On Sun, Mar 31, 2019 at 3:16 PM Linus Torvalds <torvalds@xxxxxxxxxxxxxxxxxxxx> wrote: > > I would actually suggest we just make the rules be that the > pidfd_open() always return the internal /proc entry regardless of any > mount-point (or any "hidepid") The clever alternative, which might be the RightWay(tm) is to just create a completely unattached dentry, and basically tie it into the actual /proc filesystem hierarchy at lookup() time when somebody does the openat() using it for the first time. You'd get a very simple callback: since the dentry would be unattached, you'd be guaranteed to get a "lookup()" from the VFS layer, and that lookup would then do the "hook into the actual /proc filesystem". We already kind of do things like that in the VFS layer when we have unattached dentries (because of "look up by filehandle" etc). In many ways the "pidfd_open()" really is exactly a "look up by file handle" operation, it just so happens that the "file handle" is just the pid/namespace combination. And if the splice alias (which is what the VFS layer calls that "tie aliased dentry to the parent" operation) fails, because the /proc filesystem isn't mounted or whatever, then trying to look up names off the thing will also fail. It's a tiny bit too clever for my taste, and it's not *exactly* the same thing as our normal inode alias handling, but it's pretty close conceptually (and even practically). So it would basically do something very similar to the ioctl, but it would do it implicitly and automatically at that first lookup. That would also mean that you'd not actually pay the cost of doing any of this *unless* you also end up trying to open things in /proc using that pidfd. Linus