1550891 - Re-add SHM_ANON support in IPC shared memory

Status: NEW

(Core :: IPC, enhancement, P3)

Description

[Jed Davis [:jld] ⟨⏰|UTC-7⟩ ⟦he/him⟧]

In bug 1479960, adding shared memory freezing, to simplify the changes I'm removing the support for SHM_ANON (a FreeBSD extension to shm_open similar to Linux's memfd_create) that I previously added. It could be readded for the non-freezeable case, but it's not essential and I'm breaking it out into a separate bug.

Specifically, it means we can make one system call instead of two (shm_open + shm_unlink), and there's no chance of leaking a shared memory object in the unlikely case of a crash between those operations.

Comment 1

[Jan Beich]

FreeBSD 13.0 can use bug 1440203 for freezeable case, see https://reviews.freebsd.org/D21393.

Comment 2

[Val Packett]

Attachment: Bug 1550891 - re-add SHM_ANON support in IPC shared memory, freezing via capabilities

Comment 3

[Val Packett]

We can use cap_rights_limit for freezing and that's backwards compatible all the way to 10.x if not even 9.x, if I understand freezing correctly.

(and yes, this is not undoable even outside of the capability mode sandbox, I just tried to set CAP_READ first and then set CAP_MMAP_R — "Capabilities insufficient")

it means we can make one system call instead of two (shm_open + shm_unlink), and there's no chance of leaking a shared memory object in the unlikely case of a crash between those operations

Also, avoids any possible filesystem problems (e.g. posix_fallocate not being supported by ZFS… well, not supported by shm either, but with shm the behavior is consistent on all machines)

and is absolutely necessary for Capsicum sandboxing which I'm working on :)

Comment 4

[Jan Beich]

Comment on attachment 9119576 [details]
Bug 1550891 - re-add SHM_ANON support in IPC shared memory, freezing via capabilities

Applied downstream after fixing style issues:

#ifdef XP_FREEBSD

XP_* is cruft from Netscape days. If required for cross-compilation the whole tree needs to be converted.

#pragma GCC visibility push(default)
#  include <sys/capsicum.h>
#pragma GCC visibility pop

Add sys/capsicum.h to config/system-headers.mozbuild in order to avoid pragmas every time the file is used.

(In reply to greg v [:myfreeweb] from comment #3)

not undoable even outside of the capability mode sandbox

Calling dup before cap_rights_limit would retain write permissions e.g., for use by main process.

Comment 5

[Val Packett]

(In reply to Jan Beich from comment #4)

XP_* is cruft from Netscape days. If required for cross-compilation the whole tree needs to be converted.

Huh, I saw XP_*BSD was added recently (for OpenBSD's pledge or something like that), I thought it's sort of more "proper". It's used in the fairly recent sandboxing code (grep for defined(XP_LINUX) && defined(MOZ_SANDBOX))…

Add sys/capsicum.h to config/system-headers.mozbuild in order to avoid pragmas every time the file is used.

Wow, thanks for the tip! :)

Comment 6

[Jan Beich]

(In reply to greg v [:myfreeweb] from comment #5)

saw XP_*BSD was added recently

In bug 1457092, because Mozilla preprocessor doesn't have __OpenBSD__ (or similar) predefined macros. XP_* makes it PITA to reuse code elsewhere or reason about outside of Gecko. XP_LINUX in particular is notorious for confusing desktop Linux and Android, leading to https://wiki.mozilla.org/Platform/Platform-specific_build_defines

# How useful XP_LINUX usage actually is?
$ rg --sort-files -l -T rust -T cpp -T c XP_LINUX
browser/app/profile/firefox.js
browser/installer/package-manifest.in
browser/themes/shared/jar.inc.mn
build/moz.configure/init.configure
modules/libpref/init/StaticPrefList.yaml
modules/libpref/init/all.js
python/mozbuild/mozbuild/artifacts.py
toolkit/content/aboutSupport.xhtml
toolkit/content/license.html
toolkit/modules/AppConstants.jsm

It's used in the fairly recent sandboxing code

See OpenBSD example. Using XP_FREEBSD for setting default prefs should be fine.

