Defect report from : Andrew Josey , The Open Group
(Please direct followup comments to yyyyyyyyyyyyyy@xxxxxxxxxxxxx)
@ page 1514 line 0 section timer_create comment {PR2480}
Problem:
Edition of Specification (Year): 2004
Defect code : 2. Omission
A problem was identified by the following test and The Open Group has granted a
TIN for Problem Report 2480:
/tset/POSIX_art.os/timers/timer_create/T.timer_create 1
Specification Base Definitions Issue 6
Location in Spec System Interfaces, Issue 6; Volume 3 (R to Z).
timer_create(), pages 1514-1516
Problem Summary timer_create() with high resolution can deny service,
thus our O/S restricts CLOCK_MONOTONIC to privileged processes.
Problem Text The test "/tset/POSIX_art.os/timers/timer_create/T.timer_create #1"
is built as a normal user executable, and when it executes and
attempts to call the timer_create() function with a clockid of
CLOCK_MONOTONIC, the function returns an EPERM error, and the test
fails with an Unresolved status.
On our O/S, a process with a high resolution clock timer
can cause denial of service conditions on the system, and thus such
timers are restricted to privileged processes.
CLOCK_MONOTONIC is implemented as CLOCK_HIGHRES on our O/S, and our
man-page for timer_create() gives this error condition:
EPERM The specified clock ID, clock_id, is CLOCK_HIGHRES
and the {PRIV_PROC_CLOCK_HIGHRES} is not asserted in
the effective set of the calling process.
We would like to request a waiver for this test case, or have the
test executable be built with owner=root and the set-ID bit set.
Test Output /tset/POSIX_art.os/timers/timer_create/T.timer_create 1
Unresolved
Test Description:
If {_POSIX_CLOCK_SELECTION} is defined:
When clock_id is CLOCK_MONOTONIC, then
timer_create(clock_id, evp, timerid) creates a
per-process timer using the monotonic clock as the
timing base 0, sets the location referenced by
timerid to a timer ID that can be used to identify
the timer in timer requests, and returns zero.
Test Information:
timer_create() failed, errno = 1
Action:
The Base working group agrees with the submitter for the following reasons:
1. After creating a timer by calling:
ret = timer_create(CLOCK_MONOTONIC, evp, &t);
the only way to enable the timer is by calling:
ret = timer_settime(t, flags, &value, &oldvalue);
This two step process above seems to be logically equivalent to the
call:
ret = clock_settime(CLOCK_MONOTONIC, &expire);
in cases where expire specifies the timer expiration, and value
specifies the same timer expiration and a zero nanosecond timer
period (i.e. non-repeating timer).
XSH6 [2004 edition], P203, L2786 in the DESCRIPTION of
clock_settime() (clock_getres() is the name at the top of the page)
says:
"The appropriate privilege to set a particular clock
is implementation-defined."
The ERRORS section for clock_settime() requires that
clock_settime() fail in this case. Both EINVAL (which is a shall
fail error when CLOCK_MONOTONIC is given as the clock_id) and EPERM
(which is a may fail when the requesting process doesn't have
appropriate privilege to set the specified clock) would seem to be
legal errno values. Therefore, it seems that
timer_create(CLOCK_MONOTONIC, ...) should also be allowed to
require appropriate privilege and to fail with errno set to EPERM.
2. Since timer_create() and timer_settime() can be used to set not
only a one shot timer, but also to create timers that fire
periodically (and the period can be as small as a nanosecond
depending on the clock's resolution), it seems that these functions
could (as the submitter suggests) lead to a denial of service
attack on the system. (The CLOCK_MONOTONIC clock is a real-time
clock and a short time period on a high resolution clock could
indeed keep the system busy doing nothing but servicing this
timer.) Since this is user level code, requiring privilege seems
perfectly reasonable to me.
Therefore, we believe it would be appropriate to copy the paragraph
quoted in #1 above into the timer_create() DESCRIPTION on P1540
after L47924 and to add a may fail error as follows on P1541 after
L47951:
The timer_create() function may fail if:
[EPERM] The requesting process does not have the appropriate
privilege to create a timer associated with the
specified clock.
3. Since this waiver is not talking about XSI shaded text,
this needs to be forwarded to The Austin Group for formal
interpretation.
Until the Austin Group rules on this interpretation, it
would be appropriate to grant a temporary waiver.
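As an added illustration, not part of this defect report or of the test suite it cites, the C program below performs the two-step timer_create()/timer_settime() sequence from item 1 of the Action on CLOCK_MONOTONIC, treats an EPERM return as the expected outcome on an O/S that privileges high-resolution timers, and raises any requested repeat period to the clock resolution and to a program-level floor so that a careless period cannot produce the busy-servicing condition described in item 2. The function names, the SIGEV_NONE notification and the one millisecond floor (MIN_PERIOD_NS) are assumptions of the example, not values from the specification.

```c
/* Added example, not part of the defect report: exercise the
 * timer_create()/timer_settime() sequence on CLOCK_MONOTONIC, treat EPERM as a
 * legitimate outcome, and keep repeating periods above the clock resolution. */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <time.h>

#define NS_PER_SEC 1000000000LL
/* Assumed program policy (not from the specification): no repeating period
 * shorter than one millisecond, whatever the clock resolution would allow. */
#define MIN_PERIOD_NS 1000000LL

static long long to_ns(struct timespec ts)
{
    return (long long)ts.tv_sec * NS_PER_SEC + ts.tv_nsec;
}

/* Normalise a requested repeat period: a zero period stays zero (one-shot);
 * anything else is raised to floor_ns and rounded up to a whole multiple of
 * the clock resolution res. */
struct timespec clamp_period(struct timespec want, struct timespec res, long long floor_ns)
{
    struct timespec out = {0, 0};
    long long want_ns = to_ns(want);
    long long res_ns = to_ns(res);

    if (want_ns <= 0)
        return out;                       /* it_interval of zero: non-repeating */
    if (res_ns <= 0)
        res_ns = 1;                       /* defensive: treat an unknown resolution as 1 ns */
    if (want_ns < floor_ns)
        want_ns = floor_ns;

    long long ticks = (want_ns + res_ns - 1) / res_ns;   /* round up to whole ticks */
    long long ns = ticks * res_ns;
    out.tv_sec = (time_t)(ns / NS_PER_SEC);
    out.tv_nsec = (long)(ns % NS_PER_SEC);
    return out;
}

/* The two-step sequence from item 1 of the Action. Returns 0 on success or the
 * errno value; EPERM is what an O/S that privileges high-resolution timers
 * returns to an unprivileged caller, and callers should treat it as expected. */
int arm_monotonic_timer(timer_t *out, struct timespec first, struct timespec period)
{
    struct sigevent sev;
    struct timespec res;
    struct itimerspec its;

    memset(&sev, 0, sizeof sev);
    sev.sigev_notify = SIGEV_NONE;        /* no notification: we only observe the outcome */

    if (timer_create(CLOCK_MONOTONIC, &sev, out) == -1)
        return errno;

    if (clock_getres(CLOCK_MONOTONIC, &res) == -1) {
        int e = errno;
        timer_delete(*out);
        return e;
    }

    its.it_value = first;                                        /* first expiration */
    its.it_interval = clamp_period(period, res, MIN_PERIOD_NS);  /* bounded repeat period */
    if (timer_settime(*out, 0, &its, NULL) == -1) {
        int e = errno;
        timer_delete(*out);
        return e;
    }
    return 0;
}

int main(void)
{
    timer_t t;
    struct timespec first = {1, 0};       /* first expiration in one second */
    struct timespec period = {0, 1};      /* request a 1 ns period; it is raised to the floor */
    int rc = arm_monotonic_timer(&t, first, period);

    if (rc == EPERM) {
        puts("timer_create(CLOCK_MONOTONIC): EPERM; this O/S requires privilege");
        return 0;
    }
    if (rc != 0) {
        fprintf(stderr, "timer setup failed: %s\n", strerror(rc));
        return 1;
    }

    struct itimerspec cur;
    if (timer_gettime(t, &cur) == 0)
        printf("armed; effective period %ld s %ld ns\n",
               (long)cur.it_interval.tv_sec, (long)cur.it_interval.tv_nsec);
    timer_delete(t);
    return 0;
}
```

On a system that follows the proposed wording, an unprivileged run prints the EPERM line and exits cleanly; where the timer is granted, the printed interval shows the 1 ns request raised to the floor rather than handed to the kernel as-is.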