On Sun, Nov 18, 2018 at 12:43 PM, Christian Brauner <christian@xxxxxxxxxx> wrote: > On Sun, Nov 18, 2018 at 01:28:41PM -0700, Andy Lutomirski wrote: >> >> >> > On Nov 18, 2018, at 12:44 PM, Daniel Colascione <dancol@xxxxxxxxxx> wrote: >> > >> >> > >> > That is, I'm proposing an API that looks like this: >> > >> > int process_kill(int procfs_dfd, int signo, const union sigval value) >> > >> > If, later, process_kill were to *also* accept process-capability FDs, >> > nothing would break. >> >> Except that this makes it ambiguous to the caller as to whether their current creds are considered. So it would need to be a different syscall or at least a flag. Otherwise a lot of those nice theoretical properties go away. > > I can add a flag argument > int process_signal(int procfs_dfd, int signo, siginfo_t *info, int flags) > The way I see it process_signal() should be equivalent to kill(pid, signal) for now. > That is siginfo_t is cleared and set to: > > info.si_signo = sig; > info.si_errno = 0; > info.si_code = SI_USER; > info.si_pid = task_tgid_vnr(current); > info.si_uid = from_kuid_munged(current_user_ns(), current_uid()); That makes sense. I just don't want to get into a situation where callers feel that they *have* to use the PID-based APIs to send a signal because process_kill doesn't offer some bit of functionality. Are you imagining something like requiring info t be NULL unless flags contains some "I have a siginfo_t" value? BTW: passing SI_USER to rt_sigqueueinfo *should* as long as the passed-in si_pid and si_uid match what the kernel would set them to in the kill(2) case. The whole point of SI_USER is that the recipient knows that it can trust the origin information embedded in the siginfo_t in the signal handler. If the kernel verifies that a signal sender isn't actually lying, why not let people send SI_USER with rt_sigqueueinfo?
