[libcamera-devel] [PATCH v4 0/8] Add IPA process isolation

[Paul Elder]

We need to be able to isolate untrusted IPA implementations into a
separate process. To achieve this, we use an IPA proxy, that acts like a
regular IPAInterface to the pipeline handler, but will initialize and
communicate with the real IPA module in a separate, isolated process.

Changes in v4:
- minor changes
- added IPAModule::isOpenSource()

Changes in v3:
- a lot, i forgot to put them in last time

Changes in v2:
- renamed Shim to Proxy
- build proxies into libcamera, and not into separate .so
- add Process and ProcessManager
- add license field to IPAModuleInfo (as opposed to a "please isolate me" flag)
- use IPCUnixSocket (it's only initialized for now)
- moved out some patches into their own series

Paul Elder (8):
  libcamera: ipa_module_info: add license field
  libcamera: ipa_module: add isOpenSource
  libcamera: Add Process and ProcessManager classes
  libcamera: add IPA proxy
  libcamera: proxy: add default linux IPA proxy
  libcamera: ipa_manager: use proxy
  libcamera: ipa: add dummy IPA that needs to be isolated
  libcamera: ipa: meson: build dummy IPA that needs isolation

 Documentation/Doxyfile.in                     |   3 +-
 include/libcamera/ipa/ipa_module_info.h       |   1 +
 src/ipa/ipa_dummy.cpp                         |   1 +
 src/ipa/ipa_dummy_isolate.cpp                 |  47 +++
 src/ipa/meson.build                           |  21 +-
 src/libcamera/include/ipa_module.h            |   2 +
 src/libcamera/include/ipa_proxy.h             |  66 ++++
 src/libcamera/include/process.h               |  55 +++
 src/libcamera/ipa_manager.cpp                 |  34 +-
 src/libcamera/ipa_module.cpp                  |  46 +++
 src/libcamera/ipa_proxy.cpp                   | 204 ++++++++++
 src/libcamera/meson.build                     |   8 +
 src/libcamera/process.cpp                     | 357 ++++++++++++++++++
 src/libcamera/process_manager.cpp             |   0
 src/libcamera/proxy/ipa_proxy_linux.cpp       |  96 +++++
 src/libcamera/proxy/meson.build               |   3 +
 .../proxy/worker/ipa_proxy_linux_worker.cpp   |  86 +++++
 src/libcamera/proxy/worker/meson.build        |  16 +
 test/ipa/ipa_test.cpp                         |   1 +
 test/libtest/test.cpp                         |   4 +
 test/meson.build                              |   1 +
 test/process/meson.build                      |  12 +
 test/process/process_test.cpp                 | 100 +++++
 23 files changed, 1152 insertions(+), 12 deletions(-)
 create mode 100644 src/ipa/ipa_dummy_isolate.cpp
 create mode 100644 src/libcamera/include/ipa_proxy.h
 create mode 100644 src/libcamera/include/process.h
 create mode 100644 src/libcamera/ipa_proxy.cpp
 create mode 100644 src/libcamera/process.cpp
 create mode 100644 src/libcamera/process_manager.cpp
 create mode 100644 src/libcamera/proxy/ipa_proxy_linux.cpp
 create mode 100644 src/libcamera/proxy/meson.build
 create mode 100644 src/libcamera/proxy/worker/ipa_proxy_linux_worker.cpp
 create mode 100644 src/libcamera/proxy/worker/meson.build
 create mode 100644 test/process/meson.build
 create mode 100644 test/process/process_test.cpp

-- 
2.20.1