When container is being removed, podman iterates
through its exec sessions and checks whether exec
session pid is still alive.
The problem is that the pid can be reused for other processes,
so that it may not belong to exec session.
In this scenario podman may kill another process
This commit prevents it by doing following changes:
- Adds the PIDData string to ExecSession struct. This string
is used to store additional context for a PID to later verify
that the PID killed by the podman is really the one started by
it.
- Adds new package called pidhandle which implements the methods
generating the PIDData, and killing the PID with the PIDData
ensuring the right PID is killed by verifying the metadata.
The new code uses pidfd_open and name_to_handle_at when available.
It fallbacks to process start-time get using the gopsutil package.
Fixes: #25104
Signed-off-by: Jan Kaluza <jkaluza@redhat.com>
