alistair23-linux/samples/pidfd/pidfd-metadata.c

// SPDX-License-Identifier: GPL-2.0

#define _GNU_SOURCE
#include <err.h>
#include <errno.h>
#include <fcntl.h>
#include <inttypes.h>
#include <limits.h>
#include <sched.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#ifndef CLONE_PIDFD
#define CLONE_PIDFD 0x00001000
#endif

#ifndef __NR_pidfd_send_signal
#define __NR_pidfd_send_signal -1
#endif

static int do_child(void *args)
{
	printf("%d\n", getpid());
	_exit(EXIT_SUCCESS);
}

static pid_t pidfd_clone(int flags, int *pidfd)
{
	size_t stack_size = 1024;
	char *stack[1024] = { 0 };

#ifdef __ia64__
	return __clone2(do_child, stack, stack_size, flags | SIGCHLD, NULL, pidfd);
#else
	return clone(do_child, stack + stack_size, flags | SIGCHLD, NULL, pidfd);
#endif
}

static inline int sys_pidfd_send_signal(int pidfd, int sig, siginfo_t *info,
					unsigned int flags)
{
	return syscall(__NR_pidfd_send_signal, pidfd, sig, info, flags);
}

static int pidfd_metadata_fd(pid_t pid, int pidfd)
{
	int procfd, ret;
	char path[100];

	snprintf(path, sizeof(path), "/proc/%d", pid);
	procfd = open(path, O_DIRECTORY | O_RDONLY | O_CLOEXEC);
	if (procfd < 0) {
		warn("Failed to open %s\n", path);
		return -1;
	}

	/*
	 * Verify that the pid has not been recycled and our /proc/<pid> handle
	 * is still valid.
	 */
	ret = sys_pidfd_send_signal(pidfd, 0, NULL, 0);
	if (ret < 0) {
		switch (errno) {
		case EPERM:
			/* Process exists, just not allowed to signal it. */
			break;
		default:
			warn("Failed to signal process\n");
			close(procfd);
			procfd = -1;
		}
	}

	return procfd;
}

int main(int argc, char *argv[])
{
	int pidfd = -1, ret = EXIT_FAILURE;
	char buf[4096] = { 0 };
	pid_t pid;
	int procfd, statusfd;
	ssize_t bytes;

	pid = pidfd_clone(CLONE_PIDFD, &pidfd);
	if (pid < 0)
		err(ret, "CLONE_PIDFD");
	if (pidfd == -1) {
		warnx("CLONE_PIDFD is not supported by the kernel");
		goto out;
	}

	procfd = pidfd_metadata_fd(pid, pidfd);
	close(pidfd);
	if (procfd < 0)
		goto out;

	statusfd = openat(procfd, "status", O_RDONLY | O_CLOEXEC);
	close(procfd);
	if (statusfd < 0)
		goto out;

	bytes = read(statusfd, buf, sizeof(buf));
	if (bytes > 0)
		bytes = write(STDOUT_FILENO, buf, bytes);
	close(statusfd);
	ret = EXIT_SUCCESS;

out:
	(void)wait(NULL);

	exit(ret);
}
samples: show race-free pidfd metadata access This is a sample program showing userspace how to get race-free access to process metadata from a pidfd. It is rather easy to do and userspace can actually simply reuse code that currently parses a process's status file in procfs. The program can easily be extended into a generic helper suitable for inclusion in a libc to make it even easier for userspace to gain metadata access. Since this came up in a discussion because this API is going to be used in various service managers: A lot of programs will have a whitelist seccomp filter that returns <some-errno> for all new syscalls. This means that programs might get confused if CLONE_PIDFD works but the later pidfd_send_signal() syscall doesn't. Hence, here's a ahead of time check that pidfd_send_signal() is supported: bool pidfd_send_signal_supported() { int procfd = open("/proc/self", O_DIRECTORY \| O_RDONLY \| O_CLOEXEC); if (procfd < 0) return false; /* * A process is always allowed to signal itself so * pidfd_send_signal() should never fail this test. If it does * it must mean it is not available, blocked by an LSM, seccomp, * or other. */ return pidfd_send_signal(procfd, 0, NULL, 0) == 0; } Signed-off-by: Christian Brauner <christian@brauner.io> Co-developed-by: Jann Horn <jannh@google.com> Signed-off-by: Jann Horn <jannh@google.com> Reviewed-by: Oleg Nesterov <oleg@redhat.com> Cc: Arnd Bergmann <arnd@arndb.de> Cc: "Eric W. Biederman" <ebiederm@xmission.com> Cc: Kees Cook <keescook@chromium.org> Cc: Thomas Gleixner <tglx@linutronix.de> Cc: David Howells <dhowells@redhat.com> Cc: "Michael Kerrisk (man-pages)" <mtk.manpages@gmail.com> Cc: Andy Lutomirsky <luto@kernel.org> Cc: Andrew Morton <akpm@linux-foundation.org> Cc: Aleksa Sarai <cyphar@cyphar.com> Cc: Linus Torvalds <torvalds@linux-foundation.org> Cc: Al Viro <viro@zeniv.linux.org.uk> 2019-04-07 13:18:11 -06:00			`// SPDX-License-Identifier: GPL-2.0`

