[dpdk-dev] [RFC] librte_vhost: Add unix domain socket fd registration

Aaron Conole aconole at redhat.com
Tue Jun 21 15:15:03 CEST 2016

Yuanhan Liu <yuanhan.liu at linux.intel.com> writes:

> On Fri, Jun 17, 2016 at 11:32:36AM -0400, Aaron Conole wrote:
>> Prior to this commit, the only way to add a vhost-user socket to the
>> system is by relying on librte_vhost to open the unix domain socket and
>> add it to the unix socket list.  This is problematic for applications
>> which would like to set the permissions,
> So, you want to address the issue raised by following patch?
>     http://dpdk.org/dev/patchwork/patch/12222/

That patch does try to address the issue, however - it has some
problems.  The biggest is a TOCTTOU issue when using chown.  The way to
solve that issue properly is different depending on which operating
system is being used (for instance, FreeBSD doesn't honor
fchown(),fchmod() on file descriptors).  My solution is basically to
punt that responsibility to the controlling application.

> I would still like to stick to my proposal, that is to introduce a
> new API to do the permission change at anytime, if we end up with
> wanting to introduce a new API.

I've spent a lot of time looking at the TOCTTOU problem, and I think
that is a really hard problem to solve portably.  Might be good to just
start with the flexible mechanism here that lets the application
developer satisfy their own needs.

>> or applications which are not
>> directly allowed to open sockets due to policy restrictions.
> Could you name a specific example?

SELinux policy might require one application to open the socket, and
pass it back via a dbus mechanism.  I can't actually think of a concrete
implemented case, so it may not be valid.

> BTW, JFYI, since 16.07, DPDK supports client mode. It's QEMU (acting
> as the server) will create the socket file. I guess that would diminish
> (or even avoid?) the permission pain that DPDK acting as server brings.
> I doubt the API to do the permission change is really needed then.

I wouldn't say it 'solves' the issue so much as hopes no one uses server
mode in DPDK.  I agree, for OvS, it could.

> 	--yliu

Thanks so much for your thoughts and review on this, Yuanhan Liu!


More information about the dev mailing list