| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 20 Nov 2014 21:02:16 -0800
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: arnd@...db.de, ebiederm@...ssion.com, gnomes@...rguk.ukuu.org.uk,
teg@...m.no, jkosina@...e.cz, luto@...capital.net,
linux-api@...r.kernel.org, linux-kernel@...r.kernel.org
Cc: daniel@...que.org, dh.herrmann@...il.com, tixxdz@...ndz.org
Subject: [PATCH v2 00/13] Add kdbus implementation
kdbus is a kernel-level IPC implementation that aims for resemblance to
the the protocol layer with the existing userspace D-Bus daemon while
enabling some features that couldn't be implemented before in userspace.
The documentation in the first patch in this series explains the
protocol and the API details.
This version has changed a lot since the first submission, based on the
review comments received, many thanks to everyone who took the time to
review the code and make suggestions. Full details are below:
Reasons why this should be done in the kernel, instead of userspace as
it is currently done today include the following:
- performance: fewer process context switches, fewer copies, fewer
syscalls, larger memory chunks via memfd. This is really important
for a whole class of userspace programs that are ported from other
operating systems that are run on tiny ARM systems that rely on
hundreds of thousands of messages passed at boot time, and at
"critical" times in their user interaction loops.
- security: the peers which communicate do not have to trust each other,
as the only trustworthy compoenent in the game is the kernel which
adds metadata and ensures that all data passed as payload is either
copied or sealed, so that the receiver can parse the data without
having to protect against changing memory while parsing buffers. Also,
all the data transfer is controlled by the kernel, so that LSMs can
track and control what is going on, without involving userspace.
Because of the LSM issue, security people are much happier with this
model than the current scheme of having to hook into dbus to mediate
things.
- more metadata can be attached to messages than in userspace
- semantics for apps with heavy data payloads (media apps, for instance)
with optinal priority message dequeuing, and global message ordering.
Some "crazy" people are playing with using kdbus for audio data in the
system. I'm not saying that this is the best model for this, but
until now, there wasn't any other way to do this without having to
create custom "busses", one for each application library.
- being in the kernle closes a lot of races which can't be fixed with
the current userspace solutions. For example, with kdbus, there is a
way a client can disconnect from a bus, but do so only if no further
messages present in its queue, which is crucial for implementing
race-free "exit-on-idle" services
- eavesdropping on the kernel level, so privileged users can hook into
the message stream without hacking support for that into their
userspace processes
- a number of smaller benefits: for example kdbus learned a way to peek
full messages without dequeing them, which is really useful for
logging metadata when handling bus-activation requests.
Of course, some of the bits above could be implemented in userspace
alone, for example with more sophisticated memory management APIs, but
this is usually done by losing out on the other details. For example,
for many of the memory management APIs, it's hard to not require the
communicating peers to fully trust each other. And we _really_ don't
want peers to have to trust each other.
Another benefit of having this in the kernel, rather than as a userspace
daemon, is that you can now easily use the bus from the initrd, or up to
the very end when the system shuts down. On current userspace D-Bus,
this is not really possible, as this requires passing the bus instance
around between initrd and the "real" system. Such a transition of all
fds also requires keeping full state of what has already been read from
the connection fds. kdbus makes this much simpler, as we can change the
ownership of the bus, just by passing one fd over from one part to the
other.
Regarding binder: binder and kdbus follow very different design
concepts. Binder implies the use of thread-pools to dispatch incoming
method calls. This is a very efficient scheme, and completely natural
in programming languages like Java. On most Linux programs, however,
there's a much stronger focus on central poll() loops that dispatch all
sources a program cares about. kdbus is much more usable in such
environments, as it doesn't enforce a threading model, and it is happy
with serialized dispatching. In fact, this major difference had an
effect on much of the design decisions: binder does not guarantee global
message ordering due to the parallel dispatching in the thread-pools,
but kdbus does. Moreover, there's also a difference in the way message
handling. In kdbus, every message is basically taken and dispatched as
one blob, while in binder, continious connections to other peers are
created, which are then used to send messages on. Hence, the models are
quite different, and they serve different needs. I believe that the
D-Bus/kdbus model is more compatible and friendly with how Linux
programs are usually implemented.