			`#define _GNU_SOURCE`
			`#include <err.h>`
			`#include <errno.h>`
			`#include <fcntl.h>`
			`#include <inttypes.h>`
			`#include <limits.h>`
			`#include <sched.h>`
			`#include <signal.h>`
			`#include <stdio.h>`
			`#include <stdlib.h>`
			`#include <string.h>`
			`#include <sys/stat.h>`
			`#include <sys/syscall.h>`
			`#include <sys/types.h>`
			`#include <sys/wait.h>`
			`#include <unistd.h>`

			`#ifndef CLONE_PIDFD`
			`#define CLONE_PIDFD 0x00001000`
			`#endif`

samples: fix pidfd-metadata compilation Define __NR_pidfd_send_signal if it isn't to prevent a compilation error. To make pidfd-metadata compile on all arches, irrespective of whether or not syscall numbers are assigned, define the syscall number to -1. If it isn't defined this will cause the kernel to return -ENOSYS. Fixes: 43c6afee48d4 ("samples: show race-free pidfd metadata access") Reported-by: Arnd Bergmann <arnd@arndb.de> Reported-by: Guenter Roeck <linux@roeck-us.net> Cc: Christian Brauner <christian@brauner.io> Signed-off-by: Guenter Roeck <linux@roeck-us.net> [christian@brauner.io: tweak commit message] Signed-off-by: Christian Brauner <christian@brauner.io> 2019-05-30 05:40:47 -06:00			`#ifndef __NR_pidfd_send_signal`
			`#define __NR_pidfd_send_signal -1`
			`#endif`

samples: show race-free pidfd metadata access This is a sample program showing userspace how to get race-free access to process metadata from a pidfd. It is rather easy to do and userspace can actually simply reuse code that currently parses a process's status file in procfs. The program can easily be extended into a generic helper suitable for inclusion in a libc to make it even easier for userspace to gain metadata access. Since this came up in a discussion because this API is going to be used in various service managers: A lot of programs will have a whitelist seccomp filter that returns <some-errno> for all new syscalls. This means that programs might get confused if CLONE_PIDFD works but the later pidfd_send_signal() syscall doesn't. Hence, here's a ahead of time check that pidfd_send_signal() is supported: bool pidfd_send_signal_supported() { int procfd = open("/proc/self", O_DIRECTORY \| O_RDONLY \| O_CLOEXEC); if (procfd < 0) return false; /* * A process is always allowed to signal itself so * pidfd_send_signal() should never fail this test. If it does * it must mean it is not available, blocked by an LSM, seccomp, * or other. */ return pidfd_send_signal(procfd, 0, NULL, 0) == 0; } Signed-off-by: Christian Brauner <christian@brauner.io> Co-developed-by: Jann Horn <jannh@google.com> Signed-off-by: Jann Horn <jannh@google.com> Reviewed-by: Oleg Nesterov <oleg@redhat.com> Cc: Arnd Bergmann <arnd@arndb.de> Cc: "Eric W. Biederman" <ebiederm@xmission.com> Cc: Kees Cook <keescook@chromium.org> Cc: Thomas Gleixner <tglx@linutronix.de> Cc: David Howells <dhowells@redhat.com> Cc: "Michael Kerrisk (man-pages)" <mtk.manpages@gmail.com> Cc: Andy Lutomirsky <luto@kernel.org> Cc: Andrew Morton <akpm@linux-foundation.org> Cc: Aleksa Sarai <cyphar@cyphar.com> Cc: Linus Torvalds <torvalds@linux-foundation.org> Cc: Al Viro <viro@zeniv.linux.org.uk> 2019-04-07 13:18:11 -06:00			`static int do_child(void *args)`
			`{`
			`printf("%d\n", getpid());`
			`_exit(EXIT_SUCCESS);`
			`}`

