From: Warner Losh <imp@bsdimp.com>
To: ron minnich <rminnich@gmail.com>
Cc: The Eunuchs Hysterical Society <tuhs@tuhs.org>
Subject: Re: [TUHS] Unix APIs: elegant or not?
Date: Thu, 1 Nov 2018 10:56:44 -0600 [thread overview]
Message-ID: <CANCZdfqSv7U+fOyoX2YeD7UZpr8Pi6sWJm_jCFr=xjRhE808qw@mail.gmail.com> (raw)
In-Reply-To: <CAP6exY+ZxHC3H=jUt0G1kGPJQdMUid40Lt4aDkf80tevC9K1dg@mail.gmail.com>
[-- Attachment #1: Type: text/plain, Size: 1850 bytes --]
On Thu, Nov 1, 2018 at 10:48 AM ron minnich <rminnich@gmail.com> wrote:
>
>
> On Thu, Nov 1, 2018 at 9:44 AM Warner Losh <imp@bsdimp.com> wrote:
>
>>
>>
>> There's another school of thought too that says the kernel has no
>> business parsing strings with all the security implications of doing so...
>>
>>
> yeah, it's an interesting question. But Unix is based on parsing strings.
> The kernel already parses lots of strings for paths, for all kinds of
> reasons, so adding another element in the kernel that uses paths seems
> acceptable.
>
Well, if the nose of a camel comes in under the tent, the rest of the camel
is sure to follow... Parsing a string path is rock simple, but are there
two arguments or three for this command, and what happens if they are too
long, or negative when you expect and fd, or or or. The CVE-archive is
littered with people who thought parsing in the kernel was simple and
easy...
> The bigger problem for Plan 9 that started to bite was i8n. All the Plan 9
> messages are English, oops. All the control messages are english. And so
> on.
>
> And, further, that network architecture I referenced is much less
> efficient than the BSD model -- 5 system calls per accept! so that was
> starting to hit us here on the Akaros project, since we imported the entire
> Plan 9 network stack into akaros, along with the drivers. Linux left us in
> the dust on network connections/second. We were going to change it had
> Akaros continued.
>
That's the other reason to not do stings in the kernel: parsing is takes
time.
I'll grant there's a balance here: A single int fd is nice so you don't
have to pass a pointer to the device call function and provides a level of
abstraction that blocks many bad data attacks. But even with this interface
there's been issues with improper range checks for some interfaces.
Warner
[-- Attachment #2: Type: text/html, Size: 2759 bytes --]
next prev parent reply other threads:[~2018-11-01 17:53 UTC|newest]
Thread overview: 30+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-10-31 4:38 Warren Toomey
2018-10-31 15:47 ` Paul Winalski
2018-10-31 17:22 ` Clem Cole
2018-10-31 19:33 ` Lawrence Stewart
2018-10-31 20:57 ` G. Branden Robinson
2018-10-31 21:31 ` Dave Horsfall
2018-11-01 7:42 ` Pierre DAVID
2018-11-01 10:20 ` Dave Horsfall
2018-11-01 12:57 ` Clem Cole
2018-11-01 14:19 ` ron minnich
2018-11-01 14:41 ` Clem Cole
2018-11-01 16:43 ` Warner Losh
2018-11-01 16:48 ` ron minnich
2018-11-01 16:56 ` Warner Losh [this message]
2018-11-02 5:24 ` Bakul Shah
2018-11-04 10:53 ` Chris Hanson
2018-11-04 15:34 ` ron minnich
2018-11-04 17:06 ` Warner Losh
2018-11-04 20:00 ` ron minnich
2018-11-04 18:52 ` Bakul Shah
2018-11-04 10:49 ` Chris Hanson
2018-11-04 12:28 ` arnold
2018-11-04 21:34 ` Chris Hanson
2018-11-05 14:11 ` Donald ODona
2018-11-04 13:35 ` Warner Losh
2018-11-04 19:47 ` Dave Horsfall
2018-11-01 15:39 Noel Chiappa
2018-11-04 22:29 Theodore Y. Ts'o
2018-11-04 22:37 Noel Chiappa
2018-11-05 4:04 ` Dave Horsfall
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CANCZdfqSv7U+fOyoX2YeD7UZpr8Pi6sWJm_jCFr=xjRhE808qw@mail.gmail.com' \
--to=imp@bsdimp.com \
--cc=rminnich@gmail.com \
--cc=tuhs@tuhs.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).