- Reconnect with some minor modifications, in particular now selsocket()
internals are adapted to use sbintime units after recent'ish calloutng
switch.
sockaddr_in6 structures. getnameinfo(3) does the same thing, but it is
also able to represent a scope zone id as described in the RFC 4007.
MFC after: 2 weeks
The option tells kdump to convert numeric UIDs and GIDs into user and
group names plus to convert times and dates into locallized versions.
This all needs opening various files at various occasions.
Make use of Capsicum to protect kdump(1), as it might be used to parse data
from untrusted sources:
- Sandbox kdump(1) using capability mode.
- Limit stdin descriptor (where opened file is moved to) to only
CAP_READ and CAP_FSTAT rights.
- Limit stdout descriptor to only CAP_WRITE, CAP_FSTAT and CAP_IOCTL.
Plus limit allowed ioctls to TIOCGETA only, which is needed for
isatty() to work.
- Limit stderr descriptor to only CAP_WRITE and CAP_FSTAT. In addition
if the -s option is not given, grant CAP_IOCTL right, but allow for
TIOCGWINSZ ioctl only, as we need screen width to dump the data.
- Before entering capability mode call catopen("libc", NL_CAT_LOCALE),
which opens message catalogs and caches data, so that strerror(3)
and strsignal(3) can work in a sandbox.
Sponsored by: The FreeBSD Foundation
Discussed with: rwatson
Rearrange the code so we don't call ioctl(TIOCGWINSZ) if the -s option is given,
as the result won't be used then.
Sponsored by: The FreeBSD Foundation
- Capability is no longer separate descriptor type. Now every descriptor
has set of its own capability rights.
- The cap_new(2) system call is left, but it is no longer documented and
should not be used in new code.
- The new syscall cap_rights_limit(2) should be used instead of
cap_new(2), which limits capability rights of the given descriptor
without creating a new one.
- The cap_getrights(2) syscall is renamed to cap_rights_get(2).
- If CAP_IOCTL capability right is present we can further reduce allowed
ioctls list with the new cap_ioctls_limit(2) syscall. List of allowed
ioctls can be retrived with cap_ioctls_get(2) syscall.
- If CAP_FCNTL capability right is present we can further reduce fcntls
that can be used with the new cap_fcntls_limit(2) syscall and retrive
them with cap_fcntls_get(2).
- To support ioctl and fcntl white-listing the filedesc structure was
heavly modified.
- The audit subsystem, kdump and procstat tools were updated to
recognize new syscalls.
- Capability rights were revised and eventhough I tried hard to provide
backward API and ABI compatibility there are some incompatible changes
that are described in detail below:
CAP_CREATE old behaviour:
- Allow for openat(2)+O_CREAT.
- Allow for linkat(2).
- Allow for symlinkat(2).
CAP_CREATE new behaviour:
- Allow for openat(2)+O_CREAT.
Added CAP_LINKAT:
- Allow for linkat(2). ABI: Reuses CAP_RMDIR bit.
- Allow to be target for renameat(2).
Added CAP_SYMLINKAT:
- Allow for symlinkat(2).
Removed CAP_DELETE. Old behaviour:
- Allow for unlinkat(2) when removing non-directory object.
- Allow to be source for renameat(2).
Removed CAP_RMDIR. Old behaviour:
- Allow for unlinkat(2) when removing directory.
Added CAP_RENAMEAT:
- Required for source directory for the renameat(2) syscall.
Added CAP_UNLINKAT (effectively it replaces CAP_DELETE and CAP_RMDIR):
- Allow for unlinkat(2) on any object.
- Required if target of renameat(2) exists and will be removed by this
call.
Removed CAP_MAPEXEC.
CAP_MMAP old behaviour:
- Allow for mmap(2) with any combination of PROT_NONE, PROT_READ and
PROT_WRITE.
CAP_MMAP new behaviour:
- Allow for mmap(2)+PROT_NONE.
Added CAP_MMAP_R:
- Allow for mmap(PROT_READ).
Added CAP_MMAP_W:
- Allow for mmap(PROT_WRITE).
Added CAP_MMAP_X:
- Allow for mmap(PROT_EXEC).
