diff options
| author | Christian Brauner <brauner@kernel.org> | 2025-04-14 16:41:42 +0200 |
|---|---|---|
| committer | Christian Brauner <brauner@kernel.org> | 2025-05-02 14:28:47 +0200 |
| commit | 4dd6566b5a8ca1e8c9ff2652c2249715d6c64217 (patch) | |
| tree | 19d4689861b1b941221e84cfea2a8ff23603a151 /net/unix/af_unix.c | |
| parent | e1b477c21300a928a7765a03cb96ca36c4dcf5ed (diff) | |
| parent | b5325b2a270fcaf7b2a9a0f23d422ca8a5a8bdea (diff) | |
Merge patch series "coredump: hand a pidfd to the usermode coredump helper"
Christian Brauner <brauner@kernel.org> says:
Give userspace a way to instruct the kernel to install a pidfd for the
crashing process into the process started as a usermode helper. There's
still tricky race-windows that cannot be easily or sometimes not closed
at all by userspace. There's various ways like looking at the start time
of a process to make sure that the usermode helper process is started
after the crashing process but it's all very very brittle and fraught
with peril.
The crashed-but-not-reaped process can be killed by userspace before
coredump processing programs like systemd-coredump have had time to
manually open a PIDFD from the PID the kernel provides them, which means
they can be tricked into reading from an arbitrary process, and they run
with full privileges as they are usermode helper processes.
Even if that specific race-window wouldn't exist it's still the safest
and cleanest way to let the kernel provide the pidfd directly instead of
requiring userspace to do it manually. In parallel with this commit we
already have systemd adding support for this in [1].
When the usermode helper process is forked we install a pidfd file
descriptor three into the usermode helper's file descriptor table so
it's available to the exec'd program.
Since usermode helpers are either children of the system_unbound_wq
workqueue or kthreadd we know that the file descriptor table is empty
and can thus always use three as the file descriptor number.
Note, that we'll install a pidfd for the thread-group leader even if a
subthread is calling do_coredump(). We know that task linkage hasn't
been removed yet and even if this @current isn't the actual thread-group
leader we know that the thread-group leader cannot be reaped until
@current has exited.
[1]: https://github.com/systemd/systemd/pull/37125
* patches from https://lore.kernel.org/20250414-work-coredump-v2-0-685bf231f828@kernel.org:
coredump: hand a pidfd to the usermode coredump helper
coredump: fix error handling for replace_fd()
pidfs: move O_RDWR into pidfs_alloc_file()
Link: https://lore.kernel.org/20250414-work-coredump-v2-0-685bf231f828@kernel.org
Signed-off-by: Christian Brauner <brauner@kernel.org>
Diffstat (limited to 'net/unix/af_unix.c')
0 files changed, 0 insertions, 0 deletions