			`static pid_t pidfd_clone(int flags, int *pidfd)`
			`{`
			`size_t stack_size = 1024;`
			`char *stack[1024] = { 0 };`

			`#ifdef __ia64__`
			`return __clone2(do_child, stack, stack_size, flags \| SIGCHLD, NULL, pidfd);`
			`#else`
			`return clone(do_child, stack + stack_size, flags \| SIGCHLD, NULL, pidfd);`
			`#endif`
			`}`

			`static inline int sys_pidfd_send_signal(int pidfd, int sig, siginfo_t *info,`
			`unsigned int flags)`
			`{`
			`return syscall(__NR_pidfd_send_signal, pidfd, sig, info, flags);`
			`}`

			`static int pidfd_metadata_fd(pid_t pid, int pidfd)`
			`{`
			`int procfd, ret;`
			`char path[100];`

			`snprintf(path, sizeof(path), "/proc/%d", pid);`
			`procfd = open(path, O_DIRECTORY \| O_RDONLY \| O_CLOEXEC);`
			`if (procfd < 0) {`
			`warn("Failed to open %s\n", path);`
			`return -1;`
			`}`

			`/*`
			`* Verify that the pid has not been recycled and our /proc/<pid> handle`
			`* is still valid.`
			`*/`
			`ret = sys_pidfd_send_signal(pidfd, 0, NULL, 0);`
			`if (ret < 0) {`
			`switch (errno) {`
			`case EPERM:`
			`/* Process exists, just not allowed to signal it. */`
			`break;`
			`default:`
			`warn("Failed to signal process\n");`
			`close(procfd);`
			`procfd = -1;`
			`}`
			`}`

			`return procfd;`
			`}`

			`int main(int argc, char *argv[])`
			`{`
samples: make pidfd-metadata fail gracefully on older kernels Initialize pidfd to an invalid descriptor, to fail gracefully on those kernels that do not implement CLONE_PIDFD and leave pidfd unchanged. Signed-off-by: Dmitry V. Levin <ldv@altlinux.org> Signed-off-by: Christian Brauner <christian@brauner.io> 2019-06-23 05:28:00 -06:00			`int pidfd = -1, ret = EXIT_FAILURE;`
samples: show race-free pidfd metadata access This is a sample program showing userspace how to get race-free access to process metadata from a pidfd. It is rather easy to do and userspace can actually simply reuse code that currently parses a process's status file in procfs. The program can easily be extended into a generic helper suitable for inclusion in a libc to make it even easier for userspace to gain metadata access. Since this came up in a discussion because this API is going to be used in various service managers: A lot of programs will have a whitelist seccomp filter that returns <some-errno> for all new syscalls. This means that programs might get confused if CLONE_PIDFD works but the later pidfd_send_signal() syscall doesn't. Hence, here's a ahead of time check that pidfd_send_signal() is supported: bool pidfd_send_signal_supported() { int procfd = open("/proc/self", O_DIRECTORY \| O_RDONLY \| O_CLOEXEC); if (procfd < 0) return false; /* * A process is always allowed to signal itself so * pidfd_send_signal() should never fail this test. If it does * it must mean it is not available, blocked by an LSM, seccomp, * or other. */ return pidfd_send_signal(procfd, 0, NULL, 0) == 0; } Signed-off-by: Christian Brauner <christian@brauner.io> Co-developed-by: Jann Horn <jannh@google.com> Signed-off-by: Jann Horn <jannh@google.com> Reviewed-by: Oleg Nesterov <oleg@redhat.com> Cc: Arnd Bergmann <arnd@arndb.de> Cc: "Eric W. Biederman" <ebiederm@xmission.com> Cc: Kees Cook <keescook@chromium.org> Cc: Thomas Gleixner <tglx@linutronix.de> Cc: David Howells <dhowells@redhat.com> Cc: "Michael Kerrisk (man-pages)" <mtk.manpages@gmail.com> Cc: Andy Lutomirsky <luto@kernel.org> Cc: Andrew Morton <akpm@linux-foundation.org> Cc: Aleksa Sarai <cyphar@cyphar.com> Cc: Linus Torvalds <torvalds@linux-foundation.org> Cc: Al Viro <viro@zeniv.linux.org.uk> 2019-04-07 13:18:11 -06:00			`char buf[4096] = { 0 };`
			`pid_t pid;`
			`int procfd, statusfd;`
			`ssize_t bytes;`

