2005-01-06 23:35:40 +00:00
|
|
|
/*-
|
1994-05-24 10:09:53 +00:00
|
|
|
* Copyright (c) 1982, 1986, 1989, 1993
|
|
|
|
* The Regents of the University of California. All rights reserved.
|
|
|
|
* (c) UNIX System Laboratories, Inc.
|
|
|
|
* All or some portions of this file are derived from material licensed
|
|
|
|
* to the University of California by American Telephone and Telegraph
|
|
|
|
* Co. or Unix System Laboratories, Inc. and are reproduced herein with
|
|
|
|
* the permission of UNIX System Laboratories, Inc.
|
|
|
|
*
|
|
|
|
* Redistribution and use in source and binary forms, with or without
|
|
|
|
* modification, are permitted provided that the following conditions
|
|
|
|
* are met:
|
|
|
|
* 1. Redistributions of source code must retain the above copyright
|
|
|
|
* notice, this list of conditions and the following disclaimer.
|
|
|
|
* 2. Redistributions in binary form must reproduce the above copyright
|
|
|
|
* notice, this list of conditions and the following disclaimer in the
|
|
|
|
* documentation and/or other materials provided with the distribution.
|
|
|
|
* 4. Neither the name of the University nor the names of its contributors
|
|
|
|
* may be used to endorse or promote products derived from this software
|
|
|
|
* without specific prior written permission.
|
|
|
|
*
|
|
|
|
* THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
|
|
|
|
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
|
|
|
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
|
|
|
|
* ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
|
|
|
|
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
|
|
|
|
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
|
|
|
|
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
|
|
|
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
|
|
|
|
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
|
|
|
|
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
|
|
|
* SUCH DAMAGE.
|
|
|
|
*
|
|
|
|
* @(#)sys_generic.c 8.5 (Berkeley) 1/21/94
|
|
|
|
*/
|
|
|
|
|
2003-06-11 00:56:59 +00:00
|
|
|
#include <sys/cdefs.h>
|
|
|
|
__FBSDID("$FreeBSD$");
|
|
|
|
|
2011-08-11 12:30:23 +00:00
|
|
|
#include "opt_capsicum.h"
|
2005-06-30 00:19:08 +00:00
|
|
|
#include "opt_compat.h"
|
1996-01-03 21:42:35 +00:00
|
|
|
#include "opt_ktrace.h"
|
|
|
|
|
1994-05-24 10:09:53 +00:00
|
|
|
#include <sys/param.h>
|
|
|
|
#include <sys/systm.h>
|
1995-11-12 06:43:28 +00:00
|
|
|
#include <sys/sysproto.h>
|
2014-03-16 10:55:57 +00:00
|
|
|
#include <sys/capsicum.h>
|
1994-05-24 10:09:53 +00:00
|
|
|
#include <sys/filedesc.h>
|
1997-03-24 11:52:29 +00:00
|
|
|
#include <sys/filio.h>
|
1997-03-23 03:37:54 +00:00
|
|
|
#include <sys/fcntl.h>
|
1994-05-24 10:09:53 +00:00
|
|
|
#include <sys/file.h>
|
Merge Capsicum overhaul:
- Capability is no longer separate descriptor type. Now every descriptor
has set of its own capability rights.
- The cap_new(2) system call is left, but it is no longer documented and
should not be used in new code.
- The new syscall cap_rights_limit(2) should be used instead of
cap_new(2), which limits capability rights of the given descriptor
without creating a new one.
- The cap_getrights(2) syscall is renamed to cap_rights_get(2).
- If CAP_IOCTL capability right is present we can further reduce allowed
ioctls list with the new cap_ioctls_limit(2) syscall. List of allowed
ioctls can be retrived with cap_ioctls_get(2) syscall.
- If CAP_FCNTL capability right is present we can further reduce fcntls
that can be used with the new cap_fcntls_limit(2) syscall and retrive
them with cap_fcntls_get(2).