Added CAP_MMAP_RW:
- Allow for mmap(PROT_READ | PROT_WRITE).
Added CAP_MMAP_RX:
- Allow for mmap(PROT_READ | PROT_EXEC).
Added CAP_MMAP_WX:
- Allow for mmap(PROT_WRITE | PROT_EXEC).
Added CAP_MMAP_RWX:
- Allow for mmap(PROT_READ | PROT_WRITE | PROT_EXEC).
Renamed CAP_MKDIR to CAP_MKDIRAT.
Renamed CAP_MKFIFO to CAP_MKFIFOAT.
Renamed CAP_MKNODE to CAP_MKNODEAT.
CAP_READ old behaviour:
- Allow pread(2).
- Disallow read(2), readv(2) (if there is no CAP_SEEK).
CAP_READ new behaviour:
- Allow read(2), readv(2).
- Disallow pread(2) (CAP_SEEK was also required).
CAP_WRITE old behaviour:
- Allow pwrite(2).
- Disallow write(2), writev(2) (if there is no CAP_SEEK).
CAP_WRITE new behaviour:
- Allow write(2), writev(2).
- Disallow pwrite(2) (CAP_SEEK was also required).
Added convinient defines:
#define CAP_PREAD (CAP_SEEK | CAP_READ)
#define CAP_PWRITE (CAP_SEEK | CAP_WRITE)
#define CAP_MMAP_R (CAP_MMAP | CAP_SEEK | CAP_READ)
#define CAP_MMAP_W (CAP_MMAP | CAP_SEEK | CAP_WRITE)
#define CAP_MMAP_X (CAP_MMAP | CAP_SEEK | 0x0000000000000008ULL)
#define CAP_MMAP_RW (CAP_MMAP_R | CAP_MMAP_W)
#define CAP_MMAP_RX (CAP_MMAP_R | CAP_MMAP_X)
#define CAP_MMAP_WX (CAP_MMAP_W | CAP_MMAP_X)
#define CAP_MMAP_RWX (CAP_MMAP_R | CAP_MMAP_W | CAP_MMAP_X)
#define CAP_RECV CAP_READ
#define CAP_SEND CAP_WRITE
#define CAP_SOCK_CLIENT \
(CAP_CONNECT | CAP_GETPEERNAME | CAP_GETSOCKNAME | CAP_GETSOCKOPT | \
CAP_PEELOFF | CAP_RECV | CAP_SEND | CAP_SETSOCKOPT | CAP_SHUTDOWN)
#define CAP_SOCK_SERVER \
(CAP_ACCEPT | CAP_BIND | CAP_GETPEERNAME | CAP_GETSOCKNAME | \
CAP_GETSOCKOPT | CAP_LISTEN | CAP_PEELOFF | CAP_RECV | CAP_SEND | \
CAP_SETSOCKOPT | CAP_SHUTDOWN)
Added defines for backward API compatibility:
#define CAP_MAPEXEC CAP_MMAP_X
#define CAP_DELETE CAP_UNLINKAT
#define CAP_MKDIR CAP_MKDIRAT
#define CAP_RMDIR CAP_UNLINKAT
#define CAP_MKFIFO CAP_MKFIFOAT
#define CAP_MKNOD CAP_MKNODAT
#define CAP_SOCK_ALL (CAP_SOCK_CLIENT | CAP_SOCK_SERVER)
Sponsored by: The FreeBSD Foundation
Reviewed by: Christoph Mallon <christoph.mallon@gmx.de>
Many aspects discussed with: rwatson, benl, jonathan
ABI compatibility discussed with: kib
GIANT from VFS. In addition, disconnect also netsmb, which is a base
requirement for SMBFS.
In the while SMBFS regular users can use FUSE interface and smbnetfs
port to work with their SMBFS partitions.
Also, there are ongoing efforts by vendor to support in-kernel smbfs,
so there are good chances that it will get relinked once properly locked.
This is not targeted for MFC.
Revamp the CAM enclosure services driver.
This updated driver uses an in-kernel daemon to track state changes and
publishes physical path location information\for disk elements into the
CAM device database.
Sponsored by: Spectra Logic Corporation
Sponsored by: iXsystems, Inc.
