Facebook Patent | Capability space
Patent: Capability space
Drawings: Click to check drawins
Publication Number: 20210049036
Publication Date: 20210218
Applicant: Facebook
Abstract
In one embodiment, a kernel of an operating system executing on a computing system receives a system call from a process requesting to perform an operation on a kernel object. The system call includes an object handle to the kernel object. The kernel accesses, from a memory space allocated to the kernel, data associated with the object handle. The data identifies an object type of the kernel object and specifies a bit string. The kernel identifies, based on the object type and the bit string, a list of capabilities of the process. The kernel determines whether the process has permission to perform the operation on the kernel object by comparing the operation to the list of capabilities. The kernel, in response to determining the process has permission to perform the operation, allows the operation on the kernel object to be performed.
Claims
-
A method comprising, by a kernel of an operating system executing on a computing system: receiving a system call from a process requesting to perform an operation on a kernel object, wherein the system call comprises an object handle to the kernel object; accessing, from a memory space allocated to the kernel, data associated with the object handle, wherein the data identifies an object type of the kernel object and specifies a bit string; identifying, based on the object type and the bit string, a list of capabilities of the process, wherein each capability in the list indicates whether the process has permission to perform a predetermined operation on the kernel object; determining whether the process has permission to perform the operation on the kernel object by comparing the operation to the list of capabilities; and in response to determining the process has permission to perform the operation, allowing the operation on the kernel object to be performed.
-
The method of claim 1, wherein the kernel object is one of a thread, a process, or an interrupt.
-
The method of claim 1, wherein the object handle is generated by the kernel for the process when the kernel object is generated.
-
The method of claim 1, further comprising: receiving a second system call from the process requesting to perform a second operation on a second kernel object, wherein the second system call comprises a second object handle to a second kernel object; accessing, from a second memory space allocated to the kernel, a second data associated with the second object handle, wherein the second data identifies a second object type of the second kernel object and specifies a second bit string; identifying, based on the second object type and the second bit string, a second list of capabilities of the process; determining whether the process has permission to perform a second operation on the second kernel object by comparing the second operation to the second list of capabilities; and in response to determining the process has permission to perform the second operation, allowing the second operation on the second kernel object to be performed.
-
The method of claim 4, wherein the object type is different from the second object type, and wherein the list of capabilities for the object type is different from the second list of capabilities for the second object type.
-
The method of claim 1, wherein the object handle comprises one or more of a magic, a generation, and an offset, wherein the magic is a randomly generated number, and wherein the generation is a predetermined number to detect the offset.
-
The method of claim 1, wherein the object type is represented by a second bit string, and wherein identifying the object type is based on a comparison of the second bit string to a table of bit strings corresponding to a plurality of object types.
-
The method of claim 1, wherein the operation comprises one of a suspend operation, a resume operation, a query operation, or a terminate operation.
-
The method of claim 1, further comprising: duplicating the object handle to generate a second object handle to pass to a second process; allocating a second memory space to the kernel for a second data associated with the second object handle, wherein the second data identifies the object type of the kernel object and specifies a second bit string; and sending, to the second process, the second object handle.
-
The method of claim 9, further comprising: modifying the second bit string associated with the second object handle, wherein the second bit string corresponds to a second list of capabilities of the second process.
-
The method of claim 10, wherein modifying the second bit string associated with the second object handle comprises reducing the amount of permissions to perform operations on the kernel object.
-
The method of claim 10, wherein modifying the second bit string associated with the second object handle comprises increasing the amount of permissions to perform operations on the kernel object.
-
The method of claim 10, wherein modifying the second bit string associated with the second object handle is based on identifying one or more operations the second process requires to function.
-
One or more computer-readable non-transitory storage media embodying software that is operable when executed to: receive a system call from a process requesting to perform an operation on a kernel object, wherein the system call comprises an object handle to the kernel object; access, from a memory space allocated to the kernel, data associated with the object handle, wherein the data identifies an object type of the kernel object and specifies a bit string; identify, based on the object type and the bit string, a list of capabilities of the process, wherein each capability in the list indicates whether the process has permission to perform a predetermined operation on the kernel object; determine whether the process has permission to perform the operation on the kernel object by comparing the operation to the list of capabilities; and in response to determining the process has permission to perform the operation, allow the operation on the kernel object to be performed.