			`pid = pidfd_clone(CLONE_PIDFD, &pidfd);`
			`if (pid < 0)`
samples: make pidfd-metadata fail gracefully on older kernels Initialize pidfd to an invalid descriptor, to fail gracefully on those kernels that do not implement CLONE_PIDFD and leave pidfd unchanged. Signed-off-by: Dmitry V. Levin <ldv@altlinux.org> Signed-off-by: Christian Brauner <christian@brauner.io> 2019-06-23 05:28:00 -06:00			`err(ret, "CLONE_PIDFD");`
			`if (pidfd == -1) {`
			`warnx("CLONE_PIDFD is not supported by the kernel");`
			`goto out;`
			`}`
samples: show race-free pidfd metadata access This is a sample program showing userspace how to get race-free access to process metadata from a pidfd. It is rather easy to do and userspace can actually simply reuse code that currently parses a process's status file in procfs. The program can easily be extended into a generic helper suitable for inclusion in a libc to make it even easier for userspace to gain metadata access. Since this came up in a discussion because this API is going to be used in various service managers: A lot of programs will have a whitelist seccomp filter that returns <some-errno> for all new syscalls. This means that programs might get confused if CLONE_PIDFD works but the later pidfd_send_signal() syscall doesn't. Hence, here's a ahead of time check that pidfd_send_signal() is supported: bool pidfd_send_signal_supported() { int procfd = open("/proc/self", O_DIRECTORY \| O_RDONLY \| O_CLOEXEC); if (procfd < 0) return false; /* * A process is always allowed to signal itself so * pidfd_send_signal() should never fail this test. If it does * it must mean it is not available, blocked by an LSM, seccomp, * or other. */ return pidfd_send_signal(procfd, 0, NULL, 0) == 0; } Signed-off-by: Christian Brauner <christian@brauner.io> Co-developed-by: Jann Horn <jannh@google.com> Signed-off-by: Jann Horn <jannh@google.com> Reviewed-by: Oleg Nesterov <oleg@redhat.com> Cc: Arnd Bergmann <arnd@arndb.de> Cc: "Eric W. Biederman" <ebiederm@xmission.com> Cc: Kees Cook <keescook@chromium.org> Cc: Thomas Gleixner <tglx@linutronix.de> Cc: David Howells <dhowells@redhat.com> Cc: "Michael Kerrisk (man-pages)" <mtk.manpages@gmail.com> Cc: Andy Lutomirsky <luto@kernel.org> Cc: Andrew Morton <akpm@linux-foundation.org> Cc: Aleksa Sarai <cyphar@cyphar.com> Cc: Linus Torvalds <torvalds@linux-foundation.org> Cc: Al Viro <viro@zeniv.linux.org.uk> 2019-04-07 13:18:11 -06:00
			`procfd = pidfd_metadata_fd(pid, pidfd);`
			`close(pidfd);`
			`if (procfd < 0)`
			`goto out;`

			`statusfd = openat(procfd, "status", O_RDONLY \| O_CLOEXEC);`
			`close(procfd);`
			`if (statusfd < 0)`
			`goto out;`

			`bytes = read(statusfd, buf, sizeof(buf));`
			`if (bytes > 0)`
			`bytes = write(STDOUT_FILENO, buf, bytes);`
			`close(statusfd);`
			`ret = EXIT_SUCCESS;`

			`out:`
			`(void)wait(NULL);`

			`exit(ret);`
			`}`