third_party
/
virglrenderer
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
2514 Commits
1 Branch
0 Tags
6.6 MiB
Tag: Branch: Tree: a663e5d20a
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'a663e5d20a'
${ noResults }
virglrenderer/server/render_server.c

221 lines
5.7 KiB
Raw Normal View History Unescape

virgl: add render server The render server is a daemon that sits idle waiting for commands. When requested to create a context, it forks and creates the context in a subprocess. This isolates contexts from each other, from the server process, and from the client process. Because a context process can execute untrusted commands and depends on GPU drivers, the isolation should improve the security. There is also a multi-thread mode where each context is executed by a thread. This mode is used to ease debugging, but maybe someone will find a use case for it. Signed-off-by: Chia-I Wu <olvaffe@gmail.com> Reviewed-by: Yiwei Zhang <zzyiwei@chromium.org> Reviewed-by: Ryan Neph <ryanneph@google.com>
3 years ago
/*
* Copyright 2021 Google LLC
* SPDX-License-Identifier: MIT
*/
#include "render_server.h"
server: listen to SIGCHLD to reap workers No more confusing zombie processes. Signed-off-by: Chia-I Wu <olvaffe@gmail.com> Reviewed-by: Yiwei Zhang <zzyiwei@chromium.org> Reviewed-by: Ryan Neph <ryanneph@google.com>
3 years ago
#include <errno.h>
virgl: add render server The render server is a daemon that sits idle waiting for commands. When requested to create a context, it forks and creates the context in a subprocess. This isolates contexts from each other, from the server process, and from the client process. Because a context process can execute untrusted commands and depends on GPU drivers, the isolation should improve the security. There is also a multi-thread mode where each context is executed by a thread. This mode is used to ease debugging, but maybe someone will find a use case for it. Signed-off-by: Chia-I Wu <olvaffe@gmail.com> Reviewed-by: Yiwei Zhang <zzyiwei@chromium.org> Reviewed-by: Ryan Neph <ryanneph@google.com>
3 years ago
#include <getopt.h>
server: listen to SIGCHLD to reap workers No more confusing zombie processes. Signed-off-by: Chia-I Wu <olvaffe@gmail.com> Reviewed-by: Yiwei Zhang <zzyiwei@chromium.org> Reviewed-by: Ryan Neph <ryanneph@google.com>
3 years ago
#include <poll.h>
virgl: add render server The render server is a daemon that sits idle waiting for commands. When requested to create a context, it forks and creates the context in a subprocess. This isolates contexts from each other, from the server process, and from the client process. Because a context process can execute untrusted commands and depends on GPU drivers, the isolation should improve the security. There is also a multi-thread mode where each context is executed by a thread. This mode is used to ease debugging, but maybe someone will find a use case for it. Signed-off-by: Chia-I Wu <olvaffe@gmail.com> Reviewed-by: Yiwei Zhang <zzyiwei@chromium.org> Reviewed-by: Ryan Neph <ryanneph@google.com>
3 years ago
#include <unistd.h>
#include "render_client.h"
#include "render_worker.h"
#define RENDER_SERVER_MAX_WORKER_COUNT 256
server: listen to SIGCHLD to reap workers No more confusing zombie processes. Signed-off-by: Chia-I Wu <olvaffe@gmail.com> Reviewed-by: Yiwei Zhang <zzyiwei@chromium.org> Reviewed-by: Ryan Neph <ryanneph@google.com>
3 years ago
enum render_server_poll_type {
RENDER_SERVER_POLL_SOCKET = 0,
RENDER_SERVER_POLL_SIGCHLD /* optional */,
RENDER_SERVER_POLL_COUNT,
};
static int
render_server_init_poll_fds(struct render_server *srv,
struct pollfd poll_fds[static RENDER_SERVER_POLL_COUNT])
{
const int socket_fd = srv->client->socket.fd;
const int sigchld_fd = render_worker_jail_get_sigchld_fd(srv->worker_jail);
poll_fds[RENDER_SERVER_POLL_SOCKET] = (const struct pollfd){
.fd = socket_fd,
.events = POLLIN,
};
poll_fds[RENDER_SERVER_POLL_SIGCHLD] = (const struct pollfd){
.fd = sigchld_fd,
.events = POLLIN,
};
return sigchld_fd >= 0 ? 2 : 1;
}
static bool
render_server_poll(UNUSED struct render_server *srv,
struct pollfd *poll_fds,
int poll_fd_count)
{
int ret;
do {
ret = poll(poll_fds, poll_fd_count, -1);
} while (ret < 0 && (errno == EINTR || errno == EAGAIN));
if (ret <= 0) {
render_log("failed to poll in the main loop");
return false;
}
return true;
}
