Discussion: handling misbehaving filesystem drivers
Nobody III
2016-05-13 04:01:07 UTC
I'm planning on writing an fs_filter server for the desktop environment I'm
developing. The server will combine access to multiple filesystems, much
like the vfs server. I want to implement this feature in such a way that a
misbehaving filesystem driver can't make the server hang. How should I do
this?
Norman Feske
2016-05-13 09:40:02 UTC
Hello Ben,
this question reminds me of the following issue, where I brought up the
same problem for NIC drivers:

https://github.com/genodelabs/genode/issues/1592

In short, rather than developing your fs_filter in a defensive way, I
would recommend to develop it assuming that the used file-system servers
are trusted. To still use a non-trustworthy file-system server, run it
as a child of a dedicated fs_failsafe monitor. This is a runtime
environment with the following functionality:

* It runs the real file system as a child component.
* It provides a file-system service to the outside. However, it does not
implement the file-system itself but rather forwards all requests to
its child. Because the fs_failsafe component is small and trusted, it
will never hang. So your fs_filter would be safe to use it at all
times.
* It monitors the liveness of the child, e.g., by using a watchdog
thread that looks at the duration of file-system requests. If it
detects that the child hangs, it can try to handle this situation
(I don't know if restarting a file system is a reasonable idea or
not). In any case, it could still respond to client requests by
returning errors instead of hanging. It could also respond to a
session-close request by killing the child.

Do you think this approach would work for you?

Norman
--
Dr.-Ing. Norman Feske
Genode Labs

http://www.genode-labs.com · http://genode.org

Genode Labs GmbH · Amtsgericht Dresden · HRB 28424 · Sitz Dresden
Geschäftsführer: Dr.-Ing. Norman Feske, Christian Helmuth
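The monitor structure sketched in the post above, worked through as an added example; this is not code from the thread or from Genode, and it uses plain C++ threads rather than Genode's session and entrypoint API. The `Child`, `Failsafe` and `Status` names, the 200 ms deadline and the "/hang" path that makes the child block are all assumptions constructed for the demo. The point it shows is the one in the post: the small monitor forwards requests, bounds each one with a watchdog deadline, answers with an error instead of hanging, and kills the child on session close.

```cpp
#include <atomic>
#include <chrono>
#include <condition_variable>
#include <cstdio>
#include <memory>
#include <mutex>
#include <string>
#include <thread>
#include <vector>

// Status codes of the hypothetical monitor. Genode's File_system session
// has its own error vocabulary; these exist only for the demo.
enum class Status { OK, TIMEOUT, KILLED };

struct Reply {
    Status status;
    std::string data;
};

// Stand-in for the untrusted file-system child. It serves one request at a
// time (like a single-threaded server) and, for paths under /hang, blocks
// until it is "killed". That is the constructed misbehaviour to survive.
class Child {
public:
    Reply handle(const std::string &path) {
        std::lock_guard<std::mutex> busy(busy_);   // one request at a time
        std::unique_lock<std::mutex> l(m_);
        if (path.rfind("/hang", 0) == 0)
            cv_.wait(l, [&] { return killed_; });  // hangs until kill()
        if (killed_)
            return {Status::KILLED, ""};
        return {Status::OK, "content of " + path};
    }
    void kill() {
        std::lock_guard<std::mutex> l(m_);
        killed_ = true;
        cv_.notify_all();
    }
private:
    std::mutex busy_, m_;
    std::condition_variable cv_;
    bool killed_ = false;
};

// The fs_failsafe-style monitor: forwards each request to the child on a
// worker thread and waits at most `deadline` for the answer. A late answer
// is reported as TIMEOUT and the child is marked hung, so later requests
// fail fast instead of piling up more blocked workers inside the child.
class Failsafe {
public:
    explicit Failsafe(std::chrono::milliseconds deadline) : deadline_(deadline) {}
    ~Failsafe() { close(); }

    Reply request(const std::string &path) {
        if (closed_) return {Status::KILLED, ""};
        if (hung_)   return {Status::TIMEOUT, ""};  // watchdog already fired

        auto slot = std::make_shared<Slot>();
        {
            std::lock_guard<std::mutex> l(workers_mutex_);
            workers_.emplace_back([this, slot, path] {
                Reply r = child_.handle(path);
                std::lock_guard<std::mutex> sl(slot->m);
                slot->reply = r;
                slot->done  = true;
                slot->cv.notify_one();
            });
        }
        std::unique_lock<std::mutex> sl(slot->m);
        if (!slot->cv.wait_for(sl, deadline_, [&] { return slot->done; })) {
            hung_ = true;            // watchdog: child did not answer in time
            ++timeouts_;
            return {Status::TIMEOUT, ""};
        }
        return slot->reply;
    }

    // Session close: kill the child, which also unblocks any worker that
    // was stuck inside it, then reap the workers.
    void close() {
        closed_ = true;
        child_.kill();
        std::lock_guard<std::mutex> l(workers_mutex_);
        for (auto &t : workers_) if (t.joinable()) t.join();
        workers_.clear();
    }

    int timeouts() const { return timeouts_; }

private:
    struct Slot {
        std::mutex m;
        std::condition_variable cv;
        bool done = false;
        Reply reply{Status::KILLED, ""};
    };
    std::chrono::milliseconds deadline_;
    Child child_;
    std::atomic<bool> closed_{false}, hung_{false};
    int timeouts_ = 0;
    std::mutex workers_mutex_;
    std::vector<std::thread> workers_;
};

// Exercise the monitor: a healthy request, a request that hangs the child,
// a request while the child is hung, and a request after session close.
std::vector<Status> demo() {
    Failsafe fs(std::chrono::milliseconds(200));
    std::vector<Status> seen;
    seen.push_back(fs.request("/home/readme").status);  // OK
    seen.push_back(fs.request("/hang/now").status);     // TIMEOUT (watchdog)
    seen.push_back(fs.request("/home/other").status);   // TIMEOUT (fail fast)
    fs.close();                                         // kills the child
    seen.push_back(fs.request("/home/late").status);    // KILLED
    return seen;
}

int main() {
    static const char *names[] = {"OK", "TIMEOUT", "KILLED"};
    for (Status s : demo())
        std::printf("%s\n", names[static_cast<int>(s)]);
    return 0;
}
```

Two design points worth keeping when turning this into a real component: the monitor must never block on the child itself (here every forwarded call runs on its own worker, and the client-facing thread only waits on a deadline), and once the watchdog has fired it should stop forwarding, because each further request to a hung child is another thread or buffer the child will never give back. Whether to restart the child after a timeout, or only to keep returning errors until the session is closed, is the open question raised in the post above and is left out of the example.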
Nobody III
2016-05-13 15:08:36 UTC
Okay, that makes sense. Thanks. And I'm looking forward to when we have
more failsafe components.
_______________________________________________
genode-main mailing list
https://lists.sourceforge.net/lists/listinfo/genode-main
Nobody III
2016-05-13 23:52:44 UTC
After thinking and going through more code, it seems like it might be
better to update the vfs library and server to support reloading their
configuration cleanly. How feasible is this?
Emery Hemingway
2016-05-14 09:01:51 UTC
I think the thing to do is to leave the VFS static, but create a vfs
plugin that is dynamic. Something like

<vfs>
	<tar name="bash.tar"/>
	<dir name="home"> <fs/> </dir>
	<tmp> <ram/> </tmp>
	<dir name="media"> <dynamic config="dynamic_fs.config"/> </dir>
</vfs>

That keeps the VFS simple but with some optional complexity.


Emery