On Sun, Mar 31, 2019 at 3:03 PM Christian Brauner <christian@xxxxxxxxxx> wrote: > > Thanks for the input. The problem Jann and I saw with this is that it > would be awkward to have the kernel open a file in some procfs instance, > since then userspace would have to specify which procfs instance the fd > should come from. I would actually suggest we just make the rules be that the pidfd_open() always return the internal /proc entry regardless of any mount-point (or any "hidepid") but also suggest that exactly *because* it gives you visibility into the target pid, you'd basically require the strictest kind of control of the process you're trying to get the pidfd of. Ie likely something along the lines of ptrace_may_access(task, PTRACE_MODE_ATTACH_REALCREDS) kind of requirements. But honestly, just how much do you need pidfd_open()? If this is purely because somebody goes "oh, ASCII is expensive", then just stop doing it entirely. It's not. It's fine. Going throuigh a filesystem is a *good* thing, exactly because it allows MIS to control it. So it's entirely possible that the right answer is: "just open /proc/<pid>/", and accept the fact that everybody has it anyway, and people who don't have it don't get the new functionality (with the possible exception of clone(CLONE_PIDFD), which only gives you access to a child you created yourself. Linus