virgl: add render server The render server is a daemon that sits idle waiting for commands. When requested to create a context, it forks and creates the context in a subprocess. This isolates contexts from each other, from the server process, and from the client process. Because a context process can execute untrusted commands and depends on GPU drivers, the isolation should improve the security. There is also a multi-thread mode where each context is executed by a thread. This mode is used to ease debugging, but maybe someone will find a use case for it. Signed-off-by: Chia-I Wu <olvaffe@gmail.com> Reviewed-by: Yiwei Zhang <zzyiwei@chromium.org> Reviewed-by: Ryan Neph <ryanneph@google.com>
3 years ago
static bool
render_server_run(struct render_server *srv)
{
server: listen to SIGCHLD to reap workers No more confusing zombie processes. Signed-off-by: Chia-I Wu <olvaffe@gmail.com> Reviewed-by: Yiwei Zhang <zzyiwei@chromium.org> Reviewed-by: Ryan Neph <ryanneph@google.com>
3 years ago
struct render_client *client = srv->client;
struct pollfd poll_fds[RENDER_SERVER_POLL_COUNT];
const int poll_fd_count = render_server_init_poll_fds(srv, poll_fds);
virgl: add render server The render server is a daemon that sits idle waiting for commands. When requested to create a context, it forks and creates the context in a subprocess. This isolates contexts from each other, from the server process, and from the client process. Because a context process can execute untrusted commands and depends on GPU drivers, the isolation should improve the security. There is also a multi-thread mode where each context is executed by a thread. This mode is used to ease debugging, but maybe someone will find a use case for it. Signed-off-by: Chia-I Wu <olvaffe@gmail.com> Reviewed-by: Yiwei Zhang <zzyiwei@chromium.org> Reviewed-by: Ryan Neph <ryanneph@google.com>
3 years ago
while (srv->state == RENDER_SERVER_STATE_RUN) {
server: listen to SIGCHLD to reap workers No more confusing zombie processes. Signed-off-by: Chia-I Wu <olvaffe@gmail.com> Reviewed-by: Yiwei Zhang <zzyiwei@chromium.org> Reviewed-by: Ryan Neph <ryanneph@google.com>
3 years ago
if (!render_server_poll(srv, poll_fds, poll_fd_count))
virgl: add render server The render server is a daemon that sits idle waiting for commands. When requested to create a context, it forks and creates the context in a subprocess. This isolates contexts from each other, from the server process, and from the client process. Because a context process can execute untrusted commands and depends on GPU drivers, the isolation should improve the security. There is also a multi-thread mode where each context is executed by a thread. This mode is used to ease debugging, but maybe someone will find a use case for it. Signed-off-by: Chia-I Wu <olvaffe@gmail.com> Reviewed-by: Yiwei Zhang <zzyiwei@chromium.org> Reviewed-by: Ryan Neph <ryanneph@google.com>
3 years ago
return false;
server: rework worker apis and internals Now that render_worker_jail tracks workers, the apis are simplified such that - render_worker_create forks a subprocess - render_worker_destroy kills a subprocess - render_worker_jail_reap_workers reaps all exited subprocesses Also add render_worker_jail_detach_workers that can be called by a forked subprocess to "detach" (free without killing/reaping) workers. v2: replace some checks for worker->{destroyed,reaped} by asserts (Ryan) Signed-off-by: Chia-I Wu <olvaffe@gmail.com> Reviewed-by: Yiwei Zhang <zzyiwei@chromium.org> (v1) Reviewed-by: Ryan Neph <ryanneph@google.com> (v1)
3 years ago
server: listen to SIGCHLD to reap workers No more confusing zombie processes. Signed-off-by: Chia-I Wu <olvaffe@gmail.com> Reviewed-by: Yiwei Zhang <zzyiwei@chromium.org> Reviewed-by: Ryan Neph <ryanneph@google.com>
3 years ago
if (poll_fds[RENDER_SERVER_POLL_SOCKET].revents) {
if (!render_client_dispatch(client))
return false;
}
if (poll_fds[RENDER_SERVER_POLL_SIGCHLD].revents) {
if (!render_worker_jail_reap_workers(srv->worker_jail))
return false;
}
virgl: add render server The render server is a daemon that sits idle waiting for commands. When requested to create a context, it forks and creates the context in a subprocess. This isolates contexts from each other, from the server process, and from the client process. Because a context process can execute untrusted commands and depends on GPU drivers, the isolation should improve the security. There is also a multi-thread mode where each context is executed by a thread. This mode is used to ease debugging, but maybe someone will find a use case for it. Signed-off-by: Chia-I Wu <olvaffe@gmail.com> Reviewed-by: Yiwei Zhang <zzyiwei@chromium.org> Reviewed-by: Ryan Neph <ryanneph@google.com>
