From: Eric Wong <e@80x24.org>
To: Junio C Hamano <gitster@pobox.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>,
	Jeff King <peff@peff.net>, Git Mailing List <git@vger.kernel.org>,
	Lars Schneider <larsxschneider@gmail.com>,
	Johannes Schindelin <johannes.schindelin@gmx.de>
Subject: Re: [PATCH v3 2/3] sha1_file: open window into packfiles with O_CLOEXEC
Date: Fri, 28 Oct 2016 05:51:59 +0000
Message-ID: <20161028055159.GA25950@starla>
In-Reply-To: <xmqq60od42s0.fsf@gitster.mtv.corp.google.com>

Junio C Hamano <gitster@pobox.com> wrote:
> Junio C Hamano <gitster@pobox.com> writes:
> 
> > Linus Torvalds <torvalds@linux-foundation.org> writes:
> >
> >> On Thu, Oct 27, 2016 at 4:36 PM, Junio C Hamano <gitster@pobox.com> wrote:
> >>>
> >>> Would the best endgame shape for this function be to open with
> >>> O_NOATIME (and retry without), and then add CLOEXEC with fcntl(2)
> >>> but ignoring an error from it, I guess?  That would be the closest
> >>> to what we historically had, I would think.
> >>
> >> I think that's the best model.

Actually, I would flip the order of flags.  O_CLOEXEC is more
important from a correctness standpoint.

> > OK, so perhaps like this.
> 
> Hmph.  This may not fly well in practice, though.  
> 
> To Unix folks, CLOEXEC is not a huge correctness issue.  A child
> process may hold onto an open file descriptor a bit longer than the
> lifetime of the parent but as long as the child eventually exits,

I'm not too familiar with C internals of git; but I know we use
threads in some places, and fork+execve in others.

If our usage of threads and execve intersects, and we run
untrusted code in an execve-ed child, then only having cloexec
on open() will save us time when auditing for leaking FDs.

fcntl(fd, F_SETFD, O_CLOEXEC) is racy if there are other
threads doing execve; so I wouldn't rely on it as a first
choice.

So I suppose something like this:

	static int noatime = 1;
	int fd = open(... | O_CLOEXEC);
	...error checking and retrying...

	if (fd >= 0 && noatime && fcntl(fd, F_SETFL, O_NOATIME) != 0)
		noatime = 0;

	return fd;
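
The flag ordering discussed in this message, written out as an added C example (not code from the original message or from git): close-on-exec is requested atomically in open(), and O_NOATIME is applied afterwards on a best-effort basis. The names open_cloexec_noatime() and fd_is_cloexec() and the /dev/null sample path are assumptions made for illustration.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE   /* exposes O_NOATIME on Linux/glibc */
#endif
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>

/* Returns 1 if fd is closed on execve(), 0 if a child would inherit it, -1 on error. */
int fd_is_cloexec(int fd)
{
	int flags = fcntl(fd, F_GETFD);
	return flags < 0 ? -1 : !!(flags & FD_CLOEXEC);
}

/*
 * Hypothetical helper (not git's git_open()): close-on-exec is requested in
 * the open() call itself, so no other thread can fork+execve while the
 * descriptor is still inheritable. O_NOATIME is only an optimisation, so it
 * is added afterwards and any failure just disables further attempts.
 */
int open_cloexec_noatime(const char *path)
{
	static int noatime = 1;   /* sticky; unsynchronised, worst case is a wasted fcntl() */
	int fd = open(path, O_RDONLY | O_CLOEXEC);

	if (fd < 0)
		return -1;
#ifdef O_NOATIME
	if (noatime) {
		int fl = fcntl(fd, F_GETFL);
		/* EPERM is expected when the caller does not own the file. */
		if (fl < 0 || fcntl(fd, F_SETFL, fl | O_NOATIME) != 0)
			noatime = 0;
	}
#endif
	return fd;
}

int main(void)
{
	int fd = open_cloexec_noatime("/dev/null");   /* constructed sample path */
	int plain = open("/dev/null", O_RDONLY);      /* no O_CLOEXEC: inheritable */

	printf("helper fd cloexec=%d, plain fd cloexec=%d\n",
	       fd_is_cloexec(fd), fd_is_cloexec(plain));
	close(fd);
	close(plain);
	return 0;
}
```

The F_GETFD check in fd_is_cloexec() is also usable when auditing descriptors before an execve() of untrusted code.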
