Commit Graph

251 Commits

Author SHA1 Message Date
John Baldwin
ec1f24a934 Add missing dependencies on the SYSVIPC modules. 2005-07-29 19:41:04 +00:00
John Baldwin
ac5ee935dd Regen. 2005-07-13 20:35:09 +00:00
John Baldwin
8683e7fdc1 Make a pass through all the compat ABIs sychronizing the MP safe flags
with the master syscall table as well as marking several ABI wrapper
functions safe.

MFC after:	1 week
2005-07-13 20:32:42 +00:00
John Baldwin
a3b324f003 Lock Giant around a call to userland_sysctl() in ibcs2_sysi86().
Approved by:	re (scottl)
2005-07-07 19:30:30 +00:00
John Baldwin
e9ccc53c63 Remove an extra call to read() in ibcs2_read() that can never be reached.
(It's already called a few lines earlier.)

Approved by:	re (scottl)
2005-07-07 19:29:42 +00:00
John Baldwin
92df1b8f6f Conditionally acquire Giant around the ISC and Xenix system calls based
on the SYF_MPSAFE flag in the wrapper system calls for the ISC and Xenix
system call vectors.

Approved by:	re (scottl)
2005-07-07 19:28:55 +00:00
Robert Watson
269c49d31b Regenerate after addition of audit event type number to syscalls.master
file format.

Approved by:	re (scottl)
2005-06-29 17:29:06 +00:00
Robert Watson
e099829817 During the system call table format change adding audit record event
fields for each system call, I missed two system call files because
they weren't named syscalls.master.  Catch up with this last two,
mapping the system calls to the NULL event for now.

Spotted by:	jhb
Approved by:	re (scottl)
2005-06-29 17:27:40 +00:00
Robert Watson
3984b2328c Rebuild generated system call definition files following the addition of
the audit event field to the syscalls.master file format.

Submitted by:	wsalamon
Obtained from:	TrustedBSD Project
2005-05-30 15:20:21 +00:00
Robert Watson
f3596e3370 Introduce a new field in the syscalls.master file format to hold the
audit event identifier associated with each system call, which will
be stored by makesyscalls.sh in the sy_auevent field of struct sysent.
For now, default the audit identifier on all system calls to AUE_NULL,
but in the near future, other BSM event identifiers will be used.  The
mapping of system calls to event identifiers is many:one due to
multiple system calls that map to the same end functionality across
compatibility wrappers, ABI wrappers, etc.

Submitted by:	wsalamon
Obtained from:	TrustedBSD Project
2005-05-30 15:09:18 +00:00
Jeff Roberson
7625cbf3cc - Pass the ISOPEN flag to namei so filesystems will know we're about to
open them or otherwise access the data.
2005-04-27 09:05:19 +00:00
John Baldwin
98df9218da - Change the vm_mmap() function to accept an objtype_t parameter specifying
the type of object represented by the handle argument.
- Allow vm_mmap() to map device memory via cdev objects in addition to
  vnodes and anonymous memory.  Note that mmaping a cdev directly does not
  currently perform any MAC checks like mapping a vnode does.
- Unbreak the DRM getbufs ioctl by having it call vm_mmap() directly on the
  cdev the ioctl is acting on rather than trying to find a suitable vnode
  to map from.

Reviewed by:	alc, arch@
2005-04-01 20:00:11 +00:00
John Baldwin
67d1e9191e Use kern_settimeofday() to avoid stackgap use. 2005-03-31 22:58:37 +00:00
Sam Leffler
3b30e64d22 correct bounds check of fd parameter
Noticed by:	Coverity Prevent analysis tool
2005-02-25 20:15:11 +00:00
Maxim Sobolev
1a88a252fd Backout previous change (disabling of security checks for signals delivered
in emulation layers), since it appears to be too broad.

Requested by:   rwatson
2005-02-13 17:37:20 +00:00
Maxim Sobolev
d8ff44b79f Split out kill(2) syscall service routine into user-level and kernel part, the
former is callable from user space and the latter from the kernel one. Make
kernel version take additional argument which tells if the respective call
should check for additional restrictions for sending signals to suid/sugid
applications or not.

Make all emulation layers using non-checked version, since signal numbers in
emulation layers can have different meaning that in native mode and such
protection can cause misbehaviour.

As a result remove LIBTHR from the signals allowed to be delivered to a
suid/sugid application.

