Commit Graph

4330 Commits

Author SHA1 Message Date
Robert Watson
f8cf411e49 o Back out portions of 1.50 and 1.47, eliminating sonewconn3() and
always deriving the credential for a newly accepted connection from
  the listen socket.  Previously, the selection of the credential
  depended on the protocol: UNIX domain sockets would use the
  connecting process's credential, and protocols supporting a creation
  of the socket before the receiving end called accept() would use
  the listening socket.  After this change, it is always the listening
  credential.

Reviewed by:	green
2001-12-13 22:09:37 +00:00
Mike Silbersack
ebacce5e99 Limit maxprocperuid to 9/10 maxproc, and limit maxfilesperproc to 9/10
maxfiles.  This should make local resource exhaustion attacks easier
to handle with a non-tweaked setup.

MFC after:	3 days
2001-12-13 20:00:45 +00:00
John Baldwin
69e9495750 Use a per-thread variable for keeping state when a thread is processing
a KTR log entry.  Any KTR requests made while working on an entry are
ignored/discarded to prevent recursion.  This is a better fix for the
hack to futz with the CPU mask and call getnanotime() if KTR_LOCK or
KTR_WITNESS was on.  It also covers the actual formatting of the log entry
including dumping it to the display which the earlier hacks did not.
2001-12-13 10:33:20 +00:00
Andrew R. Reiter
83aee5a8d5 - Move _jail sysctl node underneath _kern_security in order to standardize
where our security related sysctl tuneables are located.  Also, this
  will help if/when we move _security node out from under _kern as to help
  make _kern less cluttered.

Approved by:	rwatson
Review by:	rwatson
2001-12-12 05:23:20 +00:00
John Baldwin
0bbc882680 Overhaul the per-CPU support a bit:
- The MI portions of struct globaldata have been consolidated into a MI
  struct pcpu.  The MD per-CPU data are specified via a macro defined in
  machine/pcpu.h.  A macro was chosen over a struct mdpcpu so that the
  interface would be cleaner (PCPU_GET(my_md_field) vs.
  PCPU_GET(md.md_my_md_field)).
- All references to globaldata are changed to pcpu instead.  In a UP kernel,
  this data was stored as global variables which is where the original name
  came from.  In an SMP world this data is per-CPU and ideally private to each
  CPU outside of the context of debuggers.  This also included combining
  machine/globaldata.h and machine/globals.h into machine/pcpu.h.
- The pointer to the thread using the FPU on i386 was renamed from
  npxthread to fpcurthread to be identical with other architectures.
- Make the show pcpu ddb command MI with a MD callout to display MD
  fields.
- The globaldata_register() function was renamed to pcpu_init() and now
  init's MI fields of a struct pcpu in addition to registering it with
  the internal array and list.
- A pcpu_destroy() function was added to remove a struct pcpu from the
  internal array and list.

Tested on:	alpha, i386
Reviewed by:	peter, jake
2001-12-11 23:33:44 +00:00
Guido van Rooij
f4029c1446 Fix boot -p for DDBless kernels
Pointed out by: John Hay <jhay@icomtek.csir.co.za>
2001-12-11 10:21:26 +00:00
Peter Wemm
b21d3f5c61 Wrap Dangerously Dedicated printf under if (bootverbose) 2001-12-11 05:35:43 +00:00
David E. O'Brien
071087f3d7 Missed an assignment of arg6 in previous commit. 2001-12-10 20:58:39 +00:00
David E. O'Brien
b45df7b4ae Adjust for the addition of CTR6. 2001-12-10 20:18:17 +00:00
Guido van Rooij
28703190c5 Add new boot flag to i386 boot: -p.
This flag adds a pausing utility. When ran with -p, during the kernel
probing phase, the kernel will pause after each line of output.
This pausing can be ended with the '.' key, and is automatically
suspended when entering ddb.

This flag comes in handy at systems without a serial port that either hang
during booting or reser.
Reviewed by:	(partly by jlemon)
MFC after:	1 week
2001-12-10 20:02:22 +00:00
David E. O'Brien
a48740b6c5 Update to C99, s/__FUNCTION__/__func__/. 2001-12-10 05:51:45 +00:00
David E. O'Brien
91f9161737 Repeat after me -- "Use of ANSI string concatenation can be bad."
In this case, C99's __func__ is properly defined as:

	static const char __func__[] = "function-name";

and GCC 3.1 will not allow it to be used in bogus string concatenation.
2001-12-10 05:40:12 +00:00
Alan Cox
604035c5f2 o Eliminate compilation warnings on 64-bit architectures. 2001-12-10 03:34:06 +00:00
Alan Cox
91369fc768 o Eliminate unnecessary synchronization from filt_aiodetach().
o The manual page for kevent says that EVFILT_AIO returns under the same
   conditions as aio_error().  With that in mind, set the data field
   of the returned struct kevent to the value that would be returned
   by aio_error().
 o Fix two compilation warnings.
2001-12-09 08:16:36 +00:00
Matthew Dillon
66a11b9fb1 Allow maxusers to be specified as 0 in the kernel config, which will
cause the system to auto-size to between 32 and 512 depending on the
amount of memory.

MFC after:	1 week
2001-12-09 01:57:09 +00:00
Matthew Dillon
a4233d5dc3 The nbuf calculation was assuming that PAGE_SIZE = 4096 bytes, which is
bogus.  The calculation has been adjusted to use units of kilobytes.

Noticed by: Chad David <davidc@acns.ab.ca>
MFC after:	1 week
2001-12-08 20:37:08 +00:00
Chad David
995a2227c5 Update the comment about System initialization to reflect the use of
DOMAIN_SET(9) instead of SYSINIT for adding domains at startup.

Reviewed by: alfred
2001-12-08 04:20:54 +00:00
Robert Watson
5a92ee3c00 o A few more minor whitespace and other style fixes.
Submitted by:	bde
2001-12-06 21:58:47 +00:00
Robert Watson
9147519a91 o Remove unnecessary inclusion of opt_global.h.
Submitted by:	bde
2001-12-06 21:55:41 +00:00
Robert Watson
65bbadfbbc o Make kern.security.bsd.suser_enabled TUNABLE.
Requested by:	green
2001-12-05 18:49:20 +00:00
Kirk McKusick
dd58224e31 Update pathnames for creation of tags file. 2001-12-05 01:23:21 +00:00
Robert Watson
5d476e73ce o Update an instance of 'unprivileged_procdebug_permitted' missed
in the previous commit: the comment should also call it
  'unprivileged_proc_debug'.
2001-12-03 19:10:21 +00:00
Robert Watson
011376308f o Introduce pr_mtx into struct prison, providing protection for the
mutable contents of struct prison (hostname, securelevel, refcount,
  pr_linux, ...)
o Generally introduce mtx_lock()/mtx_unlock() calls throughout kern/
  so as to enforce these protections, in particular, in kern_mib.c
  protection sysctl access to the hostname and securelevel, as well as
  kern_prot.c access to the securelevel for access control purposes.
o Rewrite linux emulator abstractions for accessing per-jail linux
  mib entries (osname, osrelease, osversion) so that they don't return
  a pointer to the text in the struct linux_prison, rather, a copy
  to an array passed into the calls.  Likewise, update linprocfs to
  use these primitives.
o Update in_pcb.c to always use prison_getip() rather than directly
  accessing struct prison.

Reviewed by:	jhb
2001-12-03 16:12:27 +00:00
Robert Watson
4f5a4612d3 o Uniformly copy uap arguments into local variables before grabbing
giant, and make whitespace more consistent around giant-frobbing.
2001-12-02 15:22:56 +00:00
Robert Watson
f605567c24 o Remove KSE race in setuid() in which oldcred was preserved before giant
was grabbed.  This was introduced in 1.101 when the giant pushdown
  for kern_prot.c was originally performed.
2001-12-02 15:15:29 +00:00
Robert Watson
eb725b4e6a o General style, formatting, etc, improvements:
- uid's -> uids
	- whitespace improvements, linewrap improvements
	- reorder copyright more appropriately
	- remove redundant MP SAFE comments, add one "NOT MPSAFE?"
	  for setgroups(), which seems to be the sole un-changed system
	  call in the file.
	- clean up securelevel_g?() functions, improve comments.

