From: Eric Wong <e@80x24.org>
To: Junio C Hamano <gitster@pobox.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>,
Jeff King <peff@peff.net>, Git Mailing List <git@vger.kernel.org>,
Lars Schneider <larsxschneider@gmail.com>,
Johannes Schindelin <johannes.schindelin@gmx.de>
Subject: Re: [PATCH v3 2/3] sha1_file: open window into packfiles with O_CLOEXEC
Date: Fri, 28 Oct 2016 05:51:59 +0000
Message-ID: <20161028055159.GA25950@starla>
In-Reply-To: <xmqq60od42s0.fsf@gitster.mtv.corp.google.com>
Junio C Hamano <gitster@pobox.com> wrote:
> Junio C Hamano <gitster@pobox.com> writes:
>
> > Linus Torvalds <torvalds@linux-foundation.org> writes:
> >
> >> On Thu, Oct 27, 2016 at 4:36 PM, Junio C Hamano <gitster@pobox.com> wrote:
> >>>
> >>> Would the best endgame shape for this function be to open with
> >>> O_NOATIME (and retry without), and then add CLOEXEC with fcntl(2)
> >>> but ignoring an error from it, I guess? That would be the closest
> >>> to what we historically had, I would think.
> >>
> >> I think that's the best model.

Actually, I would flip the order of flags. O_CLOEXEC is more
important from a correctness standpoint.

> > OK, so perhaps like this.
>
> Hmph. This may not fly well in practice, though.
>
> To Unix folks, CLOEXEC is not a huge correctness issue. A child
> process may hold onto an open file descriptor a bit longer than the
> lifetime of the parent but as long as the child eventually exits,

I'm not too familiar with C internals of git; but I know we use
threads in some places, and fork+execve in others.

If our usage of threads and execve intersects, and we run
untrusted code in an execve-ed child, then only having cloexec
on open() will save us time when auditing for leaking FDs.

fcntl(fd, F_SETFD, O_CLOEXEC) is racy if there are other
threads doing execve; so I wouldn't rely on it as a first
choice.

So I suppose something like this:

	static int noatime = 1;
	int fd = open(... | O_CLOEXEC);

	...error checking and retrying...

	if (fd >= 0 && noatime && fcntl(fd, F_SETFL, O_NOATIME) != 0)
		noatime = 0;
	return fd;
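
The ordering discussed in the message above, as an added example that is not code from this thread or from git: close-on-exec is requested atomically in open(), O_NOATIME is applied afterwards on a best-effort basis, and a fork+execve'd child is used to check whether a descriptor leaks. The function names open_cloexec_noatime() and child_inherits_fd() are hypothetical; the example assumes a POSIX system with /bin/sh and treats O_NOATIME as 0 where the platform does not define it.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE /* exposes O_NOATIME on glibc */
#endif
#include <fcntl.h>
#include <stdio.h>
#include <sys/wait.h>
#include <unistd.h>

#ifndef O_NOATIME
#define O_NOATIME 0 /* assumption: unavailable here, fcntl below is a no-op */
#endif

static int noatime_ok = 1; /* cleared after the first O_NOATIME failure */

/* Hypothetical helper (not git's git_open()): close-on-exec is set
 * atomically by open(); O_NOATIME is only an optimisation added after. */
int open_cloexec_noatime(const char *path)
{
	int fd = open(path, O_RDONLY | O_CLOEXEC);
	if (fd < 0)
		return -1;
	if (noatime_ok) {
		int fl = fcntl(fd, F_GETFL);
		if (fl < 0 || fcntl(fd, F_SETFL, fl | O_NOATIME) != 0)
			noatime_ok = 0; /* e.g. EPERM: caller does not own the file */
	}
	return fd;
}

/* Returns 1 if a fork+execve'd /bin/sh can still use fd, 0 if the
 * descriptor was closed across the exec, -1 on error. */
int child_inherits_fd(int fd)
{
	char cmd[48];
	int status;
	pid_t pid;
	snprintf(cmd, sizeof(cmd), "exec 2>/dev/null; true <&%d", fd);
	pid = fork();
	if (pid < 0)
		return -1;
	if (pid == 0) {
		execl("/bin/sh", "sh", "-c", cmd, (char *)NULL);
		_exit(127); /* exec itself failed */
	}
	if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status) ||
	    WEXITSTATUS(status) == 127)
		return -1;
	return WEXITSTATUS(status) == 0;
}
```

Running child_inherits_fd() over every descriptor a process holds just before it spawns a helper is one way to audit for leaks of the kind discussed here.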