[Xenomai-git] Philippe Gerum : copperplate: enable group-based access to sessions
Module: xenomai-3 Branch: master Commit: cf21e806295981a9d0e342f683bfef419b6e3c68 URL: http://git.xenomai.org/?p=xenomai-3.git;a=commit;h=cf21e806295981a9d0e342f683bfef419b6e3c68 Author: Philippe GerumDate: Fri Sep 11 18:47:24 2015 +0200 copperplate: enable group-based access to sessions Passing --session foo/ will allow the members of the designated UNIX group to attach the shared heap and use the Copperplate services within a particular session. may be a valid GID or group name from /etc/group. With Cobalt, such group would typically match the xenomai.allowed_group parameter passed to the kernel. To set up a shared session involving non-privileged users, all of them must be members of a dedicated UNIX group, and the following operations should be carried out: 1. if using Cobalt, pass xenomai.gid= on the kernel command line accordingly 2. set udev rules to chown+chmod /dev/rtdm/* files with proper group permissions (e.g. for user group "xenomai" => SUBSYSTEM=="rtdm", MODE="0660", GROUP="xenomai") 3. create the registry root manually with proper permissions, 1777 is recommended if non-privileged processes will belong to the session 4. if --shared-registry is required from a non-privileged session initiator (i.e. the first process establishing the session), set user_allow_other in /etc/fuse.conf 5. to start a session with group-based access control, suffix the session name with the allowed group name or id separated with a slash ('/') when starting the session initiator, i.e. --session name/ . For instance, with {user} a member of the "xenomai" group: /* The initiator of session 'foo' is [root] */ [root] ./program --session foo/xenomai /* Bind a non-privileged process from {user} to session 'foo' */ {user} ./program --session foo Or, with {user1} and {user2} both members of the "xenomai" group: /* The initiator of session 'foo' is {user1} */ {user1} ./program --session foo/xenomai /* Bind a process from {user2} to session 'foo' */ {user2} ./program --session foo --- include/copperplate/heapobj.h |8 -- include/copperplate/threadobj.h |3 +- include/copperplate/tunables.h| 11 lib/copperplate/cluster.c |5 +++- lib/copperplate/heapobj-pshared.c | 55 - lib/copperplate/init.c| 47 +-- lib/copperplate/internal.c| 10 +++ lib/copperplate/internal.h|2 ++ lib/copperplate/registry.c|5 ++-- lib/copperplate/threadobj.c | 50 + 10 files changed, 150 insertions(+), 46 deletions(-) diff --git a/include/copperplate/heapobj.h b/include/copperplate/heapobj.h index c61cf3e..4cf947e 100644 --- a/include/copperplate/heapobj.h +++ b/include/copperplate/heapobj.h @@ -192,11 +192,6 @@ struct sysgroup_memspec { struct holder next; }; -struct agent_memspec { - /** Agent pid in owner process. */ - pid_t pid; -}; - static inline void *mainheap_ptr(memoff_t off) { return off ? (void *)__memptr(__main_heap, off) : NULL; @@ -326,9 +321,6 @@ char *xnstrdup(const char *ptr); struct sysgroup_memspec { }; -struct agent_memspec { -}; - /* * Whether an object is laid in some shared heap. Never if pshared * mode is disabled. diff --git a/include/copperplate/threadobj.h b/include/copperplate/threadobj.h index 1d01709..f27c111 100644 --- a/include/copperplate/threadobj.h +++ b/include/copperplate/threadobj.h @@ -212,7 +212,6 @@ struct threadobj { struct traceobj *tracer; sem_t *cancel_sem; struct sysgroup_memspec memspec; - struct agent_memspec agent; struct backtrace_data btd; }; @@ -392,7 +391,7 @@ static inline int threadobj_local_p(struct threadobj *thobj) void threadobj_init_key(void); -int threadobj_pkg_init(void); +int threadobj_pkg_init(int anon_session); #ifdef __cplusplus } diff --git