From: Elizabeth Figura <zfigura@codeweavers.com>
To: Andy Lutomirski <luto@kernel.org>, wine-devel@winehq.org
Cc: "Arnd Bergmann" <arnd@arndb.de>,
"Greg Kroah-Hartman" <gregkh@linuxfoundation.org>,
linux-kernel@vger.kernel.org, linux-api@vger.kernel.org,
wine-devel@winehq.org, "André Almeida" <andrealmeid@igalia.com>,
"Wolfram Sang" <wsa@kernel.org>,
"Peter Zijlstra" <peterz@infradead.org>,
"Alexandre Julliard" <julliard@winehq.org>,
"Elizabeth Figura" <zfigura@codeweavers.com>
Subject: Re: [RFC PATCH 1/9] ntsync: Introduce the ntsync driver and character device.
Date: Wed, 24 Jan 2024 21:42:04 -0600 [thread overview]
Message-ID: <10405963.nUPlyArG6x@terabithia> (raw)
In-Reply-To: <5907233.BlLQTPImNI@camazotz>
On Wednesday, 24 January 2024 16:56:23 CST Elizabeth Figura wrote:
> On Wednesday, 24 January 2024 15:26:15 CST Andy Lutomirski wrote:
>
> > On Tue, Jan 23, 2024 at 4:59 PM Elizabeth Figura
> > <zfigura@codeweavers.com> wrote:
> >
> > >
> > >
> > > ntsync uses a misc device as the simplest and least intrusive uAPI
> > > interface.
> >
> > >
> > >
> > > Each file description on the device represents an isolated NT instance,
> > > intended to correspond to a single NT virtual machine.
> >
> >
> > If I understand this text right, and if I understood the code right,
> > you're saying that each open instance of the device represents an
> > entire universe of NT synchronization objects, and no security or
> > isolation is possible between those objects. For single-process use,
> > this seems fine. But fork() will be a bit odd (although NT doesn't
> > really believe in fork, so maybe this is fine).
> >
> > Except that NT has *named* semaphores and such. And I'm pretty sure
> > I've written GUI programs that use named synchronization objects (IIRC
> > they were events, and this was a *very* common pattern, regularly
> > discussed in MSDN, usenet, etc) to detect whether another instance of
> > the program is running. And this all works on real Windows because
> > sessions have sufficiently separated namespaces, and the security all
> > works out about as any other security on Windows, etc. But
> > implementing *that* on top of this
> > file-description-plus-integer-equals-object will be fundamentally
> > quite subject to one buggy program completely clobbering someone
> > else's state.
> >
> > Would it make sense and scale appropriately for an NT synchronization
> > *object* to be a Linux open file description? Then SCM_RIGHTS could
> > pass them around, an RPC server could manage *named* objects, and
> > they'd generally work just like other "Object Manager" objects like,
> > say, files.
>
>
> It's a sensible concern. I think when I discussed this with Alexandre
> Julliard (the Wine maintainer, CC'd) the conclusion was this wasn't
> something we were concerned about.
>
> While the current model *does* allow for processes to arbitrarily mess
> with each other, accidentally or not, I think we're not concerned with
> the scope of that than we are about implementing a whole scheduler in
> user space.
>
> For one, you can't corrupt the wineserver state this way—wineserver
> being sort of like a dedicated process that handles many of the things
> that a kernel would, and so sometimes needs to set or reset events, or
> perform NTSYNC_IOC_KILL_MUTEX, but never relies on ntsync object state.
> Whereas trying to implement a scheduler in user space would involve the
> wineserver taking locks, and hence other processes could deadlock.
>
> For two, it's probably a lot harder to mess with that internal state
> accidentally.
>
> [There is also a potential problem where some broken applications
> create a million (literally) sync objects. Making these into files runs
> into NOFILE. We did specifically push distributions and systemd to
> increase those limits because an older solution *did* use eventfds and
> *did* run into those limits. Since that push was successful I don't
> know if this is *actually* a concern anymore, but avoiding files is
> probably not a bad thing either.]
Of course, looking at it from a kernel maintainer's perspective, it wouldn't
be insane to do this anyway. If we at some point do start to care about cross-
process isolation in this way, or if another NT emulator wants to use this
interface and does care about cross-process isolation, it'll be necessary. At
least it'd make sense to make them separate files even if we don't implement
granular permission handling just yet.
