[Dev] Tizen 3.0 proposal for fixing OSP/WRT/Core hard-coded UID issue

Łukasz Stelmach l.stelmach at samsung.com
Tue Oct 15 08:32:30 GMT 2013


It was <2013-10-14 pon 15:22>, when Jussi Laako wrote:
> On 11.10.2013 19:30, Schaufler, Casey wrote:
>>
>> Dominique and I discussed the underlying problem in some detail
>> and believe that we have a cleaner solution.
>
> Nobody has yet explained why launcher needs to be somehow privileged
> and why it's not just a service part of a normal user session?
>
> I'm not advocating for SO_PEERCRED & /proc/PID usage, but it can be
> made fairly proper. I have made a small demo client/server pair
> (attached) that should be quite OK for dealing with this combination
> for whatever use.
>
> I think I will also attempt to fix kernel regarding the "feature" I
> found (as commented in the sources).

I haven't followed the thread very closely. If I understand the problem
correctly the patch[fn:1] proposed by Jan Kaluza and discussed[fn:2] on
RedHat's bugzilla might help. It introduces three new socket-level
control messages: SCM_AUDIT, SCM_PROCINFO and SCM_CGROUP that are meant
to provide information about processes to systemd journal.

Systemd journal logs not only messages sent by processes but also
information about processes themselves. The goal is to provide some
trusted information that cannot be altered by the clients which send the
message. Currently it reads a few /proc/<PID>/* files upon every message
received, which brings a noticable performance hit. The socket control
messages are meant to be more efficient, less racy and as secure as
/proc.

Footnotes:

[fn:1] https://lkml.org/lkml/2013/8/27/318

[fn:2] https://bugzilla.redhat.com/show_bug.cgi?id=963620

-- 
Łukasz Stelmach
Samsung R&D Institute Poland
Samsung Electronics
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 489 bytes
Desc: not available
URL: <http://lists.tizen.org/pipermail/dev/attachments/20131015/ae693684/attachment.sig>


More information about the Dev mailing list