On Wed, Apr 17, 2019 at 7:12 PM Tomasz Figa <tfiga@xxxxxxxxxxxx> wrote:
>
> On Wed, Apr 17, 2019 at 6:31 PM Gerd Hoffmann <kraxel@xxxxxxxxxx> wrote:
> >
> > > > > Mojo IPC. Mojo is just yet another IPC designed to work over a Unix
> > > > > socket, relying on file descriptor passing (SCM_RIGHTS) for passing
> > > > > various platform handles (e.g. DMA-bufs). The clients exchange
> > > > > DMA-bufs with the service.
> > > >
> > > > Only dma-bufs?
> > > >
> > >
> > > Mojo is just a framework that can serialize things and pass various
> > > objects around. What is being passed depends on the particular
> > > interface.
> > >
> > > For the camera use case that would be DMA-bufs and fences.
> >
> > Hmm, fences. That'll be tricky too.
> >
> > > We also have some more general use cases where we actually pass files,
> > > sockets and other objects there. They can be easily handled with a
> > > userspace proxy, though. Not very efficiently, but that's not a
> > > requirement for our use cases.
> >
> > Ok. So you'll have a userspace proxy anyway?
> >
> > That pretty much removes the requirement to handle dma-bufs in
> > virtio-vsock (even though that still might be the best option),
> > the proxy could also use virtio-gpu or something else.
> >
>
> We have a proxy for some other IPC interfaces, like sharing guest
> files with the host. It doesn't handle DMA-bufs or fences, but those
> could be added. Given that, no, technically we don't need that in
> virtio-vsock. It would cost us a bit of latency, but it should work
> okay.

Actually there is one issue with the user space proxy model. Malicious
userspace could still open vsock directly and start guessing resource
handles to get access to buffers. While this could be prevented by
making vsock accessible only for the proxy process, it would render any
other legit use cases for vsock impossible without making the processes
implementing those privileged as well.

Of course that would not be a security issue for the host, since the
malicious process could only get access to the buffers accessible to
the guest as a whole. Still, it would significantly affect the security
level within the guest.

Best regards,
Tomasz
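The handle-guessing problem Tomasz raises above, illustrated with a small simulation. This is an added example, not code from the thread, from virtio-vsock or from the Chrome OS proxy: a host-side table hands out small sequential "resource handles" for exported buffers, and a second guest connection simply enumerates them. Two lookup policies are compared. The "global namespace" policy is the situation described in the message; the "connection-bound" policy (a handle resolves only on the connection it was issued to) is one mitigation that is not discussed in the thread and is included here purely as an assumed alternative to restricting vsock to the proxy process. All names (`alloc_handle`, `lookup_global`, `lookup_bound`, `run_scenario`, the buffer labels) are invented for the illustration.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed simulation (not virtio-vsock, Mojo or proxy code) of
 * buffers exported to a guest under small integer resource handles.
 * The "name" field stands in for the backing DMA-buf. */

#define MAX_RES 16

struct resource {
    bool in_use;
    int owner_conn;   /* connection id the handle was issued on */
    const char *name; /* label for the buffer in this simulation */
};

static struct resource table[MAX_RES];
static int next_handle;

/* Clear all simulation state. */
void reset_table(void)
{
    memset(table, 0, sizeof table);
    next_handle = 0;
}

/* Host side: issue the next sequential handle for a buffer on behalf of
 * connection `conn`. Sequential handles are trivially guessable. */
int alloc_handle(int conn, const char *name)
{
    if (next_handle >= MAX_RES)
        return -1;
    int h = next_handle++;
    table[h].in_use = true;
    table[h].owner_conn = conn;
    table[h].name = name;
    return h;
}

/* Policy A (the situation in the message): one global handle namespace.
 * Any connection that can reach the transport may resolve any handle. */
const struct resource *lookup_global(int conn, int handle)
{
    (void)conn;
    if (handle < 0 || handle >= MAX_RES || !table[handle].in_use)
        return NULL;
    return &table[handle];
}

/* Policy B (assumed mitigation, not from the thread): a handle is only
 * valid on the connection it was issued to, so guessing from another
 * connection yields nothing. */
const struct resource *lookup_bound(int conn, int handle)
{
    const struct resource *r = lookup_global(conn, handle);
    if (!r || r->owner_conn != conn)
        return NULL;
    return r;
}

/* Attacker: open its own connection and try every small handle value.
 * Returns how many buffers it managed to resolve. */
int enumerate_handles(int attacker_conn,
                      const struct resource *(*lookup)(int, int))
{
    int hits = 0;
    for (int h = 0; h < MAX_RES; h++)
        if (lookup(attacker_conn, h))
            hits++;
    return hits;
}

/* Scenario: the legitimate proxy (connection 1) exports two constructed
 * camera buffers; a malicious process opens connection 2 and enumerates. */
int run_scenario(bool connection_bound)
{
    reset_table();
    alloc_handle(1, "camera-frame-0");
    alloc_handle(1, "camera-frame-1");
    return enumerate_handles(2, connection_bound ? lookup_bound
                                                 : lookup_global);
}

int main(void)
{
    printf("global namespace:  attacker reaches %d buffers\n",
           run_scenario(false));
    printf("connection-bound:  attacker reaches %d buffers\n",
           run_scenario(true));
    return 0;
}
```

The point of the comparison is that an integer handle carried over a socket is a name, not a capability: unlike an fd passed with SCM_RIGHTS, possessing the transport is enough to use it. Binding handles to the issuing connection (or, equivalently, restricting who may open the transport at all, as the message proposes) is what turns the name back into something only the intended process can exercise.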