The main question is, is NOFILE a realistic concern, and what other problems
might there be, in terms of making these heavier objects? Besides memory usage
I can't think of any, but of course I don't have much knowledge of this area.
Alternatively, maybe there's another more lightweight way to store per-process
data?
next prev parent reply other threads:[~2024-01-25 3:42 UTC|newest]
Thread overview: 39+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-01-24 0:40 [RFC PATCH 0/9] NT synchronization primitive driver Elizabeth Figura
2024-01-24 0:40 ` [RFC PATCH 1/9] ntsync: Introduce the ntsync driver and character device Elizabeth Figura
2024-01-24 7:38 ` Arnd Bergmann
2024-01-24 17:51 ` Elizabeth Figura
2024-01-24 21:26 ` Andy Lutomirski
2024-01-24 22:56 ` Elizabeth Figura
2024-01-25 3:42 ` Elizabeth Figura [this message]
2024-01-25 16:47 ` Arnd Bergmann
2024-01-25 18:21 ` Elizabeth Figura
2024-01-25 18:55 ` Andy Lutomirski
2024-01-25 21:45 ` Elizabeth Figura
2024-01-25 7:41 ` Alexandre Julliard
2024-01-24 0:40 ` [RFC PATCH 2/9] ntsync: Reserve a minor device number and ioctl range Elizabeth Figura
2024-01-24 0:54 ` Greg Kroah-Hartman
2024-01-24 3:43 ` Elizabeth Figura
2024-01-24 12:32 ` Greg Kroah-Hartman
2024-01-24 17:59 ` Elizabeth Figura
2024-01-24 0:40 ` [RFC PATCH 3/9] ntsync: Introduce NTSYNC_IOC_CREATE_SEM and NTSYNC_IOC_DELETE Elizabeth Figura
2024-01-24 1:14 ` Greg Kroah-Hartman
2024-01-24 3:35 ` Elizabeth Figura
2024-01-24 0:40 ` [RFC PATCH 4/9] ntsync: Introduce NTSYNC_IOC_PUT_SEM Elizabeth Figura
2024-01-25 8:59 ` Nikolay Borisov
2024-01-24 0:40 ` [RFC PATCH 5/9] ntsync: Introduce NTSYNC_IOC_WAIT_ANY Elizabeth Figura
2024-01-24 7:56 ` Arnd Bergmann
2024-01-24 18:02 ` Elizabeth Figura
2024-01-24 19:52 ` Arnd Bergmann
2024-01-24 22:28 ` Elizabeth Figura
2024-01-25 17:02 ` Arnd Bergmann
2024-01-25 18:30 ` Elizabeth Figura
2024-01-24 0:40 ` [RFC PATCH 6/9] ntsync: Introduce NTSYNC_IOC_WAIT_ALL Elizabeth Figura
2024-01-24 0:40 ` [RFC PATCH 7/9] ntsync: Introduce NTSYNC_IOC_CREATE_MUTEX Elizabeth Figura
2024-01-24 0:40 ` [RFC PATCH 8/9] ntsync: Introduce NTSYNC_IOC_PUT_MUTEX Elizabeth Figura
2024-01-24 7:42 ` Arnd Bergmann
2024-01-24 18:03 ` Elizabeth Figura
2024-01-24 19:53 ` Arnd Bergmann
2024-01-24 0:40 ` [RFC PATCH 9/9] ntsync: Introduce NTSYNC_IOC_KILL_OWNER Elizabeth Figura
2024-01-24 0:59 ` [RFC PATCH 0/9] NT synchronization primitive driver Greg Kroah-Hartman
2024-01-24 1:37 ` Elizabeth Figura
2024-01-24 12:29 ` Greg Kroah-Hartman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=10405963.nUPlyArG6x@terabithia \
--to=zfigura@codeweavers.com \
--cc=andrealmeid@igalia.com \
--cc=arnd@arndb.de \
--cc=gregkh@linuxfoundation.org \
--cc=julliard@winehq.org \
--cc=linux-api@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=luto@kernel.org \
--cc=peterz@infradead.org \
--cc=wine-devel@winehq.org \
--cc=wsa@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).