comparison src/os/linux/vm/perfMemory_linux.cpp @ 20781:42f27b59c550
Merge
author | asaha |
---|---|
date | Wed, 26 Nov 2014 08:57:40 -0800 |
parents | 833b0f92429a d7b6bdd51abe |
children | 7848fc12602b f3ffb37f88a6 |
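--- a/src/os/linux/vm/perfMemory_linux.cpp
+++ b/src/os/linux/vm/perfMemory_linux.cpp
@@ -195,11 +195,42 @@
 // successful conversion, return the pid
 return pid;
 }
 
 
-// check if the given path is considered a secure directory for
+// Check if the given statbuf is considered a secure directory for
+// the backing store files. Returns true if the directory is considered
+// a secure location. Returns false if the statbuf is a symbolic link or
+// if an error occurred.
+//
+static bool is_statbuf_secure(struct stat *statp) {
+if (S_ISLNK(statp->st_mode) || !S_ISDIR(statp->st_mode)) {
+// The path represents a link or some non-directory file type,
+// which is not what we expected. Declare it insecure.
+//
+return false;
+}
+// We have an existing directory, check if the permissions are safe.
+//
+if ((statp->st_mode & (S_IWGRP|S_IWOTH)) != 0) {
+// The directory is open for writing and could be subjected
+// to a symlink or a hard link attack. Declare it insecure.
+//
+return false;
+}
+// See if the uid of the directory matches the effective uid of the process.
+//
+if (statp->st_uid != geteuid()) {
+// The directory was not created by this user, declare it insecure.
+//
+return false;
+}
+return true;
+}
+
+
+// Check if the given path is considered a secure directory for
 // the backing store files. Returns true if the directory exists
 // and is considered a secure location. Returns false if the path
 // is a symbolic link or if an error occurred.
 //
 static bool is_directory_secure(const char* path) {
@@ -209,26 +240,184 @@
 RESTARTABLE(::lstat(path, &statbuf), result);
 if (result == OS_ERR) {
 return false;
 }
 
-// the path exists, now check it's mode
-if (S_ISLNK(statbuf.st_mode) || !S_ISDIR(statbuf.st_mode)) {
-// the path represents a link or some non-directory file type,
-// which is not what we expected. declare it insecure.
-//
+// The path exists, see if it is secure.
+return is_statbuf_secure(&statbuf);
+}
+
+
+// Check if the given directory file descriptor is considered a secure
+// directory for the backing store files. Returns true if the directory
+// exists and is considered a secure location. Returns false if the path
+// is a symbolic link or if an error occurred.
+//
+static bool is_dirfd_secure(int dir_fd) {
+struct stat statbuf;
+int result = 0;
+
+RESTARTABLE(::fstat(dir_fd, &statbuf), result);
+if (result == OS_ERR) {
 return false;
 }
-else {
-// we have an existing directory, check if the permissions are safe.
-//
-if ((statbuf.st_mode & (S_IWGRP|S_IWOTH)) != 0) {
-// the directory is open for writing and could be subjected
-// to a symlnk attack. declare it insecure.
-//
-return false;
-}
+
+// The path exists, now check its mode.
+return is_statbuf_secure(&statbuf);
+}
+
+
+// Check to make sure fd1 and fd2 are referencing the same file system object.
+//
+static bool is_same_fsobject(int fd1, int fd2) {
+struct stat statbuf1;
+struct stat statbuf2;
+int result = 0;
+
+RESTARTABLE(::fstat(fd1, &statbuf1), result);
+if (result == OS_ERR) {
+return false;
+}
+RESTARTABLE(::fstat(fd2, &statbuf2), result);
+if (result == OS_ERR) {
+return false;
+}
+
+if ((statbuf1.st_ino == statbuf2.st_ino) &&
+(statbuf1.st_dev == statbuf2.st_dev)) {
+return true;
+} else {
+return false;
+}
+}
+
+
+// Open the directory of the given path and validate it.
+// Return a DIR * of the open directory.
+//
+static DIR *open_directory_secure(const char* dirname) {
+// Open the directory using open() so that it can be verified
+// to be secure by calling is_dirfd_secure(), opendir() and then check
+// to see if they are the same file system object. This method does not
+// introduce a window of opportunity for the directory to be attacked that
+// calling opendir() and is_directory_secure() does.
+int result;
+DIR *dirp = NULL;
+RESTARTABLE(::open(dirname, O_RDONLY|O_NOFOLLOW), result);
+if (result == OS_ERR) {
+if (PrintMiscellaneous && Verbose) {
+if (errno == ELOOP) {
+warning("directory %s is a symlink and is not secure\n", dirname);
+} else {
+warning("could not open directory %s: %s\n", dirname, strerror(errno));
+}
+}
+return dirp;
+}
+int fd = result;
+
+// Determine if the open directory is secure.
+if (!is_dirfd_secure(fd)) {
+// The directory is not a secure directory.
+os::close(fd);
+return dirp;
+}
+
+// Open the directory.
+dirp = ::opendir(dirname);
+if (dirp == NULL) {
+// The directory doesn't exist, close fd and return.
+os::close(fd);
+return dirp;
+}
+
+// Check to make sure fd and dirp are referencing the same file system object.
+if (!is_same_fsobject(fd, dirfd(dirp))) {
+// The directory is not secure.
+os::close(fd);
+os::closedir(dirp);
+dirp = NULL;
+return dirp;
+}
+
+// Close initial open now that we know directory is secure
+os::close(fd);
+
+return dirp;
+}
+
+// NOTE: The code below uses fchdir(), open() and unlink() because
+// fdopendir(), openat() and unlinkat() are not supported on all
+// versions. Once the support for fdopendir(), openat() and unlinkat()
+// is available on all supported versions the code can be changed
+// to use these functions.
+
+// Open the directory of the given path, validate it and set the
+// current working directory to it.
+// Return a DIR * of the open directory and the saved cwd fd.
+//
+static DIR *open_directory_secure_cwd(const char* dirname, int *saved_cwd_fd) {
+
+// Open the directory.
+DIR* dirp = open_directory_secure(dirname);
+if (dirp == NULL) {
+// Directory doesn't exist or is insecure, so there is nothing to cleanup.
+return dirp;
+}
+int fd = dirfd(dirp);
+
+// Open a fd to the cwd and save it off.
+int result;
+RESTARTABLE(::open(".", O_RDONLY), result);
+if (result == OS_ERR) {
+*saved_cwd_fd = -1;
+} else {
+*saved_cwd_fd = result;
+}
+
+// Set the current directory to dirname by using the fd of the directory.
+result = fchdir(fd);
+
+return dirp;
+}
+
+// Close the directory and restore the current working directory.
+//
+static void close_directory_secure_cwd(DIR* dirp, int saved_cwd_fd) {
+
+int result;
+// If we have a saved cwd change back to it and close the fd.
+if (saved_cwd_fd != -1) {
+result = fchdir(saved_cwd_fd);
+::close(saved_cwd_fd);
+}
+
+// Close the directory.
+os::closedir(dirp);
+}
+
+// Check if the given file descriptor is considered a secure.
+//
+static bool is_file_secure(int fd, const char *filename) {
+
+int result;
+struct stat statbuf;
+
+// Determine if the file is secure.
+RESTARTABLE(::fstat(fd, &statbuf), result);
+if (result == OS_ERR) {
+if (PrintMiscellaneous && Verbose) {
+warning("fstat failed on %s: %s\n", filename, strerror(errno));
+}
+return false;
+}
+if (statbuf.st_nlink > 1) {
+// A file with multiple links is not expected.
+if (PrintMiscellaneous && Verbose) {
+warning("file %s has multiple links\n", filename);
+}
+return false;
 }
 return true;
 }
 
 
@@ -315,13 +504,15 @@
 char* oldest_user = NULL;
 time_t oldest_ctime = 0;
 
 const char* tmpdirname = os::get_temp_directory();
 
+// open the temp directory
 DIR* tmpdirp = os::opendir(tmpdirname);
 
 if (tmpdirp == NULL) {
+// Cannot open the directory to get the user name, return.
 return NULL;
 }
 
 // for each entry in the directory that matches the pattern hsperfdata_*,
 // open the directory and check if the file for the given vmid exists.
@@ -342,11 +533,12 @@
 strlen(tmpdirname) + strlen(dentry->d_name) + 2, mtInternal);
 strcpy(usrdir_name, tmpdirname);
 strcat(usrdir_name, "/");
 strcat(usrdir_name, dentry->d_name);
 
-DIR* subdirp = os::opendir(usrdir_name);
+// open the user directory
+DIR* subdirp = open_directory_secure(usrdir_name);
 
 if (subdirp == NULL) {
 FREE_C_HEAP_ARRAY(char, usrdir_name, mtInternal);
 continue;
 }
@@ -463,30 +655,10 @@
 }
 }
 }
 
 
-// remove file
-//
-// this method removes the file with the given file name in the
-// named directory.
-//
-static void remove_file(const char* dirname, const char* filename) {
-
-size_t nbytes = strlen(dirname) + strlen(filename) + 2;
-char* path = NEW_C_HEAP_ARRAY(char, nbytes, mtInternal);
-
-strcpy(path, dirname);
-strcat(path, "/");
-strcat(path, filename);
-
-remove_file(path);
-
-FREE_C_HEAP_ARRAY(char, path, mtInternal);
-}
-
-
 // cleanup stale shared memory resources
 //
 // This method attempts to remove all stale shared memory files in
 // the named user temporary directory. It scans the named directory
 // for files matching the pattern ^$[0-9]*$. For each file found, the
@@ -494,20 +666,15 @@
 // determine if the process is alive. If the process is not alive,
 // any stale file resources are removed.
 //
 static void cleanup_sharedmem_resources(const char* dirname) {
 
-// open the user temp directory
-DIR* dirp = os::opendir(dirname);
-
+int saved_cwd_fd;
+// open the directory
+DIR* dirp = open_directory_secure_cwd(dirname, &saved_cwd_fd);
 if (dirp == NULL) {
-// directory doesn't exist, so there is nothing to cleanup
-return;
-}
-
-if (!is_directory_secure(dirname)) {
-// the directory is not a secure directory
+// directory doesn't exist or is insecure, so there is nothing to cleanup
 return;
 }
 
 // for each entry in the directory that matches the expected file
 // name pattern, determine if the file resources are stale and if
@@ -517,21 +684,21 @@
 // loop under these conditions is dependent upon the implementation of
 // opendir/readdir.
 //
 struct dirent* entry;
 char* dbuf = NEW_C_HEAP_ARRAY(char, os::readdir_buf_size(dirname), mtInternal);
+
 errno = 0;
 while ((entry = os::readdir(dirp, (struct dirent *)dbuf)) != NULL) {
 
 pid_t pid = filename_to_pid(entry->d_name);
 
 if (pid == 0) {
 
 if (strcmp(entry->d_name, ".") != 0 && strcmp(entry->d_name, "..") != 0) {
-
 // attempt to remove all unexpected files, except "." and ".."
-remove_file(dirname, entry->d_name);
+unlink(entry->d_name);
 }
 
 errno = 0;
 continue;
 }
@@ -549,16 +716,18 @@
 // be stale and are removed because the resources for such a
 // process should be in a different user specific directory.
 //
 if ((pid == os::current_process_id()) ||
 (kill(pid, 0) == OS_ERR && (errno == ESRCH || errno == EPERM))) {
-
-remove_file(dirname, entry->d_name);
+unlink(entry->d_name);
 }
 errno = 0;
 }
-os::closedir(dirp);
+
+// close the directory and reset the current working directory
+close_directory_secure_cwd(dirp, saved_cwd_fd);
+
 FREE_C_HEAP_ARRAY(char, dbuf, mtInternal);
 }
 
 // make the user specific temporary directory. Returns true if
 // the directory exists and is secure upon return. Returns false
@@ -611,23 +780,58 @@
 // could not make/find the directory or the found directory
 // was not secure
 return -1;
 }
 
+int saved_cwd_fd;
+// open the directory and set the current working directory to it
+DIR* dirp = open_directory_secure_cwd(dirname, &saved_cwd_fd);
+if (dirp == NULL) {
+// Directory doesn't exist or is insecure, so cannot create shared
+// memory file.
+return -1;
+}
+
+// Open the filename in the current directory.
+// Cannot use O_TRUNC here; truncation of an existing file has to happen
+// after the is_file_secure() check below.
 int result;
-
-RESTARTABLE(::open(filename, O_RDWR|O_CREAT|O_TRUNC, S_IREAD|S_IWRITE), result);
+RESTARTABLE(::open(filename, O_RDWR|O_CREAT|O_NOFOLLOW, S_IREAD|S_IWRITE), result);
 if (result == OS_ERR) {
 if (PrintMiscellaneous && Verbose) {
-warning("could not create file %s: %s\n", filename, strerror(errno));
-}
+if (errno == ELOOP) {
+warning("file %s is a symlink and is not secure\n", filename);
+} else {
+warning("could not create file %s: %s\n", filename, strerror(errno));
+}
+}
+// close the directory and reset the current working directory
+close_directory_secure_cwd(dirp, saved_cwd_fd);
+
 return -1;
 }
+// close the directory and reset the current working directory
+close_directory_secure_cwd(dirp, saved_cwd_fd);
 
 // save the file descriptor
 int fd = result;
 
+// check to see if the file is secure
+if (!is_file_secure(fd, filename)) {
+::close(fd);
+return -1;
+}
+
+// truncate the file to get rid of any existing data
+RESTARTABLE(::ftruncate(fd, (off_t)0), result);
+if (result == OS_ERR) {
+if (PrintMiscellaneous && Verbose) {
+warning("could not truncate shared memory file: %s\n", strerror(errno));
+}
+::close(fd);
+return -1;
+}
 // set the file size
 RESTARTABLE(::ftruncate(fd, (off_t)size), result);
 if (result == OS_ERR) {
 if (PrintMiscellaneous && Verbose) {
 warning("could not set shared memory file size: %s\n", strerror(errno));
@@ -681,12 +885,19 @@
 }
 else {
 THROW_MSG_(vmSymbols::java_io_IOException(), strerror(errno), OS_ERR);
 }
 }
-
-return result;
+int fd = result;
+
+// check to see if the file is secure
+if (!is_file_secure(fd, filename)) {
+::close(fd);
+return -1;
+}
+
+return fd;
 }
 
 // create a named shared memory region. returns the address of the
 // memory region on success or NULL on failure. A return value of
 // NULL will ultimately disable the shared memory feature.
@@ -713,18 +924,25 @@
 if (user_name == NULL)
 return NULL;
 
 char* dirname = get_user_tmp_dir(user_name);
 char* filename = get_sharedmem_filename(dirname, vmid);
+// get the short filename
+char* short_filename = strrchr(filename, '/');
+if (short_filename == NULL) {
+short_filename = filename;
+} else {
+short_filename++;
+}
 
 // cleanup any stale shared memory files
 cleanup_sharedmem_resources(dirname);
 
 assert(((size > 0) && (size % os::vm_page_size() == 0)),
 "unexpected PerfMemory region size");
 
-fd = create_sharedmem_resources(dirname, filename, size);
+fd = create_sharedmem_resources(dirname, short_filename, size);
 
 FREE_C_HEAP_ARRAY(char, user_name, mtInternal);
 FREE_C_HEAP_ARRAY(char, dirname, mtInternal);
 
 if (fd == -1) {
@@ -835,16 +1053,16 @@
 
 // map the high level access mode to the appropriate permission
 // constructs for the file and the shared memory mapping.
 if (mode == PerfMemory::PERF_MODE_RO) {
 mmap_prot = PROT_READ;
-file_flags = O_RDONLY;
+file_flags = O_RDONLY | O_NOFOLLOW;
 }
 else if (mode == PerfMemory::PERF_MODE_RW) {
 #ifdef LATER
 mmap_prot = PROT_READ | PROT_WRITE;
-file_flags = O_RDWR | O_NOFOLLOW;
+file_flags = O_RDWR | O_NOFOLLOW;
 #else
 THROW_MSG(vmSymbols::java_lang_IllegalArgumentException(),
 "Unsupported access mode");
 #endif
 }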
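Review bot: In the second hunk (new lines 240-423), open_directory_secure_cwd() stores the fchdir(fd) return value in `result` and never checks it, so on failure it still returns a non-NULL dirp and both callers go on to use relative names — cleanup_sharedmem_resources() calls `unlink(entry->d_name)` and create_sharedmem_resources() calls `::open(filename, O_RDWR|O_CREAT|O_NOFOLLOW, ...)` — in whatever directory the process was in before, not in the validated hsperfdata directory. fchdir() can presumably fail even after the fd passed is_dirfd_secure(), for example when the directory lacks search permission for the effective uid, which is_statbuf_secure() does not check, so the function should fail closed on that path: log the failure, release the saved cwd fd and the DIR, and return NULL. The same unchecked-`result` pattern appears in close_directory_secure_cwd() (new line 390), where a failed restore is only best-effort but a short comment saying so, `// best effort: a failed fchdir() leaves the cwd in dirname`, would make that intent explicit. Note also that the working directory is process-wide, so while this window is open other threads doing relative-path I/O observe the changed cwd; the NOTE above open_directory_secure_cwd() explains why fchdir() is used instead of openat()/unlinkat(), and that trade-off deserves a sentence in the function comment too.
```cpp
// Set the current directory to dirname by using the fd of the directory.
result = fchdir(fd);
if (result == OS_ERR) {
  if (PrintMiscellaneous && Verbose) {
    warning("could not change directory to %s: %s\n", dirname, strerror(errno));
  }
  if (*saved_cwd_fd != -1) {
    ::close(*saved_cwd_fd);
    *saved_cwd_fd = -1;
  }
  os::closedir(dirp);
  return NULL;
}

return dirp;
```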