This can also be found in a git tree, the kdbus branch of char-misc.git at:
https://git.kernel.org/cgit/linux/kernel/git/gregkh/char-misc.git/
Changes since RFC v1:
* Most notably, kdbus exposes its control files, buses and endpoints
via an own file system now, called kdbusfs.
* Each time a file system of this type is mounted, a new kdbus
domain is created.
* By default, kdbus is expected to be mounted in /sys/fs/kdbus
* The layout inside each mount point is the same as before, except
that domains are not hierarchically nested anymore.
* Domains are therefore also unnamed now.
* Unmounting a kdbusfs will automatically also destroy the
associated domain.
* Hence, the action of creating a kdbus domain is now as
privileged as mounting a file system.
* This way, we can get around creating dev nodes for everything,
which is last but not least something that is not limited by
20-bit minor numbers.
* Rework the metadata attachment logic to address concerns raised by
Andy Lutomirsky and Alan Cox:
* Split the attach_flags in kdbus_cmd_hello into two parts,
attach_flags_send and attach_flags_recv. Also, split the
existing KDBUS_ITEM_ATTACH_FLAGS into
KDBUS_ITEM_ATTACH_FLAGS_SEND and KDBUS_ITEM_ATTACH_FLAGS_RECV,
and allow updating both connection details through
KDBUS_CMD_CONN_UPDATE.
* Only attach metadata to the final message in the receiver's pool
if both the sender's attach_flags_send and the receiver's
attach_flags_recv bit are set.
* Add an optional metadata mask to the bus during its creation, so
bus owners can denote their minimal requirements of metadata to
be attached by connections of the bus.
* Namespaces are now pinned by a domain at its creation time, and
metadata items are automatically translated into these namespaces.
Unless that cannot be done (currently only capabilities), in which
case the items are dropped. For hide_pid enabled domains, drop all
items except for such not revealing anything about the task.
* Capabilities are now only checked at open() time, and the
information is cached for the lifetime of a file descriptor.
Reported by Eric W. Biederman, Andy Lutomirski and Thomas Gleixner.
* Make functions that create new objects return the newly allocated
memory directly, rather than in a referenced function arguments.
That implies using ERR_PTR/PTR_ERR logic in many areas. Requested by
Al Viro.
* Rename two details in kdbus.h to not overload the term 'name' too
much:
KDBUS_ITEM_CONN_NAME → KDBUS_ITEM_CONN_DESCRIPTION
KDBUS_ATTACH_CONN_NAME → KDBUS_ATTACH_CONN_DESCRIPTION
* Documentation fixes, by Peter Meerwald and others.
* Some memory leaks plugged, and another match test added, by
Rui Miguel Silva
* Per-user message count quota logic fixed, and new test added.
By John de la Garza.
* More test code for CONN_INFO ioctl
* Added a kdbus_node object embedded by domains, endpoints and buses
to track children in a generic way. A kdbus_node is always exposed
as inode in kdbusfs.
* Add a new attach flags constant called _KDBUS_ATTACH_ANY (~0)
which automatically degrades to _KDBUS_ATTACH_ALL in the kernel.
That way, old clients can opt-in for whethever newer kernels might
offer to send.
* Use #defines rather than an enum for the ioctl signatures, so when
new ones are added, usespace can use #ifdeffery to determine the
function set at compile time. Suggested by Arnd Bergmann.
* Moved the driver to ipc/kdbus, as suggested by Arnd Bergmann.
