Unverified Commit 24baca56 authored by Christian Brauner

clone: add CLONE_NNP

Add a new clone3() flag CLONE_NNP that sets no_new_privs on the child
process at clone time. This is analogous to prctl(PR_SET_NO_NEW_PRIVS)
but applied at process creation rather than requiring a separate step
after the child starts running.

CLONE_NNP is rejected with CLONE_THREAD. It's conceptually a lot simpler
if the whole thread-group is forced into NNP and not have single threads
running around with NNP.

Link: https://patch.msgid.link/20260226-work-pidfs-autoreap-v5-2-d148b984a989@kernel.org


Reviewed-by: Oleg Nesterov <oleg@redhat.com>
Signed-off-by: Christian Brauner <brauner@kernel.org>
parent 12ae2c81
+1 −0
@@ -37,6 +37,7 @@
#define CLONE_CLEAR_SIGHAND	(1ULL << 32) /* Clear any signal handler and reset to SIG_DFL. */
#define CLONE_INTO_CGROUP	(1ULL << 33) /* Clone into a specific cgroup given the right permissions. */
#define CLONE_AUTOREAP		(1ULL << 34) /* Auto-reap child on exit. */
#define CLONE_NNP		(1ULL << 35) /* Set no_new_privs on child. */

/*
 * cloning flags intersect with CSIGNAL so can be used with unshare and clone3
+9 −1
@@ -2040,6 +2040,11 @@ __latent_entropy struct task_struct *copy_process(
	if ((clone_flags & CLONE_PARENT) && current->signal->autoreap)
		return ERR_PTR(-EINVAL);

	if (clone_flags & CLONE_NNP) {
		if (clone_flags & CLONE_THREAD)
			return ERR_PTR(-EINVAL);
	}

	/*
	 * Force any signals received before this point to be delivered
	 * before the fork happens.  Collect up signals sent to multiple
@@ -2424,6 +2429,9 @@ __latent_entropy struct task_struct *copy_process(
	 */
	copy_seccomp(p);

	if (clone_flags & CLONE_NNP)
		task_set_no_new_privs(p);

	init_task_pid_links(p);
	if (likely(p->pid)) {
		ptrace_init_task(p, (clone_flags & CLONE_PTRACE) || trace);
@@ -2912,7 +2920,7 @@ static bool clone3_args_valid(struct kernel_clone_args *kargs)
	/* Verify that no unknown flags are passed along. */
	if (kargs->flags &
	    ~(CLONE_LEGACY_FLAGS | CLONE_CLEAR_SIGHAND | CLONE_INTO_CGROUP |
	      CLONE_AUTOREAP))
	      CLONE_AUTOREAP | CLONE_NNP))
		return false;

	/*
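Review bot: The new CLONE_NNP/CLONE_THREAD rejection at the top of the first hunk carries no comment, and the reason for it — that no_new_privs is only ever forced on a whole thread-group, never on individual threads — exists only in the commit message; a line such as `/* NNP is forced on whole thread-groups only, never on single threads. */` above the check would keep that rationale in the code. The nested form can also collapse to one condition, `if ((clone_flags & CLONE_NNP) && (clone_flags & CLONE_THREAD))` followed by `return ERR_PTR(-EINVAL);`, matching the shape of the adjacent CLONE_PARENT/autoreap check. In the second hunk, task_set_no_new_privs(p) is placed directly after copy_seccomp(p), presumably so the child's no_new_privs bit is set together with the seccomp state it is tied to; a short comment stating that would make the ordering visibly intentional rather than incidental. copy_process begins and ends outside these hunks.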