implement pidfd_open

Author: azliu0

Diff for: pkg/abi/linux/wait.go

@@ -37,6 +37,7 @@ const (
 	P_ALL  = 0x0
 	P_PID  = 0x1
 	P_PGID = 0x2
+	P_PIDFD = 0x3
 )
 
 // WaitStatus represents a thread status, as returned by the wait* family of

Diff for: pkg/sentry/fsimpl/pidfd/BUILD

@@ -0,0 +1,19 @@
+load("//tools:defs.bzl", "go_library", "go_test")
+
+package(default_applicable_licenses = ["//:license"])
+
+licenses(["notice"])
+
+go_library(
+    name = "pidfd",
+    srcs = ["pidfd.go"],
+    visibility = ["//pkg/sentry:internal"],
+    deps = [
+        "//pkg/abi/linux",
+        "//pkg/context",
+        "//pkg/errors/linuxerr",
+        "//pkg/sentry/kernel",
+        "//pkg/sentry/vfs",
+        "//pkg/waiter",
+    ],
+)

Diff for: pkg/sentry/fsimpl/pidfd/pidfd.go

@@ -0,0 +1,116 @@
+// Copyright 2024 The gVisor Authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+// Package pidfd implements process fds.
+package pidfd
+
+import (
+	"gvisor.dev/gvisor/pkg/abi/linux"
+	"gvisor.dev/gvisor/pkg/context"
+	"gvisor.dev/gvisor/pkg/sentry/kernel"
+	"gvisor.dev/gvisor/pkg/sentry/vfs"
+	"gvisor.dev/gvisor/pkg/waiter"
+)
+
+// ProcessFileDescription implements vfs.FileDescriptionImpl for pidfds.
+//
+// +stateify savable
+type ProcessFileDescription struct {
+	vfsfd vfs.FileDescription
+	vfs.FileDescriptionDefaultImpl
+	vfs.DentryMetadataFileDescriptionImpl
+	vfs.NoLockFD
+
+	tid      kernel.ThreadID
+	k        *kernel.Kernel
+	pidns    *kernel.PIDNamespace
+	nonblock bool
+}
+
+// New creates a new process fd.
+func New(task *kernel.Task, flags uint32) (*vfs.FileDescription, error) {
+	fd := &ProcessFileDescription{
+		tid:      task.ThreadID(),
+		k:        task.Kernel(),
+		pidns:    task.PIDNamespace(),
+		nonblock: flags&linux.O_NONBLOCK != 0,
+	}
+
+	fileFlags := uint32(linux.O_RDWR)
+	if flags&linux.O_NONBLOCK != 0 {
+		fileFlags |= linux.O_NONBLOCK
+	}
+
+	vd := task.Kernel().VFS().NewAnonVirtualDentry("[pidfd]")
+	defer vd.DecRef(task)
+
+	if err := fd.vfsfd.Init(fd, fileFlags, vd.Mount(), vd.Dentry(), &vfs.FileDescriptionOptions{
+		UseDentryMetadata: true,
+	}); err != nil {
+		return nil, err
+	}
+
+	return &fd.vfsfd, nil
+}
+
+// PID returns the process ID associated with this pidfd.
+func (pfd *ProcessFileDescription) PID() kernel.ThreadID {
+	return pfd.tid
+}
+
+// Nonblocking returns whether this pidfd is nonblocking.
+func (pfd *ProcessFileDescription) Nonblocking() bool {
+	return pfd.nonblock
+}
+
+// TaskExited returns whether the task associated with this pidfd has exited.
+func (pfd *ProcessFileDescription) TaskExited() bool {
+	if task := pfd.pidns.TaskWithID(pfd.tid); task != nil {
+		return task.ExitState() != kernel.TaskExitNone
+	}
+	return true
+}
+
+// Release implements vfs.FileDescriptionImpl.Release.
+func (pfd *ProcessFileDescription) Release(context.Context) {
+}
+
+// Readiness implements waiter.Waitable.Readiness.
+func (pfd *ProcessFileDescription) Readiness(mask waiter.EventMask) waiter.EventMask {
+	ready := waiter.EventMask(0)
+	if pfd.TaskExited() {
+		ready |= waiter.ReadableEvents
+	}
+	return mask & ready
+}
+
+// EventRegister implements waiter.Waitable.EventRegister.
+func (pfd *ProcessFileDescription) EventRegister(e *waiter.Entry) error {
+	if task := pfd.pidns.TaskWithID(pfd.tid); task != nil {
+		task.PidfdEventRegister(e)
+	}
+	return nil
+}
+
+// EventUnregister implements waiter.Waitable.EventUnregister.
+func (pfd *ProcessFileDescription) EventUnregister(e *waiter.Entry) {
+	if task := pfd.pidns.TaskWithID(pfd.tid); task != nil {
+		task.PidfdEventUnregister(e)
+	}
+}
+
+// Epollable implements FileDescriptionImpl.Epollable.
+func (pfd *ProcessFileDescription) Epollable() bool {
+	return true
+}

