Linux 7.1 Adds New Child Auto-Reap & PIDFD Auto-Kill Flags For clone3()
The clone3() system call in Linux 7.1 is adding three new flags for greater control over the creation of child processes.
One of the new flags for clone3() in Linux 7.1 is CLONE_AUTOREAP. Using the CLONE_AUTOREAP flag will make child processes auto-reap on exit without the chance of becoming a zombie process.
Another new flag is CLONE_PIDFD_AUTOKILL to tie the child's lifetime to the process ID file descriptor returned from the clone3() system call. The CLONE_PIDFD_AUTOKILL is intended to help with container runtimes, service managers, sandboxed sub-process execution and other workloads where the child processes should die if the parent process crashes.
There is also CLONE_NNP added to allow enforcing no new privileges beavhior (akin to the "no_new_privs" prctl flag on itself) on children at creation time, benefiting spawn-and-sandbox approaches.
These new clone3() flags have been merged via this pull request for Linux 7.1.
One of the new flags for clone3() in Linux 7.1 is CLONE_AUTOREAP. Using the CLONE_AUTOREAP flag will make child processes auto-reap on exit without the chance of becoming a zombie process.
Another new flag is CLONE_PIDFD_AUTOKILL to tie the child's lifetime to the process ID file descriptor returned from the clone3() system call. The CLONE_PIDFD_AUTOKILL is intended to help with container runtimes, service managers, sandboxed sub-process execution and other workloads where the child processes should die if the parent process crashes.
There is also CLONE_NNP added to allow enforcing no new privileges beavhior (akin to the "no_new_privs" prctl flag on itself) on children at creation time, benefiting spawn-and-sandbox approaches.
These new clone3() flags have been merged via this pull request for Linux 7.1.