[PATCH] liveupdate: add LIVEUPDATE_SESSION_GET_NAME ioctl

[PATCH] liveupdate: add LIVEUPDATE_SESSION_GET_NAME ioctl

[luca.boccassi]

From: Luca Boccassi <luca.boccassi@gmail.com>

Userspace when requesting a session specifies a name and gets a FD,
but then there is no way to go back the other way and get the name
given a LUO session FD. This is problematic especially when there
is a userspace orchestrator that wants to check what FDs it is
handling for clients.

Resolving the /proc/self/fd/X is lossy as that has a hard limit
of characters, so names might be truncated. Also requiring going
through procfs and doing manual string mangling is not a nice
pattern.

Add a ioctl to simply get the name from an FD.

Signed-off-by: Luca Boccassi <luca.boccassi@gmail.com>
---
Need this for integration in systemd, so that I can check what
FDs I get from clients and what they are, and so that I can know
where to hand it back to

 include/uapi/linux/liveupdate.h               | 19 +++++
 kernel/liveupdate/luo_session.c               | 13 ++++
 .../testing/selftests/liveupdate/liveupdate.c | 72 +++++++++++++++++++
 3 files changed, 104 insertions(+)

diff --git a/include/uapi/linux/liveupdate.h b/include/uapi/linux/liveupdate.h
index 30bc66ee9436a..41dc44d239dde 100644
--- a/include/uapi/linux/liveupdate.h
+++ b/include/uapi/linux/liveupdate.h
@@ -59,6 +59,7 @@ enum {
 	LIVEUPDATE_CMD_SESSION_PRESERVE_FD = LIVEUPDATE_CMD_SESSION_BASE,
 	LIVEUPDATE_CMD_SESSION_RETRIEVE_FD = 0x41,
 	LIVEUPDATE_CMD_SESSION_FINISH = 0x42,
+	LIVEUPDATE_CMD_SESSION_GET_NAME = 0x43,
 };
 
 /**
@@ -213,4 +214,22 @@ struct liveupdate_session_finish {
 #define LIVEUPDATE_SESSION_FINISH					\
 	_IO(LIVEUPDATE_IOCTL_TYPE, LIVEUPDATE_CMD_SESSION_FINISH)
 
+/**
+ * struct liveupdate_session_get_name - ioctl(LIVEUPDATE_SESSION_GET_NAME)
+ * @size:  Input; sizeof(struct liveupdate_session_get_name)
+ * @name:  Output; A null-terminated string with the full session name.
+ *
+ * Retrieves the full name of the session associated with this file descriptor.
+ * This is useful because the kernel may truncate the name shown in /proc.
+ *
+ * Return: 0 on success, negative error code on failure.
+ */
+struct liveupdate_session_get_name {
+	__u32		size;
+	__u8		name[LIVEUPDATE_SESSION_NAME_LENGTH];
+};
+
+#define LIVEUPDATE_SESSION_GET_NAME					\
+	_IO(LIVEUPDATE_IOCTL_TYPE, LIVEUPDATE_CMD_SESSION_GET_NAME)
+
 #endif /* _UAPI_LIVEUPDATE_H */
diff --git a/kernel/liveupdate/luo_session.c b/kernel/liveupdate/luo_session.c
index 4a40c7fdfb44f..819e8864869fd 100644
--- a/kernel/liveupdate/luo_session.c
+++ b/kernel/liveupdate/luo_session.c
@@ -289,10 +289,21 @@ static int luo_session_finish(struct luo_session *session,
 	return luo_ucmd_respond(ucmd, sizeof(*argp));
 }
 
+static int luo_session_get_name(struct luo_session *session,
+				struct luo_ucmd *ucmd)
+{
+	struct liveupdate_session_get_name *argp = ucmd->cmd;
+
+	strscpy((char *)argp->name, session->name, sizeof(argp->name));
+
+	return luo_ucmd_respond(ucmd, sizeof(*argp));
+}
+
 union ucmd_buffer {
 	struct liveupdate_session_finish finish;
 	struct liveupdate_session_preserve_fd preserve;
 	struct liveupdate_session_retrieve_fd retrieve;
+	struct liveupdate_session_get_name get_name;
 };
 
 struct luo_ioctl_op {
@@ -319,6 +330,8 @@ static const struct luo_ioctl_op luo_session_ioctl_ops[] = {
 		 struct liveupdate_session_preserve_fd, token),
 	IOCTL_OP(LIVEUPDATE_SESSION_RETRIEVE_FD, luo_session_retrieve_fd,
 		 struct liveupdate_session_retrieve_fd, token),
+	IOCTL_OP(LIVEUPDATE_SESSION_GET_NAME, luo_session_get_name,
+		 struct liveupdate_session_get_name, name),
 };
 
 static long luo_session_ioctl(struct file *filep, unsigned int cmd,
diff --git a/tools/testing/selftests/liveupdate/liveupdate.c b/tools/testing/selftests/liveupdate/liveupdate.c
index c2878e3d5ef90..510a583371fac 100644
--- a/tools/testing/selftests/liveupdate/liveupdate.c
+++ b/tools/testing/selftests/liveupdate/liveupdate.c
@@ -102,6 +102,22 @@ static int create_session(int lu_fd, const char *name)
 	return args.fd;
 }
 
+/* Helper function to get a session name via ioctl. */
+static int get_session_name(int session_fd, char *name, size_t name_len)
+{
+	struct liveupdate_session_get_name args = {};
+
+	args.size = sizeof(args);
+
+	if (ioctl(session_fd, LIVEUPDATE_SESSION_GET_NAME, &args))
+		return -errno;
+
+	strncpy(name, (char *)args.name, name_len - 1);
+	name[name_len - 1] = '\0';
+
+	return 0;
+}
+
 /*
  * Test Case: Create Duplicate Session
  *
@@ -345,4 +361,60 @@ TEST_F(liveupdate_device, preserve_unsupported_fd)
 	ASSERT_EQ(close(session_fd), 0);
 }
 
+/*
+ * Test Case: Get Session Name
+ *
+ * Verifies that the full session name can be retrieved from a session file
+ * descriptor via ioctl. This is important because /proc may truncate the
+ * anon_inode name.
+ */
+TEST_F(liveupdate_device, get_session_name)
+{
+	char name_buf[LIVEUPDATE_SESSION_NAME_LENGTH] = {};
+	const char *session_name = "get-name-test-session";
+	int session_fd;
+
+	self->fd1 = open(LIVEUPDATE_DEV, O_RDWR);
+	if (self->fd1 < 0 && errno == ENOENT)
+		SKIP(return, "%s does not exist", LIVEUPDATE_DEV);
+	ASSERT_GE(self->fd1, 0);
+
+	session_fd = create_session(self->fd1, session_name);
+	ASSERT_GE(session_fd, 0);
+
+	ASSERT_EQ(get_session_name(session_fd, name_buf, sizeof(name_buf)), 0);
+	ASSERT_STREQ(name_buf, session_name);
+
+	ASSERT_EQ(close(session_fd), 0);
+}
+
+/*
+ * Test Case: Get Session Name at Maximum Length
+ *
+ * Verifies that a session name using the full LIVEUPDATE_SESSION_NAME_LENGTH
+ * (minus the null terminator) can be correctly retrieved.
+ */
+TEST_F(liveupdate_device, get_session_name_max_length)
+{
+	char name_buf[LIVEUPDATE_SESSION_NAME_LENGTH] = {};
+	char long_name[LIVEUPDATE_SESSION_NAME_LENGTH];
+	int session_fd;
+
+	memset(long_name, 'A', sizeof(long_name) - 1);
+	long_name[sizeof(long_name) - 1] = '\0';
+
+	self->fd1 = open(LIVEUPDATE_DEV, O_RDWR);
+	if (self->fd1 < 0 && errno == ENOENT)
+		SKIP(return, "%s does not exist", LIVEUPDATE_DEV);
+	ASSERT_GE(self->fd1, 0);
+
+	session_fd = create_session(self->fd1, long_name);
+	ASSERT_GE(session_fd, 0);
+
+	ASSERT_EQ(get_session_name(session_fd, name_buf, sizeof(name_buf)), 0);
+	ASSERT_STREQ(name_buf, long_name);
+
+	ASSERT_EQ(close(session_fd), 0);
+}
+
 TEST_HARNESS_MAIN
-- 
2.47.3

Re: [PATCH] liveupdate: add LIVEUPDATE_SESSION_GET_NAME ioctl

[Pasha Tatashin]

On Tue, Mar 31, 2026 at 1:56 PM <luca.boccassi@gmail.com> wrote:
>
> From: Luca Boccassi <luca.boccassi@gmail.com>
>
> Userspace when requesting a session specifies a name and gets a FD,
> but then there is no way to go back the other way and get the name
> given a LUO session FD. This is problematic especially when there
> is a userspace orchestrator that wants to check what FDs it is
> handling for clients.
>
> Resolving the /proc/self/fd/X is lossy as that has a hard limit
> of characters, so names might be truncated. Also requiring going
> through procfs and doing manual string mangling is not a nice
> pattern.

