Received: by 2002:a05:7412:5112:b0:fa:6e18:a558 with SMTP id fm18csp1414375rdb; Wed, 24 Jan 2024 14:56:38 -0800 (PST) X-Google-Smtp-Source: AGHT+IFcJSYUcsWgn9aShEYZFNXjYs1Pqekp4NMABUYlwZDX1Jc6LTAXnY9mdI/JO3Fxm/XvP3eH X-Received: by 2002:a17:902:ec86:b0:1d7:4044:81e4 with SMTP id x6-20020a170902ec8600b001d7404481e4mr129043plg.112.1706136998371; Wed, 24 Jan 2024 14:56:38 -0800 (PST) ARC-Seal: i=2; a=rsa-sha256; t=1706136998; cv=pass; d=google.com; s=arc-20160816; b=Uv3jJFbejPxJ+QeFwpRV6XBW4oZKXSR1EievIaA4oKkodFD0jV9DI8jsFL8DC3LRl+ WsF4LAbD3/ow/SzATLy7Ykc1UE7NaZnmYhSWwMtk5O7YgrQ0Bqmkh9z3rOnw2X6Y7/uP QQXYkLsjeFRIAROV+ZuBaBg45qKkMlW/Ao/wpefozrRn1yWlvE2qU2GrDLGzu2f6d+aR bcsaOuL29SIsOIoAg9ptwik+enAMH9gbz5wKFYUjYkC+BmRbYrWou9FI60dmAWejLCeu hZp4ijPxiZoDRw3qWGdCE1e7/VJfRgsMWkd5+UKBHpxhUiYaHvUWnPVqBkSbhhQVqhnj JOTg== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=content-transfer-encoding:mime-version:list-unsubscribe :list-subscribe:list-id:precedence:references:in-reply-to:message-id :date:subject:cc:to:from:dkim-signature; bh=DkSieLEcEHpG6Q5/Pg0k+yQT4j2UmfvF4WEMWSAihHY=; fh=mkaUU7+z21PlrMKNp0CWzGf2N/lRQaBa3iZgfXWIUtM=; b=W+KHUM9YwmcXR+RgG6ZW7Qw2J7pzc+TJUpqJLQzI8GBD/npf3d2uf/v9qa8tUCsQG+ jvzbdn6kofSG7j8CZKQS1HqdaPLRUnDUQVqjQ0I9Ku9Re/61qxRXyw+Z30xJoXy+I2qG cUYzVpHjsRZwLFDPXjBOJqcEurgK5r52QI1tdartu+zibLEglpVrXxQD/7g9m/Gtinf7 C0WTcDy0Bhr81BWAo87LMJbsXKrBX4OWDUiwlGT8LTK8MT030xGyPdZYSBlthmcD2tNH Cl4InfJsEzeTZOSTGBaGkIOUf33geWSlqWNhs+wh3ELBuvuqno0F0oJ93RR1rN1HU+Nu sdiw== ARC-Authentication-Results: i=2; mx.google.com; dkim=pass header.i=@codeweavers.com header.s=s1 header.b=Y1DBGw21; arc=pass (i=1 spf=pass spfdomain=codeweavers.com dkim=pass dkdomain=codeweavers.com dmarc=pass fromdomain=codeweavers.com); spf=pass (google.com: domain of linux-kernel+bounces-37789-linux.lists.archive=gmail.com@vger.kernel.org designates 139.178.88.99 as permitted sender) smtp.mailfrom="linux-kernel+bounces-37789-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=codeweavers.com Return-Path: Received: from sv.mirrors.kernel.org (sv.mirrors.kernel.org. [139.178.88.99]) by mx.google.com with ESMTPS id iz11-20020a170902ef8b00b001d72fa0cc5fsi7898654plb.503.2024.01.24.14.56.38 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 24 Jan 2024 14:56:38 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel+bounces-37789-linux.lists.archive=gmail.com@vger.kernel.org designates 139.178.88.99 as permitted sender) client-ip=139.178.88.99; Authentication-Results: mx.google.com; dkim=pass header.i=@codeweavers.com header.s=s1 header.b=Y1DBGw21; arc=pass (i=1 spf=pass spfdomain=codeweavers.com dkim=pass dkdomain=codeweavers.com dmarc=pass fromdomain=codeweavers.com); spf=pass (google.com: domain of linux-kernel+bounces-37789-linux.lists.archive=gmail.com@vger.kernel.org designates 139.178.88.99 as permitted sender) smtp.mailfrom="linux-kernel+bounces-37789-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=codeweavers.com Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by sv.mirrors.kernel.org (Postfix) with ESMTPS id 077D5282E9A for ; Wed, 24 Jan 2024 22:56:38 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id 41E24136647; Wed, 24 Jan 2024 22:56:30 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=codeweavers.com header.i=@codeweavers.com header.b="Y1DBGw21" Received: from mail.codeweavers.com (mail.codeweavers.com [4.36.192.163]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 108962C683; Wed, 24 Jan 2024 22:56:27 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=4.36.192.163 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1706136989; cv=none; b=MIApamantHNEA9SXb/yO2V4WdjXAnY6977Uf8T6nzrn6UDUJ0kdchM2W7vqJ/4UIHvtIaMMrT3T/R3G8H28SNnInfSltzUz3vKyTNxje1Zb4d1Dd9WhISFiT1wN16x7ioVKgUmsoVNAMba1ubBVEMSXUE1N9GTk97g6AMkRIwN4= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1706136989; c=relaxed/simple; bh=SKdonuUpwHNKkTNWaGs4Ap2srIbuQXPsoaUP/5ykGqk=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version:Content-Type; b=gZ9guv+lL1AL72Enuyvvf/oXaQEHt0vY2kB7p7raKfwt5ODKJvTBRG0l6arCKZfY75646tT5c3KC+6VLHq2lTWxKTx87ufRktbiLKXB3Ig7Dd9LbxBAbkDGMtjH03xyUf7XqH8IuadhovFHb3YWjdiaXKbczDgIKQro8C1wxTRQ= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=codeweavers.com; spf=pass smtp.mailfrom=codeweavers.com; dkim=pass (2048-bit key) header.d=codeweavers.com header.i=@codeweavers.com header.b=Y1DBGw21; arc=none smtp.client-ip=4.36.192.163 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=codeweavers.