From: Tejun Heo <tj@kernel.org>
To: "Eric W. Biederman" <ebiederm@xmission.com>
Cc: Miklos Szeredi <miklos@szeredi.hu>,
Serge Hallyn <serue@us.ibm.com>,
greg@kroah.com, fuse-devel@lists.sourceforge.net,
linux-kernel@vger.kernel.org
Subject: Re: [PATCH 5/7] FUSE: implement ioctl support
Date: Sat, 30 Aug 2008 13:40:36 +0200 [thread overview]
Message-ID: <48B931B4.1030606@kernel.org> (raw)
In-Reply-To: <m163pjr5qf.fsf@frodo.ebiederm.org>
Hello, Eric.
Eric W. Biederman wrote:
> Implementation wise it is not too bad.
>
> FUSE ----------------
> pid = get_pid(task_tid(current))
> ^ |
> | | kernel
> pid_vnr(pid)
> ------ ioctl ----------- /dev/fuse ------------
> | | userland
> | v
> --------------- -------------
> | caller | | FUSE server |---> reads and writes
> | with tid CTID | | | /proc/PID/task/TID/mem
> --------------- -------------
Ah hah.. thanks for the info.
> However it is a largely an insane idea.
> - Write is not implemented for /proc/PID/task/TID/mem
> - It would be better if the kernel handed you back a file descriptor to the
> other process memory rather than you having to generate one.
Yeah, that would at least ensure we're not meddling with the wrong
address space.
> - To access /proc/PID/task/TID/mem you need to have CAP_PTRACE.
> - This seems to allow for random ioctls. With the compat_ioctl
> thing we have largely stomped on that idea. So you should only
> need to deal with well defined ioctls. At which point why do you
> need to directly access the memory of another process.
What do you mean by "compat_ioctl" thing? We still allow random
memory accesses to ioctls.
> So why not just only support well defined ioctls and serialize them
> in the kernel and allow the receiving process to deserialize them?
Yeap, that certainly is an option.
> That would allow all of this to happen with a non-privileged server which
> makes the functionality much more useful.
When !allow_others, there's no reason to prevent one user's FUSE
server to corruption the user's processes. Everyone has the innate
right to shoot him/herself in the foot.
> Given the pain it is to maintain ioctls I would be very surprised if
> we wanted to open up that pandoras box even wider by allowing
> arbitrary user space processes to support random ioctls. How would
> you do 32/64bit support and the like?
32/64bit is not really much problem tho. The kernel just flags the
request as-such and let the userland deal with it.
Miklos, I think Eric's reply pretty much blew the direct access idea
out of water, which leaves us with three options.
1. Support only the proper ioctls. This would be the simplest but
someone might run into its limitations in the future. Given that
the most probable use cases for CUSE are replacing in-kernel legacy
code or faking some proprietary interfaces which are likely to be
somewhat weird, the chance isn't too low IMHO.
2. Do what hpa suggested, that is a simple language to describe the
needed data regions. To me, it seems like an overkill. If there's
already such infrastructure in kernel, I would be happy to
piggyback on it but separate serialization language for FUSE ioctl
support seems extreme.
3. And my favorite (obviously), keep the current implementation. Ugly
it may look but given the horror of the problem at hand I think it
actually hits a pretty good balance between interface peculiarness
and complexity that a more elegant solution would require. It's
only ~250 lines of code which can support any ioctl. Complex ones
will have to go through a few duplicate copy operations but I don't
really think those are gonna hurt anyone when the whole thing is
being relayed to userland.
So, what do you think?
Thanks.
