Re: [PATCH v2 2/2] pidfd: change pidfd_send_signal() to respect PIDFD_THREAD

From: Christian Brauner
Date: Tue Feb 20 2024 - 08:01:19 EST

Next message: Anup Patel: "Re: [PATCH v13 06/13] irqchip: Add RISC-V incoming MSI controller early driver"
Previous message: Abel Vesa: "[PATCH RFC v4 4/4] spmi: pmic-arb: Add multi bus support"
In reply to: Oleg Nesterov: "Re: [PATCH v2 2/2] pidfd: change pidfd_send_signal() to respect PIDFD_THREAD"
Next in thread: Oleg Nesterov: "Re: [PATCH v2 2/2] pidfd: change pidfd_send_signal() to respect PIDFD_THREAD"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Tue, Feb 20, 2024 at 12:00:12PM +0100, Oleg Nesterov wrote:
> On 02/20, Christian Brauner wrote:
> >
> > On Tue, Feb 20, 2024 at 10:02:56AM +0100, Oleg Nesterov wrote:
> > >
> > > Ah. IIRC criu uses this hack to restore the pending (arbitrary) signals
> > > collected at dump time.
> > >
> > > I was a bit surprise sys_pidfd_send_signal() allows this hack too, I don't
> >
> > I think that we simply mirrored the restrictions in the other system
> > calls.
> >
> > > think that criu uses pidfd at restore time, but I do not know.
> >
> > Hm, I just checked and it doesn't use pidfd_send_signal(). It uses
> > pidfds but only for pid reuse detection for RPC clients.
>
> But perhaps something else already uses pidfd_send_signal() with info != NULL
> or with info->si_code == SI_USER, we can't know. Please see below.
>
> > So right now si_code is blocked for >= 0 and for SI_TKILL. If we were to
> > simply ensure that si_code can't be < 0 then this amounts to effectively
> > blocking @info from being filled in by userspace at all. Because 0 is a
> > valid value.
>
> I'am afraid I misunderstand you again... 0 == SI_USER is not a valid value
> when siginfo != NULL.

Yes, I know. We're on the same page. I would just have preferred to
restrict remulating si_code completely because we don't know whether
that's actually used for pidfd_send_signal(). The point I was trying to
make is that si_code has no value that means "unset" so restricting
si_code further means always rejecting @info when it's passed.

>
> Perhaps we can kill the "task_pid(current) != pid" check and just return
> EPERM if "kinfo.si_code >= 0 || kinfo.si_code == SI_TKILL", I don't think
> anobody needs pidfd_send_send_signal() to signal yourself. See below.

Yeah.

>
> > + /* Currently unused. */
> > + if (info)
> > + return -EINVAL;
>
> Well, to me this looks like the unnecessary restriction... And why?

Because right now we aren't sure that it's used and we aren't sure what
use-cases are there.

>
> But whatever we do,
>
> > - /* Only allow sending arbitrary signals to yourself. */
> > - ret = -EPERM;
> > - if ((task_pid(current) != pid) &&
> > - (kinfo.si_code >= 0 || kinfo.si_code == SI_TKILL))
> > - goto err;
>
> Can I suggest to fix this check in your tree (add type > PIDTYPE_TGID as
> we discussed) first, then do other changes on top?

Yes, absolutely. That was always the plan. See appended patch I put on top.
I put you as author since you did spot this. Let me know if you don't
want that.

Next message: Anup Patel: "Re: [PATCH v13 06/13] irqchip: Add RISC-V incoming MSI controller early driver"
Previous message: Abel Vesa: "[PATCH RFC v4 4/4] spmi: pmic-arb: Add multi bus support"
In reply to: Oleg Nesterov: "Re: [PATCH v2 2/2] pidfd: change pidfd_send_signal() to respect PIDFD_THREAD"
Next in thread: Oleg Nesterov: "Re: [PATCH v2 2/2] pidfd: change pidfd_send_signal() to respect PIDFD_THREAD"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]