Hi Luca,

Thank you for working on this.

This needs more explanation. The way I see it, the user orchestrator
can be the only one that has access to /dev/liveupdate (and this is
actually enforced by kernel). It opens it and creates session_fds for
any client out there. So, the orchestrator already has the FDs and
sends them to clients(e.g. via SCM_RIGHTS). It then monitors the PIDs
of the clients, and if they die, it closes the session_fds for them,
as their data does not need to be preserved.

Could you please explain why the user orchestrator would need to query
the session_fds, since it is the one that creates them in the first
place and has to keep them open in order to preserve them during a
live update?

Thank you,
Pasha

>
> Add a ioctl to simply get the name from an FD.
>
> Signed-off-by: Luca Boccassi <luca.boccassi@gmail.com>
> ---
> Need this for integration in systemd, so that I can check what
> FDs I get from clients and what they are, and so that I can know
> where to hand it back to
>
>  include/uapi/linux/liveupdate.h               | 19 +++++
>  kernel/liveupdate/luo_session.c               | 13 ++++
>  .../testing/selftests/liveupdate/liveupdate.c | 72 +++++++++++++++++++
>  3 files changed, 104 insertions(+)
>
> diff --git a/include/uapi/linux/liveupdate.h b/include/uapi/linux/liveupdate.h
> index 30bc66ee9436a..41dc44d239dde 100644
> --- a/include/uapi/linux/liveupdate.h
> +++ b/include/uapi/linux/liveupdate.h
> @@ -59,6 +59,7 @@ enum {
>         LIVEUPDATE_CMD_SESSION_PRESERVE_FD = LIVEUPDATE_CMD_SESSION_BASE,
>         LIVEUPDATE_CMD_SESSION_RETRIEVE_FD = 0x41,
>         LIVEUPDATE_CMD_SESSION_FINISH = 0x42,
> +       LIVEUPDATE_CMD_SESSION_GET_NAME = 0x43,
>  };
>
>  /**
> @@ -213,4 +214,22 @@ struct liveupdate_session_finish {
>  #define LIVEUPDATE_SESSION_FINISH                                      \
>         _IO(LIVEUPDATE_IOCTL_TYPE, LIVEUPDATE_CMD_SESSION_FINISH)
>
> +/**
> + * struct liveupdate_session_get_name - ioctl(LIVEUPDATE_SESSION_GET_NAME)
> + * @size:  Input; sizeof(struct liveupdate_session_get_name)
> + * @name:  Output; A null-terminated string with the full session name.
> + *
> + * Retrieves the full name of the session associated with this file descriptor.
> + * This is useful because the kernel may truncate the name shown in /proc.
> + *
> + * Return: 0 on success, negative error code on failure.
> + */
> +struct liveupdate_session_get_name {
> +       __u32           size;
> +       __u8            name[LIVEUPDATE_SESSION_NAME_LENGTH];
> +};
> +
> +#define LIVEUPDATE_SESSION_GET_NAME                                    \
> +       _IO(LIVEUPDATE_IOCTL_TYPE, LIVEUPDATE_CMD_SESSION_GET_NAME)
> +
>  #endif /* _UAPI_LIVEUPDATE_H */
> diff --git a/kernel/liveupdate/luo_session.c b/kernel/liveupdate/luo_session.c
> index 4a40c7fdfb44f..819e8864869fd 100644
> --- a/kernel/liveupdate/luo_session.c
> +++ b/kernel/liveupdate/luo_session.c
> @@ -289,10 +289,21 @@ static int luo_session_finish(struct luo_session *session,
>         return luo_ucmd_respond(ucmd, sizeof(*argp));
>  }
>
> +static int luo_session_get_name(struct luo_session *session,
> +                               struct luo_ucmd *ucmd)
> +{
> +       struct liveupdate_session_get_name *argp = ucmd->cmd;
> +
> +       strscpy((char *)argp->name, session->name, sizeof(argp->name));
> +
> +       return luo_ucmd_respond(ucmd, sizeof(*argp));
> +}
> +
>  union ucmd_buffer {
>         struct liveupdate_session_finish finish;
>         struct liveupdate_session_preserve_fd preserve;
>         struct liveupdate_session_retrieve_fd retrieve;
