Re: gnome-sdk update and TODOs
- From: Tanu Kaskinen <tanu kaskinen linux intel com>
- To: Arun Raghavan <arun accosted net>
- Cc: gnome-os-list <gnome-os-list gnome org>
- Subject: Re: gnome-sdk update and TODOs
- Date: Tue, 16 Dec 2014 10:15:49 +0200
On Tue, 2014-12-16 at 09:48 +0530, Arun Raghavan wrote:
On 15 Dec 2014 13:29, "Alexander Larsson" <alexl redhat com> wrote:
On fre, 2014-12-12 at 17:42 +0100, Bastien Nocera wrote:
On Fri, 2014-12-12 at 17:08 +0100, Alexander Larsson wrote:
On fre, 2014-11-28 at 16:07 +0100, Alexander Larsson wrote:
* Audio
There is no audio support atm. Neither alsa libs, not device nodes.
I think the best approach is to use pulseaudio, but this needs
careful consideration in terms of ABI/IPC compat, performance,
latency, etc.
Today I looked at audio via pulseaudio. This is kind of tricky, it seems
to me like the pulseaudio protocol follows the X11 style permissions
method. I.e. if you're able to authenticate to the daemon you have full
privs, including loading modules into the daemon.
Furthermore, the "normal" mode of using shared memory to send audio
relies on a single global /dev/shm, which breaks with any kind of
containerization and allows any client to read any other clients data.
I don't see why theoretically pulseaudio couldn't allow shared memory
buffers in a contained mode, via e.g. fd passing of the shared memory
instead of a shared namespace. However, anything like this involves
upstream changes to the protocol. For now i'm disabling shared memory
in the app, which is not ideal but at least allows apps to play sounds.
In my experience the performance benefit of using shared memory in
PulseAudio is small, so I wouldn't be too worried about disabling it.
Lennart did mention that PulseAudio could make use of kdbus for passing
buffers around, and I guess that Wim's "PulseVideo" (for the lack of a
better name) could also make use of it.
Finer permissions are necessary in any case. You can probably allow any
app to play sound, but you might not want to allow microphone access to
most applications.
Yeah, this level of permissions will need some drastic changes to the
pulseaudio client handling. Perhaps it is possible to do while keeping
the protocol, not sure about that. But in general, a kdbus version would
be pretty nice as this would remove the issues around having to
share /dev/shm with the host.
Yes, kdbus is something that could be useful to plug this leak (though
we'd also need to make sure we don't add much overhead). In general,
securing the protocol is something we'd like to have, but is a huge
can of worms right now -- securing the protocol post-facto will be
hard to do right.
As I see it, the system for fine-grained permissions should be
protocol-agnostic. Implementing that system is a lot of work. Adapting
the current native protocol implementation to that is probably a smaller
task - all commands already can fail for whatever reason, so it
shouldn't be a big deal to add cases where they fail for "permission
denied" reasons.
A separate issue is that the protocol implementation doesn't do enough
input validation. That should be fixed even if we don't have a
fine-grained permission system.
Tanu was looking at a tunnel-based solution for containers in the mean
time. Maybe he can fill us in on this.
That's a misunderstanding. I haven't been involved with containers. In
our "cascaded PulseAudio setup" the goal is to allow multiple users to
access the audio hardware simultaneously without some of the drawbacks
of the normal system mode setup. We run one instance in system mode that
manages the hardware, plus per-user instances that use tunnels to access
the hardware via the system instance. The user instances are normal
clients from the point of view of the system instance, so they have full
access to everything.
--
Tanu
[
Date Prev][
Date Next] [
Thread Prev][
Thread Next]
[
Thread Index]
[
Date Index]
[
Author Index]