a/include/copperplate/tunables.h b/include/copperplate/tunables.h index 8428716..640b8b4 100644 --- a/include/copperplate/tunables.h +++ b/include/copperplate/tunables.h @@ -27,6 +27,7 @@ struct copperplate_setup_data { int no_registry; int shared_registry; size_t mem_pool; + gid_t session_gid; }; #ifdef __cplusplus @@ -85,6 +86,16 @@ static inline read_config_tunable(mem_pool_size, size_t) return __copperplate_setup_data.mem_pool; } +static inline define_config_tunable(session_gid, gid_t, gid) +{ + __copperplate_setup_data.session_gid = gid; +} + +static inline read_config_tunable(session_gid, gid_t) +{ + return __copperplate_setup_data.session_gid; +} + #ifdef __cplusplus } #endif diff --git a/lib/copperplate/cluster.c b/lib/copperplate/cluster.c index eac0afe..f0552f0 100644 --- a/lib/copperplate/cluster.c +++ b/lib/copperplate/cluster.c @@ -174,8 +174,11 @@ static int cluster_probe(struct hashobj *hobj) * we can send the
[Xenomai-git] Philippe Gerum : copperplate: enable group-based access to sessions
Module: xenomai-3 Branch: arm64 Commit: cf21e806295981a9d0e342f683bfef419b6e3c68 URL: http://git.xenomai.org/?p=xenomai-3.git;a=commit;h=cf21e806295981a9d0e342f683bfef419b6e3c68 Author: Philippe GerumDate: Fri Sep 11 18:47:24 2015 +0200 copperplate: enable group-based access to sessions Passing --session foo/ will allow the members of the designated UNIX group to attach the shared heap and use the Copperplate services within a particular session. may be a valid GID or group name from /etc/group. With Cobalt, such group would typically match the xenomai.allowed_group parameter passed to the kernel. To set up a shared session involving non-privileged users, all of them must be members of a dedicated UNIX group, and the following operations should be carried out: 1. if using Cobalt, pass xenomai.gid= on the kernel command line accordingly 2. set udev rules to chown+chmod /dev/rtdm/* files with proper group permissions (e.g. for user group "xenomai" => SUBSYSTEM=="rtdm", MODE="0660", GROUP="xenomai") 3. create the registry root manually with proper permissions, 1777 is recommended if non-privileged processes will belong to the session 4. if --shared-registry is required from a non-privileged session initiator (i.e. the first process establishing the session), set user_allow_other in /etc/fuse.conf 5. to start a session with group-based access control, suffix the session name with the allowed group name or id separated with a slash ('/') when starting the session initiator, i.e. --session name/ . For instance, with {user} a member of the "xenomai" group: /* The initiator of session 'foo' is [root] */ [root] ./program --session foo/xenomai /* Bind a non-privileged process from {user} to session 'foo' */ {user} ./program --session foo Or, with {user1} and {user2} both members of the "xenomai" group: /* The initiator of session 'foo' is {user1} */ {user1} ./program --session foo/xenomai /* Bind a process from {user2} to session 'foo' */ {user2} ./program --session foo --- include/copperplate/heapobj.h |8 -- include/copperplate/threadobj.h |3 +- include/copperplate/tunables.h| 11 lib/copperplate/cluster.c |5 +++- lib/copperplate/heapobj-pshared.c | 55 - lib/copperplate/init.c| 47 +-- lib/copperplate/internal.c| 10 +++ lib/copperplate/internal.h|2 ++ lib/copperplate/registry.c|5 ++-- lib/copperplate/threadobj.c | 50 + 10 files changed, 150 insertions(+), 46 deletions(-) diff --git a/include/copperplate/heapobj.h b/include/copperplate/heapobj.h index c61cf3e..4cf947e 100644 --- a/include/copperplate/heapobj.h +++ b/include/copperplate/heapobj.h @@ -192,11 +192,6 @@ struct sysgroup_memspec { struct holder next; }; -struct agent_memspec { - /** Agent pid in owner