Documentation: move mandatory locking documentation to filesystems/

Shouldn't this mandatory-locking documentation be in the Documentation/filesystems directory? Give it a more descriptive name while we're at it, and update 00-INDEX with a more inclusive description of Documentation/filesystems (which has already talked about more than just individual filesystems). Signed-off-by: J. Bruce Fields <bfields@citi.umich.edu> Acked-by: Randy Dunlap <randy.dunlap@oracle.com>
author: J. Bruce Fields <bfields@citi.umich.edu> 2007-09-24 18:52:09 -0400
committer: J. Bruce Fields <bfields@citi.umich.edu> 2007-10-09 18:32:45 -0400
commit: 4f3b19ca41fbe572e3d44caf516c215b286fe2a6 (patch)
tree: 8fdb502c03ed5c4ce2b8ca114f0fee5ec96abde2 /Documentation/filesystems
parent: 85c59580b30c82aa771aa33b37217a6b6851bc14 (diff)
2 files changed, 154 insertions, 0 deletions
diff --git a/Documentation/filesystems/00-INDEX b/Documentation/filesystems/00-INDEX
index 59db1bca7027..e801076812a4 100644
--- a/Documentation/filesystems/00-INDEX
+++ b/Documentation/filesystems/00-INDEX
@@ -52,6 +52,8 @@ isofs.txt
        - info and mount options for the ISO 9660 (CDROM) filesystem.
 jfs.txt
        - info and mount options for the JFS filesystem.
+mandatory-locking.txt
+        - info on the Linux implementation of Sys V mandatory file locking.
 ncpfs.txt
        - info on Novell Netware(tm) filesystem using NCP protocol.
 ntfs.txt
diff --git a/Documentation/filesystems/mandatory-locking.txt b/Documentation/filesystems/mandatory-locking.txt
new file mode 100644
index 000000000000..bc449d49eee5
--- /dev/null
+++ b/Documentation/filesystems/mandatory-locking.txt
@@ -0,0 +1,152 @@
+        Mandatory File Locking For The Linux Operating System
+                Andy Walker <andy@lysaker.kvaerner.no>
+                           15 April 1996
+1. What is  mandatory locking?
+------------------------------
+Mandatory locking is kernel enforced file locking, as opposed to the more usual
+cooperative file locking used to guarantee sequential access to files among
+processes. File locks are applied using the flock() and fcntl() system calls
+(and the lockf() library routine which is a wrapper around fcntl().) It is
+normally a process' responsibility to check for locks on a file it wishes to
+update, before applying its own lock, updating the file and unlocking it again.
+The most commonly used example of this (and in the case of sendmail, the most
+troublesome) is access to a user's mailbox. The mail user agent and the mail
+transfer agent must guard against updating the mailbox at the same time, and
+prevent reading the mailbox while it is being updated.
+In a perfect world all processes would use and honour a cooperative, or
+"advisory" locking scheme. However, the world isn't perfect, and there's
+a lot of poorly written code out there.
+In trying to address this problem, the designers of System V UNIX came up
+with a "mandatory" locking scheme, whereby the operating system kernel would
+block attempts by a process to write to a file that another process holds a
+"read" -or- "shared" lock on, and block attempts to both read and write to a 
+file that a process holds a "write " -or- "exclusive" lock on.
+The System V mandatory locking scheme was intended to have as little impact as
+possible on existing user code. The scheme is based on marking individual files
+as candidates for mandatory locking, and using the existing fcntl()/lockf()
+interface for applying locks just as if they were normal, advisory locks.
+Note 1: In saying "file" in the paragraphs above I am actually not telling
+the whole truth. System V locking is based on fcntl(). The granularity of
+fcntl() is such that it allows the locking of byte ranges in files, in addition
+to entire files, so the mandatory locking rules also have byte level
+granularity.
+Note 2: POSIX.1 does not specify any scheme for mandatory locking, despite
+borrowing the fcntl() locking scheme from System V. The mandatory locking
+scheme is defined by the System V Interface Definition (SVID) Version 3.
+2. Marking a file for mandatory locking
+---------------------------------------
+A file is marked as a candidate for mandatory locking by setting the group-id
+bit in its file mode but removing the group-execute bit. This is an otherwise
+meaningless combination, and was chosen by the System V implementors so as not
+to break existing user programs.