> +       struct liveupdate_session_get_name get_name;
>  };
>
>  struct luo_ioctl_op {
> @@ -319,6 +330,8 @@ static const struct luo_ioctl_op luo_session_ioctl_ops[] = {
>                  struct liveupdate_session_preserve_fd, token),
>         IOCTL_OP(LIVEUPDATE_SESSION_RETRIEVE_FD, luo_session_retrieve_fd,
>                  struct liveupdate_session_retrieve_fd, token),
> +       IOCTL_OP(LIVEUPDATE_SESSION_GET_NAME, luo_session_get_name,
> +                struct liveupdate_session_get_name, name),
>  };
>
>  static long luo_session_ioctl(struct file *filep, unsigned int cmd,
> diff --git a/tools/testing/selftests/liveupdate/liveupdate.c b/tools/testing/selftests/liveupdate/liveupdate.c
> index c2878e3d5ef90..510a583371fac 100644
> --- a/tools/testing/selftests/liveupdate/liveupdate.c
> +++ b/tools/testing/selftests/liveupdate/liveupdate.c
> @@ -102,6 +102,22 @@ static int create_session(int lu_fd, const char *name)
>         return args.fd;
>  }
>
> +/* Helper function to get a session name via ioctl. */
> +static int get_session_name(int session_fd, char *name, size_t name_len)
> +{
> +       struct liveupdate_session_get_name args = {};
> +
> +       args.size = sizeof(args);
> +
> +       if (ioctl(session_fd, LIVEUPDATE_SESSION_GET_NAME, &args))
> +               return -errno;
> +
> +       strncpy(name, (char *)args.name, name_len - 1);
> +       name[name_len - 1] = '\0';
> +
> +       return 0;
> +}
> +
>  /*
>   * Test Case: Create Duplicate Session
>   *
> @@ -345,4 +361,60 @@ TEST_F(liveupdate_device, preserve_unsupported_fd)
>         ASSERT_EQ(close(session_fd), 0);
>  }
>
> +/*
> + * Test Case: Get Session Name
> + *
> + * Verifies that the full session name can be retrieved from a session file
> + * descriptor via ioctl. This is important because /proc may truncate the
> + * anon_inode name.
> + */
> +TEST_F(liveupdate_device, get_session_name)
> +{
> +       char name_buf[LIVEUPDATE_SESSION_NAME_LENGTH] = {};
> +       const char *session_name = "get-name-test-session";
> +       int session_fd;
> +
> +       self->fd1 = open(LIVEUPDATE_DEV, O_RDWR);
> +       if (self->fd1 < 0 && errno == ENOENT)
> +               SKIP(return, "%s does not exist", LIVEUPDATE_DEV);
> +       ASSERT_GE(self->fd1, 0);
> +
> +       session_fd = create_session(self->fd1, session_name);
> +       ASSERT_GE(session_fd, 0);
> +
> +       ASSERT_EQ(get_session_name(session_fd, name_buf, sizeof(name_buf)), 0);
> +       ASSERT_STREQ(name_buf, session_name);
> +
> +       ASSERT_EQ(close(session_fd), 0);
> +}
> +
> +/*
> + * Test Case: Get Session Name at Maximum Length
> + *
> + * Verifies that a session name using the full LIVEUPDATE_SESSION_NAME_LENGTH
> + * (minus the null terminator) can be correctly retrieved.
> + */
> +TEST_F(liveupdate_device, get_session_name_max_length)
> +{
> +       char name_buf[LIVEUPDATE_SESSION_NAME_LENGTH] = {};
> +       char long_name[LIVEUPDATE_SESSION_NAME_LENGTH];
> +       int session_fd;
> +
> +       memset(long_name, 'A', sizeof(long_name) - 1);
> +       long_name[sizeof(long_name) - 1] = '\0';
> +
> +       self->fd1 = open(LIVEUPDATE_DEV, O_RDWR);
> +       if (self->fd1 < 0 && errno == ENOENT)
> +               SKIP(return, "%s does not exist", LIVEUPDATE_DEV);
> +       ASSERT_GE(self->fd1, 0);
> +
> +       session_fd = create_session(self->fd1, long_name);
> +       ASSERT_GE(session_fd, 0);
> +
> +       ASSERT_EQ(get_session_name(session_fd, name_buf, sizeof(name_buf)), 0);
> +       ASSERT_STREQ(name_buf, long_name);
> +
> +       ASSERT_EQ(close(session_fd), 0);
> +}
> +
>  TEST_HARNESS_MAIN
> --
> 2.47.3
>