Comment 7

[Jan Beich]

EDIT: needs rebase to avoid accidentally omitting ro_file = mapped_file_;

Appears to cause a crash since Firefox 76:

(lldb) bt
* thread #1, name = 'firefox', stop reason = signal SIGSEGV: invalid address (fault address: 0x0)
  * frame #0: 0x0000000808006c1d libxul.so`mozilla::dom::ipc::SharedStringMap::SharedStringMap(mozilla::dom::ipc::SharedStringMapBuilder&&) + 93
    frame #1: 0x0000000805efebbb libxul.so`(anonymous namespace)::SharedStringBundle::LoadProperties() + 971
    frame #2: 0x0000000805efedde libxul.so`(anonymous namespace)::SharedStringBundle::GetStringImpl(nsTSubstring<char> const&, nsTSubstring<char16_t>&) + 46
    frame #3: 0x0000000805efbbfb libxul.so`nsStringBundleBase::GetStringFromName(char const*, nsTSubstring<char16_t>&) + 123
    frame #4: 0x000000080829a99d libxul.so`mozilla::widget::WidgetUtils::GetBrandShortName(nsTSubstring<char16_t>&) + 109
    frame #5: 0x00000008082f1b79 libxul.so`nsAppShell::Init() + 473
    frame #6: 0x0000000808318a76 libxul.so`nsWidgetGtk2ModuleCtor() + 102
    frame #7: 0x0000000805e25f28 libxul.so`mozilla::xpcom::CreateInstanceImpl(mozilla::xpcom::ModuleID, nsISupports*, nsID const&, void**) + 7672
    frame #8: 0x0000000805e34620 libxul.so`nsComponentManagerImpl::GetServiceLocked((anonymous namespace)::MutexLock&, (anonymous namespace)::EntryWrapper&, nsID const&, void**) + 704
    frame #9: 0x0000000805e30d27 libxul.so`nsComponentManagerImpl::GetService(nsID const&, nsID const&, void**) + 151
    frame #10: 0x0000000805e36887 libxul.so`nsGetServiceByCIDWithError::operator()(nsID const&, void**) const + 39
    frame #11: 0x0000000805dc111e libxul.so`nsCOMPtr_base::assign_from_gs_cid_with_error(nsGetServiceByCIDWithError const&, nsID const&) + 46
    frame #12: 0x00000008090b6455 libxul.so`nsAppStartup::Init() + 69
    frame #13: 0x0000000805e25487 libxul.so`mozilla::xpcom::CreateInstanceImpl(mozilla::xpcom::ModuleID, nsISupports*, nsID const&, void**) + 4951
    frame #14: 0x0000000805e34620 libxul.so`nsComponentManagerImpl::GetServiceLocked((anonymous namespace)::MutexLock&, (anonymous namespace)::EntryWrapper&, nsID const&, void**) + 704
    frame #15: 0x0000000805e349a0 libxul.so`nsComponentManagerImpl::GetService(mozilla::xpcom::ModuleID, nsID const&, void**) + 352
    frame #16: 0x0000000805e2bd9f libxul.so`mozilla::xpcom::GetServiceHelper::operator()(nsID const&, void**) const + 31
    frame #17: 0x0000000805dc131e libxul.so`nsCOMPtr_base::assign_from_helper(nsCOMPtr_helper const&, nsID const&) + 46
    frame #18: 0x0000000809161d43 libxul.so`ScopedXPCOMStartup::SetWindowCreator(nsINativeAppSupport*) + 99
    frame #19: 0x000000080916739d libxul.so`XREMain::XRE_mainRun() + 45
    frame #20: 0x0000000809168451 libxul.so`XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) + 993
    frame #21: 0x000000080916876e libxul.so`XRE_main(int, char**, mozilla::BootstrapConfig const&) + 174
    frame #22: 0x0000000001030469 firefox`main + 585
    frame #23: 0x000000000102ff55 firefox`_start(ap=<unavailable>, cleanup=<unavailable>) at crt1.c:76:7

Comment 8

[Jed Davis [:jld] ⟨⏰|UTC-7⟩ ⟦he/him⟧]

Sorry for losing track of this. It was going to (and will) conflict with bug 1440203 (and semi-related cleanup extracted into bug 1662564), so I was going to deal with both of them at the same time, but 1440203 has spent a lot of time waiting to not be interrupted by something else.

The other thing about bug 1440203 is that, inspired by comment #1 here, I added a case for FreeBSD 13's memfd_create, also using Capsicum for freezing / read-only copy (same idea as this patch but I think I wrote it before that); it's basically the same structure as the Linux case, which also has to do OS-specific things to get a “dup but read-only” operation. (File seals aren't quite enough; see bug 1550900 and bug 1440203 comment #10.)

But what I haven't done is support SHM_ANON for older OS versions, so that still leaves something for this bug to do. It should be relatively simple once the dust settles.