- To support ioctl and fcntl white-listing the filedesc structure was
heavly modified.
- The audit subsystem, kdump and procstat tools were updated to
recognize new syscalls.
- Capability rights were revised and eventhough I tried hard to provide
backward API and ABI compatibility there are some incompatible changes
that are described in detail below:
CAP_CREATE old behaviour:
- Allow for openat(2)+O_CREAT.
- Allow for linkat(2).
- Allow for symlinkat(2).
CAP_CREATE new behaviour:
- Allow for openat(2)+O_CREAT.
Added CAP_LINKAT:
- Allow for linkat(2). ABI: Reuses CAP_RMDIR bit.
- Allow to be target for renameat(2).
Added CAP_SYMLINKAT:
- Allow for symlinkat(2).
Removed CAP_DELETE. Old behaviour:
- Allow for unlinkat(2) when removing non-directory object.
- Allow to be source for renameat(2).
Removed CAP_RMDIR. Old behaviour:
- Allow for unlinkat(2) when removing directory.
Added CAP_RENAMEAT:
- Required for source directory for the renameat(2) syscall.
Added CAP_UNLINKAT (effectively it replaces CAP_DELETE and CAP_RMDIR):
- Allow for unlinkat(2) on any object.
- Required if target of renameat(2) exists and will be removed by this
call.
Removed CAP_MAPEXEC.
CAP_MMAP old behaviour:
- Allow for mmap(2) with any combination of PROT_NONE, PROT_READ and
PROT_WRITE.
CAP_MMAP new behaviour:
- Allow for mmap(2)+PROT_NONE.
Added CAP_MMAP_R:
- Allow for mmap(PROT_READ).
Added CAP_MMAP_W:
- Allow for mmap(PROT_WRITE).
Added CAP_MMAP_X:
- Allow for mmap(PROT_EXEC).
Added CAP_MMAP_RW:
- Allow for mmap(PROT_READ | PROT_WRITE).
Added CAP_MMAP_RX:
- Allow for mmap(PROT_READ | PROT_EXEC).
Added CAP_MMAP_WX:
- Allow for mmap(PROT_WRITE | PROT_EXEC).
Added CAP_MMAP_RWX:
- Allow for mmap(PROT_READ | PROT_WRITE | PROT_EXEC).
Renamed CAP_MKDIR to CAP_MKDIRAT.
Renamed CAP_MKFIFO to CAP_MKFIFOAT.
Renamed CAP_MKNODE to CAP_MKNODEAT.
CAP_READ old behaviour:
- Allow pread(2).
- Disallow read(2), readv(2) (if there is no CAP_SEEK).
CAP_READ new behaviour:
- Allow read(2), readv(2).
- Disallow pread(2) (CAP_SEEK was also required).
CAP_WRITE old behaviour:
- Allow pwrite(2).
- Disallow write(2), writev(2) (if there is no CAP_SEEK).
CAP_WRITE new behaviour:
- Allow write(2), writev(2).
- Disallow pwrite(2) (CAP_SEEK was also required).
Added convinient defines:
#define CAP_PREAD (CAP_SEEK | CAP_READ)
#define CAP_PWRITE (CAP_SEEK | CAP_WRITE)
#define CAP_MMAP_R (CAP_MMAP | CAP_SEEK | CAP_READ)
#define CAP_MMAP_W (CAP_MMAP | CAP_SEEK | CAP_WRITE)
#define CAP_MMAP_X (CAP_MMAP | CAP_SEEK | 0x0000000000000008ULL)
#define CAP_MMAP_RW (CAP_MMAP_R | CAP_MMAP_W)
#define CAP_MMAP_RX (CAP_MMAP_R | CAP_MMAP_X)
#define CAP_MMAP_WX (CAP_MMAP_W | CAP_MMAP_X)
#define CAP_MMAP_RWX (CAP_MMAP_R | CAP_MMAP_W | CAP_MMAP_X)
#define CAP_RECV CAP_READ
#define CAP_SEND CAP_WRITE
#define CAP_SOCK_CLIENT \
(CAP_CONNECT | CAP_GETPEERNAME | CAP_GETSOCKNAME | CAP_GETSOCKOPT | \
CAP_PEELOFF | CAP_RECV | CAP_SEND | CAP_SETSOCKOPT | CAP_SHUTDOWN)
#define CAP_SOCK_SERVER \
(CAP_ACCEPT | CAP_BIND | CAP_GETPEERNAME | CAP_GETSOCKNAME | \
CAP_GETSOCKOPT | CAP_LISTEN | CAP_PEELOFF | CAP_RECV | CAP_SEND | \
CAP_SETSOCKOPT | CAP_SHUTDOWN)
Added defines for backward API compatibility:
#define CAP_MAPEXEC CAP_MMAP_X
#define CAP_DELETE CAP_UNLINKAT
#define CAP_MKDIR CAP_MKDIRAT
#define CAP_RMDIR CAP_UNLINKAT
#define CAP_MKFIFO CAP_MKFIFOAT
#define CAP_MKNOD CAP_MKNODAT
#define CAP_SOCK_ALL (CAP_SOCK_CLIENT | CAP_SOCK_SERVER)
Sponsored by: The FreeBSD Foundation
Reviewed by: Christoph Mallon <christoph.mallon@gmx.de>
Many aspects discussed with: rwatson, benl, jonathan
ABI compatibility discussed with: kib
2013-03-02 00:53:12 +00:00
|
|
|
#include <sys/lock.h>
|
1994-05-24 10:09:53 +00:00
|
|
|
#include <sys/proc.h>
|
1994-10-02 17:35:40 +00:00
|
|
|
#include <sys/signalvar.h>
|
1994-05-24 10:09:53 +00:00
|
|
|
#include <sys/socketvar.h>
|
|
|
|
#include <sys/uio.h>
|
|
|
|
#include <sys/kernel.h>
|
2008-01-07 20:05:19 +00:00
|
|
|
#include <sys/ktr.h>
|
2003-04-29 13:36:06 +00:00
|
|
|
#include <sys/limits.h>
|
1994-05-24 10:09:53 +00:00
|
|
|
#include <sys/malloc.h>
|
1997-09-14 02:30:32 +00:00
|
|
|
#include <sys/poll.h>
|
2001-02-07 23:28:01 +00:00
|
|
|
#include <sys/resourcevar.h>
|
2001-01-09 04:33:49 +00:00
|
|
|
#include <sys/selinfo.h>
|
Switch the sleep/wakeup and condition variable implementations to use the
sleep queue interface:
- Sleep queues attempt to merge some of the benefits of both sleep queues
and condition variables. Having sleep qeueus in a hash table avoids
having to allocate a queue head for each wait channel. Thus, struct cv
has shrunk down to just a single char * pointer now. However, the
hash table does not hold threads directly, but queue heads. This means
that once you have located a queue in the hash bucket, you no longer have
to walk the rest of the hash chain looking for threads. Instead, you have
a list of all the threads sleeping on that wait channel.
- Outside of the sleepq code and the sleep/cv code the kernel no longer
differentiates between cv's and sleep/wakeup. For example, calls to
abortsleep() and cv_abort() are replaced with a call to sleepq_abort().
Thus, the TDF_CVWAITQ flag is removed. Also, calls to unsleep() and
cv_waitq_remove() have been replaced with calls to sleepq_remove().
- The sched_sleep() function no longer accepts a priority argument as
sleep's no longer inherently bump the priority. Instead, this is soley
a propery of msleep() which explicitly calls sched_prio() before
blocking.
- The TDF_ONSLEEPQ flag has been dropped as it was never used. The
associated TDF_SET_ONSLEEPQ and TDF_CLR_ON_SLEEPQ macros have also been
dropped and replaced with a single explicit clearing of td_wchan.
