Hi Genodians,
I'm working on my HnH19-project to create a component listening on a shared filesystem to open each pdf file into a separate instance of mupdf. Goal is to tie the share to a linux-vm in vbox so firefox and thunderbird can have a simple 'cp' command to get pdfs rendered outside that vm.
I add a RAM-FS, FS-QUERY and REPORT-ROM to mupdf.run. The file gets put in the ram-fs, fs-query should pick that up and report it to the report-rom.
<start name="pdf_share"> <binary name="ram_fs"/> <resource name="RAM" quantum="128M"/> <provides> <service name="File_system"/> </provides> <config verbose="yes"> <default-policy root="/" writeable="yes" /> </config> </start>
<start name="report_new_pdf"> <binary name="report_rom"/> <resource name="RAM" quantum="1M"/> <provides> <service name="Report"/> <service name="ROM"/> </provides> <config verbose="yes"/> </start>
<start name="fs_query"> <resource name="RAM" quantum="1M"/> <config verbose="yes"> <vfs> <fs writeable="yes"/> </vfs> <query path="/" content="yes"/> </config> </start>
I change the test-scenario to copy a pdf into the share and start the pdf-viewer. The viewer picks up the pdf and renders it. So far so good.
The problem is that while the 'add'-test copies the file, it gets detected by fs_query but fs_query thinks it's gone:
[init -> test -> add] --- noux started --- [init -> fs_query] Error: failed to watch '//foo.pdf' [init -> fs_query] Warning: could not obtain content of nonexistent file foo.pdf
(The error comes from gems/vfs.h L556, the warning from fs_query/main.cc L80.)
Fs_quey does send a new report but does not show the file, it show an empty directory.
[init -> report_new_pdf] report 'fs_query -> listing' [init -> report_new_pdf] <listing> [init -> report_new_pdf] <dir path="/"/> [init -> report_new_pdf] </listing>
However, a ls -laR shows it's there:
[init -> test -> ls-after] /dest: [init -> test -> ls-after] total 1 [init -> test -> ls-after] drwxr-xr-x 0 root 0 0 Jan 1 00:00 . [init -> test -> ls-after] drwxr-xr-x 0 root 0 0 Jan 1 00:00 .. [init -> test -> ls-after] -rwxrwxrwx 0 root 0 8192 Jan 1 00:00 foo.pdf
Now the race condition:
When I set the fs-query option to show the content to "no", it gives the same error: failed to watch '//foo.pdf' but it now it does send the file name to the report:
[init -> report_new_pdf] <file name="foo.pdf"/>
So it seems that somehow that fs_query watch learns there is a file while the contents are not yet committed. Accessing that triggers a file-not-found error.
Did I discover a race condition or am I doing something wrong?
With regards, Guido.
PS. I added the complete run-file and logs for completeness. (log-1 shows the contents-flag to no). PPS. I'm testing with Qemu in a linux VM on my AMD nixos host.
Hi All,
Reading release-notes 18.08 it states that RAM_FS and VFS are supposed to be equal.
However, I don't get any errors when I replace my ram_fs config with this vfs:
<start name="pdf_share"> <binary name="vfs"/> <resource name="RAM" quantum="128M"/> <provides> <service name="File_system"/> </provides> <config verbose="yes"> <vfs> <ram /> </vfs> <default-policy root="/" writeable="yes" /> </config> </start>
It perfectly reports the filename and contents in the report_rom. :-)
Now the next step: create a dynamic ROM to start the pdf_view component on demand. Any pointers to run files that help me get going?
Cheers, Guido.
On 5/20/19 1:27 PM, Guido Witmond wrote:
Hi Genodians,
I'm working on my HnH19-project to create a component listening on a shared filesystem to open each pdf file into a separate instance of mupdf. Goal is to tie the share to a linux-vm in vbox so firefox and thunderbird can have a simple 'cp' command to get pdfs rendered outside that vm.
