On 16.04.19 23:31, Andy Lutomirski wrote: >> How exactly would the pidfd improve this scenario ? >> IMHO, would just need to pass the inherited fd's to that daemon (eg. >> via unix socket) which then sets them up in the new child process. > > It makes it easier to wait until the privileged program exits. > Without pidfd, you can't just wait(2) because the program that gets > spawned isn't a child. Ah, that is a cool thing ! I suppose that also works across namespaces ? What other things can be done via pidfd ? >> But: how can we handle things like cgroups ? > > Find a secure way to tell the daemon what cgroups to use? hmm, do we have some fd-handle to cgroups ? In that case a process could send a handle of his cgroup to some other process (eg. some "login" deamon) allowing him to join in. We could look at cgroups more as kind of capabilities instead of limitations (eg. things like: members of cgroup "net-foo1" are granted n% of network bandwith, etc). That would open up completely new approaches to security and resource control :) It could go even further: anybody can create new cgroups within his own, narrow down some limits and pass this to some other agent that acts on behalf of him and is allowed to use his share of the system resources for that. --mtx -- Enrico Weigelt, metux IT consult Free software and Linux embedded engineering info@xxxxxxxxx -- +49-151-27565287