Re: [PATCH] liveupdate: add LIVEUPDATE_SESSION_GET_NAME ioctl

[Luca Boccassi]

On Tue, 31 Mar 2026 at 19:34, Pasha Tatashin <pasha.tatashin@soleen.com> wrote:
>
> On Tue, Mar 31, 2026 at 1:56 PM <luca.boccassi@gmail.com> wrote:
> >
> > From: Luca Boccassi <luca.boccassi@gmail.com>
> >
> > Userspace when requesting a session specifies a name and gets a FD,
> > but then there is no way to go back the other way and get the name
> > given a LUO session FD. This is problematic especially when there
> > is a userspace orchestrator that wants to check what FDs it is
> > handling for clients.
> >
> > Resolving the /proc/self/fd/X is lossy as that has a hard limit
> > of characters, so names might be truncated. Also requiring going
> > through procfs and doing manual string mangling is not a nice
> > pattern.
>
> Hi Luca,
>
> Thank you for working on this.
>
> This needs more explanation. The way I see it, the user orchestrator
> can be the only one that has access to /dev/liveupdate (and this is
> actually enforced by kernel). It opens it and creates session_fds for
> any client out there. So, the orchestrator already has the FDs and
> sends them to clients(e.g. via SCM_RIGHTS). It then monitors the PIDs
> of the clients, and if they die, it closes the session_fds for them,
> as their data does not need to be preserved.
>
> Could you please explain why the user orchestrator would need to query
> the session_fds, since it is the one that creates them in the first
> place and has to keep them open in order to preserve them during a
> live update?

The orchestrator cannot and will not hold on to all this state, that
is not possible. It will simply hand out session FDs on-demand via an
IPC, enforcing a naming convention for the client, and immediately
forget about them. Clients will hold them and use them as they see
fit, and then store them in the FD store on shutdown if they want to
commit them, and that's where the orchestrator will get them back, and
they need to be verified that they come from the right cgroup, what
the client's portion of the name is to be able to hand them back after
reboot, and so on.

Aside from all this, given the session name is input to the FD, it is
also good design to have a way to get it out of the FD again on
demand, regardless of the use case. Right now this is not possible,
since resolving /proc/fd/ is lossy and fails completely once the
session name goes above 52 characters.

Re: [PATCH] liveupdate: add LIVEUPDATE_SESSION_GET_NAME ioctl

[Pasha Tatashin]

On Tue, Mar 31, 2026 at 3:07 PM Luca Boccassi <luca.boccassi@gmail.com> wrote:
>
> On Tue, 31 Mar 2026 at 19:34, Pasha Tatashin <pasha.tatashin@soleen.com> wrote:
> >
> > On Tue, Mar 31, 2026 at 1:56 PM <luca.boccassi@gmail.com> wrote:
> > >
> > > From: Luca Boccassi <luca.boccassi@gmail.com>
> > >
> > > Userspace when requesting a session specifies a name and gets a FD,
> > > but then there is no way to go back the other way and get the name
> > > given a LUO session FD. This is problematic especially when there
> > > is a userspace orchestrator that wants to check what FDs it is
> > > handling for clients.
> > >
> > > Resolving the /proc/self/fd/X is lossy as that has a hard limit
> > > of characters, so names might be truncated. Also requiring going
> > > through procfs and doing manual string mangling is not a nice
> > > pattern.
> >
> > Hi Luca,
> >
> > Thank you for working on this.
> >
> > This needs more explanation. The way I see it, the user orchestrator
> > can be the only one that has access to /dev/liveupdate (and this is
> > actually enforced by kernel). It opens it and creates session_fds for
> > any client out there. So, the orchestrator already has the FDs and
> > sends them to clients(e.g. via SCM_RIGHTS). It then monitors the PIDs
> > of the clients, and if they die, it closes the session_fds for them,
> > as their data does not need to be preserved.
> >
> > Could you please explain why the user orchestrator would need to query
> > the session_fds, since it is the one that creates them in the first
> > place and has to keep them open in order to preserve them during a
> > live update?
>
> The orchestrator cannot and will not hold on to all this state, that
> is not possible. It will simply hand out session FDs on-demand via an
> IPC, enforcing a naming convention for the client, and immediately
> forget about them. Clients will hold them and use them as they see
> fit, and then store them in the FD store on shutdown if they want to
> commit them, and that's where the orchestrator will get them back, and

I see. The idea is to expand the LUO Session API to be compatible with
the systemd FD store API.

