Re: [PATCH] POSIX message queues

From: pwaechtler@mac.com
Date: Sat Aug 31 2002 - 06:43:56 EST

Next message: Kai Henningsen: "Re: [PATCH] Introduce BSD-style user credential [3/3]"
Previous message: Lionel Bouton: "Re: SMB browser"
In reply to: Amos Waterland: "Re: [PATCH] POSIX message queues"
Next in thread: Krzysztof Benedyczak: "Re: [PATCH] POSIX message queues"
Reply: Krzysztof Benedyczak: "Re: [PATCH] POSIX message queues"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Am Freitag den, 30. August 2002, um 11:48, schrieb Amos Waterland:

> On Thu, Aug 29, 2002 at 11:53:50PM +0200, pwaechtler@mac.com wrote:
>> some comments as asked for:
>>
>> I know that it's nowhere stated, but POSIX mqueues are perfectly
>> designed to be implemented in userspace with locking facilities
>> provided by the system.
>
> I am not sure if this is correct. You can achieve proper locking in
> userspace, but I do not think you achieve proper security.

Well, I can't think of efficient inter process locks without
kernel/scheduler help.
Do you want to use a spinlock, with lowering priority or even sleep, use
a pipe/fifo/flock or waiting in sigsuspend? This all is implemented in
kernel space.
How would you implement entirely userspace locking?
With futexes (fast "userspace" locks) only the uncontented case is
handled
in userspace - if there's contention the process waits inside the
kernel - or
does get a notification from the kernel (AWAIT or FD)

> I assume you are proposing an implementation based on shared memory:
> which means that at least some pages of the shared memory must be
> writable. If the processes cooperate and only write to the shared pages
> through library routines which use sychronization, things are ok, but a
> malicious process could forge messages or perform DOS attacks etc. by
> bypassing the mq_*() functions and using write().

yes, of course that could be compromised by a process with the same uid.
This process could simply kill the other process too.
The shm_open() employs proper file system permission on the object.

> The mq_maxmsg and mq_msgsize members of the mq_attr structure required
> if O_CREAT is passed to mq_open() ensure that an implementation can
> prevent the kernel memory DoS you mention: a malicious application can
> only fill up the MQ memory.

And how many mqueues am I allowed to create?
You would need an extra resource limit for that.

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Kai Henningsen: "Re: [PATCH] Introduce BSD-style user credential [3/3]"
Previous message: Lionel Bouton: "Re: SMB browser"
In reply to: Amos Waterland: "Re: [PATCH] POSIX message queues"
Next in thread: Krzysztof Benedyczak: "Re: [PATCH] POSIX message queues"
Reply: Krzysztof Benedyczak: "Re: [PATCH] POSIX message queues"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b29 : Sat Aug 31 2002 - 22:00:33 EST