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=codeweavers.com DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=codeweavers.com; s=s1; h=Message-ID:Date:Subject:Cc:To:From:Sender; bh=DkSieLEcEHpG6Q5/Pg0k+yQT4j2UmfvF4WEMWSAihHY=; b=Y1DBGw21m5Hc+UTCIOYjYI8FHz luVQen0EpOKHHXL/WSwkVb+i8f58xSBeFY7Fv8G51gbrWisq7rT1A+Ydjr8ZTCWbdjwAS9jk5ZTdF wWf9v3YYTNlqzIrH4L892xpiQ2SpZmH34ZJmOWCUNhGfBL3AgN5ceGsnO+sZB1NLgoeXmw/d6w5ai D7s52QdJx5yasDJBvA/elgaondrWRb3sHHKvkoO9dYNcrquAPFgHAiQncVyFZexrWwml3+NbzBYp5 PlWExdFMzsg9Q0moMdeNh0XnGkLqGrLRC5LtycMVpPQPCX+K6IVTnuvRPAqMWvzNIplM1Mmk/qQqW ybSEAO6g==; Received: from cw137ip160.mn.codeweavers.com ([10.69.137.160] helo=camazotz.localnet) by mail.codeweavers.com with esmtpsa (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.96) (envelope-from ) id 1rSmAR-00Ea95-1y; Wed, 24 Jan 2024 16:56:23 -0600 From: Elizabeth Figura To: Andy Lutomirski Cc: Arnd Bergmann , Greg Kroah-Hartman , linux-kernel@vger.kernel.org, linux-api@vger.kernel.org, wine-devel@winehq.org, =?ISO-8859-1?Q?Andr=E9?= Almeida , Wolfram Sang , Arkadiusz Hiler , Peter Zijlstra , Alexandre Julliard Subject: Re: [RFC PATCH 1/9] ntsync: Introduce the ntsync driver and character device. Date: Wed, 24 Jan 2024 16:56:23 -0600 Message-ID: <5907233.BlLQTPImNI@camazotz> In-Reply-To: References: <20240124004028.16826-1-zfigura@codeweavers.com> <20240124004028.16826-2-zfigura@codeweavers.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="UTF-8" On Wednesday, 24 January 2024 15:26:15 CST Andy Lutomirski wrote: > On Tue, Jan 23, 2024 at 4:59=E2=80=AFPM Elizabeth Figura > wrote: > > > > ntsync uses a misc device as the simplest and least intrusive uAPI inte= rface. > > > > Each file description on the device represents an isolated NT instance,= intended > > to correspond to a single NT virtual machine. >=20 > If I understand this text right, and if I understood the code right, > you're saying that each open instance of the device represents an > entire universe of NT synchronization objects, and no security or > isolation is possible between those objects. For single-process use, > this seems fine. But fork() will be a bit odd (although NT doesn't > really believe in fork, so maybe this is fine). >=20 > Except that NT has *named* semaphores and such. And I'm pretty sure > I've written GUI programs that use named synchronization objects (IIRC > they were events, and this was a *very* common pattern, regularly > discussed in MSDN, usenet, etc) to detect whether another instance of > the program is running. And this all works on real Windows because > sessions have sufficiently separated namespaces, and the security all > works out about as any other security on Windows, etc. But > implementing *that* on top of this > file-description-plus-integer-equals-object will be fundamentally > quite subject to one buggy program completely clobbering someone > else's state. >=20 > Would it make sense and scale appropriately for an NT synchronization > *object* to be a Linux open file description? Then SCM_RIGHTS could > pass them around, an RPC server could manage *named* objects, and > they'd generally work just like other "Object Manager" objects like, > say, files. It's a sensible concern. I think when I discussed this with Alexandre Julliard (the Wine maintainer, CC'd) the conclusion was this wasn't something we were concerned about. While the current model *does* allow for processes to arbitrarily mess with each other, accidentally or not, I think we're not concerned with the scope of that than we are about implementing a whole scheduler in user space. =46or one, you can't corrupt the wineserver state this way=E2=80=94wineserv= er being sort of like a dedicated process that handles many of the things that a kernel would, and so sometimes needs to set or reset events, or perform NTSYNC_IOC_KILL_MUTEX, but never relies on ntsync object state. Whereas trying to implement a scheduler in user space would involve the wineserver taking locks, and hence other processes could deadlock. =46or two, it's probably a lot harder to mess with that internal state accidentally. [There is also a potential problem where some broken applications create a million (literally) sync objects. Making these into files runs into NOFILE. We did specifically push distributions and systemd to increase those limits because an older solution *did* use eventfds and *did* run into those limits. Since that push was successful I don't know if this is *actually* a concern anymore, but avoiding files is probably not a bad thing either.] =2D-Zeb