Submitted by: gibbs, will, mav
a pair of records similar to syscall entry and return that a user can
use to determine how long page faults take. The new ktrace records are
enabled via the 'p' trace type, and are enabled in the default set of
trace points.
Reviewed by: kib
MFC after: 2 weeks
ioctlname() to return a pointer to the name rather than print it. This did
not show up in testing because truss had its own prototype for ioctlname(),
so it would build fine and run fine as long as the program being traced did
not issue an ioctl.
Teach mkioctls to generate different versions of ioctlname() based on its
first command-line argument.
Pointed out by: Garrett Cooper <yanegomi@gmail.com>
only logged instances where an operation on a file descriptor required
capabilities which the file descriptor did not have. By adding a type enum
to struct ktr_cap_fail, we can catch other types of capability failures as
well, such as disallowed system calls or attempts to wrap a file descriptor
with more capabilities than it had to begin with.
ipfilter headers contain a duplicated function declaration. Turn off
-Werror to allow kdump to compile in spite of this.
It would be neat to be able to turn off -Werror on a file-by-file basis...
PR: bin/161478
Submitted by: Garrett Cooper <yanegomi@gmail.com>
actually print the name (or the numeric value, if they can't figure out
the correct name) instead of just returning a pointer to it. Also, since
ioctl numbers are not and probably never will be unique, drop support for
using a switch statement instead of an if/else chain.
return value is intentionally ignored, but frankly, all it does is
get in the way of the code.
Also fix a few other incorrect casts, such as (void *)malloc(foo) and
passing signed values to %x.
functions may be wider than int, so use intmax_t throughout. Also
add missing casts in printf() calls.
2) Clean up some of the auto-generated code to improve readability.
3) Auto-generate kdump_subr.h. Note that this requires a semi-ugly hack
in the Makefile to make sure it is generated before make(1) tries to
build kdump.c, or preprocess it for 'make depend'.
MFC after: 3 weeks
Fix bug introduced in my previous commit: the kernel always dump native
signal numbers, so no need to check the ABI in ktrpsig().
Suggested by: jhb
MFC after: 1 Month.
is in accordance with the information provided at
ftp://ftp.cs.berkeley.edu/pub/4bsd/README.Impt.License.Change
Also add $FreeBSD$ to a few files to keep svn happy.
Discussed with: imp, rwatson
bitwise parameters (e.g. mmap), print the syscall parameter value first.
The resulting output looks like the %b specifier of printf(9).
Before:
mmap(0,0x8000,PROT_READ|PROT_WRITE,...
After:
mmap(0,0x8000,0x3<PROT_READ|PROT_WRITE>,...
Submitted by: Norberto Lopes <nlopes.ml at gmail.com>
Idea from: freebsd-arch/2006-April/005116.html
sockaddr structures. As such, we have top copy the data structure
into a local buffer before we can reference it, otherwise we have
unaligned references (these are fixed up automatically on some CPUs,
but not on others). We do this unconditionally to make the code
easier to read and understand.
Submitted by: Grzegorz Bernacki
ktrsyscall(). print_number() does decrement the number of arguments,
leading to infinite loops for negative values.
Reported by: Patrick Lamaiziere <patpr at davenulle dot org>,
Jonathan Pascal <jkpyvxmzsa at mailinator dot com>
Submitted by: jh
PR: bin/120055, kern/119564
MFC: 1 week
I don't entirely like this approach, but it will only be temporarily,
namely until we get rid of COMPAT_43TTY. I do want <sys/ioctl_compat.h>
to cause a compiler error when included, because it's just there for
binary compatibility.
Reported by: Andrzej Tobola <ato iem pw edu pl>
At first I allowed ioctl_compat.h to be included, but it just returned
an empty file. I had to do this, to keep kdump happy. I really want to
raise a compiler error when including this header, so now it will just
throw an error if you don't set COMPAT_43TTY.
internal sysctl_sysctl_name() handler to map the MIB array to a string
name and logs this name in the trace log. This can be useful to see
exactly which sysctls a thread is invoking.
MFC after: 1 month
NET_NEEDS_GIANT. netatm has been disconnected from the build for ten
months in HEAD/RELENG_7. Specifics:
- netatm include files
- netatm command line management tools
- libatm
- ATM parts in rescue and sysinstall
- sample configuration files and documents
- kernel support as a module or in NOTES
- netgraph wrapper nodes for netatm
- ctags data for netatm.