--
tejun
next prev parent reply other threads:[~2008-08-30 11:42 UTC|newest]
Thread overview: 82+ messages / expand[flat|nested] mbox.gz Atom feed top
2008-08-28 17:40 [PATCHSET] FUSE: extend FUSE to support more operations Tejun Heo
2008-08-28 17:40 ` [PATCH 1/7] FUSE: add include protectors Tejun Heo
2008-08-28 17:40 ` [PATCH 2/7] FUSE: pass nonblock flag to client Tejun Heo
2008-08-28 17:40 ` [PATCH 3/7] FUSE: implement nonseekable open Tejun Heo
2008-08-28 17:41 ` [PATCH 4/7] FUSE: implement direct lseek support Tejun Heo
2008-08-28 17:41 ` [PATCH 5/7] FUSE: implement ioctl support Tejun Heo
2008-08-28 17:51 ` Greg KH
2008-08-28 17:59 ` Tejun Heo
2008-08-28 18:01 ` Tejun Heo
2008-08-28 18:13 ` Miklos Szeredi
2008-08-28 18:17 ` Tejun Heo
2008-08-28 18:23 ` Miklos Szeredi
2008-08-28 18:34 ` Tejun Heo
2008-08-28 19:25 ` Miklos Szeredi
2008-08-28 19:42 ` Tejun Heo
2008-08-28 20:02 ` Miklos Szeredi
2008-08-29 2:19 ` Tejun Heo
2008-08-29 7:59 ` Miklos Szeredi
2008-08-29 8:12 ` Tejun Heo
2008-08-29 8:29 ` Miklos Szeredi
2008-08-29 9:03 ` Tejun Heo
2008-08-29 19:17 ` Eric W. Biederman
2008-08-29 19:47 ` Arnd Bergmann
2008-08-30 11:40 ` Tejun Heo [this message]
2008-09-01 11:57 ` Miklos Szeredi
2008-09-01 12:03 ` Tejun Heo
2008-09-03 14:32 ` Eric W. Biederman
2008-09-03 14:40 ` Tejun Heo
2008-09-03 21:51 ` Eric W. Biederman
2008-09-04 0:09 ` Tejun Heo
2008-08-29 11:31 ` [fuse-devel] " Roger Willcocks
2008-08-29 11:54 ` Tejun Heo
2008-08-28 20:48 ` Alan Cox
2008-08-28 18:02 ` Tejun Heo
2008-08-28 18:14 ` Greg KH
2008-08-28 18:25 ` Tejun Heo
2008-08-28 18:20 ` H. Peter Anvin
2008-08-28 18:28 ` Tejun Heo
2008-08-28 19:08 ` H. Peter Anvin
2008-08-28 19:18 ` Miklos Szeredi
2008-08-28 20:21 ` H. Peter Anvin
2008-08-28 20:55 ` Miklos Szeredi
2008-08-28 21:27 ` H. Peter Anvin
2008-08-29 7:32 ` Miklos Szeredi
2008-08-28 17:41 ` [PATCH 6/7] FUSE: implement unsolicited notification Tejun Heo
2008-08-28 17:41 ` [PATCH 7/7] FUSE: implement poll support Tejun Heo
2008-08-28 18:20 ` [PATCHSET] FUSE: extend FUSE to support more operations Miklos Szeredi
2008-08-28 18:23 ` Tejun Heo
2008-10-14 8:21 ` Tejun Heo
2008-10-14 9:37 ` Miklos Szeredi
2008-10-14 12:16 ` [fuse-devel] " Szabolcs Szakacsits
2008-10-14 12:43 ` Miklos Szeredi
[not found] ` <2cff7cb50810141032m5793a405h7425dfa122fb67ba@mail.gmail.com>
2008-10-14 21:04 ` Miklos Szeredi
2008-11-12 8:41 ` Tejun Heo
2008-11-12 9:14 ` Christoph Hellwig
2008-11-12 9:30 ` Tejun Heo
2008-11-12 9:36 ` Miklos Szeredi
2008-11-12 9:43 ` [fuse-devel] " Mike Hommey
2008-11-12 10:00 ` Miklos Szeredi
2008-11-13 5:54 ` Tejun Heo
2008-11-13 6:06 ` Tejun Heo
2008-11-13 11:19 ` Miklos Szeredi
2008-11-13 11:29 ` Tejun Heo
2008-11-13 11:57 ` Miklos Szeredi
2008-11-13 12:14 ` Tejun Heo
2008-11-13 6:26 ` Tejun Heo
2008-11-13 11:47 ` Miklos Szeredi
2008-11-13 11:54 ` Tejun Heo
2008-11-13 11:58 ` Miklos Szeredi
2008-11-13 12:34 ` Miklos Szeredi
2008-11-13 13:23 ` Tejun Heo
2008-11-13 13:42 ` Miklos Szeredi
2008-11-13 14:29 ` Tejun Heo
2008-11-13 14:48 ` Miklos Szeredi
2008-11-13 15:10 ` Tejun Heo
2008-11-13 15:52 ` Miklos Szeredi
2008-11-13 16:00 ` Tejun Heo
2008-11-17 9:17 ` Tejun Heo
2008-11-17 10:16 ` [fuse-devel] " Miklos Szeredi
2008-11-18 3:32 ` Tejun Heo
2008-11-18 9:33 ` Miklos Szeredi
2008-11-18 10:30 ` Tejun Heo
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=48B931B4.1030606@kernel.org \
--to=tj@kernel.org \
--cc=ebiederm@xmission.com \
--cc=fuse-devel@lists.sourceforge.net \
--cc=greg@kroah.com \
--cc=linux-kernel@vger.kernel.org \
--cc=miklos@szeredi.hu \
--cc=serue@us.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.