3 years ago
}
return true;
}
static void
render_server_fini(struct render_server *srv)
{
if (srv->client)
render_client_destroy(srv->client);
if (srv->worker_jail)
render_worker_jail_destroy(srv->worker_jail);
if (srv->client_fd >= 0)
close(srv->client_fd);
}
static bool
render_server_parse_options(struct render_server *srv, int argc, char **argv)
{
enum {
OPT_SOCKET_FD = 'a',
OPT_WORKER_SECCOMP_BPF,
OPT_WORKER_SECCOMP_MINIJAIL_POLICY,
OPT_WORKER_SECCOMP_MINIJAIL_LOG,
OPT_COUNT,
};
static const struct option options[] = {
{ "socket-fd", required_argument, NULL, OPT_SOCKET_FD },
{ "worker-seccomp-bpf", required_argument, NULL, OPT_WORKER_SECCOMP_BPF },
{ "worker-seccomp-minijail-policy", required_argument, NULL,
OPT_WORKER_SECCOMP_MINIJAIL_POLICY },
{ "worker-seccomp-minijail-log", no_argument, NULL,
OPT_WORKER_SECCOMP_MINIJAIL_LOG },
{ NULL, 0, NULL, 0 }
};
static_assert(OPT_COUNT <= 'z', "");
while (true) {
const int ret = getopt_long(argc, argv, "", options, NULL);
if (ret == -1)
break;
switch (ret) {
case OPT_SOCKET_FD:
srv->client_fd = atoi(optarg);
break;
case OPT_WORKER_SECCOMP_BPF:
srv->worker_seccomp_bpf = optarg;
break;
case OPT_WORKER_SECCOMP_MINIJAIL_POLICY:
srv->worker_seccomp_minijail_policy = optarg;
break;
case OPT_WORKER_SECCOMP_MINIJAIL_LOG:
srv->worker_seccomp_minijail_log = true;
break;
default:
render_log("unknown option specified");
return false;
break;
}
}
if (optind < argc) {
render_log("non-option arguments specified");
return false;
}
if (srv->client_fd < 0 || !render_socket_is_seqpacket(srv->client_fd)) {
render_log("no valid client fd specified");
return false;
}
return true;
}
static bool
render_server_init(struct render_server *srv,
int argc,
char **argv,
struct render_context_args *ctx_args)
{
memset(srv, 0, sizeof(*srv));
srv->state = RENDER_SERVER_STATE_RUN;
srv->context_args = ctx_args;
srv->client_fd = -1;
if (!render_server_parse_options(srv, argc, argv))
return false;
enum render_worker_jail_seccomp_filter seccomp_filter =
RENDER_WORKER_JAIL_SECCOMP_NONE;
const char *seccomp_path = NULL;
if (srv->worker_seccomp_minijail_log && srv->worker_seccomp_minijail_policy) {
seccomp_filter = RENDER_WORKER_JAIL_SECCOMP_MINIJAIL_POLICY_LOG;
seccomp_path = srv->worker_seccomp_minijail_policy;
} else if (srv->worker_seccomp_bpf) {
seccomp_filter = RENDER_WORKER_JAIL_SECCOMP_BPF;
seccomp_path = srv->worker_seccomp_bpf;
} else if (srv->worker_seccomp_minijail_policy) {
seccomp_filter = RENDER_WORKER_JAIL_SECCOMP_MINIJAIL_POLICY;
seccomp_path = srv->worker_seccomp_minijail_policy;
}
server: move worker count to render_worker_jail Signed-off-by: Chia-I Wu <olvaffe@gmail.com> Reviewed-by: Yiwei Zhang <zzyiwei@chromium.org> Reviewed-by: Ryan Neph <ryanneph@google.com>
3 years ago
srv->worker_jail = render_worker_jail_create(RENDER_SERVER_MAX_WORKER_COUNT,
seccomp_filter, seccomp_path);
virgl: add render server The render server is a daemon that sits idle waiting for commands. When requested to create a context, it forks and creates the context in a subprocess. This isolates contexts from each other, from the server process, and from the client process. Because a context process can execute untrusted commands and depends on GPU drivers, the isolation should improve the security. There is also a multi-thread mode where each context is executed by a thread. This mode is used to ease debugging, but maybe someone will find a use case for it. Signed-off-by: Chia-I Wu <olvaffe@gmail.com> Reviewed-by: Yiwei Zhang <zzyiwei@chromium.org> Reviewed-by: Ryan Neph <ryanneph@google.com>
3 years ago
if (!srv->worker_jail) {
render_log("failed to create worker jail");
goto fail;
}
srv->client = render_client_create(srv, srv->client_fd);
if (!srv->client) {
render_log("failed to create client");
goto fail;
}
/* ownership transferred */
srv->client_fd = -1;
return true;
fail:
render_server_fini(srv);
return false;
}
bool
render_server_main(int argc, char **argv, struct render_context_args *ctx_args)
{
struct render_server srv;
if (!render_server_init(&srv, argc, argv, ctx_args))
return false;
const bool ok = render_server_run(&srv);
render_server_fini(&srv);
return ok;
}