On Sun, Aug 28, 2016 at 11:15 PM, Richard Braun
<rbraun@sceen.net> wrote:
On Sun, Aug 28, 2016 at 05:12:35PM -1000, Brent W. Baccala wrote:
> The obvious additional client would be a remote kernel, but as the exploit
> program that I posted shows, it could just as easily be an unprivileged
> process. You don't need much permission to get a memory object, just read
> access on the file.
OK, this comes from the fact that io_map directly provides memory
objects indeed... Do we actually want to pass them around ? How
come calls like memory_object_init (specifically meant to be used
between the kernel and the pager) can be made from any client ?
Good question!
How could we authenticate the kernel to avoid unprivileged access?
The changes involved here are heavy, which is one reason we'd want
to avoid them. It also makes the system slightly slower by adding
a new layer of abstraction. So we may just want to support multiple
clients at the pager level, but I really don't see the benefit
other than "it works". You really need to justify why it's a good
thing that any unprivileged client is allowed to perform memory
object management calls...
I don't see why unprivileged clients should be able to participate in this protocol.
We need multi-client support so that multiple privileged clients can participate.
My goal is to build a single system image Hurd cluster. We need to support multiple processes mmap'ing the same file, for basic POSIX compatibility. If those processes are on different nodes, then the file server needs to handle multiple kernels as paging clients.
In addition, I've just thought about something else : if we handle
multiple clients, how do we make sure that two kernels, caching the
same file, don't just completely corrupt its content ? We'd need
some kind of cooperation to prevent the file being mapped more than
once I suppose, right ?
They can already do that with ordinary io_write's. It's not that clients can trash the file if they don't have write access; they can't. It's a denial of service issue.