+Note that the group-id bit is usually automatically cleared by the kernel when
+a setgid file is written to. This is a security measure. The kernel has been
+modified to recognize the special case of a mandatory lock candidate and to
+refrain from clearing this bit. Similarly the kernel has been modified not
+to run mandatory lock candidates with setgid privileges.
+3. Available implementations
+----------------------------
+I have considered the implementations of mandatory locking available with
+SunOS 4.1.x, Solaris 2.x and HP-UX 9.x.
+Generally I have tried to make the most sense out of the behaviour exhibited
+by these three reference systems. There are many anomalies.
+All the reference systems reject all calls to open() for a file on which
+another process has outstanding mandatory locks. This is in direct
+contravention of SVID 3, which states that only calls to open() with the
+O_TRUNC flag set should be rejected. The Linux implementation follows the SVID
+definition, which is the "Right Thing", since only calls with O_TRUNC can
+modify the contents of the file.
+HP-UX even disallows open() with O_TRUNC for a file with advisory locks, not
+just mandatory locks. That would appear to contravene POSIX.1.
+mmap() is another interesting case. All the operating systems mentioned
+prevent mandatory locks from being applied to an mmap()'ed file, but  HP-UX
+also disallows advisory locks for such a file. SVID actually specifies the
+paranoid HP-UX behaviour.
+In my opinion only MAP_SHARED mappings should be immune from locking, and then
+only from mandatory locks - that is what is currently implemented.
+SunOS is so hopeless that it doesn't even honour the O_NONBLOCK flag for
+mandatory locks, so reads and writes to locked files always block when they
+should return EAGAIN.
+I'm afraid that this is such an esoteric area that the semantics described
+below are just as valid as any others, so long as the main points seem to
+agree. 
+4. Semantics
+------------
+1. Mandatory locks can only be applied via the fcntl()/lockf() locking
+   interface - in other words the System V/POSIX interface. BSD style
+   locks using flock() never result in a mandatory lock.
+2. If a process has locked a region of a file with a mandatory read lock, then
+   other processes are permitted to read from that region. If any of these
+   processes attempts to write to the region it will block until the lock is
+   released, unless the process has opened the file with the O_NONBLOCK
+   flag in which case the system call will return immediately with the error
+   status EAGAIN.
+3. If a process has locked a region of a file with a mandatory write lock, all
+   attempts to read or write to that region block until the lock is released,
+   unless a process has opened the file with the O_NONBLOCK flag in which case
+   the system call will return immediately with the error status EAGAIN.
+4. Calls to open() with O_TRUNC, or to creat(), on a existing file that has
+   any mandatory locks owned by other processes will be rejected with the
+   error status EAGAIN.
+5. Attempts to apply a mandatory lock to a file that is memory mapped and
+   shared (via mmap() with MAP_SHARED) will be rejected with the error status
+   EAGAIN.
+6. Attempts to create a shared memory map of a file (via mmap() with MAP_SHARED)
+   that has any mandatory locks in effect will be rejected with the error status
+   EAGAIN.
+5. Which system calls are affected?
+-----------------------------------
+Those which modify a file's contents, not just the inode. That gives read(),
+write(), readv(), writev(), open(), creat(), mmap(), truncate() and
+ftruncate(). truncate() and ftruncate() are considered to be "write" actions
+for the purposes of mandatory locking.
+The affected region is usually defined as stretching from the current position
+for the total number of bytes read or written. For the truncate calls it is
+defined as the bytes of a file removed or added (we must also consider bytes
+added, as a lock can specify just "the whole file", rather than a specific
+range of bytes.)
+Note 3: I may have overlooked some system calls that need mandatory lock
+checking in my eagerness to get this code out the door. Please let me know, or
+better still fix the system calls yourself and submit a patch to me or Linus.
+6. Warning!
+-----------
+Not even root can override a mandatory lock, so runaway processes can wreak
+havoc if they lock crucial files. The way around it is to change the file
+permissions (remove the setgid bit) before trying to read or write to it.
+Of course, that might be a bit tricky if the system is hung :-(
author	J. Bruce Fields <bfields@citi.umich.edu>	2007-09-24 18:52:09 -0400
committer	J. Bruce Fields <bfields@citi.umich.edu>	2007-10-09 18:32:45 -0400
commit	4f3b19ca41fbe572e3d44caf516c215b286fe2a6 (patch)
tree	8fdb502c03ed5c4ce2b8ca114f0fee5ec96abde2 /Documentation/filesystems
parent	85c59580b30c82aa771aa33b37217a6b6851bc14 (diff)

diff --git a/Documentation/filesystems/00-INDEX b/Documentation/filesystems/00-INDEX index 59db1bca7027..e801076812a4 100644 --- a/Documentation/filesystems/00-INDEX +++ b/Documentation/filesystems/00-INDEX
@@ -52,6 +52,8 @@ isofs.txt
52	- info and mount options for the ISO 9660 (CDROM) filesystem.	52	- info and mount options for the ISO 9660 (CDROM) filesystem.
53	jfs.txt	53	jfs.txt
54	- info and mount options for the JFS filesystem.	54	- info and mount options for the JFS filesystem.
		55	mandatory-locking.txt
		56	- info on the Linux implementation of Sys V mandatory file locking.
55	ncpfs.txt	57	ncpfs.txt
56	- info on Novell Netware(tm) filesystem using NCP protocol.	58	- info on Novell Netware(tm) filesystem using NCP protocol.
57	ntfs.txt	59	ntfs.txt


diff --git a/Documentation/filesystems/mandatory-locking.txt b/Documentation/filesystems/mandatory-locking.txt new file mode 100644 index 000000000000..bc449d49eee5 --- /dev/null +++ b/Documentation/filesystems/mandatory-locking.txt
@@ -0,0 +1,152 @@
		1	Mandatory File Locking For The Linux Operating System
		2
		3	Andy Walker <andy@lysaker.kvaerner.no>
		4
		5	15 April 1996
		6
		7
		8	1. What is mandatory locking?
		9	------------------------------
		10
		11	Mandatory locking is kernel enforced file locking, as opposed to the more usual
		12	cooperative file locking used to guarantee sequential access to files among
		13	processes. File locks are applied using the flock() and fcntl() system calls
		14	(and the lockf() library routine which is a wrapper around fcntl().) It is
		15	normally a process' responsibility to check for locks on a file it wishes to
		16	update, before applying its own lock, updating the file and unlocking it again.
		17	The most commonly used example of this (and in the case of sendmail, the most
		18	troublesome) is access to a user's mailbox. The mail user agent and the mail
		19	transfer agent must guard against updating the mailbox at the same time, and
		20	prevent reading the mailbox while it is being updated.
		21
		22	In a perfect world all processes would use and honour a cooperative, or
		23	"advisory" locking scheme. However, the world isn't perfect, and there's
		24	a lot of poorly written code out there.
		25
		26	In trying to address this problem, the designers of System V UNIX came up
		27	with a "mandatory" locking scheme, whereby the operating system kernel would
		28	block attempts by a process to write to a file that another process holds a
		29	"read" -or- "shared" lock on, and block attempts to both read and write to a
		30	file that a process holds a "write " -or- "exclusive" lock on.
		31
		32	The System V mandatory locking scheme was intended to have as little impact as
		33	possible on existing user code. The scheme is based on marking individual files
		34	as candidates for mandatory locking, and using the existing fcntl()/lockf()
		35	interface for applying locks just as if they were normal, advisory locks.
		36
		37	Note 1: In saying "file" in the paragraphs above I am actually not telling
		38	the whole truth. System V locking is based on fcntl(). The granularity of
		39	fcntl() is such that it allows the locking of byte ranges in files, in addition
		40	to entire files, so the mandatory locking rules also have byte level
		41	granularity.
		42
		43	Note 2: POSIX.1 does not specify any scheme for mandatory locking, despite
		44	borrowing the fcntl() locking scheme from System V. The mandatory locking
		45	scheme is defined by the System V Interface Definition (SVID) Version 3.
		46
		47	2. Marking a file for mandatory locking
		48	---------------------------------------
		49
		50	A file is marked as a candidate for mandatory locking by setting the group-id
		51	bit in its file mode but removing the group-execute bit. This is an otherwise
		52	meaningless combination, and was chosen by the System V implementors so as not
		53	to break existing user programs.
		54
		55	Note that the group-id bit is usually automatically cleared by the kernel when
		56	a setgid file is written to. This is a security measure. The kernel has been
		57	modified to recognize the special case of a mandatory lock candidate and to
		58	refrain from clearing this bit. Similarly the kernel has been modified not
		59	to run mandatory lock candidates with setgid privileges.
