This is the mail archive of the libc-alpha@sourceware.org mailing list for the glibc project.

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]
Other format:	[Raw text]

Re: Supporting CLONE_NEWPID namespaces and process-shared mutexes supported?

From: Adhemerval Zanella <adhemerval dot zanella at linaro dot org>
To: libc-alpha at sourceware dot org
Date: Wed, 25 Oct 2017 11:23:20 -0200
Subject: Re: Supporting CLONE_NEWPID namespaces and process-shared mutexes supported?
Authentication-results: sourceware.org; auth=none
References: <4ad034eb-6eed-400e-9e9e-d30776157fad@redhat.com> <1508934836.26774.905.camel@redhat.com>

On 25/10/2017 10:33, Torvald Riegel wrote:
> On Tue, 2017-10-24 at 14:45 -0700, Carlos O'Donell wrote:
>> We use tid's in the internals of a mutex to identify owner. This is
>> considered unique for the system (though it has an ABA pid-reuse
>> problem).
> The owner is only required for some mutex types.  Are these types
> required for the intended use cases?
>

My understanding from previous discussion is to document the pitfalls
and limitation of using POSIX process-shared synchronization along 
with Linux only APIs that do not guarantee pid uniqueness.

Currently we have the following supported process-shared
synchronization:

  1. pthread_mutex_t with PTHREAD_PROCESS_SHARED
  2. pthread_rwlock_t with PTHREAD_PROCESS_SHARED
  3. pthread_cond_t with PTHREAD_PROCESS_SHARED
  4. pthread_barrier_t with PTHREAD_PROCESS_SHARED
  5. posix semaphore with positive pshared
  6. posix shared memory 
  7. SysV semaphore
  8. SysV shared memory

I think SysV API should work with CLONE_NEWPID unless user explicit
call clone with CLONE_NEWIPC.  Glibc posix shared memory will also 
work if the process shares the same filesystem with visibility to the
shmfs (and user can disable it by issuing clone with CLONE_NEWNS).

The other primitives are all based internally on futex on Linux
and afaik there is no namespace isolation for futex operations.
POSIX semaphore and pthread_barrier should not have issues
since they rely only futex values (no external system information
such as the process identifier).

With leads to shared pthread_mutex_t, pthread_rwlock_t, and
pthread_cond_t that does not actually work with CLONE_NEWPID.

What I think it might be controversial is exactly to provide
a process in a namespace external system information (in this
case a global identifier).  I am not sure about possible
security implication on this, but I do see that it is kinda
orthogonal of what CLONE_NEWPID is aiming as information
constriction.

Which lead to a question: what kind of process synchronization
we can not accomplish with current API that in theory should
work with CLONE_NEWPID?

References:
- Supporting CLONE_NEWPID namespaces and process-shared mutexes supported?
  - From: Carlos O'Donell
- Re: Supporting CLONE_NEWPID namespaces and process-shared mutexes supported?
  - From: Torvald Riegel

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]