tech-kern archive


Re: Support for "pshared" POSIX semaphores



>>>>> On Mon, 4 Feb 2019 12:18:35 -0800, Jason Thorpe <thorpej%me.com@localhost> said:

> Well, the SUS says this about it:
> 
> <quote>
> If the pshared argument has a non-zero value, then the semaphore is shared between processes; in this case, any process that can access the semaphore sem can use sem for performing sem_wait(), sem_timedwait(), sem_trywait(), sem_post(), and sem_destroy() operations.
> </quote>
> 
> I suppose if we really wanted to, we could restrict to same-UID or something similar, but it seems like that might technically violate the standard.  I suppose we could wrap that behavior in a sysctl control.
> 
> It's unfortunate that POSIX semaphores are so poorly specified (and "pshared" especially), but there are real uses of them out in the wild.
> 
> I'm open to suggestions.

The reason why the SUS definition is so nasty is that it implicitly
assumes pshared semaphores (and pshared mutexes) will be implemented
on top of shared memory.  And the security problem won't happen
in that case (because random processes cannot share the same memory).

How about using such an implementation?  Although it requires symbol
versioning due to the sem_t size change.

Solaris implementation: 
https://github.com/joyent/illumos-joyent/blob/master/usr/src/lib/libc/port/threads/sema.c
-- 
soda
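The shared-memory model the reply above refers to, as an added example that is not part of this thread and not taken from the illumos sema.c linked above: a pshared sem_t is placed inside a MAP_SHARED mapping, and the only processes that can post or wait on it are those that hold that mapping (here a forked child, which inherits it). Nothing is looked up by name or ID, so an unrelated process has no handle to reach the semaphore with. The code assumes a POSIX system where sem_init() accepts pshared=1 (Linux/glibc was used to reason about it); the struct name and the function pshared_sem_demo() are this example's own.

```c
/* Added example: a process-shared POSIX semaphore living in shared memory.
 * Assumes sem_init(..., pshared=1, ...) is supported (e.g. Linux/glibc). */
#define _DEFAULT_SOURCE
#include <errno.h>
#include <semaphore.h>
#include <stdio.h>
#include <sys/mman.h>
#include <sys/wait.h>
#include <unistd.h>

/* Everything the two processes share lives in one mapping: the
 * semaphore itself and the data it signals about. (Constructed layout.) */
struct shared_region {
    sem_t sem;     /* pshared semaphore, stored in the shared mapping */
    int   counter; /* child increments before each post */
};

/* Child posts the semaphore `posts` times; parent waits that many times.
 * Returns the number of successful waits if the counter agrees, else -1. */
int pshared_sem_demo(int posts)
{
    struct shared_region *r = mmap(NULL, sizeof *r, PROT_READ | PROT_WRITE,
                                   MAP_SHARED | MAP_ANONYMOUS, -1, 0);
    if (r == MAP_FAILED)
        return -1;

    /* pshared=1: the semaphore may be used by any process that can map
     * this memory. Access control is the mapping itself. */
    if (sem_init(&r->sem, 1, 0) != 0) {
        munmap(r, sizeof *r);
        return -1;
    }
    r->counter = 0;

    pid_t pid = fork();
    if (pid < 0) {
        sem_destroy(&r->sem);
        munmap(r, sizeof *r);
        return -1;
    }
    if (pid == 0) {
        /* Child: the MAP_SHARED region is inherited across fork(), so the
         * same sem_t (not a copy) is visible here. */
        for (int i = 0; i < posts; i++) {
            r->counter++;
            sem_post(&r->sem); /* release: makes the increment visible */
        }
        _exit(0);
    }

    /* Parent: each successful wait corresponds to one child post. */
    int acquired = 0;
    for (int i = 0; i < posts; i++) {
        int rc;
        do {
            rc = sem_wait(&r->sem);
        } while (rc != 0 && errno == EINTR);
        if (rc == 0)
            acquired++;
    }
    waitpid(pid, NULL, 0);

    int seen = r->counter;
    sem_destroy(&r->sem);
    munmap(r, sizeof *r);
    return (seen == posts) ? acquired : -1;
}

int main(void)
{
    int got = pshared_sem_demo(5);
    printf("parent acquired the semaphore %d times\n", got);
    return got == 5 ? 0 : 1;
}
```

Compile with `cc -pthread demo.c` on older glibc (sem_* lived in libpthread before glibc 2.34). The point the example makes for the thread: because the sem_t is addressed only through the mapping, the "any process that can access the semaphore" clause of the SUS reduces to "any process that can map this memory", which is already governed by ordinary memory-sharing rules.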
