Re: [PATCH RFC 4/5] net/tls: Add support for PF_TLSH (a TLS handshake listener)

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 28 Apr 2022, at 9:51, Hannes Reinecke wrote:

> On 4/28/22 15:30, Jakub Kicinski wrote:
>> On Thu, 28 Apr 2022 09:26:41 +0200 Hannes Reinecke wrote:
>>> The whole thing started off with the problem on _how_ sockets could be
>>> passed between kernel and userspace and vice versa.
>>> While there is fd passing between processes via AF_UNIX, there is no
>>> such mechanism between kernel and userspace.
>>
>> Noob question - the kernel <> user space FD sharing is just
>> not implemented yet, or somehow fundamentally hard because kernel
>> fds are "special"?
>
> Noob reply: wish I knew.  (I somewhat hoped _you_ would've been able to
> tell me.)
>
> Thing is, the only method I could think of for fd passing is the POSIX fd
> passing via unix_attach_fds()/unix_detach_fds().  But that's AF_UNIX,
> which really is designed for process-to-process communication, not
> process-to-kernel.  So you probably have to move a similar logic over to
> AF_NETLINK. And design a new interface on how fds should be passed over
> AF_NETLINK.
>
> But then you have to face the issue that AF_NELINK is essentially UDP, and
> you have _no_ idea if and how many processes do listen on the other end.
> Thing is, you (as the sender) have to copy the fd over to the receiving
> process, so you'd better _hope_ there is a receiving process.  Not to
> mention that there might be several processes listening in...
>
> And that's something I _definitely_ don't feel comfortable with without
> guidance from the networking folks, so I didn't pursue it further and we
> went with the 'accept()' mechanism Chuck implemented.
>
> I'm open to suggestions, though.

EXPORT_SYMBOL(receive_fd) would allow interesting implementations.

The kernel keyring facilities have a good API for creating various key_types
which are able to perform work such as this from userspace contexts.

I have a working prototype for a keyring key instantiation which allows a
userspace process to install a kernel fd on its file table.  The problem
here is how to match/route such fd passing to appropriate processes in
appropriate namespaces.  I think this problem is shared by all
kernel-to-userspace upcalls, which I hope we can discuss at LSF/MM.

I don't think kernel fds are very special as compared to userspace fds.

Ben




[Index of Archives]     [Linux Ext4 Filesystem]     [Union Filesystem]     [Filesystem Testing]     [Ceph Users]     [Ecryptfs]     [NTFS 3]     [AutoFS]     [Kernel Newbies]     [Share Photos]     [Security]     [Netfilter]     [Bugtraq]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux Cachefs]     [Reiser Filesystem]     [Linux RAID]     [NTFS 3]     [Samba]     [Device Mapper]     [CEPH Development]

  Powered by Linux