-
Notifications
You must be signed in to change notification settings - Fork 22
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
API safety and soundness #29
Comments
Hey @vi! Thanks for bringing this up. I don't know that it's realistic to try and handle all possible complications involving memory mapping, and it's definitely possible that by manipulating the underlying file you can mess up your database and cause a panic or other undefined behavior. However, I do believe that the steps I've taken (locking the file if possible) should be "safe enough" provided you're not doing something ridiculous, which is why I chose to not to make the function unsafe. Perhaps some more documentation would be appropriate though? Some big warning that says not to mess with the file while it's open by another process? |
For example, would it be wise to use the app from privileged suid executable that accesses a database which is created by unprivileged users? Will straightforward usage of the API lead to a secure application? Users of the crate may think "if database is adversarial then it may return fake data, so we need e.g. to verify signatures of those data before using it" while in reality mere opening the database leads to code execution.
Documentation should be a starting point. The documentation should mention what worst can happen if the rules are not being followed. If this "worst" involves undefined behaviour, then it invites If, however, the function is a gateway to something large and potential unsoundness only reachable in really tricky scenarios, then the function is often not marked But, for example, opening attacker-provided or corrupted database file should not be considered as too exotic scenario and should invite Precedent: BTreeMap/HashMap in std and bad
This encapsulation allows
There may be two functions for opening the database: usual |
Well, mandatory locking, at least in Linux, is a lost cause, so... In general, this is a problem involving all applications using mmap. So, "some big warning that says not to mess with the file" might be the best we have in this scenario. |
Description mentions that the library uses
mmap
, also links to "Single-level store" article, which suggests that jammdb may give users references leading to mmaped files.I expected e.g.
jammdb::DB::open
to beunsafe fn
, as full protection against unreasonable things that is needed to make it completely sound (or maybe even enough-for-practical-considerations sound) may not be viable gived the architecture.But it seems to be not the case, the crate API does not hint at potentials undefined behaviours users may face with the library. For example, what worst could happen if the database file is mangled by external process while in use? What if multiple processes open the same database for writing (including using networked filesystem without locking)?
Shall the entry function be marked
unsafe
to make users commit to not doing unreasonable things to the database? Or isjammdb
actually fully handles all possible complications of memory mapping, so the API is indeed sound even when misused?The text was updated successfully, but these errors were encountered: