Thursday, November 01, 2018

File sealing

Hi all,

File sealing is a Linux-specific safety mechanism that can be used when
sharing memory between two processes.

In this scenario, one process typically calls shm_open(SHM_ANON), mmaps
the result in its address space, writes interesting things in this slice
of memory, and sends the file descriptor over a Unix socket to another
process. The other process then mmaps the file descriptor into its own
address space and reads the shared memory.

Sometimes the two processes don't trust each other, for instance in the
case of Wayland. Bad clients may try to crash the compositor.

One way to crash the compositor is to send a shared memory file descriptor
and then shrink the file. When the compositor tries to read the
now-unmapped part of the file it'll receive SIGBUS.

What the compositor currently does is that it handles SIGBUS and ignores it
if it's about a memory slice mmapped from IPC. Apart from being a hack,
this makes things complicated because:

* There are multiple Wayland interfaces that need to mmap a file descriptor
sent over IPC. Collecting the list of IPC-mmapped regions is currently not
possible with libwayland.
* Since SIGBUS is global state, handling it is difficult. Some other IPC
mechanisms might need to add more regions to the list. Threads make this
even more annoying.

See [1].

I'd like to know if there are plans to add a feature similar to file
sealing [2] in OpenBSD.

Thanks,

--
Simon Ser
https://emersion.fr

[1]: https://gitlab.freedesktop.org/wayland/wayland/issues/53#note_24663
[2]: https://lwn.net/Articles/591108/
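The following is an added example of the Linux mechanism the message refers to; it is not part of Simon Ser's message and not code from Wayland or libwayland. It assumes Linux with memfd_create(2) and the F_ADD_SEALS / F_GET_SEALS fcntl(2) commands described in [2]. The function names (create_sealed_buffer, buffer_is_sealed, read_sealed_buffer, try_shrink, create_unsealed_buffer) and the buffer name "shared-buf" are made up for the example. The producer side seals the buffer against shrinking before it would hand the descriptor over IPC; the consumer side refuses to mmap any descriptor that does not carry those seals, and checks the current file size, since F_SEAL_SHRINK only guarantees the file never gets smaller than it is at the time of the check.

```c
/* Added example, not code from the original message or from Wayland/libwayland.
 * Linux-only: memfd_create(2) + fcntl(2) F_ADD_SEALS / F_GET_SEALS. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Fallbacks for headers that predate sealing; values are from the Linux uapi headers. */
#ifndef F_ADD_SEALS
#define F_ADD_SEALS   1033
#define F_GET_SEALS   1034
#define F_SEAL_SEAL   0x0001
#define F_SEAL_SHRINK 0x0002
#define F_SEAL_GROW   0x0004
#define F_SEAL_WRITE  0x0008
#endif
#ifndef MFD_CLOEXEC
#define MFD_CLOEXEC       1U
#define MFD_ALLOW_SEALING 2U
#endif

/* Seals a compositor needs before touching client memory: the client must not be
 * able to shrink the file (access past EOF raises SIGBUS). F_SEAL_SEAL freezes the
 * seal set so nobody can add further seals later. */
#define REQUIRED_SEALS (F_SEAL_SHRINK | F_SEAL_SEAL)

/* Producer (client) side: a sealable buffer of `size` bytes filled with `fill`,
 * sealed against shrinking before it would be sent over IPC. Returns fd or -1. */
int create_sealed_buffer(size_t size, uint8_t fill) {
    /* Raw syscall so this also builds against a glibc without the memfd_create wrapper. */
    int fd = (int)syscall(SYS_memfd_create, "shared-buf", MFD_CLOEXEC | MFD_ALLOW_SEALING);
    if (fd < 0) return -1;
    if (ftruncate(fd, (off_t)size) < 0) goto fail;
    uint8_t *p = mmap(NULL, size, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
    if (p == MAP_FAILED) goto fail;
    memset(p, fill, size);
    munmap(p, size);
    /* From here on no process holding the fd can shrink the file. */
    if (fcntl(fd, F_ADD_SEALS, REQUIRED_SEALS) < 0) goto fail;
    return fd;
fail:
    close(fd);
    return -1;
}

/* Same buffer but without seals: what a compositor must reject. Returns fd or -1. */
int create_unsealed_buffer(size_t size, uint8_t fill) {
    int fd = (int)syscall(SYS_memfd_create, "shared-buf", MFD_CLOEXEC);
    if (fd < 0) return -1;
    if (ftruncate(fd, (off_t)size) < 0) { close(fd); return -1; }
    uint8_t *p = mmap(NULL, size, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
    if (p == MAP_FAILED) { close(fd); return -1; }
    memset(p, fill, size);
    munmap(p, size);
    return fd;
}

/* Consumer (compositor) side: 1 if the fd carries the required seals, 0 if not,
 * -1 if F_GET_SEALS is unsupported on this fd (e.g. a pipe or a regular disk file). */
int buffer_is_sealed(int fd) {
    int seals = fcntl(fd, F_GET_SEALS);
    if (seals < 0) return -1;
    return (seals & REQUIRED_SEALS) == REQUIRED_SEALS;
}

/* Consumer side: map and sum `size` bytes only if the fd is sealed and currently at
 * least `size` bytes long; F_SEAL_SHRINK pins the size at its value *now*, so the
 * fstat check is what makes the mmap'd range safe. Returns the sum or -1 on rejection. */
long read_sealed_buffer(int fd, size_t size) {
    struct stat st;
    if (buffer_is_sealed(fd) != 1) return -1;
    if (fstat(fd, &st) < 0 || (size_t)st.st_size < size) return -1;
    uint8_t *p = mmap(NULL, size, PROT_READ, MAP_SHARED, fd, 0);
    if (p == MAP_FAILED) return -1;
    long sum = 0;
    for (size_t i = 0; i < size; i++) sum += p[i];
    munmap(p, size);
    return sum;
}

/* What a hostile client does after sending the fd: resize it. Returns 0 if the
 * resize succeeded, otherwise errno (EPERM when a seal forbids the change). */
int try_shrink(int fd, size_t new_size) {
    if (ftruncate(fd, (off_t)new_size) == 0) return 0;
    return errno;
}

int main(void) {
    int fd = create_sealed_buffer(4096, 1);
    if (fd < 0) { perror("create_sealed_buffer"); return 1; }
    printf("sealed=%d shrink_errno=%d sum=%ld\n",
           buffer_is_sealed(fd), try_shrink(fd, 0), read_sealed_buffer(fd, 4096));
    close(fd);
    return 0;
}
```

Note that only F_SEAL_SHRINK is required here: growing the file stays allowed (a client may legitimately enlarge a buffer), and the compositor's fstat check covers the case where the file was sealed while smaller than the size the client later advertises. F_GET_SEALS fails on descriptors that are not shmem/memfd backed, which is why the consumer treats "cannot query seals" the same as "not sealed".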
