From: Jeff Dike <jdike@addtoit.com>
To: Zach Brown <zach.brown@oracle.com>, Ingo Molnar <mingo@elte.hu>
Cc: LKML <linux-kernel@vger.kernel.org>
Subject: Syslets, signals, and security
Date: Mon, 4 Jun 2007 12:31:45 -0400 [thread overview]
Message-ID: <20070604163145.GA7144@c2.user-mode-linux.org> (raw)
Syslets seem like a fundamentally good idea to me, but the current
implementation, using CLONE_THREAD threads, seems like a basic
problem.
First, there are signals. If the app has an interval timer enabled,
every thread will inherit it and you will have 32 threads getting
alarms, which seems surprising and wasteful. I can imagine other
signals (like SIGWINCH and SIGHUP) which might be surprising to
receive multiple times in an obstensibly single-threaded process.
Second, security. What happens if a well-written server starts life
as root, does some (async) I/O, and setuids to a non-root uid? There
will be a bunch of async threads still running as root, with the
result that async operations (and the main thread) will more than
occassionally regain root privs.
You can fix this by going around to all the threads in the thread
group and changing their ->uid, but that seems somewhat kludgy. You
could also fix this by killing off the async threads on a setuid, and
make the app recreate the async threads under its new uid. However,
the current interface has no way to give the userspace stacks back to
the process, so this would force a memory leak on the process.
There's also ptrace, which (as I think Zach already mentioned) gets
along badly with syslets.
Offhand, it seems to me that the underlying problem is that the
threads all have their own task_structs and userspaces.
If only the main thread can receive signals and exit to userspace, the
signal surprises go away.
Similarly, if they all share a task structure, the setuid problem goes
away.
There are also warts in the current interface due to all of the
threads possibly being able to return to userspace:
they all need to be provided with userspace stacks
they need to be given an user IP to execute
there is a new system call for them to call when they land in
userspace.
Since the basic schedulable unit is currently a task_struct, and
syslets would prefer to have multiple schedulable units per
task_struct, this would imply some surgery on the task_struct and the
scheduler. What I think we'd want is for the basic schedulable unit
to be not much more than a kernel stack and a register set. A
(non-kernel-thread) task_struct would still be associated 1-1 with a
userspace, but could have multiple schedulable units, one of which is
allowed to exit to userspace.
Jeff
--
Work email - jdike at linux dot intel dot com
next reply other threads:[~2007-06-04 16:40 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2007-06-04 16:31 Jeff Dike [this message]
2007-06-04 17:16 ` Syslets, signals, and security Ulrich Drepper
2007-06-04 17:45 ` Zach Brown
2007-06-04 19:13 ` Jeff Dike
2007-06-04 20:57 ` Andi Kleen
2007-06-04 22:44 ` Alan Cox
2007-06-05 11:11 ` Andi Kleen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20070604163145.GA7144@c2.user-mode-linux.org \
--to=jdike@addtoit.com \
--cc=linux-kernel@vger.kernel.org \
--cc=mingo@elte.hu \
--cc=zach.brown@oracle.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox