Re: [PATCH RFC v3 2/4] pidfd: add CLONE_PIDFD_AUTOKILL

From: Theodore Tso

Date: Wed Feb 18 2026 - 08:32:06 EST


On Tue, Feb 17, 2026 at 03:44:52PM -0800, Linus Torvalds wrote:
> On Tue, 17 Feb 2026 at 15:38, Jann Horn <jannh@xxxxxxxxxx> wrote:
> >
> > You can already send SIGHUP to such binaries through things like job
> > control, right?
>
> But at least those can be blocked, and people can disassociate
> themselves from a tty if they care etc.

Does CLONE_PIDFD_AUTOKILL need to send a SIGKILL? Could it be
something that could be trapped/blocked, like SIGHUP or SIGTERM? Or
maybe we could do the SIGHUP, wait 30 seconds (+/- a random delay); if
it hasn't exited, send SIGTERM, wait another 30 seconds (+/- a random
delay); if it hasn't exited, send a SIGKILL. That's still a change in
the security model, but it's less likely to cause problems if the goal
is to try to catch a setuid program while it is in the middle of
editing some critical file such as /etc/sudo.conf or /etc/passwd or
some such.

I bet we'll still see some zero days coming out of this, but we can at
least mitigate the likelihood of a security breach.

- Ted
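
The SIGHUP, SIGTERM, SIGKILL escalation proposed above, sketched in userspace as an added example that is not part of the original message or of the patch series. It uses plain kill()/waitpid() rather than the pidfd interface. The names `wait_exit`, `escalate` and `run_demo`, the millisecond delays (instead of 30 seconds) and the +/- 25% jitter are assumptions made for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <signal.h>
#include <stdlib.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>

/* Poll for exit for base_ms +/- 25% (jitter width is an assumption); 1 if reaped. */
static int wait_exit(pid_t pid, int base_ms, int *status)
{
    int budget = base_ms - base_ms / 4 + rand() % (base_ms / 2 + 1);
    struct timespec tick = { 0, 1000000 };          /* 1 ms between polls */
    for (int waited = 0; waited < budget; waited++) {
        if (waitpid(pid, status, WNOHANG) == pid) return 1;
        nanosleep(&tick, NULL);
    }
    return 0;
}

/* SIGHUP, wait, SIGTERM, wait, SIGKILL. Returns the signal that ended the wait. */
int escalate(pid_t pid, int base_ms, int *status)
{
    static const int catchable[] = { SIGHUP, SIGTERM };
    for (int i = 0; i < 2; i++) {
        kill(pid, catchable[i]);                    /* the target may trap or block these */
        if (wait_exit(pid, base_ms, status)) return catchable[i];
    }
    kill(pid, SIGKILL);                             /* cannot be caught or blocked */
    waitpid(pid, status, 0);
    return SIGKILL;
}

/* Stands in for "finish the critical file edit, then exit cleanly". */
static void on_hup(int sig) { (void)sig; _exit(0); }

/* Constructed demo child: cooperative exits on SIGHUP, otherwise ignores HUP and TERM. */
int run_demo(int cooperative, int base_ms, int *status)
{
    signal(SIGHUP, cooperative ? on_hup : SIG_IGN); /* set before fork: child inherits it */
    signal(SIGTERM, SIG_IGN);
    pid_t pid = fork();
    if (pid == 0) for (;;) pause();                 /* child: wait for signals */
    signal(SIGHUP, SIG_DFL);                        /* parent: restore defaults */
    signal(SIGTERM, SIG_DFL);
    return pid < 0 ? -1 : escalate(pid, base_ms, status);
}

int main(void)
{
    int st;
    return !(run_demo(1, 100, &st) == SIGHUP && run_demo(0, 100, &st) == SIGKILL);
}
```

A child that handles SIGHUP gets to exit with status 0 at the first step; one that ignores both catchable signals is still terminated, only later and by SIGKILL.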