Okay, that makes sense. Thanks. And I'm looking forward to when we have more failsafe components.
Hello Ben,
On 13.05.2016 06:01, Nobody III wrote:
> I'm planning on writing an fs_filter server for the desktop environment
> I'm developing. The server will combine access to multiple filesystems,
> much like the vfs server. I want to implement this feature in such a way
> that a misbehaving filesystem driver can't make the server hang. How
> should I do this?
this question reminds me of the following issue, where I brought up the
same problem for NIC drivers:
https://github.com/genodelabs/genode/issues/1592
In short, rather than developing your fs_filter in a defensive way, I
would recommend to develop it assuming that the used file-system servers
are trusted. To still use a non-trustworthy file-system server, run it
as a child of a dedicated fs_failsafe monitor. This is a runtime
environment with the following functionality:
* It runs the real file system as a child component.
* It provides a file-system service to the outside. However, it does not
implement the file-system itself but rather forwards all requests to
its child. Because the fs_failsafe component is small and trusted, it
will never hang. So your fs_filter would be safe to use it at all
times.
* It monitors the liveliness of the child. E.g., by using a watchdog
thread that looks at the duration of file-system requests. If it
detects that the child hangs, it can try to handle this situation
(I don't know if restarting a file-system is a reasonable idea or
not). In any case, it could still respond to client requests by
returning errors instead of hanging. It could also respond to a
session-close request by killing the child.
Do you think this approach would work for you?
Norman
--
Dr.-Ing. Norman Feske
Genode Labs
http://www.genode-labs.com · http://genode.org
Genode Labs GmbH · Amtsgericht Dresden · HRB 28424 · Sitz Dresden
Geschäftsführer: Dr.-Ing. Norman Feske, Christian Helmuth
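The fs_failsafe design sketched in the message above (forward every request to the child, bound the wait with a watchdog, answer with errors once the child is stuck, kill the child on session close), simulated as an added Python example. This is not Genode code; the SlowFs child, the deadline value and the kill-via-event mechanism are constructed assumptions.

```python
import threading


class FsError(Exception):
    """Returned to the client instead of blocking when the child does not answer."""


class SlowFs:
    """Constructed stand-in for an untrusted file-system child. Reads of paths in
    `hang_on` never complete until the monitor kills the child."""
    def __init__(self, files, hang_on=()):
        self._files, self._hang_on = dict(files), set(hang_on)
        self.killed = threading.Event()

    def read(self, path):
        if path in self._hang_on:
            self.killed.wait()           # misbehaving driver: blocks until killed
            raise FsError("killed")
        return self._files[path]         # KeyError for unknown paths


class FsFailsafe:
    """Forwards requests to the child on a separate thread and bounds the wait
    with a watchdog deadline, so the caller itself can never hang."""
    def __init__(self, child, deadline=0.1):
        self._child, self._deadline = child, deadline
        self.child_hung = False

    def read(self, path):
        if self.child_hung:
            raise FsError("child hung")  # fail fast once the watchdog has tripped
        box = {}

        def run():
            try:
                box["ok"] = self._child.read(path)
            except Exception as exc:
                box["err"] = exc

        worker = threading.Thread(target=run, daemon=True)  # stuck child cannot pin us
        worker.start()
        worker.join(self._deadline)      # watchdog: wait at most `deadline` seconds
        if worker.is_alive():
            self.child_hung = True       # stop trusting the child from now on
            raise FsError(f"timeout on {path}")
        if "err" in box:
            raise FsError(str(box["err"]))
        return box["ok"]

    def close(self):
        """Session close: kill the child rather than wait for it; report its state."""
        self._child.killed.set()
        return self.child_hung
```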