process. */ - pid_t pid; -}; - static inline void *mainheap_ptr(memoff_t off) { return off ? (void *)__memptr(__main_heap, off) : NULL; @@ -326,9 +321,6 @@ char *xnstrdup(const char *ptr); struct sysgroup_memspec { }; -struct agent_memspec { -}; - /* * Whether an object is laid in some shared heap. Never if pshared * mode is disabled. diff --git a/include/copperplate/threadobj.h b/include/copperplate/threadobj.h index 1d01709..f27c111 100644 --- a/include/copperplate/threadobj.h +++ b/include/copperplate/threadobj.h @@ -212,7 +212,6 @@ struct threadobj { struct traceobj *tracer; sem_t *cancel_sem; struct sysgroup_memspec memspec; - struct agent_memspec agent; struct backtrace_data btd; }; @@ -392,7 +391,7 @@ static inline int threadobj_local_p(struct threadobj *thobj) void threadobj_init_key(void); -int threadobj_pkg_init(void); +int threadobj_pkg_init(int anon_session); #ifdef __cplusplus } diff --git a/include/copperplate/tunables.h b/include/copperplate/tunables.h index 8428716..640b8b4 100644 --- a/include/copperplate/tunables.h +++ b/include/copperplate/tunables.h @@ -27,6 +27,7 @@ struct copperplate_setup_data { int no_registry; int shared_registry; size_t mem_pool; + gid_t session_gid; }; #ifdef __cplusplus @@ -85,6 +86,16 @@ static inline read_config_tunable(mem_pool_size, size_t) return __copperplate_setup_data.mem_pool; } +static inline define_config_tunable(session_gid, gid_t, gid) +{ + __copperplate_setup_data.session_gid = gid; +} + +static inline read_config_tunable(session_gid, gid_t) +{ + return __copperplate_setup_data.session_gid; +} + #ifdef __cplusplus } #endif diff --git a/lib/copperplate/cluster.c b/lib/copperplate/cluster.c index eac0afe..f0552f0 100644 --- a/lib/copperplate/cluster.c +++ b/lib/copperplate/cluster.c @@ -174,8 +174,11 @@ static int cluster_probe(struct hashobj *hobj) * we can send the
[Xenomai-git] Philippe Gerum : copperplate: enable group-based access to sessions
Module: xenomai-3 Branch: numalliance Commit: cf21e806295981a9d0e342f683bfef419b6e3c68 URL: http://git.xenomai.org/?p=xenomai-3.git;a=commit;h=cf21e806295981a9d0e342f683bfef419b6e3c68 Author: Philippe GerumDate: Fri Sep 11 18:47:24 2015 +0200 copperplate: enable group-based access to sessions Passing --session foo/ will allow the members of the designated UNIX group to attach the shared heap and use the Copperplate services within a particular session. may be a valid GID or group name from /etc/group. With Cobalt, such group would typically match the xenomai.allowed_group parameter passed to the kernel. To set up a shared session involving non-privileged users, all of them must be members of a dedicated UNIX group, and the following operations should be carried out: 1. if using Cobalt, pass xenomai.gid= on the kernel command line accordingly 2. set udev rules to chown+chmod /dev/rtdm/* files with proper group permissions (e.g. for user group "xenomai" => SUBSYSTEM=="rtdm", MODE="0660", GROUP="xenomai") 3. create the registry root manually with proper permissions, 1777 is recommended if non-privileged processes will belong to the session 4. if --shared-registry is required from a non-privileged session initiator (i.e. the first process establishing the session), set user_allow_other in /etc/fuse.conf 5. to start a session with group-based access control, suffix the session name with the allowed group name or id separated with a slash ('/') when starting the session initiator, i.e. --session name/ . For instance, with {user} a member of the "xenomai" group: /* The initiator of session 'foo' is [root] */ [root] ./program --session foo/xenomai /* Bind a non-privileged process from {user} to session 'foo' */ {user} ./program --session foo Or, with {user1} and {user2} both members of the "xenomai" group: /* The initiator of session 'foo' is {user1} */ {user1} ./program --session foo/xenomai /* Bind a process from {user2} to session 'foo' */ {user2} ./program --session foo --- include/copperplate/heapobj.h |8 -- include/copperplate/threadobj.h |3 +- include/copperplate/tunables.h| 11 lib/copperplate/cluster.c |5 +++- lib/copperplate/heapobj-pshared.c | 55 - lib/copperplate/init.c| 47 +-- lib/copperplate/internal.c| 10 +++ lib/copperplate/internal.h|2 ++ lib/copperplate/registry.c|5 ++-- lib/copperplate/threadobj.c | 50 + 10 files changed, 150 insertions(+), 46 deletions(-) diff --git a/include/copperplate/heapobj.h b/include/copperplate/heapobj.h index c61cf3e..4cf947e 100644 --- a/include/copperplate/heapobj.h +++ b/include/copperplate/heapobj.h @@ -192,11 +192,6 @@ struct sysgroup_memspec { struct holder next; }; -struct agent_memspec { - /** Agent pid in owner process. */ - pid_t pid; -}; - static inline void *mainheap_ptr(memoff_t off) { return off ? (void *)__memptr(__main_heap, off) : NULL; @@ -326,9 +321,6 @@ char *xnstrdup(const char *ptr); struct sysgroup_memspec { }; -struct agent_memspec { -}; - /* * Whether an object is laid in some shared heap. Never if pshared * mode is disabled. diff --git a/include/copperplate/threadobj.h b/include/copperplate/threadobj.h index 1d01709..f27c111 100644 --- a/include/copperplate/threadobj.h +++ b/include/copperplate/threadobj.h @@ -212,7 +212,6 @@ struct threadobj { struct traceobj *tracer; sem_t *cancel_sem; struct sysgroup_memspec memspec; - struct agent_memspec agent; struct backtrace_data btd; }; @@ -392,7 +391,7 @@ static inline int threadobj_local_p(struct threadobj *thobj) void threadobj_init_key(void); -int threadobj_pkg_init(void); +int threadobj_pkg_init(int anon_session); #ifdef __cplusplus } diff --git a/include/copperplate/tunables.h b/include/copperplate/tunables.h index 8428716..640b8b4 100644 --- a/include/copperplate/tunables.h +++ b/include/copperplate/tunables.h @@ -27,6 +27,7 @@ struct copperplate_setup_data { int no_registry; int shared_registry; size_t mem_pool; + gid_t session_gid; }; #ifdef __cplusplus @@ -85,6 +86,16 @@ static inline read_config_tunable(mem_pool_size, size_t) return __copperplate_setup_data.mem_pool; } +static inline define_config_tunable(session_gid, gid_t, gid) +{ + __copperplate_setup_data.session_gid = gid; +} + +static inline read_config_tunable(session_gid, gid_t) +{ + return __copperplate_setup_data.session_gid; +} + #ifdef __cplusplus } #endif diff --git a/lib/copperplate/cluster.c b/lib/copperplate/cluster.c index eac0afe..f0552f0 100644 --- a/lib/copperplate/cluster.c +++ b/lib/copperplate/cluster.c @@ -174,8 +174,11 @@ static int cluster_probe(struct hashobj *hobj) * we can send
[Xenomai-git] Philippe Gerum : copperplate: enable group-based access to sessions
Module: xenomai-3 Branch: next Commit: cf21e806295981a9d0e342f683bfef419b6e3c68 URL: http://git.xenomai.org/?p=xenomai-3.git;a=commit;h=cf21e806295981a9d0e342f683bfef419b6e3c68 Author: Philippe GerumDate: Fri Sep 11 18:47:24 2015 +0200 copperplate: enable group-based access to sessions Passing --session foo/ will allow the members of the designated UNIX group to attach the shared heap and use the Copperplate services within a particular session. may be a valid GID or group name from /etc/group. With Cobalt, such group would typically match the xenomai.allowed_group parameter passed to the kernel. To set up a shared session involving non-privileged users, all of them must be members of a dedicated UNIX group, and the following operations should be carried out: 1. if using Cobalt, pass xenomai.gid= on the kernel command line accordingly 