Why replacing running executable file is forbidden, but overwriting of memory mapped shared object is allowed ?
valdis.kletnieks at vt.edu
valdis.kletnieks at vt.edu
Tue Nov 14 11:59:13 EST 2017
On Tue, 14 Nov 2017 14:18:42 +0300, Lev Olshvang said:
> The difference between executable and file that executable may crash. while
> shared lib can not.
Oh, a shared lib can indeed crash (or more correctly cause a crash in the process
that is using it).
> Still there are unknown for me what happen with opened files and mmaped files
> when crash occurs
Same thing as an executable or a mapped shared library (.so's are just mmap() under
the covers), Reference counts are reference counts.
> I used to think that kernel decrease reference counts and closes files,
> whether application exits normally or crashed.
Right. And you change those reference counts on your own at your own peril.
> Now I add some facts about executables from kernel code:
> fss/binfmt_misc.c: deny_write_access(interp_file);
> fs/exec.c: err = deny_write_access(file);
> fs/exec.c: ret = deny_write_access(file);
>
> And I found following explanatioin in old kernel list archive:
> https://lists.gt.net/linux/kernel/222875
>
> The reason the kernel refuses to honour it, is that MAP_DENYWRITE is an
> > > excellent DoS-vehicle - you just mmap("/etc/passwd") with MAP_DENYWRITE,
> > > and even root cannot write to it.. Vary nasty.
Right - so DENYWRITE is restricted to executables (where it makes sense anyhow)
However, shared libraries are just mmap() - so there's no easy way to say
"only allow DENYWRITE for .so images". (Hint - a shared library doesn't
have to be called something.so - and in fact is usually 'something.so.versionstring")
> And I still confused because shared libraries are mapped with PROT_EXEC flag
> and so they differ
> from regular file like /etc/passwd and generally have -r-x file system
> permissions.
Actually, most shared libraries will end up with several mmap() segments - one
for .txt, one for .bss (uninitialized variables), and one for .data (initialized
variables) - and they will be mapped with different flags.
Do an 'strace /bin/echo foo' and ponder what actually happens.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 486 bytes
Desc: not available
Url : http://lists.kernelnewbies.org/pipermail/kernelnewbies/attachments/20171114/3667e94c/attachment.bin
More information about the Kernelnewbies
mailing list