Diff for: pkg/sentry/kernel/task.go

@@ -186,6 +186,9 @@ type Task struct {
 	// The task only broadcast a notification on signal delivery.
 	signalQueue waiter.Queue
 
+	// pidfdQueue is a set of registered waiters for pidfd-related events.
+	pidfdQueue waiter.Queue
+
 	// If groupStopPending is true, the task should participate in a group
 	// stop in the interrupt path.
 	//
@@ -877,3 +880,13 @@ func (t *Task) ResetKcov() {
 		t.kcov = nil
 	}
 }
+
+// PidfdEventRegister registers a waiter entry for pidfd events.
+func (t *Task) PidfdEventRegister(e *waiter.Entry) {
+	t.pidfdQueue.EventRegister(e)
+}
+
+// PidfdEventUnregister unregisters a waiter entry for pidfd events.
+func (t *Task) PidfdEventUnregister(e *waiter.Entry) {
+	t.pidfdQueue.EventUnregister(e)
+}

Diff for: pkg/sentry/kernel/task_exit.go

@@ -602,6 +602,9 @@ func (*runExitNotify) execute(t *Task) taskRunState {
 	defer t.tg.pidns.owner.mu.Unlock()
 	t.advanceExitStateLocked(TaskExitInitiated, TaskExitZombie)
 	t.tg.liveTasks--
+
+	t.pidfdQueue.Notify(waiter.ReadableEvents)
+
 	// Check if this completes a sibling's execve.
 	if t.tg.execing != nil && t.tg.liveTasks == 1 {
 		// execing blocks the addition of new tasks to the thread group, so

Diff for: pkg/sentry/syscalls/linux/BUILD

@@ -33,6 +33,7 @@ go_library(
         "sys_mount.go",
         "sys_mq.go",
         "sys_msgqueue.go",
+        "sys_pidfd.go",
         "sys_pipe.go",
         "sys_poll.go",
         "sys_prctl.go",
@@ -89,6 +90,7 @@ go_library(
         "//pkg/sentry/fsimpl/host",
         "//pkg/sentry/fsimpl/iouringfs",
         "//pkg/sentry/fsimpl/lock",
+        "//pkg/sentry/fsimpl/pidfd",
         "//pkg/sentry/fsimpl/pipefs",
         "//pkg/sentry/fsimpl/signalfd",
         "//pkg/sentry/fsimpl/timerfd",

Diff for: pkg/sentry/syscalls/linux/linux64.go

@@ -402,7 +402,7 @@ var AMD64 = &kernel.SyscallTable{
 		431: syscalls.ErrorWithEvent("fsconfig", linuxerr.ENOSYS, "", nil),
 		432: syscalls.ErrorWithEvent("fsmount", linuxerr.ENOSYS, "", nil),
 		433: syscalls.ErrorWithEvent("fspick", linuxerr.ENOSYS, "", nil),
-		434: syscalls.ErrorWithEvent("pidfd_open", linuxerr.ENOSYS, "", nil),
+		434: syscalls.Supported("pidfd_open", PidfdOpen),
 		435: syscalls.PartiallySupported("clone3", Clone3, "Options CLONE_PIDFD, CLONE_NEWCGROUP, CLONE_INTO_CGROUP, CLONE_NEWTIME, CLONE_CLEAR_SIGHAND, CLONE_PARENT, CLONE_SYSVSEM and, SetTid are not supported.", nil),
 		436: syscalls.Supported("close_range", CloseRange),
 		439: syscalls.Supported("faccessat2", Faccessat2),
@@ -723,7 +723,7 @@ var ARM64 = &kernel.SyscallTable{
 		431: syscalls.ErrorWithEvent("fsconfig", linuxerr.ENOSYS, "", nil),
 		432: syscalls.ErrorWithEvent("fsmount", linuxerr.ENOSYS, "", nil),
 		433: syscalls.ErrorWithEvent("fspick", linuxerr.ENOSYS, "", nil),
-		434: syscalls.ErrorWithEvent("pidfd_open", linuxerr.ENOSYS, "", nil),
+		434: syscalls.Supported("pidfd_open", PidfdOpen),
 		435: syscalls.PartiallySupported("clone3", Clone3, "Options CLONE_PIDFD, CLONE_NEWCGROUP, CLONE_INTO_CGROUP, CLONE_NEWTIME, CLONE_CLEAR_SIGHAND, CLONE_PARENT, CLONE_SYSVSEM and clone_args.set_tid are not supported.", nil),
 		436: syscalls.Supported("close_range", CloseRange),
 		439: syscalls.Supported("faccessat2", Faccessat2),

