Google Git
Sign in
gn / gn.git / 8e9571434d417f68fdb6d31e7144bbc702b61e6d / . / base / memory / shared_memory_posix.cc
blob: f868eb2b5846b6319bbe3c649ba1a1fe84eca702 [file] [log] [blame]
// Copyright (c) 2012 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
#include "base/memory/shared_memory.h"
#include <errno.h>
#include <fcntl.h>
#include <stddef.h>
#include <sys/mman.h>
#include <sys/stat.h>
#include <unistd.h>
#include "base/files/file_util.h"
#include "base/files/scoped_file.h"
#include "base/logging.h"
#include "base/macros.h"
#include "base/memory/shared_memory_helper.h"
#include "base/memory/shared_memory_tracker.h"
#include "base/posix/eintr_wrapper.h"
#include "base/posix/safe_strerror.h"
#include "base/process/process_metrics.h"
#include "base/scoped_generic.h"
#include "base/strings/utf_string_conversions.h"
#include "base/threading/thread_restrictions.h"
#include "base/unguessable_token.h"
#include "build_config.h"
#if defined(OS_ANDROID)
#include "base/os_compat_android.h"
#include "third_party/ashmem/ashmem.h"
#endif
#if defined(OS_MACOSX) && !defined(OS_IOS)
#error "MacOS uses shared_memory_mac.cc"
#endif
namespace base {
SharedMemory::SharedMemory() = default;
SharedMemory::SharedMemory(const SharedMemoryHandle& handle, bool read_only)
: shm_(handle), read_only_(read_only) {}
SharedMemory::~SharedMemory() {
Unmap();
Close();
}
// static
bool SharedMemory::IsHandleValid(const SharedMemoryHandle& handle) {
return handle.IsValid();
}
// static
void SharedMemory::CloseHandle(const SharedMemoryHandle& handle) {
DCHECK(handle.IsValid());
handle.Close();
}
// static
size_t SharedMemory::GetHandleLimit() {
return GetMaxFds();
}
// static
SharedMemoryHandle SharedMemory::DuplicateHandle(
const SharedMemoryHandle& handle) {
return handle.Duplicate();
}
// static
int SharedMemory::GetFdFromSharedMemoryHandle(
const SharedMemoryHandle& handle) {
return handle.GetHandle();
}
bool SharedMemory::CreateAndMapAnonymous(size_t size) {
return CreateAnonymous(size) && Map(size);
}
#if !defined(OS_ANDROID)
// Chromium mostly only uses the unique/private shmem as specified by
// "name == L"". The exception is in the StatsTable.
// TODO(jrg): there is no way to "clean up" all unused named shmem if
// we restart from a crash. (That isn't a new problem, but it is a problem.)
// In case we want to delete it later, it may be useful to save the value
// of mem_filename after FilePathForMemoryName().
bool SharedMemory::Create(const SharedMemoryCreateOptions& options) {
DCHECK(!shm_.IsValid());
if (options.size == 0) return false;
if (options.size > static_cast<size_t>(std::numeric_limits<int>::max()))
return false;
// This function theoretically can block on the disk, but realistically
// the temporary files we create will just go into the buffer cache
// and be deleted before they ever make it out to disk.
ThreadRestrictions::ScopedAllowIO allow_io;
bool fix_size = true;
ScopedFD fd;
ScopedFD readonly_fd;
FilePath path;
if (!options.name_deprecated || options.name_deprecated->empty()) {
bool result =
CreateAnonymousSharedMemory(options, &fd, &readonly_fd, &path);
if (!result)
return false;
} else {
if (!FilePathForMemoryName(*options.name_deprecated, &path))
return false;
// Make sure that the file is opened without any permission
// to other users on the system.
const mode_t kOwnerOnly = S_IRUSR | S_IWUSR;
// First, try to create the file.
fd.reset(HANDLE_EINTR(
open(path.value().c_str(), O_RDWR | O_CREAT | O_EXCL, kOwnerOnly)));
if (!fd.is_valid() && options.open_existing_deprecated) {
// If this doesn't work, try and open an existing file in append mode.
// Opening an existing file in a world writable directory has two main
// security implications:
// - Attackers could plant a file under their control, so ownership of
// the file is checked below.
// - Attackers could plant a symbolic link so that an unexpected file
// is opened, so O_NOFOLLOW is passed to open().