		60
		61	3. Available implementations
		62	----------------------------
		63
		64	I have considered the implementations of mandatory locking available with
		65	SunOS 4.1.x, Solaris 2.x and HP-UX 9.x.
		66
		67	Generally I have tried to make the most sense out of the behaviour exhibited
		68	by these three reference systems. There are many anomalies.
		69
		70	All the reference systems reject all calls to open() for a file on which
		71	another process has outstanding mandatory locks. This is in direct
		72	contravention of SVID 3, which states that only calls to open() with the
		73	O_TRUNC flag set should be rejected. The Linux implementation follows the SVID
		74	definition, which is the "Right Thing", since only calls with O_TRUNC can
		75	modify the contents of the file.
		76
		77	HP-UX even disallows open() with O_TRUNC for a file with advisory locks, not
		78	just mandatory locks. That would appear to contravene POSIX.1.
		79
		80	mmap() is another interesting case. All the operating systems mentioned
		81	prevent mandatory locks from being applied to an mmap()'ed file, but HP-UX
		82	also disallows advisory locks for such a file. SVID actually specifies the
		83	paranoid HP-UX behaviour.
		84
		85	In my opinion only MAP_SHARED mappings should be immune from locking, and then
		86	only from mandatory locks - that is what is currently implemented.
		87
		88	SunOS is so hopeless that it doesn't even honour the O_NONBLOCK flag for
		89	mandatory locks, so reads and writes to locked files always block when they
		90	should return EAGAIN.
		91
		92	I'm afraid that this is such an esoteric area that the semantics described
		93	below are just as valid as any others, so long as the main points seem to
		94	agree.
		95
		96	4. Semantics
		97	------------
		98
		99	1. Mandatory locks can only be applied via the fcntl()/lockf() locking
		100	interface - in other words the System V/POSIX interface. BSD style
		101	locks using flock() never result in a mandatory lock.
		102
		103	2. If a process has locked a region of a file with a mandatory read lock, then
		104	other processes are permitted to read from that region. If any of these
		105	processes attempts to write to the region it will block until the lock is
		106	released, unless the process has opened the file with the O_NONBLOCK
		107	flag in which case the system call will return immediately with the error
		108	status EAGAIN.
		109
		110	3. If a process has locked a region of a file with a mandatory write lock, all
		111	attempts to read or write to that region block until the lock is released,
		112	unless a process has opened the file with the O_NONBLOCK flag in which case
		113	the system call will return immediately with the error status EAGAIN.
		114
		115	4. Calls to open() with O_TRUNC, or to creat(), on a existing file that has
		116	any mandatory locks owned by other processes will be rejected with the
		117	error status EAGAIN.
		118
		119	5. Attempts to apply a mandatory lock to a file that is memory mapped and
		120	shared (via mmap() with MAP_SHARED) will be rejected with the error status
		121	EAGAIN.
		122
		123	6. Attempts to create a shared memory map of a file (via mmap() with MAP_SHARED)
		124	that has any mandatory locks in effect will be rejected with the error status
		125	EAGAIN.
		126
		127	5. Which system calls are affected?
		128	-----------------------------------
		129
		130	Those which modify a file's contents, not just the inode. That gives read(),
		131	write(), readv(), writev(), open(), creat(), mmap(), truncate() and
		132	ftruncate(). truncate() and ftruncate() are considered to be "write" actions
		133	for the purposes of mandatory locking.
		134
		135	The affected region is usually defined as stretching from the current position
		136	for the total number of bytes read or written. For the truncate calls it is
		137	defined as the bytes of a file removed or added (we must also consider bytes
		138	added, as a lock can specify just "the whole file", rather than a specific
		139	range of bytes.)
		140
		141	Note 3: I may have overlooked some system calls that need mandatory lock
		142	checking in my eagerness to get this code out the door. Please let me know, or
		143	better still fix the system calls yourself and submit a patch to me or Linus.
		144
		145	6. Warning!
		146	-----------
		147
		148	Not even root can override a mandatory lock, so runaway processes can wreak
		149	havoc if they lock crucial files. The way around it is to change the file
		150	permissions (remove the setgid bit) before trying to read or write to it.
		151	Of course, that might be a bit tricky if the system is hung :-(
		152