-
A system comprising: one or more processors; and a non-transitory memory coupled to the processors comprising instructions executable by the processors, the processors operable when executing the instructions to: receive a system call from a process requesting to perform an operation on a kernel object, wherein the system call comprises an object handle to the kernel object; access, from a memory space allocated to the kernel, data associated with the object handle, wherein the data identifies an object type of the kernel object and specifies a bit string; identify, based on the object type and the bit string, a list of capabilities of the process, wherein each capability in the list indicates whether the process has permission to perform a predetermined operation on the kernel object; determine whether the process has permission to perform the operation on the kernel object by comparing the operation to the list of capabilities; and in response to determining the process has permission to perform the operation, allow the operation on the kernel object to be performed.
Description
TECHNICAL FIELD
[0001] This disclosure generally relates to handles used in an operating system.
BACKGROUND
[0002] In computer programming, a handle is an abstract reference to a resource. Handles are used when application software references blocks of memory or objects managed by another system, such as a database or an operating system. A resource handle can be an opaque identifier, in which case it is often an integer number (often an array index in an array or “table” that is used to manage that type of resource), or it can be a pointer that allows access to further information. Common resource handles are file descriptors, network sockets, database connections, process identifiers (PIDs), and job IDs. Process IDs and job IDs are explicitly visible integers, while file descriptors and sockets (which are often implemented as a form of file descriptor) are represented as integers, but are typically considered opaque. In traditional implementations, file descriptors are indices into a (per-process) file descriptor table, thence a (system-wide) file table.
SUMMARY OF PARTICULAR EMBODIMENTS
[0003] Disclosed herein are a variety of different ways of generating handles for objects in an operating system. In particular embodiments, the handles may be specific for objects in an operating system for an augmented reality or virtual reality environment. The use of an augmented reality system or virtual reality system may be different than a typical computing system. As such, there may be privacy and security concerns that are unique to an augmented reality system or virtual reality system. Additionally, augmented reality systems and virtual reality systems may have different performance requirements than the typical computing system. As an example and not by way of limitation, an augmented reality system or a virtual reality system may have large memory requirements and large power consumption associated with rendering elements for display to a user. One goal of the disclosed methods may be to reduce the aggregated memory requirement and in turn to conserve power consumption through generating handles. Currently objects in an operating system may typically be referenced by handles that include a list of predetermined capabilities for all objects. The disclosed methods may generate handles that are specific to whether or not is has capabilities to a particular object type. Thereby eliminating the unnecessary bits associated with capabilities for object types other than the object type of the object. To do so, a kernel of the operating system may encode an object type into the object handle. When the kernel receives a system call from a process to perform an operation, the kernel may determine the object type from an object handle and confirm the capabilities of the process for the given object type based on a bit string of the object handle. In particular embodiments, the kernel may determine whether the process has permission to perform the operation and either allow or deny the process to perform the operation.
[0004] Embodiments of the invention may include or be implemented in conjunction with an artificial reality system. Artificial reality is a form of reality that has been adjusted in some manner before presentation to a user, which may include, e.g., a virtual reality (VR), an augmented reality (AR), a mixed reality (MR), a hybrid reality, or some combination and/or derivatives thereof. Artificial reality content may include completely generated content or generated content combined with captured content (e.g., real-world photographs). The artificial reality content may include video, audio, haptic feedback, or some combination thereof, and any of which may be presented in a single channel or in multiple channels (such as stereo video that produces a three-dimensional effect to the viewer). Additionally, in some embodiments, artificial reality may be associated with applications, products, accessories, services, or some combination thereof, that are, e.g., used to create content in an artificial reality and/or used in (e.g., perform activities in) an artificial reality. The artificial reality system that provides the artificial reality content may be implemented on various platforms, including a head-mounted display (HMD) connected to a host computer system, a standalone HMD, a mobile device or computing system, or any other hardware platform capable of providing artificial reality content to one or more viewers.
[0005] The embodiments disclosed herein are only examples, and the scope of this disclosure is not limited to them. Particular embodiments may include all, some, or none of the components, elements, features, functions, operations, or steps of the embodiments disclosed above. Embodiments according to the invention are in particular disclosed in the attached claims directed to a method, a storage medium, a system and a computer program product, wherein any feature mentioned in one claim category, e.g. method, can be claimed in another claim category, e.g. system, as well. The dependencies or references back in the attached claims are chosen for formal reasons only. However any subject matter resulting from a deliberate reference back to any previous claims (in particular multiple dependencies) can be claimed as well, so that any combination of claims and the features thereof are disclosed and can be claimed regardless of the dependencies chosen in the attached claims. The subject-matter which can be claimed comprises not only the combinations of features as set out in the attached claims but also any other combination of features in the claims, wherein each feature mentioned in the claims can be combined with any other feature or combination of other features in the claims. Furthermore, any of the embodiments and features described or depicted herein can be claimed in a separate claim and/or in any combination with any embodiment or feature described or depicted herein or with any of the features of the attached claims.
