Yuanhan Liu <yuanhan.liu at linux.intel.com> writes: > On Fri, Jun 17, 2016 at 11:32:36AM -0400, Aaron Conole wrote: >> Prior to this commit, the only way to add a vhost-user socket to the >> system is by relying on librte_vhost to open the unix domain socket and >> add it to the unix socket list. This is problematic for applications >> which would like to set the permissions, > > So, you want to address the issue raised by following patch? > > http://dpdk.org/dev/patchwork/patch/12222/
That patch does try to address the issue, however - it has some problems. The biggest is a TOCTTOU issue when using chown. The way to solve that issue properly is different depending on which operating system is being used (for instance, FreeBSD doesn't honor fchown(),fchmod() on file descriptors). My solution is basically to punt that responsibility to the controlling application. > I would still like to stick to my proposal, that is to introduce a > new API to do the permission change at anytime, if we end up with > wanting to introduce a new API. I've spent a lot of time looking at the TOCTTOU problem, and I think that is a really hard problem to solve portably. Might be good to just start with the flexible mechanism here that lets the application developer satisfy their own needs. >> or applications which are not >> directly allowed to open sockets due to policy restrictions. > > Could you name a specific example? SELinux policy might require one application to open the socket, and pass it back via a dbus mechanism. I can't actually think of a concrete implemented case, so it may not be valid. > BTW, JFYI, since 16.07, DPDK supports client mode. It's QEMU (acting > as the server) will create the socket file. I guess that would diminish > (or even avoid?) the permission pain that DPDK acting as server brings. > I doubt the API to do the permission change is really needed then. I wouldn't say it 'solves' the issue so much as hopes no one uses server mode in DPDK. I agree, for OvS, it could. > --yliu Thanks so much for your thoughts and review on this, Yuanhan Liu! -Aaron