Largely submitted by:	bde
2001-12-02 15:07:10 +00:00
Alfred Perlstein
59aff5fcf3 make LOCKF_DEBUG kernel option work (sorta)
Submitted by: Maxim Konovalov <maxim@macomnet.ru>
PR: kern/32267
2001-12-02 12:47:25 +00:00
Luigi Rizzo
60363fb9f7 vm/vm_kern.c: rate limit (to once per second) diagnostic printf when
you run out of mbuf address space.

kern/subr_mbuf.c: print a warning message when mb_alloc fails, again
	rate-limited to at most once per second. This covers other
	cases of mbuf allocation failures. Probably it also overlaps the
	one handled in vm/vm_kern.c, so maybe the latter should go away.

This warning will let us gradually remove the printf that are scattered
across most network drivers to report mbuf allocation failures.
Those are potentially dangerous, in that they are not rate-limited and
can easily cause systems to panic.

Unless there is disagreement (which does not seem to be the case
judging from the discussion on -net so far), and because this is
sort of a safety bugfix, I plan to commit a similar change to STABLE
during the weekend (it affects kern/uipc_mbuf.c there).

Discussed-with: jlemon, silby and -net
2001-12-01 00:21:30 +00:00
Robert Watson
6f3933fa6f o Introduce kern.security.bsd.unprivileged_read_msgbuf, which allows
the administrator to restrict access to the kernel message buffer.
  It defaults to '1', which permits access, but if set to '0', requires
  that the process making the sysctl() have appropriate privilege.
o Note that for this to be effective, access to this data via system
  logs derived from /dev/klog must also be limited.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, NAI Labs
2001-11-30 21:40:52 +00:00
Robert Watson
e409590d0e o Further sysctl name simplification, generally stripping 'permitted',
using '_'s more consistently.

Discussed with:	bde, jhb
Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, NAI Labs
2001-11-30 21:33:16 +00:00
Robert Watson
48713bdc3c o Move current inhabitants of kern.security to kern.security.bsd, so
that new models can inhabit kern.security.<modelname>.
o While I'm there, shorten somewhat excessive variable names, and clean
  things up a little.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, NAI Labs
2001-11-30 20:58:31 +00:00
Robert Watson
1e4b531bb6 o Cache req->td->td_proc->p_ucred->cr_prison in pr to improve
readability.
o Conditionalize only the SYSCTL definitions for the regression
  tree, not the variables itself, decreasing the number of #ifdef
  REGRESSIONs scattered in kern_mib.c, and making the code more
  readable.

Sponsored by:	DARPA, NAI Labs
2001-11-28 21:22:05 +00:00
John W. De Boskey
a5f75648d8 Return a more meaningful errno when the length of the interpreter
exceeds MAXSHELLCMDLEN to avoid secondary /bin/sh execution.

Update execve man page to reflect change.

Increase MAXSHELLCMDLEN to a slightly more meaningful value.

PR:		kern/32106
Submitted by:	b@etek.chalmers.se
Reviewed by:	bsd
MFC after:	2 weeks
2001-11-28 03:26:58 +00:00
Peter Wemm
023a0e6100 Dont print the sysctl node tree unless you're root.
Found by:	jkb (Yahoo OS troublemaker)
2001-11-28 03:11:16 +00:00
Bosko Milekic
a705398be0 Context:
For an object type, we maintain a variable mb_mapfull. It is 0 by default
and is only raised to 1 in one place: when an mb_pop_cont() fails for
the first time, on the assumption that the reason for the failure is
due to the underlying map for the object (e.g. clust_map, mbuf_map) being
exhausted.

