This is the mail archive of the libc-alpha@sourceware.org mailing list for the glibc project.
Re: Thread-, Signal- and Cancellation-safety documentation
- From: Florian Weimer <fweimer at redhat dot com>
- To: Alexandre Oliva <aoliva at redhat dot com>
- Cc: Rich Felker <dalias at aerifal dot cx>, Torvald Riegel <triegel at redhat dot com>, KOSAKI Motohiro <kosaki dot motohiro at gmail dot com>, libc-alpha <libc-alpha at sourceware dot org>
- Date: Tue, 04 Jun 2013 14:42:59 +0200
- Subject: Re: Thread-, Signal- and Cancellation-safety documentation
On 06/02/2013 07:20 PM, Alexandre Oliva wrote:
> Just like the other calls we mentioned before, when used in situations
> that assume and require some form of exclusivity that the black box
> library might break. Or can you somehow assure the black box library
> won't call creat or rename or whatever in the dir that was supposed to
> be exclusively used for something else, but can't equally assure it
> won't call chdir?!?

It's easy to create a separate sub-namespace in the file system, just by
using a specific directory tree for a clearly-defined purpose. For
applications like PostgreSQL, messing directly with files in their
private data directories is like attaching to the process with ptrace
and changing a few bits. All bets are off.

With chdir, umask, signal masks etc., there is just no way to introduce
a separate namespace in the same process (partly because we don't
support the clone system call). This even applies to cooperative,
carefully written libraries. They would probably use locking, but there
is no single lock they could agree to acquire.
--
Florian Weimer / Red Hat Product Security Team
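
An added illustration, not code from this thread or from glibc: the working directory is a single process-wide value, so a callee's chdir changes what the caller's relative paths resolve to, while lookups through a directory file descriptor held by the caller do not depend on it. `blackbox_call`, `cwd_demo` and the scratch directory are constructed stand-ins, and the example assumes /tmp is writable and that no file named /marker exists.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Hypothetical stand-in for the "black box library": as a side effect it
   changes the working directory, which is shared by the whole process. */
static void blackbox_call(void) {
    if (chdir("/") != 0)
        perror("chdir");
}

/* Returns a bitmask, or -1 if the setup fails:
   bit 0: relative lookup of "marker" worked before the library call
   bit 1: relative lookup of "marker" still works after the call
   bit 2: lookup relative to the caller's directory fd works after the call */
int cwd_demo(void) {
    char tmpl[] = "/tmp/cwd-demo-XXXXXX";   /* constructed scratch directory */
    int result = 0;

    if (mkdtemp(tmpl) == NULL) return -1;
    int dfd = open(tmpl, O_RDONLY | O_DIRECTORY);
    if (dfd < 0) return -1;
    int fd = openat(dfd, "marker", O_CREAT | O_WRONLY | O_EXCL, 0600);
    if (fd < 0) return -1;
    close(fd);
    if (chdir(tmpl) != 0) return -1;

    if (access("marker", F_OK) == 0) result |= 1;   /* resolved via cwd */
    blackbox_call();                                /* cwd is now "/" */
    if (access("marker", F_OK) == 0) result |= 2;   /* resolved via new cwd */
    if (faccessat(dfd, "marker", F_OK, 0) == 0) result |= 4; /* via dfd */

    /* Clean up through the descriptor, again independent of the cwd. */
    unlinkat(dfd, "marker", 0);
    close(dfd);
    rmdir(tmpl);
    return result;
}

int main(void) {
    int r = cwd_demo();
    if (r < 0) { perror("setup"); return 1; }
    printf("relative before: %d, relative after: %d, dirfd after: %d\n",
           r & 1, (r >> 1) & 1, (r >> 2) & 1);
    return 0;
}
```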