1. 25 Nov, 2019 31 commits
  2. 24 Nov, 2019 3 commits
    • Timothy Arceri's avatar
      radv: create a fresh fork for each pipeline compile · f54c4e85
      Timothy Arceri authored
      In order to prevent a potential malicious pipeline tainting our
      secure compile process and interfering with successive pipelines
      we want to create a fresh fork for each pipeline compile.
      
      Benchmarking has shown that simply forking on each pipeline
      creation doubles the total time it takes to compile a fossilize db
      collection. So instead here we fork the process at device creation
      so that we have a slim copy of the device and then fork this
      otherwise idle and untainted process each time we compile a
      pipeline. Forking this slim copy of the device results in only a
      20% increase in compile time vs a 100% increase.
      
      Fixes: cff53da3 ("radv: enable secure compile support")
      f54c4e85
    • Timothy Arceri's avatar
      radv: add a secure_compile_open_fifo_fds() helper · 1663bb1f
      Timothy Arceri authored
      This will be used to create a communication pipe between the user
      facing device and a freshly forked (per pipeline compile) slim copy
      of that device.
      
      We can't use pipe() here because the fork will not be a direct fork
      of the user facing process. Instead we use a previously forked
      copy of the process that was forked at device creation in order to
      reduce the resources required for the fork and avoid performance
      issues.
      
      Fixes: cff53da3 ("radv: enable secure compile support")
      1663bb1f
    • Timothy Arceri's avatar
      radv: add some infrastructure for fresh forks for each secure compile · ef54f15d
      Timothy Arceri authored
      In the following commits we want to be able to fork an existing lightweight
      fork created at device creation time. In order for the user facing process
      to communicate with this new fresh fork we create some members here to hold
      FIFO file descriptors and a unique id.
      
      Here we also add a new fork enum that we use to tell the lightweight
      process to create a fresh fork.
      
      For more information on why we create a fresh fork see the following
      commits.
      ef54f15d
  3. 23 Nov, 2019 6 commits