
ubuntu-phone team mailing list archive

Re: Catching CPU run-aways on Touch


On 09/05/2013 08:09 PM, Jamie Strandboge wrote:
> On 09/05/2013 07:01 AM, Alberto Mardegan wrote:
>> Well, if we don't have a myAppIsRunning() API, apps can simply
>> busy-loop whenever they want, so I don't see much harm in adding
>> this API. We could also protect it with apparmor, so that the
>> usage of this API must be explicitly declared in the
>> application's manifest file (and then we could question whether
>> the app has any reason to use it).
>> 
> We can't control access to library calls in this manner. You can
> mmap the library and get everything, or you can't. We can't block
> the mmap of the library because an app could just ship its own
> version of the library and mmap it.
[...]

Right. Then what about this approach:

ubuntu_api_start_busy_work():
  - create an empty file in the app's namespace (maybe
    $XDG_RUNTIME_DIR/<appId>/busy_work). This will fail if the app is
    confined and not allowed to do busy work at all.
  - setup a signal handler for the SIGXCPU signal.

ubuntu_api_stop_busy_work():
  - removes the signal handler.

Then, when the watchdog service sees that an app is using "too much"
CPU time, it would:
  - check if $XDG_RUNTIME_DIR/<appId>/busy_work is present; if not,
    kill the app
  - send SIGXCPU

> I think the point of this API is not to protect against abuse, but
> to allow a well-intentioned app from getting killed. To me, an
> abusive app will be handled by bad reviews/bug reports ("This app
> sucks-- my battery is dead in 5 minutes whenever I use it").
> Because we don't have a way to distinguish between accidental and
> intentional high CPU usage now, we don't have anything other than 
> app reviews. If we introduce this call, we can detect the
> accidental high CPU usage now. The handful of apps that abuse it
> can still be handled via user reviews like they are now.

I agree, but having the application declare that it can be doing busy
work for some seconds in its manifest file can be of great help for
reviewers: if the capability is not mentioned in the manifest, it
means that the application doesn't need a lot of investigation
(because the app will automatically be killed if it misuses CPU).
Also, if users report problems about a shortened battery life, we
would first investigate those apps which have the capability in their
manifest.

Ciao,
  Alberto
