Java heap file on daxfs should be more secure
Yasumasa Suenaga
suenaga at oss.nttdata.com
Thu Dec 19 11:31:56 UTC 2019
Hi Florian,
On 2019/12/19 18:08, Florian Weimer wrote:
> * Yasumasa Suenaga:
>
>> HotSpot allocates the Java heap on daxfs if we pass -XX:AllocateHeapAt.
>> It performs open(2) and unlink(2) on daxfs, and the heap is used via the
>> mmap'ed address.
>>
>> mmap(2) would be called with MAP_SHARED, and the sequence between
>> open(2) and unlink(2) is not atomic. If a malicious user opens the Java
>> heap file before unlink(2), it might be exposed.
>
> The existing code uses mkstemp, so the content is not exposed to other
> users. The same user can still access the file through /proc, with and
> without O_TMPFILE.
The same user cannot access it through procfs after the unlink(2) call because the file is deleted.
The symlink in /proc/<pid>/fd is a dead link.
If we pass O_TMPFILE to open(2), all users (including root) cannot access it because
the Linux kernel does not seem to link the file path to the inode. That is the reason why I think O_TMPFILE is secure.
https://github.com/torvalds/linux/blob/master/fs/namei.c#L3530
In fact, the tmp file is already deleted when open(2) with O_TMPFILE returns.
>> So I think we can use open(2) with O_TMPFILE instead of mkstemp(3) as below.
>>
>> http://cr.openjdk.java.net/~ysuenaga/dax/
>
> Old systems have neither __O_TMPFILE nor O_TMPFILE, so this will result
> in a compilation error there.
We can avoid it with the preprocessor.
If this proposal is accepted, I will add it to the webrev.
Thanks,
Yasumasa
> Thanks,
> Florian
>
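The following is an added example, not part of the thread, the webrev, or HotSpot's own code, showing the approach discussed above: open the heap backing file with O_TMPFILE behind a preprocessor guard, fall back to mkstemp(3) followed by unlink(2) where the macro is absent or the kernel/filesystem rejects it, then map the file MAP_SHARED and confirm the inode has no directory entry left. The directory path, file name template, function names and the 0xAB fill pattern are assumptions chosen for the example.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE           /* needed for O_TMPFILE on glibc */
#endif
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/mman.h>
#include <sys/stat.h>

/* Open a file in `dir` that has no usable path by the time this returns.
 * O_TMPFILE (guarded by the preprocessor, as the mail proposes) creates the
 * inode without ever linking a name; O_EXCL additionally forbids linking a
 * name back later with linkat(2). On toolchains lacking the macro, or on
 * kernels/filesystems that reject it, fall back to mkstemp(3) + unlink(2),
 * which leaves the window between the two calls that the thread describes.
 * `used_tmpfile` reports which path was taken. Returns the fd or -1. */
static int open_unnamed_file(const char *dir, int *used_tmpfile)
{
    int fd = -1;
    *used_tmpfile = 0;
#ifdef O_TMPFILE
    fd = open(dir, O_RDWR | O_TMPFILE | O_EXCL | O_CLOEXEC, 0600);
    if (fd >= 0) {
        *used_tmpfile = 1;
        return fd;
    }
    /* EOPNOTSUPP / EISDIR here means no O_TMPFILE support: fall through. */
#endif
    char path[4096];  /* "heap.XXXXXX" template name is an assumption */
    if (snprintf(path, sizeof path, "%s/heap.XXXXXX", dir) >= (int)sizeof path)
        return -1;
    fd = mkstemp(path);              /* creates the file with mode 0600 */
    if (fd < 0)
        return -1;
    fcntl(fd, F_SETFD, FD_CLOEXEC);  /* do not leak the heap fd to children */
    /* Between mkstemp and this unlink the name is visible in `dir`. */
    if (unlink(path) != 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Map `len` bytes of such a file with MAP_SHARED (as HotSpot does for
 * -XX:AllocateHeapAt), write through one mapping, read through a second,
 * and check that the inode has no directory entry (st_nlink == 0).
 * Returns 1 when every check passes, 0 if one fails, -1 on a system error. */
int unnamed_heap_roundtrip(const char *dir, size_t len)
{
    int via_tmpfile;
    int fd = open_unnamed_file(dir, &via_tmpfile);
    if (fd < 0)
        return -1;

    struct stat st;
    int rc = -1;
    unsigned char *heap = MAP_FAILED, *view = MAP_FAILED;

    if (ftruncate(fd, (off_t)len) != 0 || fstat(fd, &st) != 0)
        goto out;
    heap = mmap(NULL, len, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
    if (heap == MAP_FAILED)
        goto out;
    memset(heap, 0xAB, len);  /* constructed fill pattern */

    /* MAP_SHARED: the write above must be visible through any other mapping. */
    view = mmap(NULL, len, PROT_READ, MAP_SHARED, fd, 0);
    if (view == MAP_FAILED)
        goto out;

    rc = (view[0] == 0xAB && view[len - 1] == 0xAB && st.st_nlink == 0) ? 1 : 0;
out:
    if (view != MAP_FAILED) munmap(view, len);
    if (heap != MAP_FAILED) munmap(heap, len);
    close(fd);
    return rc;
}
```

Calling `unnamed_heap_roundtrip("/tmp", 4096)` returns 1 on a Linux system whether or not O_TMPFILE is available; the `used_tmpfile` flag tells you which branch ran, which is worth logging once at JVM start when diagnosing a deployment. Note that the fallback relies on mkstemp's 0600 mode to keep other users out during the open-to-unlink window, which is the point Florian raises, while O_EXCL on the O_TMPFILE path prevents the inode from ever being given a name.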