src/bin/lttng-sessiond/shm.c

   1 /*
   2  * Copyright (C) 2011 David Goulet <david.goulet@polymtl.ca>
   3  * Copyright (C) 2011 Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
   4  *
   5  * SPDX-License-Identifier: GPL-2.0-only
   6  *
   7  */
   8
   9 #define _LGPL_SOURCE
  10 #include <fcntl.h>
  11 #include <limits.h>
  12 #include <sys/mman.h>
  13 #include <sys/stat.h>
  14 #include <sys/types.h>
  15 #include <sys/wait.h>
  16 #include <unistd.h>
  17 #include <urcu.h>
  18
  19 #include <common/error.h>
  20
  21 #include "shm.h"
  22
  23 /*
  24  * Using fork to set umask in the child process (not multi-thread safe). We
  25  * deal with the shm_open vs ftruncate race (happening when the sessiond owns
  26  * the shm and does not let everybody modify it, to ensure safety against
  27  * shm_unlink) by simply letting the mmap fail and retrying after a few
  28  * seconds. For global shm, everybody has rw access to it until the sessiond
  29  * starts.
  30  */
  31 static int get_wait_shm(char *shm_path, size_t mmap_size, int global)
  32 {
  33         int wait_shm_fd, ret;
  34         mode_t mode;
  35
  36         assert(shm_path);
  37
  38         /* Default permissions */
  39         mode = S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP;
  40
  41         /*
  42          * Change owner of the shm path.
  43          */
  44         if (global) {
  45                 /*
  46                  * If global session daemon, any application can
  47                  * register. Make it initially writeable so applications
  48                  * registering concurrently can do ftruncate() by
  49                  * themselves.
  50                  */
  51                 mode |= S_IROTH | S_IWOTH;
  52         }
  53
  54         /*
  55          * We're alone in a child process, so we can modify the process-wide
  56          * umask.
  57          */
  58         umask(~mode);
  59
  60         /*
  61          * Try creating shm (or get rw access). We don't do an exclusive open,
  62          * because we allow other processes to create+ftruncate it concurrently.
  63          *
  64          * A sysctl, fs.protected_regular may prevent the session daemon from
  65          * opening a previously created shm when the O_CREAT flag is provided.
  66          * Systemd enables this ABI-breaking change by default since v241.
  67          *
  68          * First, attempt to use the create-or-open semantic that is
  69          * desired here. If this fails with EACCES, work around this broken
  70          * behaviour and attempt to open the shm without the O_CREAT flag.
  71          *
  72          * The two attempts are made in this order since applications are
  73          * expected to race with the session daemon to create this shm.
  74          * Attempting an shm_open() without the O_CREAT flag first could fail
  75          * because the file doesn't exist. It could then be created by an
  76          * application, which would cause a second try with the O_CREAT flag to
  77          * fail with EACCES.
  78          *
  79          * Note that this introduces a new failure mode where a user could
  80          * launch an application (creating the shm) and unlink the shm while
  81          * the session daemon is launching, causing the second attempt
  82          * to fail. This is not recovered-from as unlinking the shm will
  83          * prevent userspace tracing from succeeding anyhow: the sessiond would
  84          * use a now-unlinked shm, while the next application would create
  85          * a new named shm.
  86          */
  87         wait_shm_fd = shm_open(shm_path, O_RDWR | O_CREAT, mode);
  88         if (wait_shm_fd < 0) {
  89                 if (errno == EACCES) {
  90                         /* Work around sysctl fs.protected_regular. */
  91                         DBG("shm_open of %s returned EACCES, this may be caused "
  92                                         "by the fs.protected_regular sysctl. "
  93                                         "Attempting to open the shm without "
  94                                         "creating it.", shm_path);
  95                         wait_shm_fd = shm_open(shm_path, O_RDWR, mode);
  96                 }
  97                 if (wait_shm_fd < 0) {
  98                         PERROR("Failed to open wait shm at %s", shm_path);
  99                         goto error;
 100                 }
 101         }
 102
 103         ret = ftruncate(wait_shm_fd, mmap_size);
 104         if (ret < 0) {
 105                 PERROR("ftruncate wait shm");
 106                 exit(EXIT_FAILURE);
 107         }
 108
 109         if (global) {
 110                 ret = fchown(wait_shm_fd, 0, 0);
 111                 if (ret < 0) {
 112                         PERROR("fchown");
 113                         exit(EXIT_FAILURE);
 114                 }
 115                 /*
 116                  * If global session daemon, any application can
 117                  * register so the shm needs to be set in read-only mode
 118                  * for others.
 119                  */
 120                 mode &= ~S_IWOTH;
 121                 ret = fchmod(wait_shm_fd, mode);
 122                 if (ret < 0) {
 123                         PERROR("fchmod");
 124                         exit(EXIT_FAILURE);
 125                 }
 126         } else {
 127                 ret = fchown(wait_shm_fd, getuid(), getgid());
 128                 if (ret < 0) {
 129                         PERROR("fchown");
 130                         exit(EXIT_FAILURE);
 131                 }
 132         }
 133
 134         DBG("Got the wait shm fd %d", wait_shm_fd);
 135
 136         return wait_shm_fd;
 137
 138 error:
 139         DBG("Failing to get the wait shm fd");
 140
 141         return -1;
 142 }
 143
 144 /*
 145  * Return the wait shm mmap for UST application notification. The global
 146  * variable is used to indicate if the the session daemon is global
 147  * (root:tracing) or running with an unprivileged user.
 148  *
 149  * This returned value is used by futex_wait_update() in futex.c to WAKE all
 150  * waiters which are UST application waiting for a session daemon.
 151  */
 152 char *shm_ust_get_mmap(char *shm_path, int global)
 153 {
 154         size_t mmap_size;
 155         int wait_shm_fd, ret;
 156         char *wait_shm_mmap;
 157         long sys_page_size;
 158
 159         assert(shm_path);
 160
 161         sys_page_size = sysconf(_SC_PAGE_SIZE);
 162         if (sys_page_size < 0) {
 163                 PERROR("sysconf PAGE_SIZE");
 164                 goto error;
 165         }
 166         mmap_size = sys_page_size;
 167
 168         wait_shm_fd = get_wait_shm(shm_path, mmap_size, global);
 169         if (wait_shm_fd < 0) {
 170                 goto error;
 171         }
 172
 173         wait_shm_mmap = mmap(NULL, mmap_size, PROT_WRITE | PROT_READ,
 174                         MAP_SHARED, wait_shm_fd, 0);
 175
 176         /* close shm fd immediately after taking the mmap reference */
 177         ret = close(wait_shm_fd);
 178         if (ret) {
 179                 PERROR("Error closing fd");
 180         }
 181
 182         if (wait_shm_mmap == MAP_FAILED) {
 183                 DBG("mmap error (can be caused by race with ust).");
 184                 goto error;
 185         }
 186
 187         return wait_shm_mmap;
 188
 189 error:
 190         return NULL;
 191 }