
pgrep: Add support for ignoring ancestors with -A/--ignore-ancestors

Chris Down requested to merge cdown/procps:cdown/2022-08-10/ancestors into newlib

pgrep and friends naturally filter their own processes from their matches. The same issue can occur when elevating with tools like sudo or doas, where the elevating shim layers linger as a parent and are returned in the results. For example:

% sudo pkill -9 -cf someelevatedcmdline
1
zsh: killed     sudo pkill -9 -cf someelevatedcmdline

This is a situation we've actually seen in production, where some poor soul changes how permission management works (for example with Linux's hidepid option), needs to elevate a pgrep or pkill call, and now ends up with more than they bargained for. Even after the issue is noticed, resolving it requires reinventing some of the pgrep logic, which is unfortunate.

This commit adds the -A/--ignore-ancestors option which excludes pgrep's ancestors from the results:

% sudo ./pkill -9 -Acf someelevatedcmdline
0

We look at multiple layers of the process hierarchy because, while things like sudo only have one layer of shimming, some mechanisms (like those found in a typical container manager such as Docker or Kubernetes) may have many more.

Signed-off-by: Chris Down <chris@chrisdown.name>
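The ancestor walk the merge request describes, as an added illustration rather than procps' own implementation: the parent pid of each process is read from field 4 of /proc/<pid>/stat, the chain is followed upwards until pid 0, and a list of already-matched pids is then filtered either with pgrep's usual self-only exclusion or with the whole ancestor chain excluded (the -A behaviour). One caveat worth keeping in a parser like this: the comm field in /proc/<pid>/stat is parenthesised and may itself contain spaces or ')', so the ppid must be parsed from after the last ')' rather than by splitting on whitespace from the left. The pid tree used in the comments and in ppid_from_sample is constructed for the example and mirrors the sudo case from the description; it is not taken from any real system.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

/* Parent pid from one /proc/<pid>/stat record. Field 2 (comm) is in
 * parentheses and may itself contain spaces or ')', so locate the LAST ')'
 * and parse "<state> <ppid>" from there instead of tokenising from the left. */
pid_t ppid_from_stat_line(const char *line)
{
    const char *close = strrchr(line, ')');
    char state;
    long ppid;
    if (close == NULL || sscanf(close + 1, " %c %ld", &state, &ppid) != 2)
        return -1;
    return (pid_t)ppid;
}

/* Parent pid of a live process, read from /proc. Returns -1 if unreadable. */
pid_t ppid_from_proc(pid_t pid)
{
    char path[64], buf[1024];
    snprintf(path, sizeof path, "/proc/%ld/stat", (long)pid);
    FILE *f = fopen(path, "r");
    if (f == NULL)
        return -1;
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    return ppid_from_stat_line(buf);
}

typedef pid_t (*ppid_lookup)(pid_t pid);

/* Walk the hierarchy upwards from `self`, recording every ancestor until the
 * chain reaches pid 0 (the kernel) or a lookup fails. Returns the count. */
size_t collect_ancestors(pid_t self, ppid_lookup lookup, pid_t *out, size_t max)
{
    size_t n = 0;
    pid_t cur = self;
    while (n < max) {
        pid_t parent = lookup(cur);
        if (parent <= 0 || parent == cur)   /* top of tree, error, or cycle */
            break;
        out[n++] = parent;
        cur = parent;
    }
    return n;
}

/* Apply the self/ancestor exclusion to a list of already-matched pids.
 * With ignore_ancestors == 0 only `self` is dropped (pgrep's usual rule);
 * with ignore_ancestors != 0 the whole ancestor chain is dropped too (-A). */
size_t filter_matches(const pid_t *matches, size_t n, pid_t self,
                      ppid_lookup lookup, int ignore_ancestors,
                      pid_t *out, size_t max)
{
    pid_t ancestors[64];
    size_t na = ignore_ancestors
              ? collect_ancestors(self, lookup, ancestors, 64) : 0;
    size_t kept = 0;
    for (size_t i = 0; i < n && kept < max; i++) {
        pid_t p = matches[i];
        int drop = (p == self);
        for (size_t j = 0; j < na && !drop; j++)
            drop = (p == ancestors[j]);
        if (!drop)
            out[kept++] = p;
    }
    return kept;
}

/* Constructed sample tree (not real pids), mirroring the sudo case:
 *   1 (init) -> 200 (sshd) -> 300 (zsh) -> 400 (sudo) -> 401 (pkill)
 *                                      \-> 500 (the target command)      */
static const pid_t sample_pid[]  = {1, 200, 300, 400, 401, 500};
static const pid_t sample_ppid[] = {0, 1,   200, 300, 400, 300};

pid_t ppid_from_sample(pid_t pid)
{
    for (size_t i = 0; i < sizeof sample_pid / sizeof sample_pid[0]; i++)
        if (sample_pid[i] == pid)
            return sample_ppid[i];
    return -1;
}

/* Stand-alone run: print the live ancestor chain of this process. */
int main(void)
{
    pid_t anc[64];
    size_t n = collect_ancestors(getpid(), ppid_from_proc, anc, 64);
    printf("ancestors of %ld:", (long)getpid());
    for (size_t i = 0; i < n; i++)
        printf(" %ld", (long)anc[i]);
    printf("\n");
    return 0;
}
```

In the sample tree, filtering the matches {400, 401, 500} as pid 401 keeps sudo (400) under the self-only rule but drops it once ancestors are excluded, which is exactly the difference between the two command lines shown above.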
