Run clang-format on the whole tree
[lttng-tools.git] / src / common / shm.cpp
0fdd1e2c 1/*
21cf9b6b 2 * Copyright (C) 2011 EfficiOS Inc.
ab5be9fa 3 * Copyright (C) 2011 Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
0fdd1e2c 4 *
ab5be9fa 5 * SPDX-License-Identifier: GPL-2.0-only
0fdd1e2c 6 *
0fdd1e2c
DG
7 */
8
6c1c0768 9#define _LGPL_SOURCE
28ab034a
JG
10#include "shm.hpp"
11
12#include <common/error.hpp>
13
0fdd1e2c
DG
14#include <fcntl.h>
15#include <limits.h>
16#include <sys/mman.h>
17#include <sys/stat.h>
18#include <sys/types.h>
19#include <sys/wait.h>
20#include <unistd.h>
21#include <urcu.h>
22
/*
 * Open the "wait" shared memory object at shm_path (creating it if it does
 * not exist yet), size it to mmap_size bytes and set its ownership and, for a
 * global session daemon, its final permissions.
 *
 * The shm_open vs ftruncate race (happening when the sessiond owns the shm
 * and does not let everybody modify it, to ensure safety against shm_unlink)
 * is dealt with by simply letting the mmap fail and retrying after a few
 * seconds. For global shm, everybody has rw access to it until the sessiond
 * starts.
 *
 * Security notes for reviewers:
 *  - The object is deliberately opened without O_EXCL, so it may have been
 *    created by another process. Everything done after the open goes through
 *    the file descriptor (ftruncate/fchown/fchmod), never through the path.
 *  - Only the global branch calls fchmod(). In the non-global branch an
 *    object that already existed keeps whatever mode it was created with.
 *  - umask() is a process-wide setting; it is changed here and restored on
 *    every exit path. NOTE(review): confirm no other thread creates files
 *    while the temporary umask is in effect.
 *
 * Returns the open file descriptor on success, -1 on error.
 */
static int get_wait_shm(char *shm_path, size_t mmap_size, int global)
{
	int fd = -1;
	int status;
	mode_t perms;
	mode_t saved_umask;

	LTTNG_ASSERT(shm_path);

	/* Baseline: read/write for the owner and for the group. */
	perms = S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP;

	if (global) {
		/*
		 * Any application can register with a global session daemon.
		 * The object starts out writeable by others so applications
		 * registering concurrently can do the ftruncate() themselves;
		 * write access for others is dropped again further down.
		 */
		perms |= S_IROTH | S_IWOTH;
	}

	/* Mask out every bit that is not part of the wanted permissions. */
	saved_umask = umask(~perms);

	/*
	 * Try creating the shm (or getting rw access to it). The open is not
	 * exclusive because other processes are allowed to create+ftruncate
	 * the object concurrently.
	 *
	 * A sysctl, fs.protected_regular, may prevent the session daemon from
	 * opening a previously created shm when the O_CREAT flag is provided.
	 * Systemd enables this ABI-breaking change by default since v241.
	 *
	 * The create-or-open semantic that is desired here is attempted
	 * first. If it fails with EACCES, the broken behaviour is worked
	 * around by opening the shm without the O_CREAT flag.
	 *
	 * The attempts are made in this order because applications are
	 * expected to race with the session daemon to create this shm. An
	 * shm_open() without O_CREAT made first could fail because the file
	 * does not exist; an application could then create it, which would
	 * make a second try with O_CREAT fail with EACCES.
	 *
	 * This introduces a new failure mode: a user could launch an
	 * application (creating the shm) and unlink the shm while the session
	 * daemon is launching, causing the second attempt to fail. This is
	 * not recovered from, as unlinking the shm prevents userspace tracing
	 * from succeeding anyhow: the sessiond would use a now-unlinked shm,
	 * while the next application would create a new named shm.
	 */
	fd = shm_open(shm_path, O_RDWR | O_CREAT, perms);
	if (fd < 0 && errno == EACCES) {
		/* Work around sysctl fs.protected_regular. */
		DBG("shm_open of %s returned EACCES, this may be caused "
		    "by the fs.protected_regular sysctl. "
		    "Attempting to open the shm without "
		    "creating it.",
		    shm_path);
		fd = shm_open(shm_path, O_RDWR, perms);
	}

	if (fd < 0) {
		PERROR("Failed to open \"wait\" shared memory object: path = '%s'", shm_path);
		goto error;
	}

	status = ftruncate(fd, mmap_size);
	if (status < 0) {
		PERROR("Failed to truncate \"wait\" shared memory object: fd = %d, size = %zu",
		       fd,
		       mmap_size);
		goto error;
	}

	if (!global) {
		/* Per-user daemon: the object belongs to the calling user. */
		status = fchown(fd, getuid(), getgid());
		if (status < 0) {
			PERROR("Failed to set ownership of \"wait\" shared memory object: fd = %d, owner = %d, group = %d",
			       fd,
			       getuid(),
			       getgid());
			goto error;
		}
	} else {
		/* Global daemon: hand the object over to uid 0 / gid 0. */
		status = fchown(fd, 0, 0);
		if (status < 0) {
			PERROR("Failed to set ownership of \"wait\" shared memory object: fd = %d, owner = 0, group = 0",
			       fd);
			goto error;
		}

		/*
		 * Any application can register with a global session daemon,
		 * so the shm must end up read-only for others.
		 */
		perms &= ~S_IWOTH;
		status = fchmod(fd, perms);
		if (status < 0) {
			PERROR("Failed to set the mode of the \"wait\" shared memory object: fd = %d, mode = %d",
			       fd,
			       perms);
			goto error;
		}
	}

	DBG("Wait shared memory file descriptor created successfully: path = '%s', mmap_size = %zu, global = %s, fd = %d",
	    shm_path,
	    mmap_size,
	    global ? "true" : "false",
	    fd);
	goto end;

error:
	DBG("Failing to get the wait shm fd");
	if (fd >= 0 && close(fd)) {
		PERROR("Failed to close wait shm file descriptor during error handling");
	}

	fd = -1;

end:
	/* Restore the caller's umask on the success and the error path alike. */
	(void) umask(saved_umask);
	return fd;
}
/*
 * Return the wait shm mmap for UST application notification. The global
 * parameter indicates whether the session daemon is global (root:tracing) or
 * running with an unprivileged user.
 *
 * The returned value is used by futex_wait_update() in futex.c to WAKE all
 * waiters, which are UST applications waiting for a session daemon.
 *
 * The mapping is one system page, shared (MAP_SHARED) and readable/writable.
 * It is backed by an object that applications may also open, so its content
 * should not be treated as private to the session daemon.
 *
 * Returns the mapped address on success, NULL on failure.
 */
char *shm_ust_get_mmap(char *shm_path, int global)
{
	LTTNG_ASSERT(shm_path);

	const long page_size = sysconf(_SC_PAGE_SIZE);
	if (page_size < 0) {
		PERROR("Failed to get PAGE_SIZE of system");
		return NULL;
	}

	/* The wait area spans exactly one page. */
	const size_t map_len = page_size;

	const int fd = get_wait_shm(shm_path, map_len, global);
	if (fd < 0) {
		return NULL;
	}

	void *mapping = mmap(NULL, map_len, PROT_WRITE | PROT_READ, MAP_SHARED, fd, 0);

	/*
	 * The descriptor is closed right after the mmap attempt, whether it
	 * succeeded or not; a close failure is only logged.
	 */
	if (close(fd)) {
		PERROR("Failed to close \"wait\" shared memory object file descriptor: fd = %d",
		       fd);
	}

	if (mapping == MAP_FAILED) {
		DBG("Failed to mmap the \"wait\" shareed memory object (can be caused by race with ust): path = '%s', global = %s",
		    shm_path,
		    global ? "true" : "false");
		return NULL;
	}

	return (char *) mapping;
}
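/*
 * Create an anonymous shared memory object and return a file descriptor
 * referring to it.
 *
 * A temporary name is built from owner_name and the pid of the calling
 * process, the object is created exclusively under that name and the name is
 * unlinked right away, leaving the returned descriptor as the only reference.
 *
 * The temporary name is predictable. O_EXCL makes shm_open() fail instead of
 * opening an object that already exists under that name, so a pre-existing
 * object leads to an error rather than to a shared object.
 *
 * NOTE(review): the object is created with mode 0700, which includes the
 * owner execute bit; confirm whether 0600 would be sufficient.
 *
 * shm_create_anonymous is never called concurrently within a process.
 *
 * Returns the file descriptor on success, -1 on error.
 */
int shm_create_anonymous(const char *owner_name)
{
	char tmp_name[NAME_MAX];
	int shmfd, ret;

	ret = snprintf(tmp_name, sizeof(tmp_name), "/shm-%s-%d", owner_name, getpid());
	if (ret < 0 || (size_t) ret >= sizeof(tmp_name)) {
		if (ret >= 0) {
			/*
			 * snprintf() truncated the name. The pid suffix is
			 * what distinguishes processes sharing an owner name,
			 * so a truncated name is rejected rather than used.
			 */
			errno = ENAMETOOLONG;
		}

		PERROR("Failed to format shm path: owner_name = '%s', pid = %d",
		       owner_name,
		       getpid());
		return -1;
	}

	/*
	 * Allocate shm, and immediately unlink its shm object, keeping only the
	 * file descriptor as a reference to the object.
	 */
	shmfd = shm_open(tmp_name, O_CREAT | O_EXCL | O_RDWR, 0700);
	if (shmfd < 0) {
		PERROR("Failed to open shared memory object: path = '%s'", tmp_name);
		goto error_shm_open;
	}

	/* ENOENT is tolerated: the name is already gone, which is the goal. */
	ret = shm_unlink(tmp_name);
	if (ret < 0 && errno != ENOENT) {
		PERROR("Failed to unlink shared memory object: path = '%s'", tmp_name);
		goto error_shm_release;
	}

	return shmfd;

error_shm_release:
	ret = close(shmfd);
	if (ret) {
		PERROR("Failed to close shared memory object file descriptor: fd = %d, path = '%s'",
		       shmfd,
		       tmp_name);
	}
error_shm_open:
	return -1;
}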