Re: [capsicum] wait() and pdfork()

On 6 Mar 2014, at 00:10, Eitan Adler <lists at> wrote:

> This is confusing and leads to the same issues that the other
> wait calls have.  IMHO it would be better to implement pdwait() and
> deny waitpid().  This also leads to cleaner documentation: "the wait*
> calls do not work on process descriptors".

Except that there isn't a clear distinction.  Processes created with pdfork() have a pid that appears in the global PID namespace (visible to non-capsicum processes) and accessible via the pdgetpid() call.  Therefore, the distinction between a process created with pdfork() and one created with fork() is only visible to the process that spawned the child.

Preventing wait*() from working on pids for processes that are created with pdfork() is going to cause massive pain for any application (e.g. debuggers, init systems, and so on) that wants to wait for processes that are not their immediate children.

The wait*() calls work on a global namespace.  They are calls that are *only* usable by processes that are running with ambient authority.  They should not be restricted based on the way in which the PID was created, because this is not a globally visible property and would be a serious POLA violation.


P.S. For debuggers, it would be incredibly helpful to have a pdopen() that would allow opening a file descriptor from a pid (only usable by processes with ambient authority) so that they can use pdwait4() and avoid the PID-reuse race.
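The pdopen()-then-pdwait4() pattern from the P.S., as an added example that is not code from this thread or from the capsicum project: Linux's pidfd_open() and waitid(P_PIDFD) stand in for the proposed FreeBSD calls, since they give exactly the "descriptor from a pid, then wait on the descriptor" shape that sidesteps PID reuse. It assumes a Linux kernel with pidfd support (5.4 or later); the syscall number and P_PIDFD fallbacks are only there for older headers.

```c
#define _GNU_SOURCE
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

#ifndef SYS_pidfd_open
#define SYS_pidfd_open 434   /* same number on every Linux architecture */
#endif
#ifndef P_PIDFD
#define P_PIDFD 3            /* waitid() idtype for a pidfd; absent in glibc < 2.36 */
#endif

/* Open a descriptor bound to this exact process incarnation. A bare pid can
 * be recycled to an unrelated process after the child exits; a descriptor
 * cannot be silently re-bound, which is the race the P.S. wants to close. */
static int open_pidfd(pid_t pid)
{
    return (int)syscall(SYS_pidfd_open, pid, 0);
}

/* Fork a child that exits with `code`, then reap it through the descriptor
 * rather than the pid. Returns the child's exit status, or -1 if the kernel
 * offers no pidfd support (the child is still reaped in that case). */
int wait_via_pidfd(int code)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0)
        _exit(code);

    int pfd = open_pidfd(pid);
    if (pfd < 0) {
        waitpid(pid, NULL, 0);   /* pid-based fallback, subject to the reuse race */
        return -1;
    }

    siginfo_t si;
    /* Wait on the descriptor: a reused pid can no longer mislead the waiter. */
    int rc = waitid(P_PIDFD, (id_t)pfd, &si, WEXITED);
    close(pfd);
    if (rc != 0) {
        waitpid(pid, NULL, 0);
        return -1;
    }
    return si.si_code == CLD_EXITED ? si.si_status : -1;
}

int main(void)
{
    printf("child exit status via pidfd: %d\n", wait_via_pidfd(7));
    return 0;
}
```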

