Closed Bug 1187799 Opened 9 years ago Closed 6 years ago

[Meta] Move Android HAL drivers into separate address spaces

Categories

(Firefox OS Graveyard :: General, defect)

All
Gonk (Firefox OS)
defect
Not set
normal

Tracking

(Not tracked)

RESOLVED WONTFIX

People

(Reporter: tzimmermann, Unassigned)

References

Details

On Firefox OS, Gecko loads a number of HAL drivers into its address space. Each driver should be moved into its own, separate address space (i.e., process) for at least the following reasons (in no specific order):

  * Security

Gecko currently runs with root privileges. Driver-specific processes can run with reduced privileges. We can further reduce the allowed operations by using additional Linux security features, such as SELinux or seccomp.

  * API/ABI compatibility

The driver's binary interfaces change over time or between different vendors. Linking them directly requires a compatible implementation of Gecko. Driver-specific processes can handle the different ABIs/APIs internally and expose a single interface in the IPC primitives.

Different versions of IPC are easier to detect and support in Gecko than binary interfaces. This will ensure long-term support of devices with only a small number of Gecko builds.

  * System stability and fault isolation

HAL drivers are usually proprietary binaries. We have no control over them and cannot debug them. Running them in separate processes ensures system stability if such a driver crashes or leaks resources. The driver processes can easily be terminated and restarted.

We already run Bluedroid and NFC in daemon processes, and there is a prototype for Geolocation. Other candidates are the drivers for sensors and lights. We might even be able to implement driver daemons for display support, which apparently requires HWC, gralloc and power.
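The isolation argument of comment 0 (reduced privileges, fault containment, easy restart), as an added example that is not code from this bug or from Gecko: a Gecko stand-in forks a "driver daemon" behind a socketpair, the child locks itself down with seccomp strict mode, and a simulated fault in the driver code is contained and recovered by a restart. The one-byte request protocol, the request codes and the sensor value 42 are constructed for the example.

```c
// Added example (not from the bug or Gecko): a Gecko stand-in supervising a HAL "driver daemon".
// The child runs under seccomp strict mode; when it faults, the parent reaps and restarts it.
#include <linux/seccomp.h>
#include <sys/prctl.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

enum { REQ_READ_SENSOR = 1, REQ_CRASH = 2 };  // hypothetical one-byte wire protocol

// Child: stands in for proprietary HAL code we cannot debug. Never returns.
static void driver_main(int fd) {
    prctl(PR_SET_SECCOMP, SECCOMP_MODE_STRICT);  // from here on, only read/write/exit are allowed
    unsigned char req, reply;
    while (read(fd, &req, 1) == 1) {
        if (req == REQ_CRASH) __builtin_trap();     // simulated driver fault (SIGILL)
        reply = (req == REQ_READ_SENSOR) ? 42 : 0;  // 42 is a constructed sensor value
        if (write(fd, &reply, 1) != 1) break;
    }
    syscall(SYS_exit, 0);  // raw exit: glibc's _exit() calls exit_group, which strict mode kills
}

// Parent: fork the driver behind a socketpair. Returns its pid; the channel fd goes to *fd.
static pid_t spawn_driver(int *fd) {
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0) return -1;
    pid_t pid = fork();
    if (pid == 0) { close(sv[0]); driver_main(sv[1]); }
    close(sv[1]);
    *fd = sv[0];
    return pid;
}

// Serve a request sequence, restarting the driver after each crash. Returns the number of
// restarts; *last receives the final reply (-1 if that request died with the driver).
static int run_supervised(const unsigned char *reqs, size_t n, int *last) {
    int fd, status, restarts = 0;
    pid_t pid = spawn_driver(&fd);
    for (size_t i = 0; i < n && pid > 0; i++) {
        unsigned char reply;  // a dead peer must not SIGPIPE the parent, hence MSG_NOSIGNAL
        if (send(fd, &reqs[i], 1, MSG_NOSIGNAL) == 1 && read(fd, &reply, 1) == 1) { *last = reply; continue; }
        *last = -1;  // the request died with the driver: reap it and bring up a fresh one
        waitpid(pid, &status, 0); close(fd); restarts++;
        pid = spawn_driver(&fd);
    }
    close(fd); waitpid(pid, &status, 0);  // EOF on the channel lets the last driver exit cleanly
    return restarts;
}
```

Feeding the sequence READ_SENSOR, CRASH, READ_SENSOR yields one restart and a final reply of 42: the fault that would have taken down an in-process HAL only costs the parent one failed request.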

Just a side note about this. Currently we have 4 geolocation implementations, gonk, android, windows and mac. It would be nice if while developing the protocol we'd keep an eye on those ones too and evaluate if we'd like to move them out-of-process on other architectures besides gonk. The second point in comment 0 doesn't apply to them but if those implementations pull in other stuff (shared libraries, etc.) then points 1 & 3 do apply and it might be nice to pull them out in desktop Firefox too.
Depends on: 1194721
Firefox OS is not being worked on
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → WONTFIX