On Wed, Mar 27, 2019 at 7:38 PM Jonathan Kowalski <bl0pbl33p@xxxxxxxxx> wrote:
> ...
> ... the process cannot get it out
> of thin air on its own (and you already mentioned it has nothing to do
> with security). What I do worry about is one can use NS_GET_PARENT

disregard this, it works as it should.

> ioctl to get the parent pidns if the owning userns is the same, and
> just passing that gives me back a pidfd for the task. **So, you might
> want to add the constraint that the PID is actually reachable by the
> current task as well, apart from being reachable in the passed in
> namespace.**
>
> Lastly, I also see no need of /proc/<PID> dir fd to pidfd conversion,
> I would even recommend getting rid of that, so we only have one type
> of pidfd, the anon inode one. What is the use case behind that? It
> would only be needed if you did not have a way to access metadata
> through a pidfd, which would be the case only prior to this
> patch.
>
> I think this would simplify a lot of things, and ioctl_ns(2) is
> probably already the place to do comparison operations and query
> operations on hierarchical namespaces, just adding the relative PID bit
> will make it gain feature parity with translate_pid.