Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1754427AbcLQJew (ORCPT ); Sat, 17 Dec 2016 04:34:52 -0500 Received: from mail-wm0-f67.google.com ([74.125.82.67]:34165 "EHLO mail-wm0-f67.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752186AbcLQJeu (ORCPT ); Sat, 17 Dec 2016 04:34:50 -0500 Subject: Re: Document accounting of FDs passed over UNIX domain sockets To: Willy Tarreau References: <68dec064-17bb-0994-8dcf-e06d54d80ada@gmail.com> <20161217070431.GA13141@1wt.eu> Cc: mtk.manpages@gmail.com, linux-man , lkml , socketpair@gmail.com, Tetsuo Handa , linux-fsdevel@vger.kernel.org From: "Michael Kerrisk (man-pages)" Message-ID: <5365dfbc-1506-d49f-975e-efa2ac49d002@gmail.com> Date: Sat, 17 Dec 2016 10:34:46 +0100 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.4.0 MIME-Version: 1.0 In-Reply-To: <20161217070431.GA13141@1wt.eu> Content-Type: text/plain; charset=windows-1252 Content-Transfer-Encoding: 7bit Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 2925 Lines: 78 Hi Willy, On 12/17/2016 08:04 AM, Willy Tarreau wrote: > Hi Michael, > > On Fri, Dec 16, 2016 at 12:08:33PM +0100, Michael Kerrisk (man-pages) wrote: >> Hello Willy, >> >> Your commit 712f4aad406bb1 ("unix: properly account for FDs passed over >> unix sockets" added accounting to ensure that the RLIMIT_NOFILE limit >> could not be bypassed when passing file descriptors across UNIX >> domain sockets. >> >> Such patches should be CCed to linux-api@vger.kernel.org ;-) > > Yes, I learned this after your presentation at kernel recipes, but this > patch pre-dates it ;-) But the note in Documentation/SubmittingPatches predates that ;-) >> A documentation [atch would be great as well, but I had a shot >> at cobbling some text together. Does the text below (for the unix(7) >> man page) look okay? > > I think so, though maybe we can arrange it very slightly given that > this was considered as a fix for a vulnerability and backported to > various kernels : > >> ETOOMANYREFS >> This error can occur for sendmsg(2) when sending a file >> descriptor as ancilary data over a UNIX domain socket (see >> the description of SCM_RIGHTS, above). It occurs if the >> number of "in-flight" file descriptors exceeds the >> RLIMIT_NOFILE resource limit and the caller does not have >> the CAP_SYS_RESOURCE capability. An in-flight file >> descriptor is one that has been sent using sendmsg(2) but >> has not yet been accepted in the recipient process using >> recvmsg(2). >> >> This error is diagnosed since Linux 4.5. In earlier kernel >> versions, it was possible to place an unlimited number of >> file descriptors in flight, by sending each file descriptor >> with sendmsg(2) and then closing the file descriptor so >> that it was not accounted against the RLIMIT_NOFILE >> resource limit. > > - resource limit. > + resource limit. Some older stable kernels might have > + included the same check by backporting the fix from 4.5. > > I've just checked the exact versions containing this, but I don't think > it's worth providing the list, in my opinion mentionning that it could be > observed on some older versions is enough to help developers who see it > in field : > - 3.2.78 > - 3.10.99 > - 3.12.57 > - 3.14.63 > - 3.16.35 > - 3.18.27 > - 4.1.19 > - 4.4.4 Yea. This is a tricky issue that I run into now and then. I've added some different wording that expresses they same idea you intended. Thanks for noting this. Cheers, Michael -- Michael Kerrisk Linux man-pages maintainer; http://www.kernel.org/doc/man-pages/ Linux/UNIX System Programming Training: http://man7.org/training/