I add a RAM-FS, FS-QUERY and REPORT-ROM to mupdf.run. The file gets put in the ram-fs, fs-query should pick that up and report it to the report-rom.
<start name="pdf_share"> <binary name="ram_fs"/> <resource name="RAM" quantum="128M"/> <provides> <service name="File_system"/> </provides> <config verbose="yes"> <default-policy root="/" writeable="yes" /> </config> </start>
<start name="report_new_pdf"> <binary name="report_rom"/> <resource name="RAM" quantum="1M"/> <provides> <service name="Report"/> <service name="ROM"/>
</provides> <config verbose="yes"/> </start>
<start name="fs_query"> <resource name="RAM" quantum="1M"/> <config verbose="yes"> <vfs> <fs writeable="yes"/> </vfs> <query path="/" content="yes"/> </config> </start>
I change the test-scenario to copy a pdf into the share and start the pdf-viewer. The viewer picks up the pdf and renders it. So far so good.
The problem is that while the 'add'-test copies the file, it gets detected by fs_query but fs_query thinks it's gone:
[init -> test -> add] --- noux started --- [init -> fs_query] Error: failed to watch '//foo.pdf' [init -> fs_query] Warning: could not obtain content of nonexistent file foo.pdf
(The error comes from gems/vfs.h L556, the warning from fs_query/main.cc L80.)
Fs_quey does send a new report but does not show the file, it show an empty directory.
[init -> report_new_pdf] report 'fs_query -> listing' [init -> report_new_pdf] <listing> [init -> report_new_pdf] <dir path="/"/> [init -> report_new_pdf] </listing>
However, a ls -laR shows it's there:
[init -> test -> ls-after] /dest: [init -> test -> ls-after] total 1 [init -> test -> ls-after] drwxr-xr-x 0 root 0 0 Jan 1 00:00 . [init -> test -> ls-after] drwxr-xr-x 0 root 0 0 Jan 1 00:00 .. [init -> test -> ls-after] -rwxrwxrwx 0 root 0 8192 Jan 1 00:00 foo.pdf
Now the race condition:
When I set the fs-query option to show the content to "no", it gives the same error: failed to watch '//foo.pdf' but it now it does send the file name to the report:
[init -> report_new_pdf] <file name="foo.pdf"/>
So it seems that somehow that fs_query watch learns there is a file while the contents are not yet committed. Accessing that triggers a file-not-found error.
Did I discover a race condition or am I doing something wrong?
With regards, Guido.
PS. I added the complete run-file and logs for completeness. (log-1 shows the contents-flag to no). PPS. I'm testing with Qemu in a linux VM on my AMD nixos host.
Genode users mailing list users@lists.genode.org https://lists.genode.org/listinfo/users
Hey Guido,
El 20/5/19 a las 14:08, Guido Witmond escribió:
Now the next step: create a dynamic ROM to start the pdf_view component on demand. Any pointers to run files that help me get going?
I could imagine that listening to a report via the ROM filter [1] might be what you are looking for. But I don't know whether there is a component that creates a report that contains a list of files located inside a given directory. However, this might not be so hard to implement if you do it as FS bump-in-the-wire component.
Cheers, Martin
[1] os/src/server/rom_filter
Martin,
On Tue, May 21, 2019 at 17:52:52 CEST, Martin Stein wrote:
El 20/5/19 a las 14:08, Guido Witmond escribió:
Now the next step: create a dynamic ROM to start the pdf_view component on demand. Any pointers to run files that help me get going?
I could imagine that listening to a report via the ROM filter [1] might be what you are looking for. But I don't know whether there is a component that creates a report that contains a list of files located inside a given directory. However, this might not be so hard to implement if you do it as FS bump-in-the-wire component.
