pidns: Don't allow new processes in a dead pid namespace.

By adding a flag to track when a pid namespace is dead, and
by testing that flag just before a process attaches to the
pid namespace, it is possible to guarantee that processes
never enter a dead pid namespace.  Currently sending SIGKILL
to all of the processes in a dead pid namespace gives us this
guarantee but we need something a little stronger to support
unsharing and joining a pid namespace.

To ensure that this does not slow down the common case I
tested this code with lat_proc from lm_bench and I did
not see any increase in the fork overhead.

Signed-off-by: Eric W. Biederman <>
4 files changed