|Kay Sievers||Nov 16, 2010 7:46 am|
|Alan Cox||Nov 16, 2010 7:56 am|
|Kay Sievers||Nov 16, 2010 8:12 am|
|Alan Cox||Nov 16, 2010 9:14 am|
|Kay Sievers||Nov 16, 2010 10:51 am|
|Alan Cox||Nov 16, 2010 11:55 am|
|Kay Sievers||Nov 16, 2010 12:15 pm|
|Alan Cox||Nov 16, 2010 12:48 pm|
|Kay Sievers||Nov 16, 2010 1:28 pm|
|Lennart Poettering||Nov 16, 2010 1:35 pm|
|Lennart Poettering||Nov 16, 2010 1:42 pm|
|Alan Cox||Nov 16, 2010 2:51 pm|
|Alan Cox||Nov 16, 2010 2:55 pm|
|Lennart Poettering||Nov 16, 2010 2:58 pm|
|Alan Cox||Nov 16, 2010 3:04 pm|
|Lennart Poettering||Nov 16, 2010 3:10 pm|
|Lennart Poettering||Nov 16, 2010 3:18 pm|
|Alan Cox||Nov 16, 2010 3:45 pm|
|Etched Pixels||Nov 16, 2010 3:49 pm|
|John Stoffel||Nov 17, 2010 8:31 am|
|Vald...@vt.edu||Nov 17, 2010 2:00 pm|
|Kay Sievers||Nov 17, 2010 3:39 pm|
|Alan Cox||Nov 17, 2010 3:56 pm|
|Greg KH||Nov 17, 2010 5:27 pm|
|Lennart Poettering||Nov 17, 2010 5:48 pm|
|Greg KH||Nov 17, 2010 5:52 pm|
|Lennart Poettering||Nov 17, 2010 6:28 pm|
|Alan Cox||Nov 18, 2010 2:14 am|
|Dr. Werner Fink||Nov 18, 2010 2:59 am|
|Alan Cox||Nov 18, 2010 3:23 am|
|Kay Sievers||Nov 18, 2010 3:54 am|
|Kay Sievers||Nov 18, 2010 4:03 am|
|Dr. Werner Fink||Nov 18, 2010 4:12 am|
|Alan Cox||Nov 18, 2010 4:57 am|
|Alan Cox||Nov 18, 2010 5:00 am|
|Dr. Werner Fink||Nov 18, 2010 5:13 am|
|Alan Cox||Nov 18, 2010 6:41 am|
|Dr. Werner Fink||Nov 19, 2010 5:21 am|
|Alan Cox||Nov 19, 2010 7:46 am|
|Dr. Werner Fink||Nov 19, 2010 9:06 am||.tiocgdev|
|Greg KH||Nov 19, 2010 10:02 am|
|Dr. Werner Fink||Nov 19, 2010 10:41 am|
|Alan Cox||Nov 20, 2010 4:39 am|
|Dr. Werner Fink||Dec 1, 2010 3:15 am|
|Dr. Werner Fink||Dec 1, 2010 4:31 am||.tiocgdev|
|Dr. Werner Fink||Dec 3, 2010 3:47 am||.Other|
|Subject:||Re: tty: add 'active' sysfs attribute to tty0 and console device|
|From:||Kay Sievers (kay....@vrfy.org)|
|Date:||Nov 18, 2010 3:54:45 am|
On 2010-11-18, Alan Cox <al...@lxorguk.ukuu.org.uk> wrote:
- the existing ioctl is broken and no userspace program can use it properly, so it might as well be removed.
You can use it happily for various things providing you hold the vt switch lock. It's not a very good API and wants something doing about it. However we can't deprecate it using either of the proposed patches because neither of them cover the needed functionality.
- Kay's patch is one proposed solution for what userspace is wanting to learn about ttys. Werner's is another one.
Kay's patch is useless. As we've demonstrated by as you call it "going off topic" it can't actually provide a credible security model. Its providing a variable without holding the locks that make the value meaningful. Thats as basic an error I can think of.
We wouldn't accept kernel code which did
mutex_lock(&foo->lock) temp = foo->only_valid_under_lock; mutex_unlock(&foo->lock); return temp; /* ma invalid by now */
especially when it was going to be used for permission management. We'd call it a bug. So why are we proposing to add an API that does exactly that ?
All this is just no real issue for us. This is not about security in the sense of untrusted users being able to do something they couldn't do already, it's about passing the currently active user _some_ additional rights.
And if that user goes inactive there will always be a window where this user keeps some rights it had while active. There is always some kind of overlap, and even if we had revoke() we probably couldn't it for many reasons. Soft hand-over is the expected behavior. But the poll() will still show us that *something* has changed, and it's all we need to know to switch to the new user.
I can do any one, or multiple things from the following options:
- disable the existing ioctl to return an error so that no new userspace program starts to use it thinking it is valid - accept Werner's patch for those who like proc files - accept Kay's patch
None of the above. In fact the current situation is better than either of the patches because it's equally broken and involves no more broken APIs !
Doing it right means: - deprecating the existing ioctl (because it's a dumb interface and Kay is right about that) - adding a proper event device which is pollable and returns the same events (and more) using a small kfifo queue. Trivial to code and will not add another API we'll need to deprecate again the moment anyone wants to use it. - support synchronous switching by that interface or verify the existing vt locking interfaces will do the job in conjunction with it.
Kay's approach doesn't solve three things
Synchronous interface means we block the VT switch until we have handled the event in userspace? We have several in-kernel VT switches during suspend-resume and such. I really don't think this will want to wait for userspace to do random crap in /dev? :)
We also never want single-use interfaces again. It's a pain when we need to switch to some new way of doing things,a nd need to run two services during the transition period. It is also always handy for debugging. We will not use any single-user-subscribe interface. It's an absolute requirement in the Linux eco-system not to block kernel interfaces with a running service, otherwise we end up with the /proc/acpi/* nightmare.
So if we have multiple subscribers, we need for all subscribers to finish userspace handling and let all other block in the VT switch ioctl()?
That all sounds nice to have for some tasks, sure no doubt, but it sounds pretty complicated/fragile for what we need to do. We are fine so far with the async behavior.
- You can't use the data to implement proper secure desktop switching - It doesn't support moving to multiple active vts at a time - You can't deprecate the wait event interface unless you replace all the features of it that people use (eg resize events)
So we will be back here again doing the same thing deprecating Kay's interface if we go that way. Having an event device actually lets us solve the problem properly, and if we are careful about the message formats cover the fact the KMS folks and others want multiple "live" virtual consoles at a time.
As far as I know, the future is VT-like stuff in Wayland-like things using a pty, and not legacy kernel-based VTs at all. They even think to leave all kernel VT stuff behind, because there are too many assumptions about, and they don't fit into the modern world of internationalization key/font-handling anyway.
I also see problems with a lot of compat stuff that is based on fg_console, and ...
And last, we could just have more than a single name in the 'active' file, if that really will ever happen, which I seriously don't expect.
If you have a /dev/vtmanager or similar and opening it allocates a kfifo of a page into which we stuff the events we currently post for waitevent then the code is trivial and it does what Kay needs as well as being able to cover the rest of the WAITEVENT interface and future multi-desktop stuff.
So its trivial to do the job properly, which makes the existing patches all the wrong thing to do.
I'm not against this, it might be what others are looking for. We could also use that, even when it's 100 times more complicated than the simple poll()able text interface.
As long as we can have multiple subscribers doing the same thing, and have a way not to block VT switches, but receive all this asynchronously.
I just expect a ton of problems if we now start making VT switches block, which they never did before.