Diff for: pkg/sentry/syscalls/linux/sys_pidfd.go

@@ -0,0 +1,66 @@
+// Copyright 2024 The gVisor Authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package linux
+
+import (
+	"gvisor.dev/gvisor/pkg/abi/linux"
+	"gvisor.dev/gvisor/pkg/errors/linuxerr"
+	"gvisor.dev/gvisor/pkg/sentry/arch"
+	"gvisor.dev/gvisor/pkg/sentry/kernel"
+	"gvisor.dev/gvisor/pkg/sentry/fsimpl/pidfd"
+)
+
+// PidfdOpen implements Linux syscall pidfd_open(2).
+func PidfdOpen(t *kernel.Task, sysno uintptr, args arch.SyscallArguments) (uintptr, *kernel.SyscallControl, error) {
+	pid := kernel.ThreadID(args[0].Int())
+	flags := args[1].Int()
+	
+	fd, err := pidfd_open(t, pid, flags)
+	if err != nil {
+		return 0, nil, err
+	}
+	
+	return uintptr(fd), nil, nil
+}
+
+func pidfd_open(t *kernel.Task, pid kernel.ThreadID, flags int32) (int32, error) {
+	if flags & ^linux.O_NONBLOCK != 0 {
+		return 0, linuxerr.EINVAL
+	}
+
+	if pid <= 0 {
+		return 0, linuxerr.EINVAL
+	}
+
+	targetTask := t.PIDNamespace().TaskWithID(pid)
+	if targetTask == nil {
+		return 0, linuxerr.ESRCH
+	}
+
+	file, err := pidfd.New(targetTask, uint32(flags))
+	if err != nil {
+		return 0, err
+	}
+	defer file.DecRef(t)
+
+	fd, err := t.NewFDFrom(0, file, kernel.FDFlags{
+		CloseOnExec: true,
+	})
+	if err != nil {
+		return 0, err
+	}
+
+	return fd, nil
+}

Diff for: pkg/sentry/syscalls/linux/sys_thread.go

@@ -21,6 +21,7 @@ import (
 	"gvisor.dev/gvisor/pkg/hostarch"
 	"gvisor.dev/gvisor/pkg/marshal/primitive"
 	"gvisor.dev/gvisor/pkg/sentry/arch"
+	"gvisor.dev/gvisor/pkg/sentry/fsimpl/pidfd"
 	"gvisor.dev/gvisor/pkg/sentry/kernel"
 	"gvisor.dev/gvisor/pkg/sentry/kernel/sched"
 	"gvisor.dev/gvisor/pkg/sentry/loader"
@@ -381,6 +382,23 @@ func Waitid(t *kernel.Task, sysno uintptr, args arch.SyscallArguments) (uintptr,
 		wopts.SpecificTID = kernel.ThreadID(id)
 	case linux.P_PGID:
 		wopts.SpecificPGID = kernel.ProcessGroupID(id)
+	case linux.P_PIDFD:
+		file := t.GetFile(int32(id))
+		if file == nil {
+			return 0, nil, linuxerr.EINVAL
+		}
+		defer file.DecRef(t)
+
+		pfd, ok := file.Impl().(*pidfd.ProcessFileDescription)
+		if !ok {
+			return 0, nil, linuxerr.EINVAL
+		}
+
+		if pfd.Nonblocking() && !pfd.TaskExited() {
+			return 0, nil, linuxerr.EAGAIN
+		}
+
+		wopts.SpecificTID = pfd.PID()
 	default:
 		return 0, nil, linuxerr.EINVAL
 	}

Diff for: test/syscalls/BUILD

@@ -479,6 +479,10 @@ syscall_test(
     test = "//test/syscalls/linux:pause_test",
 )
 
+syscall_test(
+    test = "//test/syscalls/linux:pidfd_test",
+)
+
 syscall_test(
     size = "medium",
     add_hostinet = True,

Diff for: test/syscalls/linux/BUILD

@@ -1674,6 +1674,20 @@ cc_binary(
     ],
 )
 
+cc_binary(
+    name = "pidfd_test",
+    testonly = 1,
+    srcs = ["pidfd.cc"],
+    linkstatic = 1,
+    malloc = "//test/util:errno_safe_allocator",
+    deps = select_gtest() + [
+        "//test/util:test_main",
+        "//test/util:test_util",
+        "//test/util:thread_util",
+        "//test/util:time_util",
+    ],
+)
+
 cc_binary(
     name = "ping_socket_test",
     testonly = 1,