> they need to be verified that they come from the right cgroup, what
> the client's portion of the name is to be able to hand them back after
> reboot, and so on.

So, if I understand correctly, the enforcement of who gets a systemd
stored fd returned to them is based on the cgroup name, right?
Presumably, after a reboot, each VMM would have to start in a separate
cgroup (using the same name as in the previous kernel) and request its
session FDs back from systemd. That is what will be used to verify
ownership, am I correct?

Re: [PATCH] liveupdate: add LIVEUPDATE_SESSION_GET_NAME ioctl

[Luca Boccassi]

On Tue, 31 Mar 2026 at 20:28, Pasha Tatashin <pasha.tatashin@soleen.com> wrote:
>
> On Tue, Mar 31, 2026 at 3:07 PM Luca Boccassi <luca.boccassi@gmail.com> wrote:
> >
> > On Tue, 31 Mar 2026 at 19:34, Pasha Tatashin <pasha.tatashin@soleen.com> wrote:
> > >
> > > On Tue, Mar 31, 2026 at 1:56 PM <luca.boccassi@gmail.com> wrote:
> > > >
> > > > From: Luca Boccassi <luca.boccassi@gmail.com>
> > > >
> > > > Userspace when requesting a session specifies a name and gets a FD,
> > > > but then there is no way to go back the other way and get the name
> > > > given a LUO session FD. This is problematic especially when there
> > > > is a userspace orchestrator that wants to check what FDs it is
> > > > handling for clients.
> > > >
> > > > Resolving the /proc/self/fd/X is lossy as that has a hard limit
> > > > of characters, so names might be truncated. Also requiring going
> > > > through procfs and doing manual string mangling is not a nice
> > > > pattern.
> > >
> > > Hi Luca,
> > >
> > > Thank you for working on this.
> > >
> > > This needs more explanation. The way I see it, the user orchestrator
> > > can be the only one that has access to /dev/liveupdate (and this is
> > > actually enforced by kernel). It opens it and creates session_fds for
> > > any client out there. So, the orchestrator already has the FDs and
> > > sends them to clients(e.g. via SCM_RIGHTS). It then monitors the PIDs
> > > of the clients, and if they die, it closes the session_fds for them,
> > > as their data does not need to be preserved.
> > >
> > > Could you please explain why the user orchestrator would need to query
> > > the session_fds, since it is the one that creates them in the first
> > > place and has to keep them open in order to preserve them during a
> > > live update?
> >
> > The orchestrator cannot and will not hold on to all this state, that
> > is not possible. It will simply hand out session FDs on-demand via an
> > IPC, enforcing a naming convention for the client, and immediately
> > forget about them. Clients will hold them and use them as they see
> > fit, and then store them in the FD store on shutdown if they want to
> > commit them, and that's where the orchestrator will get them back, and
>
> I see. The idea is to expand the LUO Session API to be compatible with
> the systemd FD store API.
>
> > they need to be verified that they come from the right cgroup, what
> > the client's portion of the name is to be able to hand them back after
> > reboot, and so on.
>
> So, if I understand correctly, the enforcement of who gets a systemd
> stored fd returned to them is based on the cgroup name, right?
> Presumably, after a reboot, each VMM would have to start in a separate
> cgroup (using the same name as in the previous kernel) and request its
> session FDs back from systemd. That is what will be used to verify
> ownership, am I correct?

It could work either way, it depends on what the client wants to do
w.r.t state separation. If the client is fine with having a single
service being in charge of all sessions, that's of course ok, it can
have as many as it wants to.
But this also makes it possible to have strict state separation
enforced when that is instead desired. I intend to make the interface
to request a session privileged by default, but also gated by polkit,
so that it is easy to make it unprivileged and scoped to specific
uid/gid/services/etc if one wants to, with a simple polkit rule, and
in that case we really want to be sure that nobody is playing games
with other cgroups' sessions, as a precaution.

I haven't finished getting this part going, but I'm close - the client
asks for a session and provides a name, and the cgroup path of the
caller is prefixed to it when creating the session. That way they are
all tagged in a way that is immutable and unique, and that clients
cannot mess with. If the client wants multiple sessions they'll all
have the same prefix.