[PATCH RFC v3 0/2] pidfs: make the effective {g,u}id the owner of the inode

From: Christian Brauner

Date: Mon Feb 23 2026 - 08:21:42 EST


Hey,

This adds inode ownership and permission checking to pidfs.

Right now pidfs only supports trusted.* xattrs, which require
CAP_SYS_ADMIN, so there was never a need for real permission checking.
In order to support user.* xattrs and custom pidfs.* xattrs in the
future we need a permission model for pidfs inodes.

The effective {u,g}id of the target task becomes the owner of the pidfs
inode, similar to what procfs does. Ownership is reported dynamically via
getattr since credentials may change due to setuid() and similar
operations. For kernel threads the owner is root; for exited tasks the
credentials saved at exit time via pidfs_exit() are used.

The permission callback checks access in two steps. First it verifies
that the caller is either in the same thread group as the target or has
equivalent signal permissions, reusing the same uid-based logic as
kill(). Then it performs standard POSIX permission checking via
generic_permission() against the inode's mode bits (S_IRWXU / 0700).

This is intentionally less strict than ptrace_may_access() because pidfs
currently does not allow operating on data that is completely private to
the process such as its mm or file descriptors. Additional checks can be
layered on once that changes.

The second patch adds selftests covering ownership reporting via fstat
and the permission model via user.* xattr operations which trigger
pidfs_permission() through xattr_permission(). The tests exercise live
credential changes, exited tasks with saved exit credentials, same-user
cross-process access, cross-user denial, and kernel thread denial.
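The ownership rule and the two-step permission check described above, modelled in userspace as an added example (this is not code from the series). struct creds, struct target, may_signal(), the MAY_* mask values and the sample credentials are constructed for the example; may_signal() follows the uid comparisons of the kernel's kill_ok_by_cred(), and the mode step only models the owner bits of 0700 plus CAP_DAC_OVERRIDE from generic_permission().

```c
#include <errno.h>
#include <stdbool.h>
#include <sys/types.h>
/* Constructed, simplified credentials; the kernel's struct cred has more fields. */
struct creds {
    uid_t uid, euid, suid;              /* real, effective and saved uid */
    gid_t egid;
    bool cap_kill, cap_dac_override;    /* ns_capable(CAP_KILL); CAP_DAC_OVERRIDE */
};
struct target { struct creds cred; bool kthread; int tgid; }; /* exited: cred saved by pidfs_exit() */
enum { MAY_EXEC = 1, MAY_WRITE = 2, MAY_READ = 4 };
/* Ownership as pidfs_getattr() reports it: target euid/egid, root for kthreads. */
void pidfs_owner(const struct target *t, uid_t *uid, gid_t *gid)
{
    *uid = t->kthread ? 0 : t->cred.euid;
    *gid = t->kthread ? 0 : t->cred.egid;
}
/* Step 1: same thread group, or the uid-based test kill() uses (kill_ok_by_cred). */
static bool may_signal(const struct creds *c, int caller_tgid, const struct target *t)
{
    if (caller_tgid == t->tgid)
        return true;
    return c->euid == t->cred.suid || c->euid == t->cred.uid ||
           c->uid  == t->cred.suid || c->uid  == t->cred.uid || c->cap_kill;
}
/* Step 2: generic_permission() on mode 0700: only the owner (or CAP_DAC_OVERRIDE) passes. */
static bool mode_0700_ok(const struct creds *c, uid_t owner, int mask)
{
    return c->euid == owner ? ((0700 >> 6) & mask) == mask : c->cap_dac_override;
}

/* Mirrors pidfs_permission(): 0 on success, otherwise a negative errno. */
int pidfs_permission_model(const struct creds *c, int caller_tgid,
                           const struct target *t, int mask)
{
    uid_t owner; gid_t gid;
    if (t->kthread)
        return -EPERM;       /* v3: kernel threads are rejected with -EPERM */
    if (!may_signal(c, caller_tgid, t))
        return -EACCES;
    pidfs_owner(t, &owner, &gid);
    return mode_0700_ok(c, owner, mask) ? 0 : -EACCES;
}

/* Constructed samples: two users, root, Alice's shell, a setuid-root helper, a kthread. */
const struct creds ALICE = { 1000, 1000, 1000, 1000 }, BOB = { 1001, 1001, 1001, 1001 };
const struct creds ROOT = { .cap_kill = true, .cap_dac_override = true };
const struct target ALICE_SHELL = { .cred = { 1000, 1000, 1000, 1000 }, .tgid = 100 };
const struct target SETUID_HELPER = { .cred = { .uid = 1000 }, .tgid = 101 }; /* euid/suid 0 */
const struct target KTHREAD = { .kthread = true, .tgid = 2 };
```

The SETUID_HELPER case shows why the two steps differ: Alice may signal the helper because its real uid is hers, but the inode is owned by its effective uid (root), so the 0700 mode check still denies her.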

Christian

Signed-off-by: Christian Brauner <brauner@xxxxxxxxxx>
---
Changes in v3:
- Simplify pidfs_fill_owner() into pidfs_update_owner() writing directly
  to the inode via WRITE_ONCE() instead of using output parameters.
- Drop the separate pidfs_update_inode() helper and the
  security_task_to_inode() call.
- Update pidfs_getattr() to write ownership to the inode via
  pidfs_update_owner() instead of writing directly to stat.
- Update pidfs_permission() to also write ownership to the inode before
  calling generic_permission(), handling kernel threads with -EPERM.
- Drop VFS_WARN_ON_ONCE() for idmap check from pidfs_permission().
- Link to v2: https://patch.msgid.link/20260217-work-pidfs-inode-owner-v2-1-f04b5638315a@xxxxxxxxxx

Changes in v2:
- Fix an obvious null-deref during PIDFD_STALE (CLONE_PIDFD).
- Link to v1: https://patch.msgid.link/20260216-work-pidfs-inode-owner-v1-1-f8faa6b73983@xxxxxxxxxx

---
Christian Brauner (2):
pidfs: add inode ownership and permission checks
selftests/pidfd: add inode ownership and permission tests

 fs/pidfs.c                                   | 133 +++++++++-
 include/linux/cred.h                         |   2 +
 kernel/signal.c                              |  19 +-
 tools/testing/selftests/pidfd/.gitignore     |   1 +
 tools/testing/selftests/pidfd/Makefile       |   2 +-
 .../selftests/pidfd/pidfd_inode_owner_test.c | 289 +++++++++++++++++++++
 6 files changed, 427 insertions(+), 19 deletions(-)
---
base-commit: 6de23f81a5e08be8fbf5e8d7e9febc72a5b5f27f
change-id: 20260211-work-pidfs-inode-owner-0ca20de9ef23