Changes in pidfd_autoreap_test.c

07c3ef58223e2c75ea209d8c416b976ec30d9413 - Merge tag 'vfs-7.1-rc1.pidfs' of git://git.kernel.org/pub/scm/linux/kernel/git/vfs/vfs

Mon, 13 Apr 2026 20:27:11 +0000

Merge tag 'vfs-7.1-rc1.pidfs' of git://git.kernel.org/pub/scm/linux/kernel/git/vfs/vfsPull clone and pidfs updates from Christian Brauner: "Add three new clone3() flags for pidfd-based process lifecycle management. CLONE_AUTOREAP: CLONE_AUTOREAP makes a child process auto-reap on exit without ever becoming a zombie. This is a per-process property in contrast to the existing auto-reap mechanism via SA_NOCLDWAIT or SIG_IGN for SIGCHLD which applies to all children of a given parent. Currently the only way to automatically reap children is to set SA_NOCLDWAIT or SIG_IGN on SIGCHLD. This is a parent-scoped property affecting all children which makes it unsuitable for libraries or applications that need selective auto-reaping of specific children while still being able to wait() on others. CLONE_AUTOREAP stores an autoreap flag in the child's signal_struct. When the child exits do_notify_parent() checks this flag and causes exit_notify() to transition the task directly to EXIT_DEAD. Since the flag lives on the child it survives reparenting: if the original parent exits and the child is reparented to a subreaper or init the child still auto-reaps when it eventually exits. This is cleaner than forcing the subreaper to get SIGCHLD and then reaping it. If the parent doesn't care the subreaper won't care. If there's a subreaper that would care it would be easy enough to add a prctl() that either just turns back on SIGCHLD and turns off auto-reaping or a prctl() that just notifies the subreaper whenever a child is reparented to it. CLONE_AUTOREAP can be combined with CLONE_PIDFD to allow the parent to monitor the child's exit via poll() and retrieve exit status via PIDFD_GET_INFO. Without CLONE_PIDFD it provides a fire-and-forget pattern. No exit signal is delivered so exit_signal must be zero. CLONE_THREAD and CLONE_PARENT are rejected: CLONE_THREAD because autoreap is a process-level property, and CLONE_PARENT because an autoreap child reparented via CLONE_PARENT could become an invisible zombie under a parent that never calls wait(). The flag is not inherited by the autoreap process's own children. Each child that should be autoreaped must be explicitly created with CLONE_AUTOREAP. CLONE_NNP: CLONE_NNP sets no_new_privs on the child at clone time. Unlike prctl(PR_SET_NO_NEW_PRIVS) which a process sets on itself, CLONE_NNP allows the parent to impose no_new_privs on the child at creation without affecting the parent's own privileges. CLONE_THREAD is rejected because threads share credentials. CLONE_NNP is useful on its own for any spawn-and-sandbox pattern but was specifically introduced to enable unprivileged usage of CLONE_PIDFD_AUTOKILL. CLONE_PIDFD_AUTOKILL: This flag ties a child's lifetime to the pidfd returned from clone3(). When the last reference to the struct file created by clone3() is closed the kernel sends SIGKILL to the child. A pidfd obtained via pidfd_open() for the same process does not keep the child alive and does not trigger autokill - only the specific struct file from clone3() has this property. This is useful for container runtimes, service managers, and sandboxed subprocess execution - any scenario where the child must die if the parent crashes or abandons the pidfd or just wants a throwaway helper process. CLONE_PIDFD_AUTOKILL requires both CLONE_PIDFD and CLONE_AUTOREAP. It requires CLONE_PIDFD because the whole point is tying the child's lifetime to the pidfd. It requires CLONE_AUTOREAP because a killed child with no one to reap it would become a zombie - the primary use case is the parent crashing or abandoning the pidfd so no one is around to call waitpid(). CLONE_THREAD is rejected because autokill targets a process not a thread. If CLONE_NNP is specified together with CLONE_PIDFD_AUTOKILL an unprivileged user may spawn a process that is autokilled. The child cannot escalate privileges via setuid/setgid exec after being spawned. If CLONE_PIDFD_AUTOKILL is specified without CLONE_NNP the caller must have have CAP_SYS_ADMIN in its user namespace"* tag 'vfs-7.1-rc1.pidfs' of git://git.kernel.org/pub/scm/linux/kernel/git/vfs/vfs: selftests: check pidfd_info->coredump_code correctness pidfds: add coredump_code field to pidfd_info kselftest/coredump: reintroduce null pointer dereference selftests/pidfd: add CLONE_PIDFD_AUTOKILL tests selftests/pidfd: add CLONE_NNP tests selftests/pidfd: add CLONE_AUTOREAP tests pidfd: add CLONE_PIDFD_AUTOKILL clone: add CLONE_NNP clone: add CLONE_AUTOREAP List of files: /linux/tools/testing/selftests/pidfd/pidfd_autoreap_test.c

a2900f5aa4e7724a2bf56ddb1a4f816d4fcc0598 - Merge patch series "pidfd: add CLONE_AUTOREAP, CLONE_NNP, and CLONE_PIDFD_AUTOKILL"

