Skip site navigation (1)Skip section navigation (2)
Date:      Wed, 5 Apr 2006 18:55:41 +1000
From:      Peter Jeremy <peterjeremy@optushome.com.au>
To:        Robert Watson <rwatson@freebsd.org>
Cc:        freebsd-current@freebsd.org, freebsd-stable@freebsd.org
Subject:   Re: new feature: private IPC for every jail
Message-ID:  <20060405085541.GC699@turion.vk2pj.dyndns.org>
In-Reply-To: <20060404124313.B76562@fledge.watson.org>
References:  <20060403003318.K947@ganymede.hub.org> <20060403163220.F36756@fledge.watson.org> <20060404100750.GG683@turion.vk2pj.dyndns.org> <20060404112938.G76562@fledge.watson.org> <20060404114107.GJ683@turion.vk2pj.dyndns.org> <20060404124313.B76562@fledge.watson.org>

next in thread | previous in thread | raw e-mail | index | archive | help
On Tue, 2006-Apr-04 12:46:58 +0100, Robert Watson wrote:
>On Tue, 4 Apr 2006, Peter Jeremy wrote:
>>By merging the prison ID into the IPC ID, a non-jailed process can be 
>>allowed to see (and control) jailed IPC without needing any changes to 
>>ipcs/ipcrm.  A non-jailed process won't be able to attach by key but would 
>>be able to attach by ID.
>
>I guess I'm asking a more specific question: you're suggesting treating the 
>prison ID as a logical, but transparent, extension to the key.  Are you 
>suggesting actually changing the way values for the ID field are assigned, 
>or are you suggesting we continue to allocate and manage IDs as we do 
>currently?

Currently, the ID number comprises a pool number and a generation
number (16 bits of each).  I'm suggesting that the algorithm be
changed so that the ID number comprises a pool number, a generation
number and a prison ID (or 0 if outside a prison).  My initial
suggestion is 10, 10 and 12 bits, respectively, but they will
probably need to be tunable since I gather some users run very
large numbers of jails.

>Would it make more sense to simply allocate ID's sequentially, and simply 
>not allow access to objects with a non-matching prison?  If the ID value is 
>entirely opaque, there's no real reason to assign a meaning to it, 
>especially if it leads to potential collisions if, say, the prison ID space 
>becomes large and sparse (due to lots of stopping and starting of prisons 
>over a long run).

The difficulty of a totally opaque ID is mapping it to an actual
instance. Currently, all SysV IPC types have fixed, system-wide limits
on the number of identifiers that exist: msgmni, semmni and shmmni.
FreeBSD (and probably other implementations) therefore allocate fixed-
size arrays of identifiers and use a simple/cheap algorithm to map
from an ID to the array slot (modulo in Tru64, masking in FreeBSD),
combined with a generation count to catch attempts to reuse an old
identifier.

I believe that the IPCID_TO_{IX,SEQ}() and IXSEQ_TO_IPCID() macros
are used for all translations so changing the mapping algorithm
is not out of the question.  The requirements are:
- Given an ID, it must be cheap to locate the IPC object instance.
  (This operation has to be carried out on each IPCop() call).
- It must be possible to determine if the number of existing objects
  is at the system limit and, if not, allocate a new object instance.
- A management tool (ipcs) much be able to determine all the valid IDs.

Given a suitable hashing algorithm then a totally opaque ID does offer
advantages because there are no longer any arbitrary restrictions on
parts of the ID.

-- 
Peter Jeremy



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20060405085541.GC699>