- netatm-specific device drivers.
MFC after: 3 weeks
Reviewed by: bz
Discussed with: bms, bz, harti
consists of the null-terminated name and the contents of any structure
you wish to record. A new ktrstruct() function constructs and emits a
KTR_STRUCT record. It is accompanied by convenience macros for struct
stat and struct sockaddr.
In kdump(1), KTR_STRUCT records are handled by a dispatcher function
that runs stringent sanity checks on its contents before handing it
over to individual decoding funtions for each type of structure.
Currently supported structures are struct stat and struct sockaddr for
the AF_INET, AF_INET6 and AF_UNIX families; support for AF_APPLETALK
and AF_IPX is present but disabled, as I am unable to test it properly.
Since 's' was already taken, the letter 't' is used by ktrace(1) to
enable KTR_STRUCT trace points, and in kdump(1) to enable their
decoding.
Derived from patches by Andrew Li <andrew2.li@citi.com>.
PR: kern/117836
MFC after: 3 weeks
were recently), a simple 'make cleandepend; make depend' is sufficient
to keep the tree buildable after a cvs update when doing incremental
builds.
However, kdump and truss use a script which searches for header files
that define ioctls, and generates C code that includes them. This
script will usually not need updating when a header file is removed,
so the normal dependency mechanism will not realize that it needs to
be re-run. One is therefore left with code that references dead files
but will only be removed by a full 'make clean', which defeats the
purpose of incremental builds.
To work around this, modify the cleandepend target in bsd.dep.mk to
also remove any files listed in a new variable named CLEANDEPFILES,
and modify kdump's and truss's Makefiles accordingly.
MFC after: 2 weeks
NET_NEEDS_GIANT, which will shortly be removed. This is done in a
away that it may be easily reattached to the build before 7.1 if
appropriate locking is added. Specifics:
- Don't install netatm include files
- Disconnect netatm command line management tools
- Don't build libatm
- Don't include ATM parts in rescue or sysinstall
- Don't install sample configuration files and documents
- Don't build kernel support as a module or in NOTES
- Don't build netgraph wrapper nodes for netatm
This removes the last remaining consumer of NET_NEEDS_GIANT.
Reviewed by: harti
Discussed with: bz, bms
Approved by: re (kensmith)
activate the traces, set the LD_UTRACE (or LD_32_UTRACE) environment
variable. This also includes code in kdump(8) to parse the traces.
Reviewed by: kan, jdp
MFC after: 2 weeks
human-readable format. Note that we report 'realloc(p, 0)' as 'free(p)'
since both cases are encoded the same way and 'free()' is more common
than a realloc() to 0.
MFC after: 1 week
of a socket() call with sockipprotoname() if the first parameter (domain)
is PF_INET or PF_INET6.
Old parsing behavior before this change:
ping6 CALL socket(PF_INET6,SOCK_RAW,0x3a)
New behavior after this change:
ping6 CALL socket(PF_INET6,SOCK_RAW,IPPROTO_ICMPV6)
of auto_or_type.
The old parsing code would incorrectly decode a socket() call in the
ping6 program as:
CALL socket(PF_PUP|PF_ECMA|PF_APPLETALK|PF_COIP|PF_SIP,SOCK_DGRAM,0)
The new parsing code decodes the same socket() call as:
CALL socket(PF_INET6,SOCK_DGRAM,0)
However, auto_if_type() uses if/else statements in C instead
of a single switch statement, when mapping an integer value to
a #define. For certain cases where multiple #define constants
alias to a single integer value, auto_if_type() makes things easier
to parse than auto_switch_type().
it as an enum.
