Re: [PATCH 4/5] seccomp: Add SECCOMP_ADDFD_FLAG_MOVE flag to add fd ioctl
From: Sargun Dhillon <hidden>
Date: 2020-05-26 06:08:58
Also in:
lkml
+ * they are created in. Specifcally, sockets, and their interactions with the + * net_cls and net_prio cgroup v1 controllers. This "moves" the file descriptor + * so that it takes on the cgroup controller's configuration in the process + * that the file descriptor is being added to. + */ +#define SECCOMP_ADDFD_FLAG_MOVE (1UL << 1)

I'm not happy about the name because "moving" has much more to do with transferring ownership than what we are doing here. After a "move" the fd shouldn't be valid anymore. But that might just be my thinking. But why make this opt-in and not do it exactly like when you send around fds and make this mandatory?
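Review bot: the comment block above the new `SECCOMP_ADDFD_FLAG_MOVE` define misspells "Specifically" as "Specifcally"; since this lands in a uapi header it should be fixed before merge. The comment also describes only what the flag does, not why a caller would leave it unset; if the behaviour stays opt-in rather than following the SCM_RIGHTS precedent raised in this thread, the comment should state the case for not re-scoping the fd, otherwise the flag can go and the comment should describe the default behaviour.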
Based upon Tycho's comments in an offline thread, I'm going to make this the default (setting the cgroup metadata) to mirror what SCM_RIGHTS does, and then if we come up with a good use case where we need to preserve *cgroup v1* metadata, then we can add an opt-out flag in the future.