handling misbehaving filesystem drivers
Norman Feske
norman.feske at ...1...
Fri May 13 11:40:02 CEST 2016
Hello Ben,
On 13.05.2016 06:01, Nobody III wrote:
> I'm planning on writing an fs_filter server for the desktop environment
> I'm developing. The server will combine access to multiple filesystems,
> much like the vfs server. I want to implement this feature in such a way
> that a misbehaving filesystem driver can't make the server hang. How
> should I do this?
this question reminds me of the following issue, where I brought up the
same problem for NIC drivers:
https://github.com/genodelabs/genode/issues/1592
In short, rather than developing your fs_filter in a defensive way, I
would recommend to develop it assuming that the used file-system servers
are trusted. To still use a non-trustworthy file-system server, run it
as a child of a dedicated fs_failsafe monitor. This is a runtime
environment with the following functionality:
* It runs the real file system as a child component.
* It provides a file-system service to the outside. However, it does not
implement the file-system itself but rather forwards all requests to
its child. Because the fs_failsafe component is small and trusted, it
will never hang. So your fs_filter would be safe to use it at all
times.
* It monitors the liveliness of the child. E.g., by using a watchdog
thread that looks at the duration of file-system requests. If it
detects that the child hangs, it can try to handle this situation
(I don't know if restarting a file-system is a reasonable idea or
not). In any case, it could still respond to client requests by
returning errors instead of hanging. It could also respond to a
session-close request by killing the child.
Do you think this approach would work for you?
Norman
--
Dr.-Ing. Norman Feske
Genode Labs
http://www.genode-labs.com · http://genode.org
Genode Labs GmbH · Amtsgericht Dresden · HRB 28424 · Sitz Dresden
Geschäftsführer: Dr.-Ing. Norman Feske, Christian Helmuth
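The fs_failsafe idea sketched above (forward every request to an untrusted child, time it with a watchdog, answer with an error rather than hang once the child stalls), as an added C++ example that is not Genode code. The child interface, its simulated implementation and the request/ack model are assumptions made for the demonstration, not a real Genode session API.

```cpp
#include <chrono>
#include <map>
#include <string>
#include <thread>

enum class Result { OK, ERR_TIMEOUT, ERR_CHILD_DEAD };
// Hypothetical asynchronous child interface: requests are submitted and
// acknowledgments polled, so the monitor is never blocked inside the child.
struct Child {
    virtual void submit(unsigned id, const std::string &path) = 0;
    virtual bool ack(unsigned id, std::string &out) = 0;  // true once answered
    virtual ~Child() = default;
};
// Constructed child for demonstration: answers every request unless stalled.
struct SimChild : Child {
    bool stalled = false;
    std::map<unsigned, std::string> pending;
    void submit(unsigned id, const std::string &path) override { pending[id] = path; }
    bool ack(unsigned id, std::string &out) override {
        if (stalled || !pending.count(id)) return false;
        out = "content of " + pending[id]; pending.erase(id); return true;
    }
};

class Failsafe {
    Child &_child;
    std::chrono::milliseconds _limit;   // watchdog budget per request
    unsigned _next_id = 0;
    bool _dead = false;                 // set once the watchdog has tripped
public:
    Failsafe(Child &c, std::chrono::milliseconds limit) : _child(c), _limit(limit) {}
    bool child_dead() const { return _dead; }

    // Forward one request to the child; never waits longer than _limit.
    Result read(const std::string &path, std::string &out) {
        if (_dead) return Result::ERR_CHILD_DEAD;   // fail fast instead of hanging
        unsigned id = _next_id++;
        _child.submit(id, path);
        auto deadline = std::chrono::steady_clock::now() + _limit;
        while (!_child.ack(id, out)) {
            if (std::chrono::steady_clock::now() >= deadline) {
                _dead = true;                       // watchdog tripped: child hangs
                return Result::ERR_TIMEOUT;
            }
            std::this_thread::sleep_for(std::chrono::milliseconds(1));
        }
        return Result::OK;
    }
};
```

A client such as fs_filter only ever sees OK or an error code, and a session-close handler can inspect child_dead() to decide whether to kill and restart the child.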