On Tue, Dec 17, 2019 at 12:58:45AM +0000, Sargun Dhillon wrote:
> This patchset introduces a mechanism to capture file descriptors from other
> processes by pidfd and ioctl. Although this can be achieved using

I like the idea in general as it's quite useful in general. And also for the
seccomp notifier and probably for CRIU too.

A few things that crossed my mind.

A thing I'm worried about is that this will be a stepping stone for people to
argue for an fd-replacement feature, though I think that fd-injection, not
replacement, might be sufficient.

I wonder whether we need to worry about special file descriptors, i.e. anything
anon-inode based, or devpts devices, but I guess those concerns already apply
to ptrace anyway.

One more thing, with GETFD it seems useful to me that later we can add a new
flag - like I suggested in the previous version - to the seccomp notifier that
would allow a caller to request that with each seccomp message received via the
notifier ioctl() from the kernel a pidfd is sent along. This would make it
quite elegant to get fds for the supervised task.

Christian