From: Lennart Poettering <mzerqung@0pointer.de>
To: Lukasz Pawelczyk <havner@gmail.com>
Cc: systemd-devel@lists.freedesktop.org, libvir-list@redhat.com,
linux-input@vger.kernel.org, linux-kernel@vger.kernel.org,
lxc-devel@lists.linuxcontainers.org
Subject: Re: Suspending access to opened/active /dev/nodes during application runtime
Date: Fri, 7 Mar 2014 20:24:10 +0100 [thread overview]
Message-ID: <20140307192410.GA24453@tango.0pointer.de> (raw)
In-Reply-To: <9D7BA6C9-9F1F-4D09-8F4F-E7DA4720FF97@gmail.com>
On Fri, 07.03.14 19:45, Lukasz Pawelczyk (havner@gmail.com) wrote:
> Problem:
> Has anyone thought about a mechanism to limit/remove an access to a
> device during an application runtime? Meaning we have an application
> that has an open file descriptor to some /dev/node and depending on
> *something* it gains or looses the access to it gracefully (with or
> without a notification, but without any fatal consequences).
logind can mute input devices as sessions are switched, to enable
unpriviliged X11 and wayland compositors.
> Example:
> LXC. Imagine we have 2 separate containers. Both running full operating
> systems. Specifically with 2 X servers. Both running concurrently of
Well, devices are not namespaced on Linux (with the single exception of
network devices). An X server needs device access, hence this doesn't
fly at all.
When you enumerate devices with libudev in a container they will never
be marked as "initialized" and you do not get any udev hotplug events in
containers, and you don#t have the host's udev db around, nor would it
make any sense to you if you had. X11 and friends rely on udev
however...
Before you think about doing something like this, you need to fix the
kernel to provide namespaced devices (good luck!)
> course. Both need the same input devices (e.g. we have just one mouse).
> This creates a security problem when we want to have completely separate
> environments. One container is active (being displayed on a monitor and
> controlled with a mouse) while the other container runs evtest
> /dev/input/something and grabs the secret password user typed in the
> other.
logind can do this for you between sessions. But such a container setup
will never work without proper device namespacing.
> Solutions:
> The complete solution would comprise of 2 parts:
> - a mechanism that would allow to temporally "hide" a device from an
> open file descriptor.
> - a mechanism for deciding whether application/process/namespace should
> have an access to a specific device at a specific moment
Well, there's no point in inventing any "mechanisms" like this, as long
as devices are not namespaced in the kernel, so that userspace in
containers can enumerate/probe/identify/... things correctly...
Lennart
--
Lennart Poettering, Red Hat
next prev parent reply other threads:[~2014-03-07 19:24 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-03-07 18:45 Suspending access to opened/active /dev/nodes during application runtime Lukasz Pawelczyk
2014-03-07 19:24 ` Lennart Poettering [this message]
2014-03-07 20:51 ` [systemd-devel] " Lukasz Pawelczyk
2014-03-08 2:39 ` Lennart Poettering
[not found] ` <9E972401-6FA3-439B-9531-49D1FCC8D61D-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
2014-03-11 16:02 ` [lxc-devel] [systemd-devel] " Oren Laadan
2014-03-11 12:33 ` David Herrmann
-- strict thread matches above, loose matches on Subject: below --
2014-03-07 18:46 Lukasz Pawelczyk
2014-03-07 19:09 ` [systemd-devel] " Greg KH
2014-03-07 20:45 ` Lukasz Pawelczyk
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20140307192410.GA24453@tango.0pointer.de \
--to=mzerqung@0pointer.de \
--cc=havner@gmail.com \
--cc=libvir-list@redhat.com \
--cc=linux-input@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=lxc-devel@lists.linuxcontainers.org \
--cc=systemd-devel@lists.freedesktop.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).