If an SCTP SOCK_SEQPACKET socket was opened, kdump would display this
wrong output:
socket(PF_INET,SOCK_STREAM|SOCK_RDM|SOCK_SEQPACKET,0x84)
instead of this correct output:
socket(PF_INET,SOCK_SEQPACKET,0x84)
MFC after: 2 weeks
32229 telnet CALL mmap(0,0x8000,0x3,0x1002,0xffffffff,0,0,0)
32229 telnet CALL open(0x2807bc28,0,0x1b6)
32229 telnet CALL socket(0x2,0x2,0)
to
32229 telnet CALL mmap(0,0x8000,PROT_READ|PROT_WRITE,MAP_PRIVATE|MAP_ANON,0xffffffff,0,0,0)
32229 telnet CALL open(0x2807bc28,O_RDONLY,<unused>0x1b6)
32229 telnet CALL socket(PF_INET,SOCK_DGRAM,0)
David wanted to implement the suggestions which came up at the review from
arch@ too, but real life rejected this proposal. So I commit what we already
got and let another volunteer pick the remaining work from the ideas list.
Submitted by: "David Kirchner" <dpk@dpk.net>
Suggested by: FreeBSD ideas list page
Reviewed by: arch
field holding the threadid. This is more useful for libthr than
libpthread, but still quite useful in libpthread as it can be used to
process interlaced records from multiple threads over the course of a
system call.
Detect old ktr_buffer values using the heuristic "if it's negative,
then it must not be a valid threadid". This may leave something to be
desired.
MFC after: 1 month
Reviewed by: davidxu
- sort the -E switch into the right place.
- add previously missing -p pid in usage (from the last few commits).
- add -E to usage.
- consistently use trfile in the man page.
I knew I shouldn't have touched the man page. If I commit to a man page,
it just makes people suspicious. :-)
1) add a "-p pid", which is rather useful for selecting a single pid in
a combined trace file (eg: with ktrace -i).
2) display binary genio data in a more precise format.
KTR_DROP set in its header, then we output an extra line to stdout to
indicate that events were dropped between the previous record and this
record. It is a bit trickier because we need to always notify the user
if events are dropped even if KTR_DROP is set on a record of a type that
we aren't interested in since kdump(8) doesn't know if the dropped events
were of the types that the user has requested. To avoid outputting
multiple events dropped notices in between actual event logs, a state
variable is set whenever a drop is logged and cleared whenever an actual
record is output.
Requested by: phk
1) Define _KERNEL while including sys/time.h to get some function prototypes.
2) Add prototypes and ANSIify definitions.
3) Constness changes.
4) Remove register keyword.
5) Actually return a sensible value from main.
6) Make fread_tail take a void * instead of a char *.
7) Avoid a signedness warning by casting to a size_t. Should be safe
enough 'cos we also check for nonnegativity.
8) Be extra chummy with sigset_t rather than passing a struct to printf
and pretending it is an int.
breakage with ioctl.c. The .depend file should track dependencies
just fine, and the worst we can have is to miss new ioctls.
But I still think it's a good idea to have -DNOCLEAN build produce
the same ioctl.c as it would without -DNOCLEAN.
Prodded for a long time by: bde
Currently, cs_CZ.ISO_8859-2 locale's collation sequence is
broken, and this caused grep(1) to skip some include files.
Reported by: Michal Mertl <mime@traveller.cz>
Some of the major changes include:
- The SCSI error handling portion of cam_periph_error() has
been broken out into a number of subfunctions to better
modularize the code that handles the hierarchy of SCSI errors.
As a result, the code is now much easier to read.
- String handling and error printing has been significantly
revamped. We now use sbufs to do string formatting instead
of using printfs (for the kernel) and snprintf/strncat (for
userland) as before.
There is a new catchall error printing routine,
cam_error_print() and its string-based counterpart,
cam_error_string() that allow the kernel and userland
applications to pass in a CCB and have errors printed out
properly, whether or not they're SCSI errors. Among other
things, this helped eliminate a fair amount of duplicate code
in camcontrol.
We now print out more information than before, including
the CAM status and SCSI status and the error recovery action
taken to remedy the problem.
- sbufs are now available in userland, via libsbuf. This
change was necessary since most of the error printing code
is shared between libcam and the kernel.
- A new transfer settings interface is included in this checkin.
