* Christian Brauner:

> On Fri, Dec 08, 2023 at 02:15:58PM +0100, Florian Weimer wrote:
>> * Christian Brauner:
>>
>> > File descriptors are reachable for all processes/threads that share a
>> > file descriptor table. Changing that means breaking core userspace
>> > assumptions about how file descriptors work. That's not going to happen
>> > as far as I'm concerned.
>>
>> It already has happened, though? Threads are free to call
>> unshare(CLONE_FILES). I'm sure that we have applications out there that
>
> If you unshare a file descriptor table it will affect all file
> descriptors of a given task. We don't allow hiding individual or ranges
> of file descriptors from close/dup. That's akin to a partially shared
> file descriptor table which is conceptually probably doable but just
> plain weird and nasty to get right imho.
>
> This really is either LSM territory to block such operations or use
> stuff like io_uring gives you.

Sorry, I misunderstood. I'm imagining something that doesn't share
partial tables and relies on explicit action to make available a
descriptor from a separate, different table in another table, based on
some unique identifier (that is a bit more random than a file
descriptor). So a bit similar to the existing systemd service, but not
targeted at service restarts.

Thanks,
Florian
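The whole-table semantics of unshare(CLONE_FILES) that the exchange above turns on, as an added example that is not part of the thread and not code from either participant: two threads share one descriptor table, and a close() in one thread is visible to the other; once the closing thread calls unshare(CLONE_FILES) first, it gets a private copy of the entire table and its close() no longer touches what the other thread sees. There is no call to detach a single descriptor or a range, which is the point Christian makes. The example assumes Linux with pthreads; the fallback CLONE_FILES value is the one from <linux/sched.h>, and the raw SYS_unshare syscall is used in place of the unshare(2) wrapper only so the block compiles without feature-test macros.

```c
/* Added example, not from the thread: demonstrates that unshare(CLONE_FILES)
 * detaches the calling thread's *whole* descriptor table. Linux only. */
#include <fcntl.h>
#include <pthread.h>
#include <stdio.h>
#include <sys/syscall.h>   /* SYS_unshare */
#include <unistd.h>

#ifndef CLONE_FILES
#define CLONE_FILES 0x00000400   /* value from <linux/sched.h> */
#endif

struct closer_args {
    int fd;          /* descriptor the worker thread closes */
    int do_unshare;  /* nonzero: detach the worker's fd table first */
    int unshare_rc;  /* return value of unshare(), 0 if not attempted */
};

static void *closer(void *p)
{
    struct closer_args *a = p;
    a->unshare_rc = 0;
    if (a->do_unshare) {
        /* Same as unshare(CLONE_FILES): the calling thread gets a private
         * copy of the entire descriptor table. Individual descriptors or
         * ranges cannot be unshared, only the whole table. */
        a->unshare_rc = (int)syscall(SYS_unshare, CLONE_FILES);
        if (a->unshare_rc != 0)
            return NULL;
    }
    /* Shared table: this closes the fd for every thread in the process.
     * Unshared table: it only closes the slot in the worker's own copy. */
    close(a->fd);
    return NULL;
}

/* Returns 1 if fd is still open in the calling thread after a worker thread
 * closed it, 0 if that close was visible here, -1 on setup failure
 * (including unshare() being refused, e.g. by a seccomp filter). */
int fd_survives_close_in_other_thread(int do_unshare)
{
    int pipefd[2];
    if (pipe(pipefd) != 0)
        return -1;

    struct closer_args a = { .fd = pipefd[0], .do_unshare = do_unshare,
                             .unshare_rc = 0 };
    pthread_t t;
    if (pthread_create(&t, NULL, closer, &a) != 0) {
        close(pipefd[0]);
        close(pipefd[1]);
        return -1;
    }
    pthread_join(t, NULL);

    if (a.unshare_rc != 0) {
        /* Worker never reached close(); both ends are still ours. */
        close(pipefd[0]);
        close(pipefd[1]);
        return -1;
    }

    /* F_GETFD is a cheap validity probe: -1/EBADF means the slot is gone. */
    int alive = fcntl(pipefd[0], F_GETFD) != -1;
    if (alive)
        close(pipefd[0]);
    close(pipefd[1]);
    return alive;
}

int main(void)
{
    printf("shared table, close() in other thread: fd %s\n",
           fd_survives_close_in_other_thread(0) == 1 ? "survives" : "is gone");
    printf("after unshare(CLONE_FILES) in other thread: fd %s\n",
           fd_survives_close_in_other_thread(1) == 1 ? "survives" : "is gone");
    return 0;
}
```

The worker's private table is dropped when the thread exits, so the write end it copied is released without the main thread noticing; the main thread's own copy of the write end is unaffected either way. Note that nothing here lets a thread hide only pipefd[0] from the others while keeping pipefd[1] shared, which is the "partially shared table" Christian declines to support.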