LingBo Tang wrote:
> Darren J Moffat wrote:
>> LingBo Tang wrote:
>>> - current VT usage model is not match with devname as other cases,
>>>   like pts and clearview;
>>> - manage active link as symlink in devname filesystem requests expand
>>>   current devname.
>>> - VT daemon can update the contents of "active link" by two syscalls,
>>>   which only have a very small time window for potential incorrect
>>>   plug-in device accessing.
>> very small ?
>> No window of incorrectness is acceptable, since a race condition like 
>> this could lead to possible incorrect permissions and this security 
>> problems.
>> It MUST always be correct, if you can't make it always correct don't 
>> do it.
> How about change the target of symlink as below?
> During VT switch, change the target to next target VT first, then
> do actual VT activate ioctl.

What happens then if the activate ioctl is interuptted or some how fails ?

This needs to be atomic.

> if the target VT has no user login, ( in another words, login programs
> is using that VT, and the ownership of VT node is root ) then the
> worst case is the ownership of new plug-in device is set to "root".
> The user can do plug-out/plug-in again to solve the incorrect ownership
> for this case.

Having the user need to plug and unplug things to fix problems in our 
architecture isn't aceptable.

> If there has been user login on target VT, the plug-in device will
> belong to that user.
> Because switching VT and changing target of symlink are 2 operations,
> how to make it work in synchronization way?

It is only to operations because your implementation is making it that 
way.  It needs to be an atomic operation or you need to drop the active 
symlink concept.  Maybe a symlink is the wrong implementation.  Maybe 
the kernel subsystem when it does the switch should be updating the 
active node (ie it isn't actually a symlink but a different name for 

Darren J Moffat

Reply via email to