RLIMIT_NOFILE
>               in getrlimit(2)).
> 
>        ENFILE The system-wide limit on the total number of open files has
>               been reached.
> 
>        ESRCH  The  process  referred to by pidfd does not exist (i.e., it
>               has terminated and been waited on).

EPERM	The calling process did not have PTRACE_MODE_ATTACH_REALCREDS
	permissions (see ptrace(2)) over the process referred to by
	pidfd.

Technically, there should also be a disclaimer that other errno values
are possible because of LSM denials, e.g. selinux could return EACCES or
any other errno code in their file_receive() hook. But I'm not whether we
generally do this. In any case, I would find it useful as a developer.

(Is there actually a place where all LSMs are forced to record their
errno returns for their security hooks for each syscall they hook into and
that's visible to userspace? Because that'd be really useful...)

Christian