Comments (4)
We never implemented priority inheritance (PI), because the kernel lacks suitable infrastructure for it. The only user visible PI interface is FUTEX_LOCK_PI
and friends, and thus ends up being struct rtmutex
internally. This interface, though, is not directly applicable to IPC and we'd have to grossly mis-use it to get the desired PI effect. This is also why binder uses nice-levels, which were not particularly well received by upstream maintainers. Using nice-levels is a hack.
We did, however, discuss several PI setups for bus1. They are all modeled around blocking unicast transactions, that temporarily boost the receiver until its reply is queued. For instance, imagine a u64 reply_handle
parameter to SEND
, which, if requested by the caller via a flag, will block the call until a reply has been queued to the specified handle. Internally, we can thus make the receiver of the message inherit the priority of the caller.
Now with this you still end up with a bunch of open issues. What to do with multicasts? Which process do you boost while a message has not been dequeued, yet? Which kernel infrastructure do you use to boost processes? (e.g., how to avoid nice-level conflicts with user-space administration?)
Some of those are easier to solve than others. However, the big issue I still have with PI is its effectiveness. Why is PI so important, but other controllers are ignored? For instance, a nice level raises CPU priority, but it does not grant IO priority. It does not elevate the resource limits, nor does it modify any other controllers of the destination.
I am not saying PI does not work. The issue I have is the lack of proper kernel infrastructure to do this. We do have lots of knobs to control process priorities, resources, etc. via cgroups. Using nice-levels as the magic solution for IPC sounds wrong to me.
If bus1 gets merged and somebody convinced upstream that a binder-like nice-level hack is fine, we will definitely not block this. I also think that the flag-fields of SEND and nodes are enough to implement this. However, I would prefer a wider discussion about this issue. What are the problems we are solving here? Does this really apply to real world scenarios? How do other systems solve it? How do systems with non-blocking IPC deal with this? Who are the users that want this feature?
Now, regarding your second question (if this turns into a longer discussion, I'd prefer doing it as a separate issue): Care to elaborate how PEEK
is useful against FD exhaustion attacks? In a single-threaded dispatcher, you can simply close the FDs once received. If you don't want FDs, don't use BUS1_RECV_FLAG_INSTALL_FDS
.
Looking at a message to decide whether you want those FDs is a hack, IMO. If the existing API does not serve your security concerns, I'd appreciate if you can elaborate on the exact attack vectors, so we can comment on the issue, rather than on the solution.
Thanks
David
from bus1.
I don't think that the FUTEX_LOCK_PI trick can be used to force a caller to use it and delegate its priority to the callee. Moreover, this seems to only be able to raise a priority but can not lower it.
This is also why binder uses nice-levels, which were not particularly well received by upstream maintainers. Using nice-levels is a hack.
Probably, but it seems to work fine for Android, though.
I like the reply_handle
with a flag, but I'm not sure that the caller thread must be blocked. Why not just push its priority to the callee while keeping an async IPC, at least with the nice-level trick?
I agree that other controllers should be taken into account. The nice-level should definitely not be the sole player here.
The PI is not easy to get right, but I think every service should use it to protect themselves against abuses from their (potentially malicious) clients. Being able to charge a request should be an available feature in a sane IPC. I don't know other IPCs that solve this issue but some inspiration may be gained from Ethereum and their gas, though. :)
from bus1.
There was recently a paper by the seL4 people on exposing scheduling context as capabilities, putting this here if people want to look into it to get some ideas on how to solve this: http://ts.data61.csiro.au/publications/csiro_full_text//Lyons_MAH_18.pdf
Clients transferring SC as caps to the server probably has more to do with accounting, but it is, as I see it, also a PI mechanism. It is similar to the flags approach in that it is transferred during the send (and supports both active and passive models for the server).
from bus1.
@bl33pbl0p, Thanks! Definitely an interesting read. This references several techniques we already use in bus1. Eg., the reply-handle is the only way to get replies in bus1, and would allow attaching SC in the same way as is mentioned in the paper. We definitely envision something similar with bus1 as well. However, reading that article, it becomes even more clear that we need tight scheduler integration for that, and so far the linux scheduler does not expose these features to us.
from bus1.
Related Issues (15)
- rmmod: ERROR: Module bus1 is in use HOT 6
- make tt fails a test HOT 13
- bus1 tests - "INFO: suspicious RCU usage" HOT 4
- FTBFS with c-sundry 0~29 HOT 3
- replace c with rust HOT 5
- Examples of API usage HOT 8
- test-io: test.h:102: test_open: Assertion `*mapp != ((void *) -1)' failed HOT 3
- Dedicated flag instead of BUS1_HANDLE_INVALID HOT 5
- file descriptor exhaustion attack HOT 5
- State/Status of project now that we have dbus-broker? HOT 4
- a peer context shared by two processes HOT 4
- [Question] Why handles are transitive? HOT 2
- Project no longer builds? HOT 6
- Diagrams on the website
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from bus1.