File sealing


File sealing

Simon Ser
Hi all,

File sealing is a Linux-specific safety mechanism that can be used when
sharing memory between two processes.

In this scenario, one process typically calls shm_open(SHM_ANON), mmaps
the result in its address space, writes interesting things in this slice
of memory, sends the file descriptor over a Unix socket to another
process. The other process then mmaps the file descriptor to its own
address space and reads the shared memory.

Sometimes the two processes don't trust each other, for instance in the
case of Wayland. Bad clients may try to crash the compositor.

One way to crash the compositor is to send a shared memory file descriptor
and then shrink the file. When the compositor tries to read the
now-unmapped part of the file it'll receive SIGBUS.

What the compositor currently does is that it handles SIGBUS and ignores it
if it's about a memory slice mmapped from IPC. Apart from being a hack,
this makes things complicated because:

* There are multiple Wayland interfaces that need to mmap a file descriptor
  sent over IPC. Collecting the list of IPC-mmapped regions is currently not
  possible with libwayland.
* Since SIGBUS is global state, handling it is difficult. Some other IPC
  mechanisms might need to add more regions to the list. Threads make this
  even more annoying.

See [1]

I'd like to know if there are plans to add a feature similar to file
sealing [2] in OpenBSD.

Thanks,

--
Simon Ser
https://emersion.fr

[1]: https://gitlab.freedesktop.org/wayland/wayland/issues/53#note_24663
[2]: https://lwn.net/Articles/591108/
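To make the mechanism in the post concrete, here is an added example (written for this thread, not code from Simon Ser, Wayland or any of the linked projects). It uses the Linux API, since file sealing only exists there: memfd_create(2) with MFD_ALLOW_SEALING stands in for shm_open(SHM_ANON), the sending side applies F_SEAL_SHRINK (plus F_SEAL_SEAL so the seal set itself is frozen), and the receiving side checks F_GET_SEALS and the file size before it mmaps anything. The payload, the memfd name and the function names are constructed for the example; it needs glibc 2.27 or newer for the memfd_create wrapper.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/stat.h>
#include <unistd.h>

/* Constructed sample payload, standing in for the pixel buffer a client shares. */
static const char SAMPLE_PAYLOAD[] = "constructed-shm-buffer-sample";

/* Sender side: create an anonymous memfd, fill it, and (when `sealed` is set)
 * forbid shrinking. F_SEAL_SEAL makes the seal set itself immutable, so the
 * peer cannot add or rely on later changes. Returns the fd, or -1 on error. */
int make_memfd(const void *data, size_t len, int sealed)
{
    int fd = memfd_create("shm-buffer-example", MFD_CLOEXEC | MFD_ALLOW_SEALING);
    if (fd < 0)
        return -1;
    if (ftruncate(fd, (off_t)len) < 0 ||
        pwrite(fd, data, len, 0) != (ssize_t)len) {
        close(fd);
        return -1;
    }
    if (sealed && fcntl(fd, F_ADD_SEALS, F_SEAL_SHRINK | F_SEAL_SEAL) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Receiver side (the compositor's position): before mapping a descriptor from
 * an untrusted peer, require F_SEAL_SHRINK and a size that covers the buffer
 * we intend to read. With these two facts, a later shrink by the sender can
 * no longer turn a read into SIGBUS. Returns 1 if safe to map, 0 otherwise. */
int fd_is_safe_to_map(int fd, size_t expected_len)
{
    struct stat st;
    int seals = fcntl(fd, F_GET_SEALS);
    if (seals < 0 || !(seals & F_SEAL_SHRINK))
        return 0;
    if (fstat(fd, &st) < 0 || st.st_size < 0)
        return 0;
    return (size_t)st.st_size >= expected_len ? 1 : 0;
}

/* The shrink the post describes, attempted after sharing. Returns 0 if it
 * succeeded (unsealed file), otherwise errno; a sealed memfd yields EPERM. */
int try_shrink(int fd)
{
    if (ftruncate(fd, 0) == 0)
        return 0;
    return errno;
}

/* Map the buffer read-only and compare it with the expected bytes.
 * Returns 1 on a match, 0 on mismatch or mapping failure. */
int map_and_compare(int fd, const void *expected, size_t len)
{
    int ok;
    void *p = mmap(NULL, len, PROT_READ, MAP_SHARED, fd, 0);
    if (p == MAP_FAILED)
        return 0;
    ok = memcmp(p, expected, len) == 0;
    munmap(p, len);
    return ok;
}

int main(void)
{
    size_t len = sizeof(SAMPLE_PAYLOAD);
    int sealed = make_memfd(SAMPLE_PAYLOAD, len, 1);
    int unsealed = make_memfd(SAMPLE_PAYLOAD, len, 0);
    int rc;

    if (sealed < 0 || unsealed < 0) {
        perror("memfd_create");
        return 1;
    }
    printf("sealed fd accepted by receiver:   %d\n", fd_is_safe_to_map(sealed, len));
    printf("unsealed fd accepted by receiver: %d\n", fd_is_safe_to_map(unsealed, len));
    rc = try_shrink(sealed);
    printf("shrink of sealed fd:   %s\n", rc ? strerror(rc) : "succeeded");
    rc = try_shrink(unsealed);
    printf("shrink of unsealed fd: %s\n", rc ? strerror(rc) : "succeeded");
    printf("sealed payload intact after mapping: %d\n",
           map_and_compare(sealed, SAMPLE_PAYLOAD, len));
    close(sealed);
    close(unsealed);
    return 0;
}
```

The receiver-side check is the part that replaces the SIGBUS handler: a descriptor without F_SEAL_SHRINK is simply refused before any mapping exists, so there is no per-region bookkeeping and no global signal state to coordinate across interfaces or threads.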


Re: File sealing

Ted Unangst-6
Simon Ser wrote:
> Hi all
> I'd like to know if there are plans to add a feature similar to file
> sealing [2] in OpenBSD.

I don't think so. You explained a possible use, but didn't actually explain if
code using file sealing already exists.


Re: File sealing

Simon Ser
Hi,

On Thursday, November 1, 2018 6:25 PM, Ted Unangst <[hidden email]> wrote:
> Simon Ser wrote:
>
> > Hi all
> > I'd like to know if there are plans to add a feature similar to file
> > sealing [2] in OpenBSD.
>
> I don't think so. You explained a possible use, but didn't actually explain if
> code using file sealing already exists.

Thanks for your reply. Indeed, code using file sealing exists, for instance
GTK+ [1] and GLFW [2].

I've been told that for this same use-case, another mechanism has already been
implemented on OpenBSD. It's an additional parameter that can be passed to mmap
and makes truncated regions appear as zeros instead of triggering SIGBUS. However
I couldn't find any more info about this. Can you tell me more about this?

Thanks,

Simon Ser

[1]: https://gitlab.gnome.org/GNOME/gtk/blob/master/gdk/wayland/gdkdisplay-wayland.c#L1223
[2]: https://github.com/glfw/glfw/blob/master/src/wl_window.c#L156


Re: File sealing

Ted Unangst-6
In reply to this post by Simon Ser
Simon Ser wrote:

> Sometimes the two processes don't trust each other, for instance in the
> case of Wayland. Bad clients may try to crash the compositor.
>
> One way to crash the compositor is to send a shared memory file descriptor
> and then shrink the file. When the compositor tries to read the
> now-unmapped part of the file it'll receive SIGBUS.
>
> What the compositor currently does is that it handles SIGBUS and ignores it
> if it's about a memory slice mmapped from IPC. Apart from being a hack,
> this makes things complicated because:

I've been reminded that there's a different way to solve this problem in OpenBSD.

The secret __MAP_NOFAULT flag to mmap. See for instance use in libxshmfence.


Re: File sealing

Simon Ser
On Thursday, November 1, 2018 6:49 PM, Ted Unangst <[hidden email]> wrote:
> I've been reminded that there's a different way to solve this problem in OpenBSD.
>
> The secret __MAP_NOFAULT flag to mmap. See for instance use in libxshmfence.

Oh, thanks! That's what I've been searching for.