Re: [PATCH RFC v3 2/4] pidfd: add CLONE_PIDFD_AUTOKILL
From: Linus Torvalds
Date: Tue Feb 17 2026 - 18:45:24 EST

On Tue, 17 Feb 2026 at 15:38, Jann Horn <jannh@xxxxxxxxxx> wrote:
>
> You can already send SIGHUP to such binaries through things like job
> control, right?

But at least those can be blocked, and people can disassociate
themselves from a tty if they care etc.

This seems like it can't be blocked any way, although I guess you can
just do the double fork dance to distance yourself from your parent.

> Also, on a Linux system with systemd, I believe a normal user, when
> running in the context of a user session (but not when running in the
> context of a system service), can already SIGKILL anything they launch
> by launching it in a systemd user service, then doing something [...]

Ugh. But at least it's not the kernel that does it, and we have rules
for sending signals.

> I agree that this would be a change to the security model, but I'm not
> sure if it would be that big a change.

I would expect most normal binaries to expect to be killed with ^C etc
anyway, so in that sense this is indeed likely not a big deal. But at
least those are well-known and traditional ways of getting signals
that people kind of expect.

But it does seem to violate all the normal 'kill()' checks, and it
smells horribly bad.

Linus