BACKPORT: clone: add CLONE_PIDFD

This patchset makes it possible to retrieve pid file descriptors at
process creation time by introducing the new flag CLONE_PIDFD to the
clone() system call.  Linus originally suggested to implement this as a
new flag to clone() instead of making it a separate system call.  As
spotted by Linus, there is exactly one bit for clone() left.

CLONE_PIDFD creates file descriptors based on the anonymous inode
implementation in the kernel that will also be used to implement the new
mount api.  They serve as a simple opaque handle on pids.  Logically,
this makes it possible to interpret a pidfd differently, narrowing or
widening the scope of various operations (e.g. signal sending).  Thus, a
pidfd cannot just refer to a tgid, but also a tid, or in theory - given
appropriate flag arguments in relevant syscalls - a process group or
session. A pidfd does not represent a privilege.  This does not imply it
cannot ever be that way but for now this is not the case.

A pidfd comes with additional information in fdinfo if the kernel supports
procfs.  The fdinfo file contains the pid of the process in the callers
pid namespace in the same format as the procfs status file, i.e. "Pid:\t%d".

As suggested by Oleg, with CLONE_PIDFD the pidfd is returned in the
parent_tidptr argument of clone.  This has the advantage that we can
give back the associated pid and the pidfd at the same time.

To remove worries about missing metadata access this patchset comes with
a sample program that illustrates how a combination of CLONE_PIDFD, and
pidfd_send_signal() can be used to gain race-free access to process
metadata through /proc/<pid>.  The sample program can easily be
translated into a helper that would be suitable for inclusion in libc so
that users don't have to worry about writing it themselves.

Suggested-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Christian Brauner <christian@brauner.io>
Co-developed-by: Jann Horn <jannh@google.com>
Signed-off-by: Jann Horn <jannh@google.com>
Reviewed-by: Oleg Nesterov <oleg@redhat.com>
Cc: Arnd Bergmann <arnd@arndb.de>
Cc: "Eric W. Biederman" <ebiederm@xmission.com>
Cc: Kees Cook <keescook@chromium.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: David Howells <dhowells@redhat.com>
Cc: "Michael Kerrisk (man-pages)" <mtk.manpages@gmail.com>
Cc: Perry Lutomirsky <luto@kernel.org>
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: Aleksa Sarai <cyphar@cyphar.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Al Viro <viro@zeniv.linux.org.uk>
(cherry picked from commit b3e5838252665ee4cfa76b82bdf1198dca81e5be)

Conflicts:
        kernel/fork.c

(1. Replaced proc_pid_ns() with its direct implementation.)

Mot-CRs-fixed: (CR)

Bug: 135608568
Test: test program using syscall(__NR_sys_pidfd_open,..) and poll()
Change-Id: I3c804a92faea686e5bf7f99df893fe3a5d87ddf7
Signed-off-by: Suren Baghdasaryan <surenb@google.com>
Reviewed-on: https://gerrit.mot.com/1505851
SLTApproved: Slta Waiver
SME-Granted: SME Approvals Granted
Tested-by: Jira Key
Reviewed-by: Wang Wang <wangwang1@lenovo.com>
Reviewed-by: Yonghui Jia <jiayh2@motorola.com>
Submit-Approved: Jira Key
Reviewed-on: https://gerrit.mot.com/1796159
Reviewed-by: Xiangpo Zhao <zhaoxp3@motorola.com>

diff --git a/include/linux/pid.h b/include/linux/pid.h
index dfd684ce078754682c31e631146dc24368336a8b..b032d8cbd54b4e636e9cf6b01e022b1be0ab2267 100644 (file)
--- a/include/linux/pid.h
+++ b/include/linux/pid.h
@@ -75,6 +75,8 @@ struct pid_link
        struct pid *pid;
 };
 
