
The Open Brand -- Problem Reporting and Interpretations System


Problem Report 2480 Details


This page provides all information on Problem Report 2480.




    Problem Report Number: 2480
    Submitter's Classification: Specification problem
    State: Resolved
    Resolution: Rejected (REJ)
    Problem Resolution ID: REJ.X.0684
    Raised: 2005-09-20 04:02
    Updated: 2009-08-14 22:18
    Published: 2009-08-14 22:18
    Product Standard: Internationalised System Calls and Libraries Extended V3 (UNIX 03)
    Certification Program: The Open Brand certification program
    Test Suite: VSART version 1.1.5
    Test Identification: /tset/POSIX_art.os/timers/timer_create/T.timer_create 1
    Specification: Base Definitions Issue 6
    Location in Spec: System Interfaces, Issue 6; Volume 3 (R to Z).
    timer_create(), pages 1514-1516
    Problem Summary: create_timer() with high resolution can deny service, thus our O/S
    restricts CLOCK_MONOTONIC to privileged processes.
    Problem Text: The test "/tset/POSIX_art.os/timers/timer_create/T.timer_create #1"
    is built as a normal user executable, and when it executes and
    attempts to call the timer_create() function with a clockid of
    CLOCK_MONOTONIC, the function returns an EPERM error, and the test
    fails with an Unresolved status.

    On our O/S, a process with a high resolution clock timer
    can cause denial of service conditions on the system, and thus such
    timers are restricted to privileged processes.

    CLOCK_MONOTONIC is implemented as CLOCK_HIGHRES on our O/S, and our
    man-page for timer_create() gives this error condition:

    EPERM The specified clock ID, clock_id, is CLOCK_HIGHRES
    and the {PRIV_PROC_CLOCK_HIGHRES} is not asserted in
    the effective set of the calling process.

    We would like to request a waiver for this test case, or have the
    test executable be built with owner=root and the set-ID bit set.
    Test Output: /tset/POSIX_art.os/timers/timer_create/T.timer_create 1 Unresolved

    Test Description:
    If {_POSIX_CLOCK_SELECTION} is defined:
    When clock_id is CLOCK_MONOTONIC, then
    timer_create(clock_id, evp, timerid) creates a
    per-process timer using the monotonic clock as the
    timing base 0, sets the location referenced by
    timerid to a timer ID that can be used to identify
    the timer in timer requests, and returns zero.

    Test Information:
    timer_create() failed, errno = 1

    Review Information

    Review Type: SA Review
    Start Date: 2005-09-20 05:02
    Last Updated: 2005-10-19 16:36
    Completed: 2005-10-19 16:36
    Status: Complete
    Review Resolution: Rejected (REJ)
    Review Conclusion:
    The report resolution is changed to Rejected (REJ).

    The Austin Group has recently reopened Austin Interpretation AI-122, on
    which PR 2480 was based. Subsequently the Austin Group has closed AI-122
    with a different resolution to that of before, which has now invalidated
    this interpretation. We have therefore administratively appealed this
    request and resolved it as rejected in line with the final interpretation
    of AI-122.

    ==============================================================
    Former rationale below of the previous decision, now invalidated
    The working group agrees with the submitter for the following reasons:

    1. After creating a timer by calling:
    ret = timer_create(CLOCK_MONOTONIC, evp, &t);
    the only way to enable the timer is by calling:
    ret = timer_settime(t, flags, &value, &oldvalue);
    This two step process above seems to be logically equivalent to the
    call:
    ret = clock_settime(CLOCK_MONOTONIC, &expire);
    in cases where expire specifies the timer expiration, and value
    specifies the same timer expiration and a zero nanosecond timer
    period (i.e. non-repeating timer).

    XSH6 [2004 edition], P203, L2786 in the DESCRIPTION of
    clock_settime() (clock_getres() is the name at the top of the page)
    says:
    "The appropriate privilege to set a particular clock
    is implementation-defined."

    The ERRORS section for clock_settime() requires that
    clock_settime() fail in this case. Both EINVAL (which is a shall
    fail error when CLOCK_MONOTONIC is given as the clock_id) and EPERM
    (which is a may fail error when the requesting process doesn't have
    appropriate privilege to set the specified clock) would seem to be
    legal errno values. Therefore, it seems that
    timer_create(CLOCK_MONOTONIC, ...) should also be allowed to
    require appropriate privilege and to fail with errno set to EPERM.

    2. Since timer_create() and timer_settime() can be used to set not
    only a one shot timer, but also to create timers that fire
    periodically (and the period can be as small as a nanosecond
    depending on the clock's resolution), it seems that these functions
    could (as the submitter suggests) lead to a denial of service
    attack on the system. (The CLOCK_MONOTONIC clock is a real-time
    clock and a short time period on a high resolution clock could
    indeed keep the system busy doing nothing but servicing this
    timer.) Since this is user level code, requiring privilege seems
    perfectly reasonable to me.

    Therefore, we believe it would be appropriate to copy the paragraph
    quoted in #1 above into the timer_create() DESCRIPTION on P1540
    after L47924 and to add a may fail error as follows on P1541 after
    L47951:
    The timer_create() function may fail if:
    [EPERM] The requesting process does not have the appropriate
    privilege to create a timer associated with the
    specified clock.

    3. Since this waiver is not talking about XSI shaded text,
    this needs to be forwarded to The Austin Group for formal
    interpretation.

    Until the Austin Group rules on this interpretation, it
    would be appropriate to grant a temporary waiver.
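
An added example, not part of the problem report or of the test suite: application code that tolerates the EPERM described above when timer_create() is refused CLOCK_MONOTONIC, and that refuses to arm a periodic timer with a period shorter than a floor, which addresses the short-period concern in point 2. The names create_portable_timer, arm_periodic, clamp_period_ns and MIN_PERIOD_NS are hypothetical, and the fallback to CLOCK_REALTIME and the 1 ms floor are assumptions.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <time.h>

#define NS_PER_SEC 1000000000L
#define MIN_PERIOD_NS 1000000L /* assumed application floor: 1 ms */

/* Raise a requested period to the larger of clock resolution and the floor. */
long clamp_period_ns(long requested_ns, long resolution_ns)
{
    long floor_ns = resolution_ns > MIN_PERIOD_NS ? resolution_ns : MIN_PERIOD_NS;
    return requested_ns < floor_ns ? floor_ns : requested_ns;
}

/* Try CLOCK_MONOTONIC; if the implementation refuses it (EPERM as in the
 * report, or EINVAL), fall back to CLOCK_REALTIME, which can be stepped. */
int create_portable_timer(timer_t *t, clockid_t *used)
{
    struct sigevent ev = {0};
    ev.sigev_notify = SIGEV_NONE; /* no signal; poll with timer_gettime() */
    *used = CLOCK_MONOTONIC;
    if (timer_create(*used, &ev, t) == 0) return 0;
    if (errno != EPERM && errno != EINVAL) return -1;
    *used = CLOCK_REALTIME;
    return timer_create(*used, &ev, t);
}

/* Arm a periodic timer; returns the period actually used, or -1 on error. */
long arm_periodic(timer_t t, clockid_t clk, long requested_ns)
{
    struct timespec res;
    struct itimerspec its;
    if (clock_getres(clk, &res) != 0) return -1;
    long res_ns = res.tv_sec > 0 ? NS_PER_SEC : res.tv_nsec;
    long period = clamp_period_ns(requested_ns, res_ns);
    its.it_interval.tv_sec = period / NS_PER_SEC;
    its.it_interval.tv_nsec = period % NS_PER_SEC;
    its.it_value = its.it_interval;
    return timer_settime(t, 0, &its, NULL) == 0 ? period : -1;
}

int main(void)
{
    timer_t t; clockid_t clk;
    if (create_portable_timer(&t, &clk) != 0) { perror("timer_create"); return 1; }
    printf("clock=%s period=%ld ns\n", clk == CLOCK_MONOTONIC ? "monotonic" : "realtime",
           arm_periodic(t, clk, 1));
    return timer_delete(t);
}
```

On C libraries that keep the timer functions in a separate realtime library, link with -lrt.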