BRIEF DESCRIPTION OF THE DRAWINGS
[0006] FIG. 1 illustrates an example operating system environment associated with a virtual reality system.
[0007] FIG. 2 illustrates an example object handle and its corresponding handle table.
[0008] FIG. 3 illustrates another example object handle and its corresponding handle table.
[0009] FIG. 4 illustrates another example object handle and its corresponding handle table.
[0010] FIG. 5 illustrates an example network environment associated with a virtual reality system.
[0011] FIG. 6 illustrates an example method for handling a system call from a process.
[0012] FIG. 7 illustrates an example computer system.
DESCRIPTION OF EXAMPLE EMBODIMENTS
[0013] Each object in an operating system may be referenced by handles. In particular embodiments, to improve upon security, capability restrictions may be attached to each handle (e.g., read only, read/write, etc.). Initially, a handle to an object (e.g., a thread) may first be created with full capabilities. Later on, when the handle is transferred to another process, a subset of the capabilities may be granted to the recipient. A naive approach for encoding capabilities may be for each handle to store a list of bits that correspond to a list of predetermined capabilities for all objects (e.g., a 1 means the handle has the corresponding capability). However, since every handle needs such a list, the aggregated memory requirement could be large. This in turn may mean more power consumption, which is problematic for virtual reality (VR) and augmented reality (AR) devices.
[0014] In particular embodiments, in order to reduce the aggregated memory requirement and in turn to conserve power consumption, each handle may be encoded differently. Instead of having the full list of possible capabilities encoded within every handle, each handle may encode the capabilities that are relevant to its object type. As an example and not by way of limitation, if the handle is to a thread, it may encode whether or not it has capabilities related to threads; if the handle is to a process, it may encode whether it has capabilities related to processes. So for each handle, it may encode a capability type (e.g., thread vs. process) and bits that correspond to capabilities that are available for that type. In particular embodiments, object types may include a thread, a process, and an interrupt. In particular embodiments, capabilities may include the right to suspend a thread, the right to resume a thread, the right to query a process, the right to terminate a process, and the like. In particular embodiments, each handle may include a magic, a generation, and an offset. A magic may be a number that is hard to guess to improve upon the security of the handles. A generation may be a number to detect the offset. An offset may be a number to prevent replication of the handle.
[0015] In particular embodiments, upon generation of an object, a kernel of an operating system may generate a handle for a process. In particular embodiments, the kernel may define the capabilities the process has. In particular embodiments, the defining of the rights may be determined based on what rights a process requires in order to function. The kernel may have the ability to duplicate handles. Handles may be duplicated by taking the handle and a mask. Handles may be transferred from various processes. The reduced size of the handles may reduce memory/cache requirements, may reduce power consumption, and may increase the speed of capability validation for each object.
[0016] Referring to FIG. 1, an example operating system environment 100 is shown. The operating system environment 100 may comprise a kernel 102, a process 104, and a kernel object 106. In particular embodiments, the kernel 102 and the process 104 may communicate through a link 110. In particular embodiments, the link 110 may include various communications sent back and forth between the kernel 102 and the process 104. In particular embodiments, the kernel 102 and the kernel object 106 may communicate through a link 120. In particular embodiments, the process 104 and the kernel object 106 may communicate through a link 130. In particular embodiments, the kernel 102 may generate the kernel object 106. In particular embodiments, the kernel 102 may generate an object handle 112 to send to the process 104 through an interaction. As an example and not by way of limitation, the process 104 may initially request for an object handle 112. As another example and not by way of limitation, the kernel 102 may generate the object handle upon generation of the kernel object 106 and send the object handle 112 to the process 104. In particular embodiments, the object handle may comprise data that identifies an object type of a kernel object and specifies a bit string. As an example and not by way of limitation, the object handle 112 may comprise data that identifies the object type of the kernel object 106 and specifies a bit string. The bit string may be any number of bits long. In particular embodiments, data that identifies the object type may be another bit string. As an example and not by way of limitation, a thread object type may be specified by the bit string “1010.”
