bozo: Make bozo_isrestricted atomic

The bosserver global bozo_isrestricted is often accessed without any
locks. It's a simple boolean that doesn't need coordination with
anything else, but on pthreads, accessing this from different threads is
technically undefined behavior. To avoid this, convert bozo_isrestricted
to be an rx_atomic_t, which can be accessed safely from different
threads.

Access this global through the new functions bozo_IsRestricted() and
bozo_SetRestricted(), to make it easier to change how we access this
global in the future, if we need to. Change the name of the global to
bozo_restricted and declare it 'static', to try to make sure we haven't
left behind any old users.

Do the same thing for the bozo_restdisable global, too (renamed to
bozo_restricted_disabled), except don't add accessor functions, since
this is only used in a small number of places.

While we could instead make these globals be protected by a lock (such
as BNODE_LOCK()), using atomics is a little simpler, since we don't need
to worry about whether we have obtained the relevant lock.

Change-Id: If8d8dcc2103b084bebb152440ddd52b85cfa26b0
Reviewed-on: https://gerrit.openafs.org/15779
Reviewed-by: Michael Meffie <mmeffie@sinenomine.net>
Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Andrew Deason 2024-07-06 15:06:48 -05:00 committed by Benjamin Kaduk
parent d53f37689f
commit 0182dbd13b
3 changed files with 38 additions and 21 deletions


@ -38,7 +38,6 @@ extern struct ktime bozo_nextRestartKT, bozo_nextDayKT;
extern struct afsconf_dir *bozo_confdir;
extern int bozo_newKTs;
extern int DoLogging;
extern int bozo_isrestricted;
afs_int32
SBOZO_GetRestartTime(struct rx_call *acall, afs_int32 atype, struct bozo_netKTime *aktime)
@ -121,7 +120,7 @@ SBOZO_Exec(struct rx_call *acall, char *acmd)
code = BZACCESS;
goto fail;
}
if (bozo_isrestricted) {
if (bozo_IsRestricted()) {
code = BZACCESS;
goto fail;
}
@ -191,7 +190,7 @@ SBOZO_UnInstall(struct rx_call *acall, char *aname)
osi_auditU(acall, BOS_UnInstallEvent, code, AUD_STR, aname, AUD_END);
return code;
}
if (bozo_isrestricted) {
if (bozo_IsRestricted()) {
code = BZACCESS;
osi_auditU(acall, BOS_UnInstallEvent, code, AUD_STR, aname, AUD_END);
return code;
@ -305,7 +304,7 @@ SBOZO_Install(struct rx_call *acall, char *aname, afs_int32 asize, afs_int32 mod
if (!afsconf_SuperUser(bozo_confdir, acall, caller))
return BZACCESS;
if (bozo_isrestricted)
if (bozo_IsRestricted())
return BZACCESS;
/* construct local path from canonical (wire-format) path */
@ -811,7 +810,7 @@ SBOZO_CreateBnode(struct rx_call *acall, char *atype, char *ainstance,
code = BZACCESS;
goto fail;
}
if (bozo_isrestricted) {
if (bozo_IsRestricted()) {
const char *salvpath = AFSDIR_CANONICAL_SERVER_SALVAGER_FILEPATH;
/* for DAFS, 'bos salvage' will pass "salvageserver -client" instead */
const char *salsrvpath = AFSDIR_CANONICAL_SERVER_SALSRV_FILEPATH " -client ";
@ -875,7 +874,7 @@ SBOZO_DeleteBnode(struct rx_call *acall, char *ainstance)
code = BZACCESS;
goto fail;
}
if (bozo_isrestricted) {
if (bozo_IsRestricted()) {
code = BZACCESS;
goto fail;
}
@ -1228,7 +1227,7 @@ SBOZO_Prune(struct rx_call *acall, afs_int32 aflags)
code = BZACCESS;
goto fail;
}
if (bozo_isrestricted) {
if (bozo_IsRestricted()) {
code = BZACCESS;
goto fail;
}
@ -1503,7 +1502,7 @@ SBOZO_GetLog(struct rx_call *acall, char *aname)
code = BZACCESS;
goto fail;
}
if (bozo_isrestricted && strchr(aname, '/')
if (bozo_IsRestricted() && strchr(aname, '/') != NULL
&& strcmp(aname, AFSDIR_CANONICAL_SERVER_SLVGLOG_FILEPATH)) {
code = BZACCESS;
goto fail;
@ -1588,7 +1587,7 @@ SBOZO_GetInstanceStrings(struct rx_call *acall, char *abnodeName,
afs_int32
SBOZO_GetRestrictedMode(struct rx_call *acall, afs_int32 *arestmode)
{
*arestmode = bozo_isrestricted;
*arestmode = bozo_IsRestricted();
return 0;
}
@ -1604,7 +1603,7 @@ SBOZO_SetRestrictedMode(struct rx_call *acall, afs_int32 arestmode)
code = BZACCESS;
goto done;
}
if (bozo_isrestricted) {
if (bozo_IsRestricted()) {
code = BZACCESS;
goto done;
}
@ -1612,7 +1611,7 @@ SBOZO_SetRestrictedMode(struct rx_call *acall, afs_int32 arestmode)
code = BZDOM;
goto done;
}
bozo_isrestricted = arestmode;
bozo_SetRestricted(arestmode);
code = WriteBozoFile(0);
done:
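Review bot: The SBOZO_GetLog hunk changes `strchr(aname, '/')` to `strchr(aname, '/') != NULL` alongside the accessor swap, which is an unrelated style change in a commit whose stated purpose is the atomic conversion. It is harmless, but it widens the diff that anyone later auditing this access-control condition has to read; I would either drop it or mention it in the commit message. The remaining hunks in this file are mechanical one-line replacements of `bozo_isrestricted` with `bozo_IsRestricted()` and look correct; each enclosing function starts and ends outside its hunk.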


@ -43,6 +43,8 @@ int bozo_ReBozo(void);
int WriteBozoFile(char *aname);
int bozo_CreatePidFile(char *ainst, char *aname, pid_t apid);
int bozo_DeletePidFile(char *ainst, char *aname);
int bozo_IsRestricted(void);
void bozo_SetRestricted(int mode);
/* bosoprocs.c */
int GetRequiredDirPerm(const char *path);
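Review bot: The two new prototypes carry no comment on what the flag means or on the threading guarantee that motivates them, so a reader of this header cannot tell why a plain `extern int` was replaced by accessors. I would add above `int bozo_IsRestricted(void);` a comment such as `/* Restricted-mode flag. Backed by an rx_atomic_t; may be read or set from any thread without holding BNODE_LOCK. */`. Whether values other than 0 and 1 can ever be stored depends on validation in the callers (ReadBozoFile and SBOZO_SetRestrictedMode), which is only partly visible in this commit, so confirm that before documenting the value range.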


@ -37,6 +37,7 @@
#include <rx/rx.h>
#include <rx/xdr.h>
#include <rx/rx_globals.h>
#include <rx/rx_atomic.h>
#include <rx/rxkad.h>
#include <rx/rxstat.h>
#include <afs/keys.h>
@ -96,8 +97,20 @@ int bozo_newKTs = 1;
int rxBind = 0;
int rxkadDisableDotCheck = 0;
int bozo_isrestricted = 0;
int bozo_restdisable = 0;
static rx_atomic_t bozo_restricted;
static rx_atomic_t bozo_restricted_disabled;
int
bozo_IsRestricted(void)
{
return rx_atomic_read(&bozo_restricted);
}
void
bozo_SetRestricted(int mode)
{
rx_atomic_set(&bozo_restricted, mode);
}
void
bozo_insecureme(int sig)
@ -105,8 +118,8 @@ bozo_insecureme(int sig)
#ifndef AFS_PTHREAD_ENV
signal(SIGFPE, bozo_insecureme);
#endif
bozo_isrestricted = 0;
bozo_restdisable = 1;
bozo_SetRestricted(0);
rx_atomic_set(&bozo_restricted_disabled, 1);
}
struct bztemp {
@ -453,7 +466,7 @@ ReadBozoFile(char *aname)
code = -1;
goto fail;
}
bozo_isrestricted = rmode;
bozo_SetRestricted(rmode);
continue;
}
@ -557,7 +570,7 @@ WriteBozoFile(char *aname)
}
btemp.file = tfile;
fprintf(tfile, "restrictmode %d\n", bozo_isrestricted);
fprintf(tfile, "restrictmode %d\n", bozo_IsRestricted());
fprintf(tfile, "restarttime %d %d %d %d %d\n", bozo_nextRestartKT.mask,
bozo_nextRestartKT.day, bozo_nextRestartKT.hour,
bozo_nextRestartKT.min, bozo_nextRestartKT.sec);
@ -628,9 +641,9 @@ BozoDaemon(void *unused)
now = FT_ApproxTime();
if (bozo_restdisable) {
if (rx_atomic_read(&bozo_restricted_disabled)) {
bozo_Log("Restricted mode disabled by signal\n");
bozo_restdisable = 0;
rx_atomic_set(&bozo_restricted_disabled, 0);
}
if (bozo_newKTs) { /* need to recompute restart times */
@ -906,6 +919,7 @@ main(int argc, char **argv, char **envp)
int DoProcessRPCStats = 0;
struct stat sb;
struct afsconf_bsso_info bsso;
int restricted = 0;
#ifdef AFS_PTHREAD_ENV
pthread_attr_t tattr;
pthread_t bozo_pid;
@ -1052,7 +1066,9 @@ main(int argc, char **argv, char **envp)
/* bosserver options */
cmd_OptionAsFlag(opts, OPT_noauth, &noAuth);
cmd_OptionAsFlag(opts, OPT_log, &DoLogging);
cmd_OptionAsFlag(opts, OPT_restricted, &bozo_isrestricted);
cmd_OptionAsFlag(opts, OPT_restricted, &restricted);
bozo_SetRestricted(restricted);
if (cmd_OptionPresent(opts, OPT_pidfiles)) {
if (cmd_OptionAsString(opts, OPT_pidfiles, &DoPidFiles) != 0) {
@ -1222,7 +1238,7 @@ main(int argc, char **argv, char **envp)
exit(code);
}
if (bozo_isrestricted) {
if (bozo_IsRestricted()) {
bozo_Log("NOTICE: bosserver is running in restricted mode.\n");
} else {
bozo_Log("WARNING: bosserver is not running in restricted mode.\n");
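Review bot: In the bozo_insecureme hunk, `bozo_SetRestricted(0);` and `rx_atomic_set(&bozo_restricted_disabled, 1);` now run inside a signal handler (the `signal(SIGFPE, bozo_insecureme)` re-arm on the surrounding lines shows this), where the old code did a plain int store each. If rx_atomic_set on a given build resolves to a mutex-guarded fallback rather than a compiler intrinsic — I believe rx_atomic.h has such a fallback, but confirm — the handler can deadlock when it interrupts a thread holding that mutex, and a mutex operation is not async-signal-safe in any case, so the conversion trades a benign data race for a possible hang of the bosserver on signal delivery. A safer shape is to make `bozo_restricted_disabled` a `static volatile sig_atomic_t` that the handler only sets, and to move `bozo_SetRestricted(0);` into BozoDaemon's existing `if (rx_atomic_read(&bozo_restricted_disabled))` branch in the later hunk, where it already logs and clears the flag outside signal context. bozo_insecureme's signature appears only as trailing context of the previous hunk, so its start is outside the hunk being reviewed.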