cvs commit: src/sys/kern kern_descrip.c uipc_sem.c uipc_shm.c src/sys/modules/sem Makefile src/sys/security/mac mac_framework.h mac_policy.h mac_posix_sem.c src/sys/security/mac_biba mac_biba.c src/sys/security/mac_mls mac_mls.c src/sys/security/mac_stub ...

John Baldwin jhb at FreeBSD.org
Fri Jun 27 05:45:11 UTC 2008


jhb         2008-06-27 05:39:04 UTC

  FreeBSD src repository

  Modified files:
    sys/kern             kern_descrip.c uipc_sem.c uipc_shm.c 
    sys/modules/sem      Makefile 
    sys/security/mac     mac_framework.h mac_policy.h 
                         mac_posix_sem.c 
    sys/security/mac_biba mac_biba.c 
    sys/security/mac_mls mac_mls.c 
    sys/security/mac_stub mac_stub.c 
    sys/security/mac_test mac_test.c 
    sys/sys              file.h ksem.h user.h 
    usr.bin/procstat     procstat_files.c 
  Added files:
    tools/regression/posixsem Makefile posixsem.c posixsem.t 
                              test.c test.h 
  Log:
  SVN rev 180059 on 2008-06-27 05:39:04Z by jhb
  
  Rework the lifetime management of the kernel implementation of POSIX
  semaphores.  Specifically, semaphores are now represented as new file
  descriptor type that is set to close on exec.  This removes the need for
  all of the manual process reference counting (and fork, exec, and exit
  event handlers) as the normal file descriptor operations handle all of
  that for us nicely.  It is also suggested as one possible implementation
  in the spec and at least one other OS (OS X) uses this approach.
  
  Some bugs that were fixed as a result include:
  - References to a named semaphore whose name is removed still work after
    the sem_unlink() operation.  Prior to this patch, if a semaphore's name
    was removed, valid handles from sem_open() would get EINVAL errors from
    sem_getvalue(), sem_post(), etc.  This fixes that.
  - Unnamed semaphores created with sem_init() were not cleaned up when a
    process exited or exec'd.  They were only cleaned up if the process
    did an explicit sem_destroy().  This could result in a leak of semaphore
    objects that could never be cleaned up.
  - On the other hand, if another process guessed the id (kernel pointer to
    'struct ksem' of an unnamed semaphore (created via sem_init)) and had
    write access to the semaphore based on UID/GID checks, then that other
    process could manipulate the semaphore via sem_destroy(), sem_post(),
    sem_wait(), etc.
  - As part of the permission check (UID/GID), the umask of the process
    creating the semaphore was not honored.  Thus if your umask denied group
    read/write access but the explicit mode in the sem_init() call allowed
    it, the semaphore would be readable/writable by other users in the
    same group, for example.  This includes access via the previous bug.
  - If the module refused to unload because there were active semaphores,
    then it might have deregistered one or more of the semaphore system
    calls before it noticed that there was a problem.  I'm not sure if
    this actually happened as the order that modules are discovered by the
    kernel linker depends on how the actual .ko file is linked.  One can
    make the order deterministic by using a single module with a mod_event
    handler that explicitly registers syscalls (and deregisters during
    unload after any checks).  This also fixes a race where even if the
    sem_module unloaded first it would have destroyed locks that the
    syscalls might be trying to access if they are still executing when
    they are unloaded.
  
    XXX: By the way, deregistering system calls doesn't do any blocking
    to drain any threads from the calls.
  - Some minor fixes to errno values on error.  For example, sem_init()
    isn't documented to return ENFILE or EMFILE if we run out of semaphores
    the way that sem_open() can.  Instead, it should return ENOSPC in that
    case.
  
  Other changes:
  - Kernel semaphores now use a hash table to manage the namespace of
    named semaphores nearly in a similar fashion to the POSIX shared memory
    object file descriptors.  Kernel semaphores can now also have names
    longer than 14 chars (up to MAXPATHLEN) and can include subdirectories
    in their pathname.
  - The UID/GID permission checks for access to a named semaphore are now
    done via vaccess() rather than a home-rolled set of checks.
  - Now that kernel semaphores have an associated file object, the various
    MAC checks for POSIX semaphores accept both a file credential and an
    active credential.  There is also a new posixsem_check_stat() since it
    is possible to fstat() a semaphore file descriptor.
  - A small set of regression tests (using the ksem API directly) is present
    in src/tools/regression/posixsem.
  
  Reported by:    kris (1)
  Tested by:      kris
  Reviewed by:    rwatson (lightly)
  MFC after:      1 month
  
  Revision  Changes    Path
  1.335     +6 -0      src/sys/kern/kern_descrip.c
  1.34      +563 -625  src/sys/kern/uipc_sem.c
  1.5       +4 -0      src/sys/kern/uipc_shm.c
  1.3       +1 -1      src/sys/modules/sem/Makefile
  1.100     +8 -3      src/sys/security/mac/mac_framework.h
  1.110     +13 -6     src/sys/security/mac/mac_policy.h
  1.14      +24 -6     src/sys/security/mac/mac_posix_sem.c
  1.120     +25 -6     src/sys/security/mac_biba/mac_biba.c
  1.102     +25 -6     src/sys/security/mac_mls/mac_mls.c
  1.83      +15 -6     src/sys/security/mac_stub/mac_stub.c
  1.98      +26 -9     src/sys/security/mac_test/mac_test.c
  1.80      +1 -0      src/sys/sys/file.h
  1.4       +24 -18    src/sys/sys/ksem.h
  1.76      +1 -0      src/sys/sys/user.h
  1.1       +11 -0     src/tools/regression/posixsem/Makefile (new)
  1.1       +1437 -0   src/tools/regression/posixsem/posixsem.c (new)
  1.1       +5 -0      src/tools/regression/posixsem/posixsem.t (new)
  1.1       +128 -0    src/tools/regression/posixsem/test.c (new)
  1.1       +59 -0     src/tools/regression/posixsem/test.h (new)
  1.6       +4 -0      src/usr.bin/procstat/procstat_files.c
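The first bug in the log (handles from sem_open() stopping to work once
sem_unlink() removed the name) is a rule of the POSIX named-semaphore API
that a userland program can check directly. The C program below is an
added illustration written for this page; it is not code from the commit,
from the regression tests in src/tools/regression/posixsem (which drive
the ksem API directly), or from any FreeBSD source. It uses only the
portable sem_* interfaces, the semaphore name is constructed here from
the process id, and the expected behaviour is the one the log describes
as correct: after sem_unlink() a fresh lookup of the name fails with
ENOENT, but the handle already held keeps working for sem_post(),
sem_getvalue() and sem_wait() until it is closed.

```c
#include <errno.h>
#include <fcntl.h>
#include <semaphore.h>
#include <stdio.h>
#include <unistd.h>

/*
 * Check the lifetime rule described in the commit log: a handle from
 * sem_open() must stay usable after sem_unlink() removes the name; only
 * new lookups of that name should fail.  Returns 0 when every step behaves
 * as expected, otherwise the number of the first check that failed.
 */
int unlinked_handle_still_works(void)
{
    char name[64];
    sem_t *s, *again;
    int value = -1;

    /* Constructed, per-process name so concurrent runs do not collide. */
    snprintf(name, sizeof(name), "/unlinktest.%ld", (long)getpid());

    s = sem_open(name, O_CREAT | O_EXCL, 0600, 0);
    if (s == SEM_FAILED)
        return 1;

    /* Remove the name while we still hold a valid handle. */
    if (sem_unlink(name) != 0) {
        sem_close(s);
        return 2;
    }

    /* The name is gone: a lookup without O_CREAT must fail with ENOENT. */
    again = sem_open(name, 0);
    if (again != SEM_FAILED || errno != ENOENT) {
        if (again != SEM_FAILED)
            sem_close(again);
        sem_close(s);
        return 3;
    }

    /* The existing handle must keep working: post, read the count, wait. */
    if (sem_post(s) != 0) { sem_close(s); return 4; }
    if (sem_getvalue(s, &value) != 0 || value != 1) { sem_close(s); return 5; }
    if (sem_trywait(s) != 0) { sem_close(s); return 6; }
    if (sem_getvalue(s, &value) != 0 || value != 0) { sem_close(s); return 7; }

    /* Closing the last handle releases the object; the name went away above. */
    return sem_close(s) == 0 ? 0 : 8;
}

int main(void)
{
    int rc = unlinked_handle_still_works();

    if (rc != 0)
        fprintf(stderr, "check %d failed\n", rc);
    else
        puts("sem_open() handle survived sem_unlink(): ok");
    return rc;
}
```

On a kernel with the pre-commit behaviour the log describes, check 4 or 5
is where this program would stop, with EINVAL from the first operation on
the unlinked handle. Older libc builds may need -pthread or -lrt on the
link line for the sem_* symbols.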

