[foresto]

> determine the PID of the process that you are talking to and use pidfd to validate where it is coming from.

The pidfd_open() man page doesn't list many things that can be done with a pidfd. What sort of validation do you have in mind?

I would love to have a reasonably snoop-proof secret storage service whose security model works with normal programs (as opposed to requiring Flatpaks or the like).

[jchw]

My reasoning behind the pidfd thing would just be as a way to try to avoid race conditions, though on second thought maybe it's not needed. I think you can take your pick on how exactly to validate the executable. My thought was to go (using /proc/.../exe) check that the file is root owned (and in a root owned directory structure) and then use its absolute path as a key. Seems like it would be a decent start that would get you somewhere on any OS.

I think it would also be feasible to add code signatures if we wanted to, though this would add additional challenges. As I noted elsewhere any scheme that wants to provide a true security boundary here would need to deal with potential bypasses like passing LD_PRELOAD. Still, I think that it has to be taken one step at a time.