Daniel Mack (13):
kdbus: add documentation
kdbus: add header file
kdbus: add driver skeleton, ioctl entry points and utility functions
kdbus: add connection pool implementation
kdbus: add connection, queue handling and message validation code
kdbus: add node and filesystem implementation
kdbus: add code to gather metadata
kdbus: add code for notifications and matches
kdbus: add code for buses, domains and endpoints
kdbus: add name registry implementation
kdbus: add policy database implementation
kdbus: add Makefile, Kconfig and MAINTAINERS entry
kdbus: add selftests
Documentation/ioctl/ioctl-number.txt | 1 +
Documentation/kdbus.txt | 1837 +++++++++++++++++++++
MAINTAINERS | 12 +
include/uapi/linux/Kbuild | 1 +
include/uapi/linux/kdbus.h | 933 +++++++++++
include/uapi/linux/magic.h | 1 +
init/Kconfig | 12 +
ipc/Makefile | 2 +-
ipc/kdbus/Makefile | 21 +
ipc/kdbus/bus.c | 459 ++++++
ipc/kdbus/bus.h | 98 ++
ipc/kdbus/connection.c | 1838 ++++++++++++++++++++++
ipc/kdbus/connection.h | 188 +++
ipc/kdbus/domain.c | 349 ++++
ipc/kdbus/domain.h | 84 +
ipc/kdbus/endpoint.c | 497 ++++++
ipc/kdbus/endpoint.h | 91 ++
ipc/kdbus/fs.c | 417 +++++
ipc/kdbus/fs.h | 22 +
ipc/kdbus/handle.c | 993 ++++++++++++
ipc/kdbus/handle.h | 20 +
ipc/kdbus/item.c | 258 +++
ipc/kdbus/item.h | 41 +
ipc/kdbus/limits.h | 77 +
ipc/kdbus/main.c | 59 +
ipc/kdbus/match.c | 524 ++++++
ipc/kdbus/match.h | 31 +
ipc/kdbus/message.c | 444 ++++++
ipc/kdbus/message.h | 75 +
ipc/kdbus/metadata.c | 698 ++++++++
ipc/kdbus/metadata.h | 38 +
ipc/kdbus/names.c | 921 +++++++++++
ipc/kdbus/names.h | 81 +
ipc/kdbus/node.c | 872 ++++++++++
ipc/kdbus/node.h | 86 +
ipc/kdbus/notify.c | 235 +++
ipc/kdbus/notify.h | 29 +
ipc/kdbus/policy.c | 629 ++++++++
ipc/kdbus/policy.h | 61 +
ipc/kdbus/pool.c | 722 +++++++++
ipc/kdbus/pool.h | 44 +
ipc/kdbus/queue.c | 608 +++++++
ipc/kdbus/queue.h | 93 ++
ipc/kdbus/util.c | 166 ++
ipc/kdbus/util.h | 103 ++
tools/testing/selftests/Makefile | 1 +
tools/testing/selftests/kdbus/.gitignore | 11 +
tools/testing/selftests/kdbus/Makefile | 45 +
tools/testing/selftests/kdbus/kdbus-enum.c | 94 ++
tools/testing/selftests/kdbus/kdbus-enum.h | 14 +
tools/testing/selftests/kdbus/kdbus-test.c | 546 +++++++
tools/testing/selftests/kdbus/kdbus-test.h | 81 +
tools/testing/selftests/kdbus/kdbus-util.c | 1240 +++++++++++++++
tools/testing/selftests/kdbus/kdbus-util.h | 143 ++
tools/testing/selftests/kdbus/test-activator.c | 317 ++++
tools/testing/selftests/kdbus/test-benchmark.c | 409 +++++
tools/testing/selftests/kdbus/test-bus.c | 130 ++
tools/testing/selftests/kdbus/test-chat.c | 123 ++
tools/testing/selftests/kdbus/test-connection.c | 501 ++++++
tools/testing/selftests/kdbus/test-daemon.c | 66 +
tools/testing/selftests/kdbus/test-endpoint.c | 221 +++
tools/testing/selftests/kdbus/test-fd.c | 664 ++++++++
tools/testing/selftests/kdbus/test-free.c | 34 +
tools/testing/selftests/kdbus/test-match.c | 437 +++++
tools/testing/selftests/kdbus/test-message.c | 371 +++++
tools/testing/selftests/kdbus/test-metadata-ns.c | 258 +++
tools/testing/selftests/kdbus/test-monitor.c | 156 ++
tools/testing/selftests/kdbus/test-names.c | 184 +++
tools/testing/selftests/kdbus/test-policy-ns.c | 622 ++++++++
tools/testing/selftests/kdbus/test-policy-priv.c | 1168 ++++++++++++++
tools/testing/selftests/kdbus/test-policy.c | 81 +
tools/testing/selftests/kdbus/test-race.c | 313 ++++
tools/testing/selftests/kdbus/test-sync.c | 241 +++
