cvs commit: src/sys/kern kern_descrip.c uipc_sem.c uipc_shm.c src/sys/modules/sem Makefile src/sys/security/mac mac_framework.h mac_policy.h mac_posix_sem.c src/sys/security/mac_biba mac_biba.c src/sys/security/mac_mls mac_mls.c src/sys/security/mac_stub ...

John Baldwin jhb at
Fri Jun 27 05:45:11 UTC 2008

jhb         2008-06-27 05:39:04 UTC

  FreeBSD src repository

  Modified files:
    sys/kern             kern_descrip.c uipc_sem.c uipc_shm.c 
    sys/modules/sem      Makefile 
    sys/security/mac     mac_framework.h mac_policy.h 
    sys/security/mac_biba mac_biba.c 
    sys/security/mac_mls mac_mls.c 
    sys/security/mac_stub mac_stub.c 
    sys/security/mac_test mac_test.c 
    sys/sys              file.h ksem.h user.h 
    usr.bin/procstat     procstat_files.c 
  Added files:
    tools/regression/posixsem Makefile posixsem.c posixsem.t 
                              test.c test.h 
  SVN rev 180059 on 2008-06-27 05:39:04Z by jhb
  Rework the lifetime management of the kernel implementation of POSIX
  semaphores.  Specifically, semaphores are now represented as new file
  descriptor type that is set to close on exec.  This removes the need for
  all of the manual process reference counting (and fork, exec, and exit
  event handlers) as the normal file descriptor operations handle all of
  that for us nicely.  It is also suggested as one possible implementation
  in the spec and at least one other OS (OS X) uses this approach.
  Some bugs that were fixed as a result include:
  - References to a named semaphore whose name is removed still work after
    the sem_unlink() operation.  Prior to this patch, if a semaphore's name
    was removed, valid handles from sem_open() would get EINVAL errors from
    sem_getvalue(), sem_post(), etc.  This fixes that.
  - Unnamed semaphores created with sem_init() were not cleaned up when a
    process exited or exec'd.  They were only cleaned up if the process
    did an explicit sem_destroy().  This could result in a leak of semaphore
    objects that could never be cleaned up.
  - On the other hand, if another process guessed the id (kernel pointer to
    'struct ksem' of an unnamed semaphore (created via sem_init)) and had
    write access to the semaphore based on UID/GID checks, then that other
    process could manipulate the semaphore via sem_destroy(), sem_post(),
    sem_wait(), etc.
  - As part of the permission check (UID/GID), the umask of the proces
    creating the semaphore was not honored.  Thus if your umask denied group
    read/write access but the explicit mode in the sem_init() call allowed
    it, the semaphore would be readable/writable by other users in the
    same group, for example.  This includes access via the previous bug.
  - If the module refused to unload because there were active semaphores,
    then it might have deregistered one or more of the semaphore system
    calls before it noticed that there was a problem.  I'm not sure if
    this actually happened as the order that modules are discovered by the
    kernel linker depends on how the actual .ko file is linked.  One can
    make the order deterministic by using a single module with a mod_event
    handler that explicitly registers syscalls (and deregisters during
    unload after any checks).  This also fixes a race where even if the
    sem_module unloaded first it would have destroyed locks that the
    syscalls might be trying to access if they are still executing when
    they are unloaded.
    XXX: By the way, deregistering system calls doesn't do any blocking
    to drain any threads from the calls.
  - Some minor fixes to errno values on error.  For example, sem_init()
    isn't documented to return ENFILE or EMFILE if we run out of semaphores
    the way that sem_open() can.  Instead, it should return ENOSPC in that
  Other changes:
  - Kernel semaphores now use a hash table to manage the namespace of
    named semaphores nearly in a similar fashion to the POSIX shared memory
    object file descriptors.  Kernel semaphores can now also have names
    longer than 14 chars (up to MAXPATHLEN) and can include subdirectories
    in their pathname.
  - The UID/GID permission checks for access to a named semaphore are now
    done via vaccess() rather than a home-rolled set of checks.
  - Now that kernel semaphores have an associated file object, the various
    MAC checks for POSIX semaphores accept both a file credential and an
    active credential.  There is also a new posixsem_check_stat() since it
    is possible to fstat() a semaphore file descriptor.
  - A small set of regression tests (using the ksem API directly) is present
    in src/tools/regression/posixsem.
  Reported by:    kris (1)
  Tested by:      kris
  Reviewed by:    rwatson (lightly)
  MFC after:      1 month
  Revision  Changes    Path
  1.335     +6 -0      src/sys/kern/kern_descrip.c
  1.34      +563 -625  src/sys/kern/uipc_sem.c
  1.5       +4 -0      src/sys/kern/uipc_shm.c
  1.3       +1 -1      src/sys/modules/sem/Makefile
  1.100     +8 -3      src/sys/security/mac/mac_framework.h
  1.110     +13 -6     src/sys/security/mac/mac_policy.h
  1.14      +24 -6     src/sys/security/mac/mac_posix_sem.c
  1.120     +25 -6     src/sys/security/mac_biba/mac_biba.c
  1.102     +25 -6     src/sys/security/mac_mls/mac_mls.c
  1.83      +15 -6     src/sys/security/mac_stub/mac_stub.c
  1.98      +26 -9     src/sys/security/mac_test/mac_test.c
  1.80      +1 -0      src/sys/sys/file.h
  1.4       +24 -18    src/sys/sys/ksem.h
  1.76      +1 -0      src/sys/sys/user.h
  1.1       +11 -0     src/tools/regression/posixsem/Makefile (new)
  1.1       +1437 -0   src/tools/regression/posixsem/posixsem.c (new)
  1.1       +5 -0      src/tools/regression/posixsem/posixsem.t (new)
  1.1       +128 -0    src/tools/regression/posixsem/test.c (new)
  1.1       +59 -0     src/tools/regression/posixsem/test.h (new)
  1.6       +4 -0      src/usr.bin/procstat/procstat_files.c

More information about the cvs-src mailing list