linux-input.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Lennart Poettering <mzerqung@0pointer.de>
To: Lukasz Pawelczyk <havner@gmail.com>
Cc: libvir-list@redhat.com, systemd-devel@lists.freedesktop.org,
	linux-kernel@vger.kernel.org,
	lxc-devel@lists.linuxcontainers.org, linux-input@vger.kernel.org
Subject: Re: Suspending access to opened/active /dev/nodes during application runtime
Date: Sat, 8 Mar 2014 03:39:29 +0100	[thread overview]
Message-ID: <20140308023929.GA1413@tango.0pointer.de> (raw)
In-Reply-To: <9E972401-6FA3-439B-9531-49D1FCC8D61D@gmail.com>

On Fri, 07.03.14 21:51, Lukasz Pawelczyk (havner@gmail.com) wrote:

> >> Problem:
> >> Has anyone thought about a mechanism to limit/remove an access to a
> >> device during an application runtime? Meaning we have an
> >> application that has an open file descriptor to some /dev/node and
> >> depending on *something* it gains or looses the access to it
> >> gracefully (with or without a notification, but without any fatal
> >> consequences).
> > 
> > logind can mute input devices as sessions are switched, to enable
> > unpriviliged X11 and wayland compositors.
> 
> Would you please elaborate on this? Where is this mechanism? How does
> it work without kernel space support? Is there some kernel space
> support I’m not aware of?

There's EVIOCREVOKE for input devices and
DRM_IOCTL_SET_MASTER/DRM_IOCTL_DROP_MASTER for DRM devices. See logind
sources.

> > Before you think about doing something like this, you need to fix the
> > kernel to provide namespaced devices (good luck!)
> 
> Precisly! That’s the generic idea. I’m not for implementing it though
> at this moment. I just wanted to know whether anybody actually though
> about it or maybe someone is interested in starting such a work, etc.

It's not just about turning on and turning off access to the event
stream. It's mostly about enumeration and probing which doesn't work in
containers, and is particularly messy if you intend to share devices
between containers.

> > logind can do this for you between sessions. But such a container setup
> > will never work without proper device namespacing.
> 
> So how can it do it when there is no kernel support? You mean it could
> be doing this if the support were there?

EVIOCREVOKE and the DRM ioctls are pretty real...

Lennart

-- 
Lennart Poettering, Red Hat
_______________________________________________
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

  reply	other threads:[~2014-03-08  2:39 UTC|newest]

Thread overview: 8+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2014-03-07 18:45 Suspending access to opened/active /dev/nodes during application runtime Lukasz Pawelczyk
2014-03-07 19:24 ` Lennart Poettering
2014-03-07 20:51   ` [systemd-devel] " Lukasz Pawelczyk
2014-03-08  2:39     ` Lennart Poettering [this message]
     [not found]     ` <9E972401-6FA3-439B-9531-49D1FCC8D61D-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
2014-03-11 16:02       ` [lxc-devel] " Oren Laadan
2014-03-11 12:33 ` David Herrmann
  -- strict thread matches above, loose matches on Subject: below --
2014-03-07 18:46 Lukasz Pawelczyk
2014-03-07 19:09 ` [systemd-devel] " Greg KH
2014-03-07 20:45   ` Lukasz Pawelczyk

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20140308023929.GA1413@tango.0pointer.de \
    --to=mzerqung@0pointer.de \
    --cc=havner@gmail.com \
    --cc=libvir-list@redhat.com \
    --cc=linux-input@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=lxc-devel@lists.linuxcontainers.org \
    --cc=systemd-devel@lists.freedesktop.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).