Memfds!
Memfds are completely anonymous: no name, no mountpoint needed, no name clashes, and no global registry file creation mechanism.
It's meant to provide a very basic file descriptor over an anonymous memory area. This file descriptor can then be passed to other processes using standard Unix fd-passing mechanisms.
It was created specifically for safely sharing memory with applications. shm_open() suffers from non-anonymity, name clashes, and security problems (all other processes in the system can see the SHM files). Meanwhile, memfd is anonymous and none of these issues exist.
Moreover, there is an excellent feature designed for safely using SHM regions: seals.
Seals!
Take the PulseAudio case, where you want to protect the PA server from its clients. When a playback client connects to the daemon, it creates a SHM region for sending playback data.
If the client is malicious, it can shrink the area behind the daemon's back, leading to faults in the daemon. With F_SEAL_SHRINK, we can be sure that a client will not shrink the file behind our back, which would otherwise lead to SIGBUS faults in the daemon.
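The scenario above as a small C program (an added example, not code from the memfd-examples repo): the client creates the region, the daemon refuses it until F_SEAL_SHRINK is set, and a later shrink attempt fails with EPERM. The function names, REGION_SIZE and the "playback-demo" label are assumptions made for this illustration.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/syscall.h>
#include <unistd.h>
#include <linux/memfd.h>      /* MFD_CLOEXEC, MFD_ALLOW_SEALING */

/* Kernel UAPI values, for builds where libc hides them without _GNU_SOURCE. */
#ifndef F_ADD_SEALS
#define F_ADD_SEALS   1033
#define F_GET_SEALS   1034
#define F_SEAL_SHRINK 0x0002
#endif

#define REGION_SIZE 4096      /* assumed size of the playback region */

/* Client: create an anonymous, sealable region. The string is a debug label only. */
int region_create(void)
{
    int fd = (int)syscall(SYS_memfd_create, "playback-demo",
                          MFD_CLOEXEC | MFD_ALLOW_SEALING);
    if (fd >= 0 && ftruncate(fd, REGION_SIZE) < 0) { close(fd); return -1; }
    return fd;
}

/* Either side: forbid shrinking from now on. A seal cannot be removed again. */
int seal_shrink(int fd) { return fcntl(fd, F_ADD_SEALS, F_SEAL_SHRINK); }

/* Daemon: accept a received fd only if F_SEAL_SHRINK is set (0 = ok, -1 = reject). */
int daemon_accept(int fd)
{
    int seals = fcntl(fd, F_GET_SEALS);
    return (seals >= 0 && (seals & F_SEAL_SHRINK)) ? 0 : -1;
}

/* The shrink the daemon wants to rule out: returns 0 on success, else errno. */
int try_shrink(int fd) { return ftruncate(fd, REGION_SIZE / 2) == 0 ? 0 : errno; }

int main(void)
{
    int fd = region_create();
    if (fd < 0) { perror("memfd_create"); return 1; }
    printf("accept before seal: %d\n", daemon_accept(fd));
    seal_shrink(fd);
    printf("accept after seal:  %d\n", daemon_accept(fd));
    printf("shrink errno: %d (EPERM is %d)\n", try_shrink(fd), EPERM);
    close(fd);
    return 0;
}
```

In a real daemon the fd would arrive over a Unix socket, and the F_GET_SEALS check would run before the region is mapped.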
Examples
- Personal memfd-examples GitHub repo. I've added a simple zero-copy client/server application that uses memfd and seals there
References
- On memfd_create(2), David Herrmann (memfd author)
- memfd_create(2) manpage
- The Linux Programming Interface, Section 61.13.3 "Passing File Descriptors"
- FD Passing for DRI.Next, Keith Packard (Xorg maintainer)