Re: [PATCH RFC v3 0/4] pidfd: add CLONE_AUTOREAP and CLONE_PIDFD_AUTOKILL
From: Christian Brauner
Date: Tue Feb 17 2026 - 17:47:15 EST
> CLONE_PIDFD_AUTOKILL ties a child's lifetime to the pidfd returned from
> clone3(). When the last reference to the struct file created by clone3()
> is closed the kernel sends SIGKILL to the child.
So this is for me one of the most useful features that I've been
pondering for a long time but always put off. Its usefulness is
intimately tied to the fact that the kill-on-close contract cannot be
flouted no matter what gets executed (FreeBSD has the same behavior for
pdfork()).
If the parent says to SIGKILL the child once the fd is closed then it
isn't reset no matter if privileged exec or credential change. This is
in contrast to related mechanisms such as pdeath_signal which gets reset
by all kinds of crap but then can be set again and it's just cumbersome
and not super useful. Not even signal delivery is guaranteed as
permissions are checked for that as well.
My ideal model for kill-on-close is to just ruthlessly enforce that the
kernel murders anything once the file is released. But I would really
like to get some thoughts on this.