Guido mentioned the component in his original posting
https://github.com/genodelabs/genode/tree/master/repos/gems/src/app/fs_query
The missing piece now is the "filter" that generates the dynamic init configuration based on the file listing. I'm also not sure if the rom_filter fits all requirements but I think it's a good starting point. Examples for the rom_filter are in the source tree.
os/recipes/pkg/test-rom_filter/runtime os/run/demo.run
Greets
Hi Genodians,
With some pride, I present the results of my Hack'n'Hike project: 'launch_pdf_reader'.
My goal is to have a shared directory between a Linux VM and the Genode environment. Whenever the linux world puts a PDF file into the shared folder, a Genode process picks it up and starts a PDF viewer to render it inside a Genode sandbox.
As there is no PDF rendering on Linux (or Windows VM, if that's your thing), it eliminates parser bugs that could be used to attack a user. These attacks abuse of the Ambient Authority model of Linux, also called the Confused Deputy problem.
This makes pdf rendering on Linux as easy - and secure - as ''/bin/cp $PDF $SHARE''
The repo lives at: https://github.com/gwitmond/genode-launch-pdf-reader
With regards,
Guido.
Hey Guido,
Thanks for sharing the outcome of your project with us! I like the idea and think it solves a pretty common and practical problem.
I wonder, have you been able to integrate the 'launch_pdf_reader' as deployable package into Sculpt? If yes, are you planning to publish it, so other Sculpt users can give it a try too?
Cheers, Martin
El 26/5/19 a las 22:54, Guido Witmond escribió:
Hi Genodians,
With some pride, I present the results of my Hack'n'Hike project: 'launch_pdf_reader'.
My goal is to have a shared directory between a Linux VM and the Genode environment. Whenever the linux world puts a PDF file into the shared folder, a Genode process picks it up and starts a PDF viewer to render it inside a Genode sandbox.
As there is no PDF rendering on Linux (or Windows VM, if that's your thing), it eliminates parser bugs that could be used to attack a user. These attacks abuse of the Ambient Authority model of Linux, also called the Confused Deputy problem.
This makes pdf rendering on Linux as easy - and secure - as ''/bin/cp $PDF $SHARE''
The repo lives at: https://github.com/gwitmond/genode-launch-pdf-reader
With regards,
Guido.
Genode users mailing list users@lists.genode.org https://lists.genode.org/listinfo/users
Hi Martin,
Glad you like it.
I've tested it with the run-file so far. I'm still struggling with getting it to run in Sculpt. When that's ready, I'm happy to give it to the world.
Do you have some hints on how to 'mount' the pdf_share into the Sculpt-FS?
Cheers, Guido.
On 5/27/19 5:50 PM, Martin Stein wrote:
Hey Guido,
Thanks for sharing the outcome of your project with us! I like the idea and think it solves a pretty common and practical problem.
I wonder, have you been able to integrate the 'launch_pdf_reader' as deployable package into Sculpt? If yes, are you planning to publish it, so other Sculpt users can give it a try too?
Cheers, Martin
El 26/5/19 a las 22:54, Guido Witmond escribió:
Hi Genodians,
With some pride, I present the results of my Hack'n'Hike project: 'launch_pdf_reader'.
My goal is to have a shared directory between a Linux VM and the Genode environment. Whenever the linux world puts a PDF file into the shared folder, a Genode process picks it up and starts a PDF viewer to render it inside a Genode sandbox.
As there is no PDF rendering on Linux (or Windows VM, if that's your thing), it eliminates parser bugs that could be used to attack a user. These attacks abuse of the Ambient Authority model of Linux, also called the Confused Deputy problem.
This makes pdf rendering on Linux as easy - and secure - as ''/bin/cp $PDF $SHARE''
The repo lives at: https://github.com/gwitmond/genode-launch-pdf-reader
With regards,
Guido.
Genode users mailing list users@lists.genode.org https://lists.genode.org/listinfo/users
Genode users mailing list users@lists.genode.org https://lists.genode.org/listinfo/users
-
Christian Helmuth -
Guido Witmond -
Martin Stein