This code is #ifdef'ed out, and is primarily intended to aid
discussion with HBA driver authors on the final form the
interface should take. There is example code in the ahc(4)
driver that implements the HBA driver side of the new
interface. The new transfer settings code won't be enabled
until we're ready to switch all HBA drivers over to the new
interface.
src/Makefile.inc1,
lib/Makefile: Add libsbuf. It must be built before libcam,
since libcam uses sbuf routines.
libcam/Makefile: libcam now depends on libsbuf.
libsbuf/Makefile: Add a makefile for libsbuf. This pulls in the
sbuf sources from sys/kern.
bsd.libnames.mk: Add LIBSBUF.
camcontrol/Makefile: Add -lsbuf. Since camcontrol is statically
linked, we can't depend on the dynamic linker
to pull in libsbuf.
camcontrol.c: Use cam_error_print() instead of checking for
CAM_SCSI_STATUS_ERROR on every failed CCB.
sbuf.9: Change the prototypes for sbuf_cat() and
sbuf_cpy() so that the source string is now a
const char *. This is more in line wth the
standard system string functions, and helps
eliminate warnings when dealing with a const
source buffer.
Fix a typo.
cam.c: Add description strings for the various CAM
error status values, as well as routines to
look up those strings.
Add new cam_error_string() and
cam_error_print() routines for userland and
the kernel.
cam.h: Add a new CAM flag, CAM_RETRY_SELTO.
Add enumerated types for the various options
available with cam_error_print() and
cam_error_string().
cam_ccb.h: Add new transfer negotiation structures/types.
Change inq_len in the ccb_getdev structure to
be "reserved". This field has never been
filled in, and will be removed when we next
bump the CAM version.
cam_debug.h: Fix typo.
cam_periph.c: Modularize cam_periph_error(). The SCSI error
handling part of cam_periph_error() is now
in camperiphscsistatuserror() and
camperiphscsisenseerror().
In cam_periph_lock(), increase the reference
count on the periph while we wait for our lock
attempt to succeed so that the periph won't go
away while we're sleeping.
cam_xpt.c: Add new transfer negotiation code. (ifdefed
out)
Add a new function, xpt_path_string(). This
is a string/sbuf analog to xpt_print_path().
scsi_all.c: Revamp string handing and error printing code.
We now use sbufs for much of the string
formatting code. More of that code is shared
between userland the kernel.
scsi_all.h: Get rid of SS_TURSTART, it wasn't terribly
useful in the first place.
Add a new error action, SS_REQSENSE. (Send a
request sense and then retry the command.)
This is useful when the controller hasn't
performed autosense for some reason.
Change the default actions around a bit.
scsi_cd.c,
scsi_da.c,
scsi_pt.c,
scsi_ses.c: SF_RETRY_SELTO -> CAM_RETRY_SELTO. Selection
timeouts shouldn't be covered by a sense flag.
scsi_pass.[ch]: SF_RETRY_SELTO -> CAM_RETRY_SELTO.
Get rid of the last vestiges of a read/write
interface.
libkern/bsearch.c,
sys/libkern.h,
conf/files: Add bsearch.c, which is needed for some of the
new table lookup routines.
aic7xxx_freebsd.c: Define AHC_NEW_TRAN_SETTINGS if
CAM_NEW_TRAN_CODE is defined.
sbuf.h,
subr_sbuf.c: Add the appropriate #ifdefs so sbufs can
compile and run in userland.
Change sbuf_printf() to use vsnprintf()
instead of kvprintf(), which is only available
in the kernel.
Change the source string for sbuf_cpy() and
sbuf_cat() to be a const char *.
Add __BEGIN_DECLS and __END_DECLS around
function prototypes since they're now exported
to userland.
kdump/mkioctls: Include stdio.h before cam.h since cam.h now
includes a function with a FILE * argument.
Submitted by: gibbs (mostly)
Reviewed by: jdp, marcel (libsbuf makefile changes)
Reviewed by: des (sbuf changes)
Reviewed by: ken
since it could potentially depend on any ${DESTDIR}/usr/include
preprocessor file. This fixes the broken -DNOCLEAN world build
I experienced yesterday.
is an application space macro and the applications are supposed to be free
to use it as they please (but cannot). This is consistant with the other
BSD's who made this change quite some time ago. More commits to come.
now be specified on the command line. Accept a '-s' option which
controls whether a switch-statement is to be used instead of a series
of if-statements.
Replace cpp with gcc -E.
Discussed with: bde