tools/testing/selftests/kdbus/test-timeout.c | 97 ++
74 files changed, 23338 insertions(+), 1 deletion(-)
create mode 100644 Documentation/kdbus.txt
create mode 100644 include/uapi/linux/kdbus.h
create mode 100644 ipc/kdbus/Makefile
create mode 100644 ipc/kdbus/bus.c
create mode 100644 ipc/kdbus/bus.h
create mode 100644 ipc/kdbus/connection.c
create mode 100644 ipc/kdbus/connection.h
create mode 100644 ipc/kdbus/domain.c
create mode 100644 ipc/kdbus/domain.h
create mode 100644 ipc/kdbus/endpoint.c
create mode 100644 ipc/kdbus/endpoint.h
create mode 100644 ipc/kdbus/fs.c
create mode 100644 ipc/kdbus/fs.h
create mode 100644 ipc/kdbus/handle.c
create mode 100644 ipc/kdbus/handle.h
create mode 100644 ipc/kdbus/item.c
create mode 100644 ipc/kdbus/item.h
create mode 100644 ipc/kdbus/limits.h
create mode 100644 ipc/kdbus/main.c
create mode 100644 ipc/kdbus/match.c
create mode 100644 ipc/kdbus/match.h
create mode 100644 ipc/kdbus/message.c
create mode 100644 ipc/kdbus/message.h
create mode 100644 ipc/kdbus/metadata.c
create mode 100644 ipc/kdbus/metadata.h
create mode 100644 ipc/kdbus/names.c
create mode 100644 ipc/kdbus/names.h
create mode 100644 ipc/kdbus/node.c
create mode 100644 ipc/kdbus/node.h
create mode 100644 ipc/kdbus/notify.c
create mode 100644 ipc/kdbus/notify.h
create mode 100644 ipc/kdbus/policy.c
create mode 100644 ipc/kdbus/policy.h
create mode 100644 ipc/kdbus/pool.c
create mode 100644 ipc/kdbus/pool.h
create mode 100644 ipc/kdbus/queue.c
create mode 100644 ipc/kdbus/queue.h
create mode 100644 ipc/kdbus/util.c
create mode 100644 ipc/kdbus/util.h
create mode 100644 tools/testing/selftests/kdbus/.gitignore
create mode 100644 tools/testing/selftests/kdbus/Makefile
create mode 100644 tools/testing/selftests/kdbus/kdbus-enum.c
create mode 100644 tools/testing/selftests/kdbus/kdbus-enum.h
create mode 100644 tools/testing/selftests/kdbus/kdbus-test.c
create mode 100644 tools/testing/selftests/kdbus/kdbus-test.h
create mode 100644 tools/testing/selftests/kdbus/kdbus-util.c
create mode 100644 tools/testing/selftests/kdbus/kdbus-util.h
create mode 100644 tools/testing/selftests/kdbus/test-activator.c
create mode 100644 tools/testing/selftests/kdbus/test-benchmark.c
create mode 100644 tools/testing/selftests/kdbus/test-bus.c
create mode 100644 tools/testing/selftests/kdbus/test-chat.c
create mode 100644 tools/testing/selftests/kdbus/test-connection.c
create mode 100644 tools/testing/selftests/kdbus/test-daemon.c
create mode 100644 tools/testing/selftests/kdbus/test-endpoint.c
create mode 100644 tools/testing/selftests/kdbus/test-fd.c
create mode 100644 tools/testing/selftests/kdbus/test-free.c
create mode 100644 tools/testing/selftests/kdbus/test-match.c
create mode 100644 tools/testing/selftests/kdbus/test-message.c
create mode 100644 tools/testing/selftests/kdbus/test-metadata-ns.c
create mode 100644 tools/testing/selftests/kdbus/test-monitor.c
create mode 100644 tools/testing/selftests/kdbus/test-names.c
create mode 100644 tools/testing/selftests/kdbus/test-policy-ns.c
create mode 100644 tools/testing/selftests/kdbus/test-policy-priv.c
create mode 100644 tools/testing/selftests/kdbus/test-policy.c
create mode 100644 tools/testing/selftests/kdbus/test-race.c
create mode 100644 tools/testing/selftests/kdbus/test-sync.c
create mode 100644 tools/testing/selftests/kdbus/test-timeout.c
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists