Reputation: 2669
Who can share shared memory in Linux?
I am working on hardening a sandbox for student code execution. I think I'm satisfied that students can't share data on the file system or with signals because I've found express rules dictating those and they execute as different unprivileged users. However, I am having a really hard time looking at documentation to determine, when shared memory (or IPC more generally - queues or semaphores) is created, who can see that. If you create shared memory, can anyone on the same machine open it, or is there a way to control that? Does the control lie in the program that creates the memory, or can the sysadmin limit it?
Upvotes: 2
Views: 397
Answers (1)
Reputation: 126418
Any process in the same ipc namespace can see and (potentially) access ipc objects created by other processes in the same ipc namespace. Each ipc object has the same user/group/other-rwx permissions as file system objects objects -- see the svipc(7) manual page.
You can create a new ipc namespace by using the clone(2) system call with the CLONE_NEWIPC flag. You can use the unshare(1) program to do a clone+exec of another program with this or certain other CLONE flags.
Upvotes: 1
Related Questions
- IPC using shared memory in C
- How do unix-like OS implement IPC shared memory?
- How shared memory IPC fits into memory layout of a process?
- How does limits on the shared memory work on Linux
- Implementing shared memory without root privilege
- IPC - Shared Programming Program in Linux
- Shared memory in process address space?
- Shared memory marked as virtual memory?
- Access control to shared memory
- Linux Shared Memory