+extern const struct file_operations pidfd_fops;
+
 static inline struct pid *get_pid(struct pid *pid)
 {
        if (pid)

diff --git a/include/uapi/linux/sched.h b/include/uapi/linux/sched.h
index 30a9e51bbb1e583fc5344ba0ef849cd4c464b72f..d9cc90a40cf3c4a14a85b278e796f697ae4bcb8a 100644 (file)
--- a/include/uapi/linux/sched.h
+++ b/include/uapi/linux/sched.h
@@ -10,6 +10,7 @@
 #define CLONE_FS       0x00000200      /* set if fs info shared between processes */
 #define CLONE_FILES    0x00000400      /* set if open files shared between processes */
 #define CLONE_SIGHAND  0x00000800      /* set if signal handlers and blocked signals shared */
+#define CLONE_PIDFD    0x00001000      /* set if a pidfd should be placed in parent */
 #define CLONE_PTRACE   0x00002000      /* set if we want to let tracing continue on the child too */
 #define CLONE_VFORK    0x00004000      /* set if the parent wants the child to wake it up on mm_release */
 #define CLONE_PARENT   0x00008000      /* set if we want to have the same parent as the cloner */

diff --git a/kernel/fork.c b/kernel/fork.c
index 5d81e13fe12796ff3bc113f9a1072972c7c42865..63acabe0007ef315be7a83e010cfc1dbe68f1f6c 100644 (file)
--- a/kernel/fork.c
+++ b/kernel/fork.c
@@ -11,6 +11,7 @@
  * management can be a bitch. See 'mm/memory.c': 'copy_page_range()'
  */
 
+#include <linux/anon_inodes.h>
 #include <linux/slab.h>
 #include <linux/sched/autogroup.h>
 #include <linux/sched/mm.h>
@@ -48,6 +49,7 @@
 #include <linux/security.h>
 #include <linux/hugetlb.h>
 #include <linux/seccomp.h>
+#include <linux/seq_file.h>
 #include <linux/swap.h>
 #include <linux/syscalls.h>
 #include <linux/jiffies.h>
@@ -1517,6 +1519,58 @@ init_task_pid(struct task_struct *task, enum pid_type type, struct pid *pid)
         task->pids[type].pid = pid;
 }
 
+static int pidfd_release(struct inode *inode, struct file *file)
+{
+       struct pid *pid = file->private_data;
+
+       file->private_data = NULL;
+       put_pid(pid);
+       return 0;
+}
+
+#ifdef CONFIG_PROC_FS
+static void pidfd_show_fdinfo(struct seq_file *m, struct file *f)
+{
+       struct pid_namespace *ns = file_inode(m->file)->i_sb->s_fs_info;
+       struct pid *pid = f->private_data;
+
+       seq_put_decimal_ull(m, "Pid:\t", pid_nr_ns(pid, ns));
+       seq_putc(m, '\n');
+}
+#endif
+
+const struct file_operations pidfd_fops = {
+       .release = pidfd_release,
+#ifdef CONFIG_PROC_FS
+       .show_fdinfo = pidfd_show_fdinfo,
+#endif
+};
+
+/**
+ * pidfd_create() - Create a new pid file descriptor.
+ *
+ * @pid:  struct pid that the pidfd will reference
+ *
+ * This creates a new pid file descriptor with the O_CLOEXEC flag set.
+ *
+ * Note, that this function can only be called after the fd table has
+ * been unshared to avoid leaking the pidfd to the new process.
+ *
+ * Return: On success, a cloexec pidfd is returned.
+ *         On error, a negative errno number will be returned.
+ */
+static int pidfd_create(struct pid *pid)
+{
+       int fd;
+
+       fd = anon_inode_getfd("[pidfd]", &pidfd_fops, get_pid(pid),
+                             O_RDWR | O_CLOEXEC);
+       if (fd < 0)
+               put_pid(pid);
+
+       return fd;
+}
+
 static inline void rcu_copy_process(struct task_struct *p)
 {
 #ifdef CONFIG_PREEMPT_RCU
@@ -1544,13 +1598,14 @@ static __latent_entropy struct task_struct *copy_process(
                                        unsigned long clone_flags,
                                        unsigned long stack_start,
                                        unsigned long stack_size,
+                                       int __user *parent_tidptr,
                                        int __user *child_tidptr,
                                        struct pid *pid,
                                        int trace,
                                        unsigned long tls,
                                        int node)
 {
-       int retval;
+       int pidfd = -1, retval;
        struct task_struct *p;
 
        if ((clone_flags & (CLONE_NEWNS|CLONE_FS)) == (CLONE_NEWNS|CLONE_FS))
@@ -1595,6 +1650,31 @@ static __latent_entropy struct task_struct *copy_process(
                        return ERR_PTR(-EINVAL);
        }
 
