On Mon, Jan 24, 2022 at 03:15:36PM +0000, Mark Hemment wrote:
> From the code sample in your initial email (simplified), where a
> process creates a msharefs file with the anonymous mmap()ed region to
> be shared;
> addr = mmap(RDWR, ANON);
> mshare("testregion", addr, len, CREAT|RDWR|EXCL, 0600);
>
> Now, consider the case where the mmap() is named (that is, against a
> file). I believe this is the usecase for Oracle's SGA.
> My (simplified) code for msharing a named file ("SGA") using your
> proposed API (does not matter if the mapping is PRIVATE or SHARED);
> fd = open("SGA", RDWR);
> addr = mmap(RDWR, ..., fd);
> mshare("SGA-region", addr, len, CREAT|RDWR|EXCL, 0600);
Don't think of an mshared region as containing only one file.
It might easily contain dozens. Or none at the start. They're
dynamic; the mshare fd represents a chunk of address space, not
whatever is currently mapped there.
> If the permissions (usr/grp+perms+ACL) between the "SGA" file and the
> "SGA-region" msharefs are different, then it is very likely a serious
> security issue.
Only in the same sense that an application might open() a file that it
has permission to access and then open a pipe/socket to a process that
does not have permission and send the data to it.