2. set udev rules to chown+chmod /dev/rtdm/* files with proper group permissions (e.g. for user group "xenomai" => SUBSYSTEM=="rtdm", MODE="0660", GROUP="xenomai") 3. create the registry root manually with proper permissions, 1777 is recommended if non-privileged processes will belong to the session 4. if --shared-registry is required from a non-privileged session initiator (i.e. the first process establishing the session), set user_allow_other in /etc/fuse.conf 5. to start a session with group-based access control, suffix the session name with the allowed group name or id separated with a slash ('/') when starting the session initiator, i.e. --session name/ . For instance, with {user} a member of the "xenomai" group: /* The initiator of session 'foo' is [root] */ [root] ./program --session foo/xenomai /* Bind a non-privileged process from {user} to session 'foo' */ {user} ./program --session foo Or, with {user1} and {user2} both members of the "xenomai" group: /* The initiator of session 'foo' is {user1} */ {user1} ./program --session foo/xenomai /* Bind a process from {user2} to session 'foo' */ {user2} ./program --session foo --- include/copperplate/heapobj.h |8 -- include/copperplate/threadobj.h |3 +- include/copperplate/tunables.h| 11 lib/copperplate/cluster.c |5 +++- lib/copperplate/heapobj-pshared.c | 55 - lib/copperplate/init.c| 47 +-- lib/copperplate/internal.c| 10 +++ lib/copperplate/internal.h|2 ++ lib/copperplate/registry.c|5 ++-- lib/copperplate/threadobj.c | 50 + 10 files changed, 150 insertions(+), 46 deletions(-) diff --git a/include/copperplate/heapobj.h b/include/copperplate/heapobj.h index c61cf3e..4cf947e 100644 --- a/include/copperplate/heapobj.h +++ b/include/copperplate/heapobj.h @@ -192,11 +192,6 @@ struct sysgroup_memspec { struct holder next; }; -struct agent_memspec { - /** Agent pid in owner process. */ - pid_t pid; -}; - static inline void *mainheap_ptr(memoff_t off) { return off ? (void *)__memptr(__main_heap, off) : NULL; @@ -326,9 +321,6 @@ char *xnstrdup(const char *ptr); struct sysgroup_memspec { }; -struct agent_memspec { -}; - /* * Whether an object is laid in some shared heap. Never if pshared * mode is disabled. diff --git a/include/copperplate/threadobj.h b/include/copperplate/threadobj.h index 1d01709..f27c111 100644 --- a/include/copperplate/threadobj.h +++ b/include/copperplate/threadobj.h @@ -212,7 +212,6 @@ struct threadobj { struct traceobj *tracer; sem_t *cancel_sem; struct sysgroup_memspec memspec; - struct agent_memspec agent; struct backtrace_data btd; }; @@ -392,7 +391,7 @@ static inline int threadobj_local_p(struct threadobj *thobj) void threadobj_init_key(void); -int threadobj_pkg_init(void); +int threadobj_pkg_init(int anon_session); #ifdef __cplusplus } diff --git a/include/copperplate/tunables.h b/include/copperplate/tunables.h index 8428716..640b8b4 100644 --- a/include/copperplate/tunables.h +++ b/include/copperplate/tunables.h @@ -27,6 +27,7 @@ struct copperplate_setup_data { int no_registry; int shared_registry; size_t mem_pool; + gid_t session_gid; }; #ifdef __cplusplus @@ -85,6 +86,16 @@ static inline read_config_tunable(mem_pool_size, size_t) return __copperplate_setup_data.mem_pool; } +static inline define_config_tunable(session_gid, gid_t, gid) +{ + __copperplate_setup_data.session_gid = gid; +} + +static inline read_config_tunable(session_gid, gid_t) +{ + return __copperplate_setup_data.session_gid; +} + #ifdef __cplusplus } #endif diff --git a/lib/copperplate/cluster.c b/lib/copperplate/cluster.c index eac0afe..f0552f0 100644 --- a/lib/copperplate/cluster.c +++ b/lib/copperplate/cluster.c @@ -174,8 +174,11 @@ static int cluster_probe(struct hashobj *hobj) * we can send the