Problem and Changes:
Change how we define "mb_mapfull." It now means: "set to 1 when the first
mb_pop_cont() fails only in the kmem_malloc()-ing of the object, and
only if the call was with the M_TRYWAIT flag." This is a more conservative
definition and should avoid odd [but theoretically possible] situations
from occuring. i.e. we had set mb_mapfull to 1 thinking the map for the
object was actually exhausted when we _actually_ failed in malloc()ing
the space for the bucket structure managing the objects in the page
we're allocating.
2001-11-25 04:42:54 +00:00
Doug Rabson
c36e48514d Since we used '#ifdef __i386__', don't close with '#endif /* !__alpha__ */' 2001-11-24 10:11:14 +00:00
David E. O'Brien
d970bcc9db Remove the use of _PATH_DEV in the example.
The kernel certainly doesn't use _PATH_DEV or even /dev/ to find the device.
It cannot, since "/" has not been mounted.  Maybe the only affect of using
/dev/ is that it gets put in the mounted-from name for "/", so that mount(8),
etc., display an absolute path before "/" has been remounted.  Many have
never bothered typing the full path, and code that constructs a path in
rootdevnames[] never bothered to construct a full path, so the example
shouldn't have it.

Submitted by:	bde
2001-11-24 01:34:12 +00:00
Peter Wemm
fef8392d99 Recognize the "fixed" geometry in boot1 so that DD disks are not
interpreted as real fdisk tables (and fail).
2001-11-21 08:31:45 +00:00
David E. O'Brien
cabb03fc76 We only have slices on i386 and IA-64. 2001-11-20 23:48:00 +00:00
Maxim Sobolev
783c41d432 Make kevents on pipes work as described in the manpage - when the last
reader/writer disconnects, ensure that anybody who is waiting for the
kevent on the other end of the pipe gets EV_EOF.

MFC after:	2 weeks
2001-11-19 09:25:30 +00:00
Matthew Dillon
849948a7cd cast hashing index to (int)(intptr_t) for calculation.
mtx_init() with MTX_QUIET and MTX_NOWITNESS to avoid bogus warnings
2001-11-19 00:20:36 +00:00
Andrew R. Reiter
b489b4075c - Ensure that linker file id's are unique, rather than blindly
incrementing the value.

Reviewed by: dfr, peter
2001-11-18 18:19:35 +00:00
Matthew Dillon
b1e4abd246 Give struct socket structures a ref counting interface similar to
vnodes.  This will hopefully serve as a base from which we can
expand the MP code.  We currently do not attempt to obtain any
mutex or SX locks, but the door is open to add them when we nail
down exactly how that part of it is going to work.
2001-11-17 03:07:11 +00:00
Peter Wemm
1b27b1ad08 Fix some warnings on 64 bit platforms. 2001-11-17 00:42:02 +00:00
Peter Wemm
857ff6155b utime/stime.tv_sec are elapsed times, not relative to 1970. We can
safely print them as longs.  Even if ^T overflows after a process
has accumulated 68 years of user or system time, it is no big deal.
2001-11-17 00:26:57 +00:00
Peter Wemm
aa89942676 You cannot cast a time_t to quad_t and printf it with %lld. quad_t is
64 bits, not long long.
2001-11-16 23:53:48 +00:00
Ian Dowse
7b9716bad2 Fix a number of misspellings of "dependency" and "dependencies" in
comments and function names.

PR:		kern/8589
Submitted by:	Rajesh Vaidheeswarran <rv@fore.com>
2001-11-16 21:08:40 +00:00
Poul-Henning Kamp
24d5c95471 Back out the previous fix to the leading zero problem, I hadn't
noticed it in there already.  That should teach me to check exit
code from cvsup.
2001-11-16 17:07:47 +00:00
Poul-Henning Kamp
10786074c5 Reject leading zeros in dev_stdclone().
PR:		32019
Submitted by:	fenner
2001-11-16 17:05:07 +00:00
Josef Karthauser
9ea6d9ef6a Switch warnings and strict back on again in a way that's compatible
with -stable as well as -current.

Reviewed by:	imp
2001-11-16 02:02:42 +00:00