Hi Ivan,
We were investigating the problem of sending a big amount of data via network in Genode on Fiasco.OC. And we have found out some significant bug of the Genode Signal service implementation and we also could provide a simple stable solution. As know Packet_stream_rx and Packet_stream_tx
thank you for investigating this issue. This is indeed a problem on all kernels that use kernel-protected capabilities (i.e., Fiasco.OC and NOVA). Actually, there exists an issue-tracker entry for it:
https://github.com/genodelabs/genode/issues/32
Admittedly, I had not realized the significance of this issue for the packet-stream interface.
context is redundant. Signal_session_component::submit uses Signal_context_capability only for searching it in the context entrypoint (base/src/core/signal_session_component.cc). But the same effect could be achieved by searching the signal context by a badge (local_name()) and then there would be no necessity of capability unmarshalling. The decision is quite simple: to change the Signal_context_capability typedef from Capability<Signal_context> to a simple int or long type (base/include/signal_session/signal_session.h) and then to fix all errors generated by the compiler. So we think that this problem of the Signal service is significant and has to be fixed as quickly as possible. But of course we'll be glad to hear any of your remarks about the decision to use the capability in a sense of Signal_context.
Unfortunately, a real solution for the problem is not as simple as that. You are right that the badge is used as a key for looking up the signal-context within core. But by passing the badge as plain data instead of a capability, the referred signal context could be forged by the client. This way, a malicious client would be able to submit signals to all signal receivers in the system. The use of capabilities prevents that.
That said, I think that your fix is better as an interim solution than the current leak of capability selectors.
Thanks a lot for bringing up the issue and for the proposal for a fix. Your work is much appreciated!
Norman
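
The trade-off raised in the reply above, as an added toy model that is not part of the original mail and is not Genode code: it compares naming a signal context by a plain integer badge with naming it through a per-client capability space. All type and function names are hypothetical, and sequentially numbered badges are an assumption of the model.

```cpp
#include <map>
#include <vector>

// Toy model of the trade-off discussed above, not Genode code. All names are
// hypothetical, and sequentially numbered badges are an assumption.
struct Core {
    long next_badge = 1;
    std::map<long, int> delivered;            // badge -> signals received
    long alloc_context() { delivered[next_badge] = 0; return next_badge++; }

    // Variant A: the client names the context by a plain integer. Core cannot
    // tell whether this client was ever given that context.
    bool submit_by_badge(long badge) {
        auto it = delivered.find(badge);
        if (it == delivered.end()) return false;
        it->second++;
        return true;
    }
};

// Per-client capability space. The client only handles selectors (indices);
// the selector-to-badge mapping is kept by the kernel, out of client reach.
struct Cap_space {
    std::vector<long> slots;
    void delegate(long badge) { slots.push_back(badge); }
};

// Variant B: the client names the context by a selector in its own cap space.
bool submit_by_cap(Core &core, const Cap_space &caller, int selector) {
    if (selector < 0 || selector >= static_cast<int>(caller.slots.size()))
        return false;
    return core.submit_by_badge(caller.slots[selector]);
}

// Number of contexts (out of `total`) a client can signal when only the first
// context was delegated to it.
int reachable(int total, bool use_caps) {
    Core core;
    Cap_space client;
    for (int i = 0; i < total; i++) {
        long badge = core.alloc_context();
        if (i == 0) client.delegate(badge);
    }
    int hits = 0;
    for (int n = 0; n < total; n++)
        hits += use_caps ? submit_by_cap(core, client, n)
                         : core.submit_by_badge(n + 1);
    return hits;
}
```

With five contexts in the system, the integer variant lets the client signal all five, while the capability variant limits it to the single context that was delegated to it.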