Requested (sorta) by:	rwatson
MFC after:	2 weeks
2005-02-13 16:42:08 +00:00
John Baldwin
0ba59a6f70 - Implement ibcs2_emul_find() using kern_alternate_path(). This changes
the semantics in that the returned filename to use is now a kernel
  pointer rather than a user space pointer.  This required changing the
  arguments to the CHECKALT*() macros some and changing the various system
  calls that used pathnames to use the kern_foo() functions that can accept
  kernel space filename pointers instead of calling the system call
  directly.
- Use kern_open(), kern_access(), kern_execve(), kern_mkfifo(), kern_mknod(),
  kern_setitimer(), kern_getrusage(), kern_utimes(), kern_unlink(),
  kern_chdir(), kern_chmod(), kern_chown(), kern_symlink(), kern_readlink(),
  kern_select(), kern_statfs(), kern_fstatfs(), kern_stat(), kern_lstat(),
  kern_fstat().
- Drop the unused 'uap' argument from spx_open().
- Replace a stale duplication of vn_access() in xenix_access() lacking
  recent additions such as MAC checks, etc. with a call to kern_access().
2005-02-07 22:02:18 +00:00
Maxim Sobolev
610ecfe035 o Split out kernel part of execve(2) syscall into two parts: one that
copies arguments into the kernel space and one that operates
  completely in the kernel space;

o use kernel-only version of execve(2) to kill another stackgap in
  linuxlator/i386.

Obtained from:  DragonFlyBSD (partially)
MFC after:      2 weeks
2005-01-29 23:12:00 +00:00
Warner Losh
7ce2255642 /* -> /*- for license, add FreeBSD tag 2005-01-06 23:22:04 +00:00
John Baldwin
c88379381b - Move the function prototypes for kern_setrlimit() and kern_wait() to
sys/syscallsubr.h where all the other kern_foo() prototypes live.
- Resort kern_execve() while I'm there.
2005-01-05 22:19:44 +00:00
Poul-Henning Kamp
e1e785a3d4 Add missing zero flag arguments to sysctl calls.
Add missing pointy hat to peter@
2004-10-12 07:58:13 +00:00
John Baldwin
8a7aa72dec Regenerate after fcntl() wrappers were marked MP safe. 2004-08-24 20:24:34 +00:00
John Baldwin
2ca25ab53e Fix the ABI wrappers to use kern_fcntl() rather than calling fcntl()
directly.  This removes a few more users of the stackgap and also marks
the syscalls using these wrappers MP safe where appropriate.

Tested on:	i386 with linux acroread5
Compiled on:	i386, alpha LINT
2004-08-24 20:21:21 +00:00
Poul-Henning Kamp
3e019deaed Do a pass over all modules in the kernel and make them return EOPNOTSUPP
for unknown events.

A number of modules return EINVAL in this instance, and I have left
those alone for now and instead taught MOD_QUIESCE to accept this
as "didn't do anything".
2004-07-15 08:26:07 +00:00
Poul-Henning Kamp
ec66f15d14 Put the pre FreeBSD-2.x tty compat code under BURN_BRIDGES. 2004-06-21 22:57:16 +00:00
Julian Elischer
fa88511615 Nice, is a property of a process as a whole..
I mistakenly moved it to the ksegroup when breaking up the process
structure. Put it back in the proc structure.
2004-06-16 00:26:31 +00:00
Robert Watson
323eaa7554 Regen from ibcs2_wait() becoming MPSAFE.
Submitted by:	Dan Nelson <dnelson@allantgroup.com>
2004-03-28 22:51:40 +00:00
Robert Watson
50e3f47641 ibcs2_wait() now MPSAFE.
Submitted by:	Dan Nelson <dnelson@allantgroup.com>
2004-03-28 22:51:01 +00:00
John Baldwin
b7e23e826c - Replace wait1() with a kern_wait() function that accepts the pid,
options, status pointer and rusage pointer as arguments.  It is up to
  the caller to copyout the status and rusage to userland if needed.  This
  lets us axe the 'compat' argument and hide all that functionality in
  owait(), by the way.  This also cleans up some locking in kern_wait()
  since it no longer has to drop locks around copyout() since all the
  copyout()'s are deferred.
- Convert owait(), wait4(), and the various ABI compat wait() syscalls to
  use kern_wait() rather than wait1() or wait4().  This removes a bit
  more stackgap usage.

Tested on:	i386
Compiled on:	i386, alpha, amd64
2004-03-17 20:00:00 +00:00
John Baldwin
28596eb0ea Regen. 2004-02-06 20:21:18 +00:00
John Baldwin
44c99fac14 Sync up MP safe flags with global syscalls.master. This includes write(),
close(), getpid(), ibcs2_setuid(), getuid(), ptrace(), ibcs2_pause(),
ibcs2_nice(), ibcs2_kill(), ibcs2_pgrpsys(), dup(), pipe(), ibcs2_setgid(),
getgid(), umask(), and sigreturn().
2004-02-06 20:20:07 +00:00
John Baldwin
0804ed5acc Regen. 2004-02-04 22:00:44 +00:00
John Baldwin
c3b612d935 The following compat syscalls are now mpsafe: linux_getrlimit(),
linux_setrlimit(), linux_old_getrlimit(), osf1_getrlimit(),
osf1_setrlimit(), svr4_sys_ulimit(), svr4_sys_setrlimit(),
svr4_sys_getrlimit(), svr4_sys_setrlimit64(), svr4_sys_getrlimit64(),
ibcs2_sysconf(), and ibcs2_ulimit().
2004-02-04 21:57:00 +00:00
John Baldwin
91d5354a2c Locking for the per-process resource limits structure.
- struct plimit includes a mutex to protect a reference count.  The plimit
  structure is treated similarly to struct ucred in that is is always copy
  on write, so having a reference to a structure is sufficient to read from
  it without needing a further lock.
- The proc lock protects the p_limit pointer and must be held while reading
  limits from a process to keep the limit structure from changing out from
  under you while reading from it.
- Various global limits that are ints are not protected by a lock since
  int writes are atomic on all the archs we support and thus a lock
  wouldn't buy us anything.
- All accesses to individual resource limits from a process are abstracted
  behind a simple lim_rlimit(), lim_max(), and lim_cur() API that return
  either an rlimit, or the current or max individual limit of the specified
  resource from a process.
- dosetrlimit() was renamed to kern_setrlimit() to match existing style of
  other similar syscall helper functions.
- The alpha OSF/1 compat layer no longer calls getrlimit() and setrlimit()
  (it didn't used the stackgap when it should have) but uses lim_rlimit()
  and kern_setrlimit() instead.
- The svr4 compat no longer uses the stackgap for resource limits calls,
  but uses lim_rlimit() and kern_setrlimit() instead.
- The ibcs2 compat no longer uses the stackgap for resource limits.  It
  also no longer uses the stackgap for accessing sysctl's for the
  ibcs2_sysconf() syscall but uses kernel_sysctl() instead.  As a result,
  ibcs2_sysconf() no longer needs Giant.
- The p_rlimit macro no longer exists.

Submitted by:	mtm (mostly, I only did a few cleanups and catchups)
Tested on:	i386
Compiled on:	alpha, amd64
2004-02-04 21:52:57 +00:00
Peter Wemm
bdbbbb1bb9 GC unused 'syshide' override to /dev/null. This was here to disable
the output of the namespc column.  Its functionality was removed some time
ago, but the overrides and the namespc column remained.
2003-12-24 00:32:07 +00:00
Peter Wemm
78cb533a0c Oops, remove references to namespc column in comment (I'm not going to
bother regenerating after this)
2003-12-24 00:17:24 +00:00
Peter Wemm
18513a2e43 Regen. (This should have been a NOP except it hasn't been regenerated
after makesyscalls.sh changes and the last few syscall.master changes, and
there have been some tree-sweeps that have touched generated files).
2003-12-24 00:15:20 +00:00
Peter Wemm
17ac3054d4 GC namespc column and unwrap long lines that now fit. 2003-12-24 00:14:08 +00:00
Tim J. Robbins
7e1985fcd8 Replace the dangerous strcpy() call with strlcpy(), instead of the safe one
that was incorrectly changed in rev. 1.61.

