This is the mail archive of the libc-alpha@sourceware.org mailing list for the glibc project.



Re: Thread-, Signal- and Cancellation-safety documentation


On 06/02/2013 07:20 PM, Alexandre Oliva wrote:
Just like the other calls we mentioned before, when used in situations
that assume and require some form of exclusivity that the black box
library might break.  Or can you somehow assure the black box library
won't call creat or rename or whatever in the dir that was supposed to
be exclusively used for something else, but can't equally assure it
won't call chdir?!?

It's easy to create a separate sub-namespace in the file system, just by using a specific directory tree for a clearly-defined purpose. For applications like PostgreSQL, messing directly with files in their private data directories is like attaching to the process with ptrace and changing a few bits. All bets are off.

With chdir, umask, signal masks etc., there is just no way to introduce a separate namespace in the same process (partly because we don't support the clone system call). This even applies to cooperative, carefully written libraries. They would probably use locking, but there is no single lock they could agree to acquire.

--
Florian Weimer / Red Hat Product Security Team
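As an added illustration (not part of this thread or of glibc), a small C program that shows the process-global state Florian describes: a stand-in "black box" routine calls chdir(), which silently redirects a caller's relative open(), while a lookup anchored on a directory fd via openat() still reaches the intended file. The temporary directory layout and the blackbox_library_call() routine are constructed for this example.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/stat.h>

/* Stand-in for an opaque third-party routine that, as a side effect, changes
   the process-wide working directory. Constructed for this example. */
static void blackbox_library_call(const char *dir) { int rc = chdir(dir); (void)rc; }

/* Fragile: resolves NAME against the current working directory, which every
   thread and library in the process shares and may change at any time. */
int open_relative(const char *name) { return open(name, O_RDONLY); }

/* Robust: resolves NAME against a directory fd captured up front, so a later
   chdir() elsewhere in the process cannot redirect the lookup. */
int open_anchored(int dirfd, const char *name) { return openat(dirfd, name, O_RDONLY); }

/* Builds two sibling directories, creates "config" only in the first, then lets
   the black box chdir() into the second. Returns 1 if the relative open was
   redirected (failed) while the anchored open still found the file, 0 if not,
   -1 on setup error. */
int demo_chdir_hazard(void) {
    char base[] = "/tmp/nsdemo.XXXXXX", data[64], other[64], cfg[80];
    if (!mkdtemp(base)) return -1;
    snprintf(data, sizeof data, "%s/data", base);
    snprintf(other, sizeof other, "%s/other", base);
    snprintf(cfg, sizeof cfg, "%s/config", data);
    if (mkdir(data, 0700) || mkdir(other, 0700)) return -1;
    int fd = open(cfg, O_WRONLY | O_CREAT, 0600);
    if (fd < 0) return -1;
    close(fd);
    int dirfd = open(data, O_RDONLY | O_DIRECTORY);  /* anchor captured once */
    if (dirfd < 0 || chdir(data)) return -1;
    blackbox_library_call(other);                    /* cwd silently changes */
    int rel = open_relative("config");               /* looks in "other": ENOENT */
    int anc = open_anchored(dirfd, "config");        /* still finds data/config */
    int redirected = (rel == -1 && anc >= 0);
    if (rel >= 0) close(rel);
    if (anc >= 0) close(anc);
    close(dirfd);
    if (chdir("/") == 0) { unlink(cfg); rmdir(data); rmdir(other); rmdir(base); }
    return redirected;
}

int main(void) {
    printf("relative open redirected by foreign chdir: %d\n", demo_chdir_hazard());
    return 0;
}
```

The same reasoning applies to umask and signal masks: there is no per-caller handle to anchor on, which is why those cannot be partitioned the way a directory tree can.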