#if !defined(OS_AIX)
fd.reset(HANDLE_EINTR(
open(path.value().c_str(), O_RDWR | O_APPEND | O_NOFOLLOW)));
#else
// AIX has no 64-bit support for open flags such as -
// O_CLOEXEC, O_NOFOLLOW and O_TTY_INIT.
fd.reset(HANDLE_EINTR(open(path.value().c_str(), O_RDWR | O_APPEND)));
#endif
// Check that the current user owns the file.
// If uid != euid, then a more complex permission model is used and this
// API is not appropriate.
const uid_t real_uid = getuid();
const uid_t effective_uid = geteuid();
struct stat sb;
if (fd.is_valid() &&
(fstat(fd.get(), &sb) != 0 || sb.st_uid != real_uid ||
sb.st_uid != effective_uid)) {
LOG(ERROR) <<
"Invalid owner when opening existing shared memory file.";
close(fd.get());
return false;
}
// An existing file was opened, so its size should not be fixed.
fix_size = false;
}
if (options.share_read_only) {
// Also open as readonly so that we can GetReadOnlyHandle.
readonly_fd.reset(HANDLE_EINTR(open(path.value().c_str(), O_RDONLY)));
if (!readonly_fd.is_valid()) {
DPLOG(ERROR) << "open(\"" << path.value() << "\", O_RDONLY) failed";
close(fd.get());
return false;
}
}
if (fd.is_valid()) {
// "a+" is always appropriate: if it's a new file, a+ is similar to w+.
if (!fdopen(fd.get(), "a+")) {
PLOG(ERROR) << "Creating file stream in " << path.value() << " failed";
return false;
}
}
}
if (fd.is_valid() && fix_size) {
// Get current size.
struct stat stat;
if (fstat(fd.get(), &stat) != 0)
return false;
const size_t current_size = stat.st_size;
if (current_size != options.size) {
if (HANDLE_EINTR(ftruncate(fd.get(), options.size)) != 0)
return false;
}
requested_size_ = options.size;
}
if (!fd.is_valid()) {
PLOG(ERROR) << "Creating shared memory in " << path.value() << " failed";
FilePath dir = path.DirName();
if (access(dir.value().c_str(), W_OK | X_OK) < 0) {
PLOG(ERROR) << "Unable to access(W_OK|X_OK) " << dir.value();
if (dir.value() == "/dev/shm") {
LOG(FATAL) << "This is frequently caused by incorrect permissions on "
<< "/dev/shm. Try 'sudo chmod 1777 /dev/shm' to fix.";
}
}
return false;
}
int mapped_file = -1;
int readonly_mapped_file = -1;
bool result = PrepareMapFile(std::move(fd), std::move(readonly_fd),
&mapped_file, &readonly_mapped_file);
shm_ = SharedMemoryHandle(FileDescriptor(mapped_file, false), options.size,
UnguessableToken::Create());
readonly_shm_ =
SharedMemoryHandle(FileDescriptor(readonly_mapped_file, false),
options.size, shm_.GetGUID());
return result;
}
// Our current implementation of shmem is with mmap()ing of files.
// These files need to be deleted explicitly.
// In practice this call is only needed for unit tests.
bool SharedMemory::Delete(const std::string& name) {
FilePath path;
if (!FilePathForMemoryName(name, &path))
return false;
if (PathExists(path))
return DeleteFile(path, false);
// Doesn't exist, so success.
return true;
}
bool SharedMemory::Open(const std::string& name, bool read_only) {
FilePath path;
if (!FilePathForMemoryName(name, &path))
return false;
read_only_ = read_only;
int mode = read_only ? O_RDONLY : O_RDWR;
ScopedFD fd(HANDLE_EINTR(open(path.value().c_str(), mode)));
ScopedFD readonly_fd(HANDLE_EINTR(open(path.value().c_str(), O_RDONLY)));
if (!readonly_fd.is_valid()) {
DPLOG(ERROR) << "open(\"" << path.value() << "\", O_RDONLY) failed";
return false;
}
int mapped_file = -1;
int readonly_mapped_file = -1;
bool result = PrepareMapFile(std::move(fd), std::move(readonly_fd),
&mapped_file, &readonly_mapped_file);
// This form of sharing shared memory is deprecated. https://crbug.com/345734.
// However, we can't get rid of it without a significant refactor because its
// used to communicate between two versions of the same service process, very
// early in the life cycle.
// Technically, we should also pass the GUID from the original shared memory
// region. We don't do that - this means that we will overcount this memory,
// which thankfully isn't relevant since Chrome only communicates with a
// single version of the service process.
