Linux shared memory: only allow read access


Question

I have a parent process that allocates shared memory and writes to it. It also starts child processes that only read the shared memory. However I don't have any control over the insights of those child processes. They are written by other programmers. These child processes are not supposed to write on the shared memory. So I wondered if I can allow them read permissions, but not write access.

However with shmget you can only specify general permission without being able to distinguish between read and write access.

I also thought about switching to shm_open & mmap as it seems that you can open the shared memory with O_RDONLY which forces the use of PROT_READ (read-only access) in the mmap call. Is it somehow possible to create two file descriptors with shm_open in the parent process: one with O_RDONLY and one with O_RDWR and then passing the O_RDONLY one to the child processes which can then map it into their process space? Of course, the children shouldn't have the permission to open the shared memory on their own by using shm_open because that would enable them to open it with O_RDWR.

Or did I get the concept wrong? Is it what I want even possible?

Recommended answer

"[T]he children shouldn't have the permission to open the shared memory on their own" implies that this is a security boundary, so shared memory is probably not appropriate. There are all sorts of odd synchronisation issues involved with shared memory, and you really want all users to play nicely with each other.

shm_open() is little more than a helper function to generate the name of a rendezvous file within "/dev/shm" and open() it. You then get to ftruncate() and mmap() it yourself. The mmap() call will fail if you ask for PROT_WRITE on a read-only file descriptor, which gives you the finer control that you seek.

So one thing you can do is shm_open(..., O_RDWR) in the parent and set up a writable mapping for the parent before closing the handle, then shm_open(..., O_RDONLY) to get a read-only file handle which you will pass to the children, followed by a shm_unlink() so that the children cannot then re-open the file. Children then use this read-only file handle for their own mappings.

If a child were to perform a read-write shm_open() after the parent has done a shm_unlink(), it would get a new rendezvous file and thus cannot affect the mapping in the parent or other children. However, a determined attacker could try and exploit a race condition when the parent creates a fresh mapping. How untrustworthy are these child processes?

You do not say if these child processes are separate executables. If they are, you will want to use fcntl() to duplicate the fd to a well-known fd number that is not marked close-on-exec so that the child can find it when it is launched.

I do however recommend you reconsider your need for shared memory if you do not trust child processes, and look at sending messages over a pipe or socketpair instead.
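The sequence the answer describes, written out as an added example (this is not code from the asker or the answerer): the parent creates the segment with `O_RDWR`, keeps a writable mapping, takes a second `O_RDONLY` descriptor for the children, and calls `shm_unlink()` so the name can no longer be opened. The checks then show the three properties that matter for the defender: a child can map the read-only fd with `PROT_READ` and see the parent's data, a `PROT_WRITE` shared mapping of that fd fails with `EACCES`, and re-opening by name after the unlink gets `ENOENT` rather than the live segment. The segment name, its size, the well-known fd number 3 and the string written into the segment are all constructed for the demo.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>

#define SEG_SIZE 4096   /* constructed segment size for the demo */
#define CHILD_FD 3      /* constructed well-known fd number for the child */

/* Parent: create the segment read-write, take a second read-only descriptor
 * for the children, then unlink the name so nobody can re-open it.
 * Returns the read-only fd (or -1); *rw_map receives the parent's writable mapping. */
int create_readonly_handle(const char *name, void **rw_map)
{
    int rw_fd = shm_open(name, O_RDWR | O_CREAT | O_EXCL, 0600);
    if (rw_fd < 0)
        return -1;
    void *map = MAP_FAILED;
    if (ftruncate(rw_fd, SEG_SIZE) == 0)
        map = mmap(NULL, SEG_SIZE, PROT_READ | PROT_WRITE, MAP_SHARED, rw_fd, 0);
    int ro_fd = (map == MAP_FAILED) ? -1 : shm_open(name, O_RDONLY, 0);
    shm_unlink(name);   /* the name is gone; only descriptors and mappings remain */
    close(rw_fd);       /* the parent keeps its writable mapping, not the writable fd */
    if (ro_fd < 0) {
        if (map != MAP_FAILED)
            munmap(map, SEG_SIZE);
        return -1;
    }
    *rw_map = map;
    return ro_fd;
}

/* Child: a read-only mapping of the fd works and sees the parent's data. */
int child_can_read(int ro_fd, const char *expected)
{
    char *p = mmap(NULL, SEG_SIZE, PROT_READ, MAP_SHARED, ro_fd, 0);
    if (p == MAP_FAILED)
        return 0;
    int ok = strncmp(p, expected, SEG_SIZE) == 0;
    munmap(p, SEG_SIZE);
    return ok;
}

/* Child: a writable shared mapping of the read-only fd is refused with EACCES. */
int child_write_mapping_denied(int ro_fd)
{
    void *p = mmap(NULL, SEG_SIZE, PROT_READ | PROT_WRITE, MAP_SHARED, ro_fd, 0);
    if (p != MAP_FAILED) {
        munmap(p, SEG_SIZE);
        return 0;
    }
    return errno == EACCES;
}

/* Child: re-opening by name after the parent's shm_unlink() gets ENOENT, not the segment. */
int reopen_by_name_denied(const char *name)
{
    int fd = shm_open(name, O_RDWR, 0);
    if (fd >= 0) {
        close(fd);
        return 0;
    }
    return errno == ENOENT;
}

/* Whole sequence in one process: returns 1 if every property holds. */
int demo(void)
{
    char name[64];
    snprintf(name, sizeof name, "/ro-shm-demo-%ld", (long)getpid()); /* constructed name */
    void *map;
    int ro_fd = create_readonly_handle(name, &map);
    if (ro_fd < 0)
        return 0;
    strcpy(map, "hello from parent");   /* parent writes through its own mapping */
    int ok = child_can_read(ro_fd, "hello from parent")
          && child_write_mapping_denied(ro_fd)
          && reopen_by_name_denied(name);
    close(ro_fd);
    munmap(map, SEG_SIZE);
    return ok;
}

/* Stand-alone run: the same checks from a forked child that finds the fd at a
 * well-known number (the dup2() copy is not close-on-exec, so an exec'd child sees it too). */
int main(void)
{
    char name[64];
    snprintf(name, sizeof name, "/ro-shm-demo-%ld", (long)getpid());
    void *map;
    int ro_fd = create_readonly_handle(name, &map);
    if (ro_fd < 0) { perror("create_readonly_handle"); return 1; }
    strcpy(map, "hello from parent");
    pid_t pid = fork();
    if (pid == 0) {
        if (ro_fd != CHILD_FD && dup2(ro_fd, CHILD_FD) < 0) _exit(2);
        int ok = child_can_read(CHILD_FD, "hello from parent")
              && child_write_mapping_denied(CHILD_FD)
              && reopen_by_name_denied(name);
        _exit(ok ? 0 : 1);
    }
    int status = 0;
    waitpid(pid, &status, 0);
    printf("child checks %s\n", WIFEXITED(status) && WEXITSTATUS(status) == 0 ? "passed" : "failed");
    return 0;
}
```

Note that the read-only descriptor only restricts what the kernel will map for the child; as the answer says, a child that still runs with the parent's privileges can race the creation of a fresh segment or reach the memory by other means, so this is access control inside a cooperating design, not a sandbox.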
