From mboxrd@z Thu Jan 1 00:00:00 1970 From: David Herrmann Subject: Re: [PATCH v3 0/7] File Sealing & memfd_create() Date: Fri, 13 Jun 2014 17:33:56 +0200 Message-ID: References: <1402655819-14325-1-git-send-email-dh.herrmann@gmail.com> Mime-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Return-path: In-Reply-To: Sender: linux-api-owner-u79uwXL29TY76Z2rM5mHXA@public.gmane.org To: Andy Lutomirski Cc: "linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org" , Michael Kerrisk , Ryan Lortie , Linus Torvalds , Andrew Morton , "linux-mm-Bw31MaZKKs3YtjvyW6yDsg@public.gmane.org" , Linux FS Devel , Linux API , Greg Kroah-Hartman , John Stultz , Lennart Poettering , Daniel Mack , Kay Sievers , Hugh Dickins , Tony Battersby List-Id: linux-api@vger.kernel.org Hi On Fri, Jun 13, 2014 at 5:17 PM, Andy Lutomirski wrote: > On Fri, Jun 13, 2014 at 8:15 AM, David Herrmann wrote: >> Hi >> >> On Fri, Jun 13, 2014 at 5:10 PM, Andy Lutomirski wrote: >>> On Fri, Jun 13, 2014 at 3:36 AM, David Herrmann wrote: >>>> Hi >>>> >>>> This is v3 of the File-Sealing and memfd_create() patches. You can find v1 with >>>> a longer introduction at gmane: >>>> http://thread.gmane.org/gmane.comp.video.dri.devel/102241 >>>> An LWN article about memfd+sealing is available, too: >>>> https://lwn.net/Articles/593918/ >>>> v2 with some more discussions can be found here: >>>> http://thread.gmane.org/gmane.linux.kernel.mm/115713 >>>> >>>> This series introduces two new APIs: >>>> memfd_create(): Think of this syscall as malloc() but it returns a >>>> file-descriptor instead of a pointer. That file-descriptor is >>>> backed by anon-memory and can be memory-mapped for access. >>>> sealing: The sealing API can be used to prevent a specific set of operations >>>> on a file-descriptor. You 'seal' the file and give thus the >>>> guarantee, that it cannot be modified in the specific ways. >>>> >>>> A short high-level introduction is also available here: >>>> http://dvdhrm.wordpress.com/2014/06/10/memfd_create2/ >>> >>> Potentially silly question: is it guaranteed that mmapping and reading >>> a SEAL_SHRINKed fd within size bounds will not SIGBUS? If so, should >>> this be documented? (The particular issue here would be reading >>> holes. It should work by using the zero page, but, if so, we should >>> probably make it a real documented guarantee.) >> >> No, this is not guaranteed. See the previous discussion in v2 on Patch >> 2/4 between Hugh and me. >> >> Summary is: If you want mmap-reads to not fail, use mlock(). There are >> many situations where a fault might fail (think: OOM) and sealing is >> not meant to protect against that. Btw., holes are automatically >> filled with fresh pages by shmem. So a read only fails in OOM >> situations (or memcg limits, etc.). >> > > Isn't the point of SEAL_SHRINK to allow servers to mmap and read > safely without worrying about SIGBUS? No, I don't think so. The point of SEAL_SHRINK is to prevent a file from shrinking. SIGBUS is an effect, not a cause. It's only a coincidence that "OOM during reads" and "reading beyond file-boundaries" has the same effect: SIGBUS. We only protect against reading beyond file-boundaries due to shrinking. Therefore, OOM-SIGBUS is unrelated to SEAL_SHRINK. Anyone dealing with mmap() _has_ to use mlock() to protect against OOM-SIGBUS. Making SEAL_SHRINK protect against OOM-SIGBUS would be redundant, because you can achieve the same with SEAL_SHRINK+mlock(). Thanks David