// We pass the size |0|, which is a dummy size and wrong, but otherwise
// harmless.
shm_ = SharedMemoryHandle(FileDescriptor(mapped_file, false), 0u,
UnguessableToken::Create());
readonly_shm_ = SharedMemoryHandle(
FileDescriptor(readonly_mapped_file, false), 0, shm_.GetGUID());
return result;
}
#endif // !defined(OS_ANDROID)
bool SharedMemory::MapAt(off_t offset, size_t bytes) {
if (!shm_.IsValid())
return false;
if (bytes > static_cast<size_t>(std::numeric_limits<int>::max()))
return false;
if (memory_)
return false;
#if defined(OS_ANDROID)
// On Android, Map can be called with a size and offset of zero to use the
// ashmem-determined size.
if (bytes == 0) {
DCHECK_EQ(0, offset);
int ashmem_bytes = ashmem_get_size_region(shm_.GetHandle());
if (ashmem_bytes < 0)
return false;
bytes = ashmem_bytes;
}
// Sanity check. This shall catch invalid uses of the SharedMemory APIs
// but will not protect against direct mmap() attempts.
if (shm_.IsReadOnly()) {
// Use a DCHECK() to call writable mappings with read-only descriptors
// in debug builds immediately. Return an error for release builds
// or during unit-testing (assuming a ScopedLogAssertHandler was installed).
DCHECK(read_only_)
<< "Trying to map a region writable with a read-only descriptor.";
if (!read_only_) {
return false;
}
if (!shm_.SetRegionReadOnly()) { // Ensure the region is read-only.
return false;
}
}
#endif
memory_ = mmap(nullptr, bytes, PROT_READ | (read_only_ ? 0 : PROT_WRITE),
MAP_SHARED, shm_.GetHandle(), offset);
bool mmap_succeeded = memory_ && memory_ != reinterpret_cast<void*>(-1);
if (mmap_succeeded) {
mapped_size_ = bytes;
mapped_id_ = shm_.GetGUID();
DCHECK_EQ(0U,
reinterpret_cast<uintptr_t>(memory_) &
(SharedMemory::MAP_MINIMUM_ALIGNMENT - 1));
SharedMemoryTracker::GetInstance()->IncrementMemoryUsage(*this);
} else {
memory_ = nullptr;
}
return mmap_succeeded;
}
bool SharedMemory::Unmap() {
if (!memory_)
return false;
SharedMemoryTracker::GetInstance()->DecrementMemoryUsage(*this);
munmap(memory_, mapped_size_);
memory_ = nullptr;
mapped_size_ = 0;
mapped_id_ = UnguessableToken();
return true;
}
SharedMemoryHandle SharedMemory::handle() const {
return shm_;
}
SharedMemoryHandle SharedMemory::TakeHandle() {
SharedMemoryHandle handle_copy = shm_;
handle_copy.SetOwnershipPassesToIPC(true);
Unmap();
shm_ = SharedMemoryHandle();
return handle_copy;
}
#if !defined(OS_ANDROID)
void SharedMemory::Close() {
if (shm_.IsValid()) {
shm_.Close();
shm_ = SharedMemoryHandle();
}
if (readonly_shm_.IsValid()) {
readonly_shm_.Close();
readonly_shm_ = SharedMemoryHandle();
}
}
// For the given shmem named |mem_name|, return a filename to mmap()
// (and possibly create). Modifies |filename|. Return false on
// error, or true of we are happy.
bool SharedMemory::FilePathForMemoryName(const std::string& mem_name,
FilePath* path) {
// mem_name will be used for a filename; make sure it doesn't
// contain anything which will confuse us.
DCHECK_EQ(std::string::npos, mem_name.find('/'));
DCHECK_EQ(std::string::npos, mem_name.find('\0'));
FilePath temp_dir;
if (!GetShmemTempDir(false, &temp_dir))
return false;
#if defined(GOOGLE_CHROME_BUILD)
static const char kShmem[] = "com.google.Chrome.shmem.";
#else
static const char kShmem[] = "org.chromium.Chromium.shmem.";
#endif
CR_DEFINE_STATIC_LOCAL(const std::string, name_base, (kShmem));
*path = temp_dir.AppendASCII(name_base + mem_name);
return true;
}
SharedMemoryHandle SharedMemory::GetReadOnlyHandle() const {
CHECK(readonly_shm_.IsValid());
return readonly_shm_.Duplicate();
}
#endif // !defined(OS_ANDROID)
} // namespace base