Wed, 11 Mar 2026 22:24:31 +0000

Merge patch series "pidfd: add CLONE_AUTOREAP, CLONE_NNP, and CLONE_PIDFD_AUTOKILL"Christian Brauner says:Add three new clone3() flags for pidfd-based process lifecyclemanagement.=== CLONE_AUTOREAP ===CLONE_AUTOREAP makes a child process auto-reap on exit without everbecoming a zombie. This is a per-process property in contrast to theexisting auto-reap mechanism via SA_NOCLDWAIT or SIG_IGN for SIGCHLDwhich applies to all children of a given parent.Currently the only way to automatically reap children is to setSA_NOCLDWAIT or SIG_IGN on SIGCHLD. This is a parent-scoped propertyaffecting all children which makes it unsuitable for libraries orapplications that need selective auto-reaping of specific children whilestill being able to wait() on others.CLONE_AUTOREAP stores an autoreap flag in the child's signal_struct.When the child exits do_notify_parent() checks this flag and causesexit_notify() to transition the task directly to EXIT_DEAD. Since theflag lives on the child it survives reparenting: if the original parentexits and the child is reparented to a subreaper or init the child stillauto-reaps when it eventually exits. This is cleaner than forcing thesubreaper to get SIGCHLD and then reaping it. If the parent doesn't carethe subreaper won't care. If there's a subreaper that would care itwould be easy enough to add a prctl() that either just turns back onSIGCHLD and turns off auto-reaping or a prctl() that just notifies thesubreaper whenever a child is reparented to it.CLONE_AUTOREAP can be combined with CLONE_PIDFD to allow the parent tomonitor the child's exit via poll() and retrieve exit status viaPIDFD_GET_INFO. Without CLONE_PIDFD it provides a fire-and-forgetpattern. No exit signal is delivered so exit_signal must be zero.CLONE_THREAD and CLONE_PARENT are rejected: CLONE_THREAD becauseautoreap is a process-level property, and CLONE_PARENT because anautoreap child reparented via CLONE_PARENT could become an invisiblezombie under a parent that never calls wait().The flag is not inherited by the autoreap process's own children. Eachchild that should be autoreaped must be explicitly created withCLONE_AUTOREAP.=== CLONE_NNP ===CLONE_NNP sets no_new_privs on the child at clone time. Unlikeprctl(PR_SET_NO_NEW_PRIVS) which a process sets on itself, CLONE_NNPallows the parent to impose no_new_privs on the child at creationwithout affecting the parent's own privileges. CLONE_THREAD is rejectedbecause threads share credentials. CLONE_NNP is useful on its own forany spawn-and-sandbox pattern but was specifically introduced to enableunprivileged usage of CLONE_PIDFD_AUTOKILL.=== CLONE_PIDFD_AUTOKILL ===This flag ties a child's lifetime to the pidfd returned from clone3().When the last reference to the struct file created by clone3() is closedthe kernel sends SIGKILL to the child. A pidfd obtained via pidfd_open()for the same process does not keep the child alive and does not triggerautokill - only the specific struct file from clone3() has thisproperty. This is useful for container runtimes, service managers, andsandboxed subprocess execution - any scenario where the child must dieif the parent crashes or abandons the pidfd or just wants a throwawayhelper process.CLONE_PIDFD_AUTOKILL requires both CLONE_PIDFD and CLONE_AUTOREAP. Itrequires CLONE_PIDFD because the whole point is tying the child'slifetime to the pidfd. It requires CLONE_AUTOREAP because a killed childwith no one to reap it would become a zombie - the primary use case isthe parent crashing or abandoning the pidfd so no one is around to callwaitpid(). CLONE_THREAD is rejected because autokill targets a processnot a thread.If CLONE_NNP is specified together with CLONE_PIDFD_AUTOKILL anunprivileged user may spawn a process that is autokilled. The childcannot escalate privileges via setuid/setgid exec after being spawned.If CLONE_PIDFD_AUTOKILL is specified without CLONE_NNP the caller musthave have CAP_SYS_ADMIN in its user namespace.* patches from https://patch.msgid.link/20260226-work-pidfs-autoreap-v5-0-d148b984a989@kernel.org: selftests/pidfd: add CLONE_PIDFD_AUTOKILL tests selftests/pidfd: add CLONE_NNP tests selftests/pidfd: add CLONE_AUTOREAP tests pidfd: add CLONE_PIDFD_AUTOKILL clone: add CLONE_NNP clone: add CLONE_AUTOREAPLink: https://patch.msgid.link/20260226-work-pidfs-autoreap-v5-0-d148b984a989@kernel.orgSigned-off-by: Christian Brauner List of files: /linux/tools/testing/selftests/pidfd/pidfd_autoreap_test.c