Approved by:	re
2003-11-18 14:21:34 +00:00
Tim J. Robbins
a95edcba94 Fix a multitude of security bugs in the iBCS2 emulator:
- Return NULL instead of returning memory outside of the stackgap
  in stackgap_alloc() (FreeBSD-SA-00:42.linux)
- Check for stackgap_alloc() returning NULL in ibcs2_emul_find();
  other calls to stackgap_alloc() have not been changed since they
  are small fixed-size allocations.
- Replace use of strcpy() with strlcpy() in exec_coff_imgact()
  to avoid buffer overflow
- Use strlcat() instead of strcat() to avoid a one byte buffer
  overflow in ibcs2_setipdomainname()
- Use copyinstr() instead of copyin() in ibcs2_setipdomainname()
  to ensure that the string is null-terminated
- Avoid integer overflow in ibcs2_setgroups() and ibcs2_setgroups()
  by checking that gidsetsize argument is non-negative and
  no larger than NGROUPS_MAX.
- Range-check signal numbers in ibcs2_wait(), ibcs2_sigaction(),
  ibcs2_sigsys() and ibcs2_kill() to avoid accessing array past
  the end (or before the start)
2003-10-12 04:25:26 +00:00
Peter Wemm
c460ac3a00 Add sysentvec->sv_fixlimits() hook so that we can catch cases on 64 bit
systems where the data/stack/etc limits are too big for a 32 bit process.

Move the 5 or so identical instances of ELF_RTLD_ADDR() into imgact_elf.c.

Supply an ia32_fixlimits function.  Export the clip/default values to
sysctl under the compat.ia32 heirarchy.

Have mmap(0, ...) respect the current p->p_limits[RLIMIT_DATA].rlim_max
value rather than the sysctl tweakable variable.  This allows mmap to
place mappings at sensible locations when limits have been reduced.

Have the imgact_elf.c ld-elf.so.1 placement algorithm use the same
method as mmap(0, ...) now does.

Note that we cannot remove all references to the sysctl tweakable
maxdsiz etc variables because /etc/login.conf specifies a datasize
of 'unlimited'.  And that causes exec etc to fail since it can no
longer find space to mmap things.
2003-09-25 01:10:26 +00:00
John Baldwin
606c689b95 Remove a few ushorts I missed in my earlier pass.
Requested by:	bde
2003-08-15 14:55:50 +00:00
Jacques Vidrine
e059b0f016 The iBCS2 system call translator for statfs(2) did not check the
length parameter for validity.

Submitted by:	David Rhodus <drhodus@catpa.com>
2003-08-10 23:26:16 +00:00
Poul-Henning Kamp
a8d43c90af Add a "int fd" argument to VOP_OPEN() which in the future will
contain the filedescriptor number on opens from userland.

The index is used rather than a "struct file *" since it conveys a bit
more information, which may be useful to in particular fdescfs and /dev/fd/*

For now pass -1 all over the place.
2003-07-26 07:32:23 +00:00
Poul-Henning Kamp
3b6d965263 Add a f_vnode field to struct file.
Several of the subtypes have an associated vnode which is used for
stuff like the f*() functions.

By giving the vnode a speparate field, a number of checks for the specific
subtype can be replaced simply with a check for f_vnode != NULL, and
we can later free f_data up to subtype specific use.

At this point in time, f_data still points to the vnode, so any code I
might have overlooked will still work.
2003-06-22 08:41:43 +00:00
David E. O'Brien
db31907c73 Use __FBSDID(). 2003-06-02 06:48:51 +00:00
John Baldwin
fe8cdcae87 - Replace inline implementations of sigprocmask() with calls to
kern_sigprocmask() in the various binary compatibility emulators.
- Replace calls to sigsuspend(), sigaltstack(), sigaction(), and
  sigprocmask() that used the stackgap with calls to the corresponding
  kern_sig*() functions instead without using the stackgap.
2003-04-22 18:23:49 +00:00
Jeff Roberson
4093529dee - Move p->p_sigmask to td->td_sigmask. Signal masks will be per thread with
a follow on commit to kern_sig.c
 - signotify() now operates on a thread since unmasked pending signals are
   stored in the thread.
 - PS_NEEDSIGCHK moves to TDF_NEEDSIGCHK.
2003-03-31 22:49:17 +00:00
Warner Losh
a163d034fa Back out M_* changes, per decision of the TRB.
Approved by: trb
2003-02-19 05:47:46 +00:00
Poul-Henning Kamp
91f1c2b3cc Split the global timezone structure into two integer fields to
prevent the compiler from optimizing assignments into byte-copy
operations which might make access to the individual fields non-atomic.

Use the individual fields throughout, and don't bother locking them with
Giant: it is no longer needed.

Inspired by:    tjr
2003-02-03 19:49:35 +00:00