[0017] In particular embodiments, the process 104 may send a system call 114 to the kernel 102. The system call 114 may be a request to perform an operation on the kernel object 106. In particular embodiments, the operation may be one of a suspend operation, a resume operation, a query operation, a terminate operation, or the like. In particular embodiments, there may be specific operations only available for a given object type. In particular embodiments, the system call 114 may comprise the object handle 112 to the kernel object 106. When the kernel 102 receives the system call 114 from the process 104, the kernel 102 may access data associated with the object handle 112. The kernel 102 may access the data from a memory space allocated to the kernel 102. The accessed data may identify the object type of the kernel object 106 and specify a bit string. In particular embodiments, the kernel 102 may use the object type and the bit string to identify a list of capabilities of the process 104. In particular embodiments, for each object type there may be a corresponding list of capabilities. As an example and not by way of limitation, the list of capabilities for a thread may be represented by a handle table that includes a capability for each bit of the bit string. For instance, the list of capabilities may indicate that the first bit number corresponds to a read capability, the second bit number corresponds to a write capability, and so on. If the bit string has the first two bits “10 … “, then that would be indicative of the process 104 having the capability to read the kernel object 106, but not the capability to write to the kernel object 106. In particular embodiments, each capability in the list may indicate whether the process 104 has permission to perform a predetermined operation (e.g., read/write, etc.) on the kernel object 106. In particular embodiments, particular object types may have capabilities that are specific to that particular object type. In particular embodiments, the kernel 102 may determine whether the process 104 has permission to perform the operation on the kernel object 106. The kernel 102 may determine whether the process 104 has permission by comparing the operation to the list of capabilities. As an example and not by way of limitation, the operation may be a read operation and the kernel 102 may identify whether the process 104 has permission based on the bit string. If the bit number associated with the capability of a read operation is “1” then the kernel 102 may determine that the process 104 has permission to perform the read operation. Otherwise, the kernel 102 may deny the process 104 from performing the operation. In particular embodiments, the kernel 102 may send a response 116 to the process 104 indicating whether or not it has permission to perform the operation. In particular embodiments, the kernel 102 may send no response 116 in response to determining the process 104 does not have permission to perform the operation. If the kernel 102 determines that the process 104 has permission to perform the operation, the process 104 may perform the operation on the kernel object 106 or the kernel may perform the operation on the kernel object 106. In particular embodiments, the kernel 102 may communicate/access the kernel object 106 through the link 120. In particular embodiments, the kernel 102 may send any communications regarding the operation to the process 104 through the link 110. In particular embodiments, the process 104 may communicate/access the kernel object 106 through link 130 to perform the operation.
[0018] Referring to FIG. 2, an example object handle 200 and its corresponding handle table 208 is shown. In particular embodiments, the object handle 200 may be sent with a system call from a process to a kernel to request to perform an operation. In particular embodiments, the object handle 200 may have a list of capabilities 202 for all object types. As an example and not by way of limitation, the object handle 200 may have a list of capabilities 202 for a thread object type, a process object type, an interrupt object type, and so on. The capabilities 202 may indicate whether the process has the right to perform an operation. In particular embodiments, the object handle 200 may be for a kernel object. The kernel object may be one of a thread, a process, or an interrupt. In particular embodiments, the object handle 200 may comprise a bit string 204 that comprises bits 206 corresponding to the capabilities 202. In particular embodiments, the object handle 200 may be generated for a process by a kernel when a kernel object associated with the object handle 200 is generated. As an example and not by way of limitation, a process may send a system call to a kernel, which generates a kernel object. The kernel may also generate an object handle to the kernel object to send to the process. The capabilities may be determined based on which operations the process requires to function.