ec26879e6d89983b31fdb27d149854f42ee8d689 - selftests/pidfd: add CLONE_PIDFD_AUTOKILL tests

Thu, 26 Feb 2026 13:51:04 +0000

selftests/pidfd: add CLONE_PIDFD_AUTOKILL testsAdd tests for CLONE_PIDFD_AUTOKILL:- autokill_basic: Verify closing the clone3 pidfd kills the child.- autokill_requires_pidfd: Verify AUTOKILL without CLONE_PIDFD fails.- autokill_requires_autoreap: Verify AUTOKILL without CLONE_AUTOREAP fails.- autokill_rejects_thread: Verify AUTOKILL with CLONE_THREAD fails.- autokill_pidfd_open_no_effect: Verify only the clone3 pidfd triggers autokill, not pidfd_open().- autokill_requires_cap_sys_admin: Verify AUTOKILL without CLONE_NNP fails with -EPERM for an unprivileged caller.- autokill_without_nnp_with_cap: Verify AUTOKILL without CLONE_NNP succeeds with CAP_SYS_ADMIN.Link: https://patch.msgid.link/20260226-work-pidfs-autoreap-v5-6-d148b984a989@kernel.orgSigned-off-by: Christian Brauner List of files: /linux/tools/testing/selftests/pidfd/pidfd_autoreap_test.c

2a4d85aa1c0a894d962a15dc75e8489f1e91f5f6 - selftests/pidfd: add CLONE_NNP tests

Thu, 26 Feb 2026 13:51:03 +0000

selftests/pidfd: add CLONE_NNP testsAdd tests for the new CLONE_NNP flag:- nnp_sets_no_new_privs: Verify a child created with CLONE_NNP has no_new_privs set while the parent does not.- nnp_rejects_thread: Verify CLONE_NNP | CLONE_THREAD is rejected with -EINVAL since threads share credentials.- autoreap_no_new_privs_unset: Verify a plain CLONE_AUTOREAP child does not get no_new_privs.Link: https://patch.msgid.link/20260226-work-pidfs-autoreap-v5-5-d148b984a989@kernel.orgSigned-off-by: Christian Brauner List of files: /linux/tools/testing/selftests/pidfd/pidfd_autoreap_test.c

76d46ad2c52a4d7631274a35777ac4601103e2aa - selftests/pidfd: add CLONE_AUTOREAP tests

Thu, 26 Feb 2026 13:51:02 +0000

selftests/pidfd: add CLONE_AUTOREAP testsAdd tests for the new CLONE_AUTOREAP clone3() flag:- autoreap_without_pidfd: CLONE_AUTOREAP without CLONE_PIDFD works (fire-and-forget)- autoreap_rejects_exit_signal: CLONE_AUTOREAP with non-zero exit_signal fails- autoreap_rejects_parent: CLONE_AUTOREAP with CLONE_PARENT fails- autoreap_rejects_thread: CLONE_AUTOREAP with CLONE_THREAD fails- autoreap_basic: child exits, pidfd poll works, PIDFD_GET_INFO returns correct exit code, waitpid() returns -ECHILD- autoreap_signaled: child killed by signal, exit info correct via pidfd- autoreap_reparent: autoreap grandchild reparented to subreaper still auto-reaps- autoreap_multithreaded: autoreap process with sub-threads auto-reaps after last thread exits- autoreap_no_inherit: grandchild forked without CLONE_AUTOREAP becomes a regular zombieLink: https://patch.msgid.link/20260226-work-pidfs-autoreap-v5-4-d148b984a989@kernel.orgSigned-off-by: Christian Brauner List of files: /linux/tools/testing/selftests/pidfd/pidfd_autoreap_test.c