+       if (clone_flags & CLONE_PIDFD) {
+               int reserved;
+
+               /*
+                * - CLONE_PARENT_SETTID is useless for pidfds and also
+                *   parent_tidptr is used to return pidfds.
+                * - CLONE_DETACHED is blocked so that we can potentially
+                *   reuse it later for CLONE_PIDFD.
+                * - CLONE_THREAD is blocked until someone really needs it.
+                */
+               if (clone_flags &
+                   (CLONE_DETACHED | CLONE_PARENT_SETTID | CLONE_THREAD))
+                       return ERR_PTR(-EINVAL);
+
+               /*
+                * Verify that parent_tidptr is sane so we can potentially
+                * reuse it later.
+                */
+               if (get_user(reserved, parent_tidptr))
+                       return ERR_PTR(-EFAULT);
+
+               if (reserved != 0)
+                       return ERR_PTR(-EINVAL);
+       }
+
        retval = -ENOMEM;
        p = dup_task_struct(current, node);
        if (!p)
@@ -1783,6 +1863,22 @@ static __latent_entropy struct task_struct *copy_process(
                }
        }
 
+       /*
+        * This has to happen after we've potentially unshared the file
+        * descriptor table (so that the pidfd doesn't leak into the child
+        * if the fd table isn't shared).
+        */
+       if (clone_flags & CLONE_PIDFD) {
+               retval = pidfd_create(pid);
+               if (retval < 0)
+                       goto bad_fork_free_pid;
+
+               pidfd = retval;
+               retval = put_user(pidfd, parent_tidptr);
+               if (retval)
+                       goto bad_fork_put_pidfd;
+       }
+
 #ifdef CONFIG_BLOCK
        p->plug = NULL;
 #endif
@@ -1843,7 +1939,7 @@ static __latent_entropy struct task_struct *copy_process(
         */
        retval = cgroup_can_fork(p);
        if (retval)
-               goto bad_fork_free_pid;
+               goto bad_fork_put_pidfd;
 
        /*
         * From this point on we must avoid any synchronous user-space
@@ -1958,6 +2054,9 @@ bad_fork_cancel_cgroup:
        spin_unlock(&current->sighand->siglock);
        write_unlock_irq(&tasklist_lock);
        cgroup_cancel_fork(p);
+bad_fork_put_pidfd:
+       if (clone_flags & CLONE_PIDFD)
+               sys_close(pidfd);
 bad_fork_free_pid:
        cgroup_threadgroup_change_end(current);
        if (pid != &init_struct_pid)
@@ -2020,7 +2119,7 @@ static inline void init_idle_pids(struct pid_link *links)
 struct task_struct *fork_idle(int cpu)
 {
        struct task_struct *task;
-       task = copy_process(CLONE_VM, 0, 0, NULL, &init_struct_pid, 0, 0,
+       task = copy_process(CLONE_VM, 0, 0, NULL, NULL, &init_struct_pid, 0, 0,
                            cpu_to_node(cpu));
        if (!IS_ERR(task)) {
                init_idle_pids(task->pids);
@@ -2065,7 +2164,7 @@ long _do_fork(unsigned long clone_flags,
                        trace = 0;
        }
 
-       p = copy_process(clone_flags, stack_start, stack_size,
+       p = copy_process(clone_flags, stack_start, stack_size, parent_tidptr,
                         child_tidptr, NULL, trace, tls, NUMA_NO_NODE);
        add_latent_entropy();
        /*