kernel: kill all pidns processes when their init terminates.

avagin · gvisor-bot · commit 5917d21e73d1 · 2025-08-05T17:57:45.000-07:00
This CL fixes an issue where processes in a PID namespace were not being properly terminated when the namespace's init process exited. Previously, if a "subreaper" process existed, it would adopt the orphaned processes from the PID namespace. The correct behavior is for all processes in the PID namespace to be killed when their init process dies. The fix involves modifying findReparentTargetLocked to ensure that if the exiting process is the init process for its PID namespace, no reparenting target is returned. This leads to the termination of all other processes in the namespace. Fixes #11981 PiperOrigin-RevId: 791442773
diff --git a/pkg/sentry/kernel/task_exit.go b/pkg/sentry/kernel/task_exit.go
@@ -35,8 +35,9 @@ import (
 	"gvisor.dev/gvisor/pkg/log"
 	"gvisor.dev/gvisor/pkg/sentry/kernel/auth"
 	"gvisor.dev/gvisor/pkg/sentry/seccheck"
-	pb "gvisor.dev/gvisor/pkg/sentry/seccheck/points/points_go_proto"
 	"gvisor.dev/gvisor/pkg/waiter"
+
+	pb "gvisor.dev/gvisor/pkg/sentry/seccheck/points/points_go_proto"
 )
 
 // TaskExitState represents a step in the task exit path.
@@ -435,6 +436,10 @@ func (t *Task) findReparentTargetLocked() *Task {
 		return t2
 	}
 
+	if t.tg.isInitInLocked(t.PIDNamespace()) {
+		return nil // The init process is terminating.
+	}
+
 	if !t.tg.hasChildSubreaper {
 		// No child subreaper exists. We can immediately return the
 		// init process in this PID namespace if it exists.
diff --git a/test/syscalls/linux/setns.cc b/test/syscalls/linux/setns.cc
@@ -12,9 +12,11 @@
 // See the License for the specific language governing permissions and
 // limitations under the License.
 
+#include <linux/prctl.h>
 #include <sched.h>
 #include <signal.h>
 #include <stdio.h>
+#include <sys/prctl.h>
 #include <sys/wait.h>
 
 #include <cstdint>
@@ -96,6 +98,9 @@ TEST(SetnsTest, ChangePIDNamespace) {
     return 0;
   };
 
+  // Check that a subreaper doesn't affect how pidns is destroyed.
+  ASSERT_THAT(prctl(PR_SET_CHILD_SUBREAPER, 1), SyscallSucceeds());
+
   // Fork a test process in a new PID namespace, because it needs to manipulate
   // with reparented processes.
   struct clone_arg {
@@ -139,6 +144,8 @@ TEST(SetnsTest, ChangePIDNamespace) {
   ASSERT_THAT(RetryEINTR(waitpid)(pid, &status, 0),
               SyscallSucceedsWithValue(pid));
   EXPECT_EQ(WEXITSTATUS(status), 5);
+
+  ASSERT_THAT(prctl(PR_SET_CHILD_SUBREAPER, 0), SyscallSucceeds());
 }
 
 }  // namespace
