Re: Why not make kdbus use CUSE?

From: Richard Yao
Date: Tue Dec 02 2014 - 07:21:55 EST

Next message: Mark Brown: "Re: [PATCH v9 8/8] devicetree: regulator: sky81452: Modify Device Tree structure"
Previous message: Theodore Ts'o: "Re: Checking to see if a bit is _not_ set in a ftrace event filter"
In reply to: Richard Yao: "Re: Why not make kdbus use CUSE?"
Next in thread: Greg Kroah-Hartman: "Re: Why not make kdbus use CUSE?"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Dear Greg,

I had hoped that I could avoid reading through the code for yet another
IPC mechanism when I asked why we needed kdbus at LinuxCon Europe. In
hindsight, I should have just checked out the code and read it instead
of asking. However, what I did instead was ask and then do some thinking
based on that, mean to send an email and then sent it long after I
should have.

Our conversation now has lead me to realize my mistake and I have tried
to rectify it. I now see that kdbus is hooking into kernel interface to
implement KDBUS_ITEM_PAYLOAD_MEMFD in a way that we could only achieve
from userspace with UNIX domain sockets. I imagine that we could avoid
putting this code into the kernel through a combination of libev,
libfuse, memfds and UNIX domain sockets.

A fallback path could be provided by using anonymous files on the FUSE
filesystem. This could probably by by the sender doing something like
the following:

void *buf;
int coookie;
char *name = strdup("/sys/fs/kdbus/tmp/XXXXXX");
int fd = mkstemp(name);
unlink(name);
buf = mmap(NULL, LENGTH, PROT_WRITE, MAP_SHARED, fd, 0);
// Do your writes here
cookie = ioctl(fd, SEAL);
close(fd);
munmap(buf);
// Send a message via a UNIX domain socket to the server with the
// cookie, plus whatever XXXXXX became and instructions on where to
// send the data. If the file had been closed before the message was
// received, the server should be able to say okay. Otherwise, it can //
send an error. The server would need to have a timer to handle the
// case where a process never actually sends a message with the cookie.

Assuming that this dance succeeds, the FUSE process could then make a
readonly file in itself, open it read only, unlink it, put the data into
the file and send the file descriptor via UNIX domain socket while
refusing further writes. If it has its own user/group, the file should
be safe from prying eyes.

This is not as good as a memfd and also suffers from the race that
O_TMPFILE was meant to close, but it should be able to function as a
decent fallback. This would preserve portability across not only
different versions of Linux, but also other POSIX systems. Keeping the
code in userspace would allow us to apply SELinux policies to it, which
is something that we would lose if it were go to into the kernel.

That said, it is still not clear to me that dbus must be inside the
kernel to be able to perform multicast and zero copy using memfd. Is
there something that I have missed that make this not the case?

Yours truly,
Richard Yao

Attachment: signature.asc
Description: OpenPGP digital signature

Next message: Mark Brown: "Re: [PATCH v9 8/8] devicetree: regulator: sky81452: Modify Device Tree structure"
Previous message: Theodore Ts'o: "Re: Checking to see if a bit is _not_ set in a ftrace event filter"
In reply to: Richard Yao: "Re: Why not make kdbus use CUSE?"
Next in thread: Greg Kroah-Hartman: "Re: Why not make kdbus use CUSE?"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]