genode/base-linux/include/linux_pd_session/client.h
Norman Feske 20d8655a7f Linux: move process creation into core
Genode used to create new processes by directly forking from the
respective Genode parent using the process library. The forking process
created a PD session at core merely for propagating the PID of the new
process into core (for later destruction). This traditional mechanisms
has the following disadvantages:

First, the PID reported by the creating process to core cannot easily be
validated by core. Therefore core has to trust the PD client to not
specify a PID of an existing process, which would happen to be killed
once the PD session gets destructed. This problem is documented by
issue #318. Second, there is no way for a Genode process to detect the
failure of its any grandchildren. The immediate parent of a faulting
process could use the SIGCHLD-and-waitpid mechanism to observe its
children but this mechanism does not work transitively.

By performing the process creation exclusively within core, all Genode
processes become immediate child processes of core. Hence, core can
respond to failures of any of those processes and reflect such
conditions via core's session interfaces. Furthermore, the PID
associated to a PD session is locally known within core and cannot be
forged anymore. In fact, there is actually no need at all to make
processes aware of any PIDs of other processes.

Please note that this patch breaks the 'chroot' mechanism that comes in
the form of the 'os/src/app/chroot' program. Because all processes are
forked from core, a chroot'ed process could sneak outside its chroot
environment by just creating a new Genode process. To address this
issue, the chroot mechanism must be added to core.
2012-11-05 17:31:04 +01:00

44 lines
1.1 KiB
C++

/*
* \brief Client-side PD session interface
* \author Norman Feske
* \date 2012-08-15
*/
/*
* Copyright (C) 2012 Genode Labs GmbH
*
* This file is part of the Genode OS framework, which is distributed
* under the terms of the GNU General Public License version 2.
*/
#ifndef _INCLUDE__LINUX_PD_SESSION__CLIENT_H_
#define _INCLUDE__LINUX_PD_SESSION__CLIENT_H_
#include <linux_pd_session/linux_pd_session.h>
#include <base/rpc_client.h>
namespace Genode {
struct Linux_pd_session_client : Rpc_client<Linux_pd_session>
{
explicit Linux_pd_session_client(Capability<Linux_pd_session> session)
: Rpc_client<Linux_pd_session>(session) { }
int bind_thread(Thread_capability thread) {
return call<Rpc_bind_thread>(thread); }
int assign_parent(Parent_capability parent) {
return call<Rpc_assign_parent>(parent); }
/*****************************
* Linux-specific extension **
*****************************/
void start(Capability<Dataspace> binary, Name const &name) {
call<Rpc_start>(binary, name); }
};
}
#endif /* _INCLUDE__LINUX_PD_SESSION__CLIENT_H_ */