[0019] In particular embodiments, the object handle 200 may have its corresponding handle table 208 that identifies which capabilities 202 that a process may have. In particular embodiments, the handle table 208 may comprise a bit number 210, a capability 212, and an indication of whether the process has the right 214 to perform the operation. In particular embodiments, the bit number 210 may reflect the order the bit 206 is in the bit string 204. As an example and not by way of limitation, the bit number 210a may correspond to the first bit 206a. In particular embodiments, each capability 212 may correspond to a different capability 212 or operation for each bit number 210. The handle table 208 may determine whether the process has the right 214 to perform an operation based on the bit string 204 compared to the bit number 210. As an example and not by way of limitation, since the bit 206a is a “1” for the bit number 1, the process would be allowed to perform the read operation. In particular embodiments, the object handle 200 may have a bit string 204 that corresponds to a bit string 204 associated with capabilities 212 for multiple objects. As an example and not by way of limitation, the bits 206 from bit number 210a to one before bit number 210b may correspond to capabilities 212 for a particular object type. The remainder bits 206 may correspond to capabilities 212 for another object type. Although only capabilities 212 of two object types are shown, any number of capabilities 212 for other object types may be included in the object handle 200. In particular embodiments, the object handle 200 may have a whole bit string of “0”s for the capabilities 212 for an object type. As such, the bit string 204 may have a large number of bits 206 that may not be necessary. As an example and not by way of limitation, since the object handle 200 may be associated with a thread, the bits 206 corresponding to capabilities 212 for a process may be represented by a bit string of “0”s. In particular embodiments, the object handle 200 may comprise other bits 206 in the bit string 204 that are not related to the capabilities 202. In particular embodiments, the object handle 200 may comprise one or more of a magic, a generation, and an offset. In particular embodiments, a magic may be a randomly generated number. The randomly generated number may be generated in any suitable way. In particular embodiments, the generation may be a predetermined number to detect the offset. In particular embodiments, the magic, the generation, and the offset may correspond to bits 206 outside of the capabilities 202.
[0020] Referring to FIG. 3, another example object handle 300 and its corresponding handle table 310 is shown. In particular embodiments, the object handle 300 may comprise data associated with an object type 302 and a list of capabilities 304. In particular embodiments, the object handle 300 may comprise a bit string 306 that corresponds to the object type 302 and the list of capabilities 304. As an example and not by way of limitation, the first four bits 308 of the bit string 306 may correspond to the object type 302. Although the object type 302 is shown to be represented by the first four bits 308, the object type 302 may be represented by any number of bits 308. In particular embodiments, there may be a table of object types that a kernel may use to determine what the bits 308 that correspond to the object type 302 indicates is the object type 302. As an example and not by way of limitation, the four bits 308 corresponding to the object type 302 may indicate the object type 302 is a thread. The kernel may determine this based on identifying the bit sequence “1010” is associated with a thread object type.
[0021] In particular embodiments, the object handle 300 may have its corresponding handle table 310 that identifies which capabilities 304 that a process may have. The object table 310 may have a corresponding object type 312 that indicates what the object type 312 of the kernel object associated with the object handle 300. In particular embodiments, the handle table 310 may comprise a bit number 314, a capability 316, and an indication of whether the process has the right 318 to perform the operation. In particular embodiments, the bit number 314 may reflect the order the bit 308 is in the bit string 306. In particular embodiments, each capability 316 may correspond to a different capability 316 or operation for each bit number 314. Similarly to handle table 208, the handle table 310 may determine whether the process has the right 318 to perform an operation based on the bit string 306 compared to the bit number 314. In particular embodiments, the capabilities 316 may include only capabilities to perform operations specific to the object type 312, which would be a thread object type. Thereby reducing the number of bits 308 within the bit string 306 of the object handle 300 as compared to the bits 206 of the bit string 204. The reduction in the number of bits reduces the aggregated memory requirement and in turn to conserve power consumption. In particular embodiments, there may be operations specific to a thread object type. As an example and not by way of limitation, a suspend operation and a resume operation may be specific to a thread object type.
[0022] Referring to FIG. 4, another example object handle 400 and its corresponding handle table 410 is shown. In particular embodiments, the object handle 400 may comprise data associated with an object type 402 and a list of capabilities 404. In particular embodiments, the object handle 400 may comprise a bit string 406 that corresponds to the object type 402 and the list of capabilities 404. As an example and not by way of limitation, the first four bits 408 of the bit string 406 may correspond to the object type 402. Although the object type 402 is shown to be represented by the first four bits 408, the object type 402 may be represented by any number of bits 408. In particular embodiments, a kernel may use a table of object types to determine what the bits 408 that correspond to the object type 402 indicates is the object type 402. As an example and not by way of limitation, the four bits 408 corresponding to the object type 402 may indicate the object type 402 is a process. The kernel may determine this based on identifying the bit sequence “1011” is associated with a process object type.
……
……
……