On Wed, Jun 25, 2025 at 12:07:45AM +0100, Al Viro wrote: > On Tue, Jun 24, 2025 at 10:29:13AM +0200, Christian Brauner wrote: > > Various filesystems such as pidfs (and likely drm in the future) have a > > use-case to support opening files purely based on the handle without > > having to require a file descriptor to another object. That's especially > > the case for filesystems that don't do any lookup whatsoever and there's > > zero relationship between the objects. Such filesystems are also > > singletons that stay around for the lifetime of the system meaning that > > they can be uniquely identified and accessed purely based on the file > > handle type. Enable that so that userspace doesn't have to allocate an > > object needlessly especially if they can't do that for whatever reason. > > Whoa... Two notes: > 1) you really want to make sure that no _directories_ on those > filesystems are decodable. No directories exist on any of the obvious candidates (certainly not pidfs) and it's easy to add an assertion there. It's obvioulsy only going to work for specific filesystems. > 2) do you want to get the damn things bound somewhere? For the obvious cases either bind-mounts aren't supported or having a bind-mount would not constitute a problem. For starter pidfds can be created purely based on pidfd_open() which means you can always open a pidfd for process even if the bind-mount in question would not be accessible to you. Are there other concerns about bind-mounts that I'm missing?
