我可以在两个进程之间保护内存吗
[英]Can I mprotect memory between two processes
问题描述
I have mmaped shared memory (backed by /dev/shm) between two processes. 
我已经在两个进程之间映射了共享内存(由/ dev / shm支持)。
7ffff7ff3000-7ffff7ff7000 rw-s 00000000 00:16 176796 /dev/shm/shdmem
One process is doing mprotect for first page of the memory and see proper configuration 一个过程是对内存的第一页执行mprotect,并查看正确的配置
7ffff7ff3000-7ffff7ff4000 ---s 00000000 00:16 176796 /dev/shm/shdmem
7ffff7ff4000-7ffff7ff7000 rw-s 00001000 00:16 176796 /dev/shm/shdmem
But second one still see only rw region: 但是第二个仍然只看到rw区域:
7ffff7ff3000-7ffff7ff7000 rw-s 00000000 00:16 176796 /dev/shm/shdmem
is it correct Linux behaviour? 它是正确的Linux行为吗? I was thinking that if I share the same memory region I can protect my memory against usage of different processes? 我当时在想,如果我共享相同的内存区域,那么我可以保护自己的内存免受不同进程的使用吗? (Of course process B can easily modify shared memory but process A which issued mprotect will get segfault) (当然,进程B可以轻松地修改共享内存,但是发出mprotect的进程A将出现段错误)
1 个解决方案
解决方案1
1 2018-04-07 22:26:17
Think about what happens when you do an mmap (an operating system neutral description). 想一想当您执行mmap(操作系统无关性说明)时会发生什么。
The operating system has to create a shared memory region in which physical memory is mapped to some file (this could be the page files and on some systems user specified file). 操作系统必须创建一个共享内存区域,其中物理内存被映射到某个文件(这可以是页面文件,在某些系统上是用户指定的文件)。
To map the region to the first process, it's page tables must be altered to map some range of the process logical address space to the physical memory page frames used by the shared region (which may change over time). 要将区域映射到第一个进程,必须更改其页表,以将进程逻辑地址空间的某些范围映射到共享区域使用的物理内存页面框架(可能会随时间变化)。 Those tables may be set to read, read/write, etc. depending up on how the region is created and how the mapping is done. 这些表可以设置为读取,读取/写入等,具体取决于创建区域的方式和完成映射的方式。 In your case, you apparently made the region read/write. 就您而言,您显然使该区域为读/写。
A second process comes alone and maps to the shared region. 第二个过程一个人来,并映射到共享区域。 It's process page tables are mapped to the the physical page frames. 它的过程页面表被映射到物理页面框架。 Again, it the protection in the mapping is set to how the region is created and how the the region is mapped. 同样,将映射中的保护设置为如何创建区域以及如何映射区域。 (generally you can map a read/write region as read only but cannot map a read only region as read/write). (通常,您可以将读/写区域映射为只读,但不能将只读区域映射为读/写)。
Your first process has done mprotect to change some of the pages in the region to no access. 您的第一个过程已完成mprotect,将区域中的某些页面更改为无权访问。 You have not changed the protection on the region. 您尚未更改该区域的保护。 You have only changed the protection settings in the page tables of the first process. 您仅在第一个过程的页表中更改了保护设置。
Apparently you are expecting the modification of the page tables in the first process to be reflected in other processes that map the region. 显然,您希望在第一个过程中对页表的修改会反映在映射该区域的其他过程中。 That is not going to happen. 那不会发生。 An operating system is not going to allow page level modifications in one process to be propagated to another process. 操作系统不允许将一个进程中的页面级修改传播到另一个进程。 That would create all kinds of security holes. 那会造成各种各样的安全漏洞。
The protection of the region is generally set by the protection of the file backing the region. 通常通过对支持该区域的文件的保护来设置区域的保护。 That protection applies to the entire region. 该保护适用于整个地区。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.