TD_SET_ONSLEEPQ() would really have only made sense if it had taken
the wait channel and message as arguments anyway. Now that that only
happens in one place, a macro would be overkill.
2004-02-27 18:52:44 +00:00
|
|
|
#include <sys/sleepqueue.h>
|
2002-09-01 20:37:28 +00:00
|
|
|
#include <sys/syscallsubr.h>
|
2000-01-05 19:40:17 +00:00
|
|
|
#include <sys/sysctl.h>
|
1997-09-14 02:30:32 +00:00
|
|
|
#include <sys/sysent.h>
|
2004-01-20 01:27:42 +00:00
|
|
|
#include <sys/vnode.h>
|
2000-11-18 21:01:04 +00:00
|
|
|
#include <sys/bio.h>
|
|
|
|
#include <sys/buf.h>
|
2001-05-14 05:26:48 +00:00
|
|
|
#include <sys/condvar.h>
|
1994-05-24 10:09:53 +00:00
|
|
|
#ifdef KTRACE
|
|
|
|
#include <sys/ktrace.h>
|
|
|
|
#endif
|
|
|
|
|
2008-01-07 20:05:19 +00:00
|
|
|
#include <security/audit/audit.h>
|
2007-12-16 06:21:20 +00:00
|
|
|
|
2013-10-15 06:35:22 +00:00
|
|
|
int iosize_max_clamp = 0;
|
2012-03-04 14:55:37 +00:00
|
|
|
SYSCTL_INT(_debug, OID_AUTO, iosize_max_clamp, CTLFLAG_RW,
|
|
|
|
&iosize_max_clamp, 0, "Clamp max i/o size to INT_MAX");
|
2013-10-15 06:33:10 +00:00
|
|
|
int devfs_iosize_max_clamp = 1;
|
|
|
|
SYSCTL_INT(_debug, OID_AUTO, devfs_iosize_max_clamp, CTLFLAG_RW,
|
|
|
|
&devfs_iosize_max_clamp, 0, "Clamp max i/o size to INT_MAX for devices");
|
|
|
|
|
2012-03-04 14:55:37 +00:00
|
|
|
/*
|
|
|
|
* Assert that the return value of read(2) and write(2) syscalls fits
|
|
|
|
* into a register. If not, an architecture will need to provide the
|
|
|
|
* usermode wrappers to reconstruct the result.
|
|
|
|
*/
|
|
|
|
CTASSERT(sizeof(register_t) >= sizeof(size_t));
|
2012-02-21 01:05:12 +00:00
|
|
|
|
1997-10-12 20:26:33 +00:00
|
|
|
static MALLOC_DEFINE(M_IOCTLOPS, "ioctlops", "ioctl data buffer");
|
|
|
|
static MALLOC_DEFINE(M_SELECT, "select", "select() buffer");
|
|
|
|
MALLOC_DEFINE(M_IOV, "iov", "large iov's");
|
1997-10-11 18:31:40 +00:00
|
|
|
|
2010-08-28 17:42:08 +00:00
|
|
|
static int pollout(struct thread *, struct pollfd *, struct pollfd *,
|
|
|
|
u_int);
|
2002-03-09 22:44:37 +00:00
|
|
|
static int pollscan(struct thread *, struct pollfd *, u_int);
|
2007-12-16 06:21:20 +00:00
|
|
|
static int pollrescan(struct thread *);
|
2002-03-09 22:44:37 +00:00
|
|
|
static int selscan(struct thread *, fd_mask **, fd_mask **, int);
|
2007-12-16 06:21:20 +00:00
|
|
|
static int selrescan(struct thread *, fd_mask **, fd_mask **);
|
|
|
|
static void selfdalloc(struct thread *, void *);
|
|
|
|
static void selfdfree(struct seltd *, struct selfd *);
|
2005-07-07 18:17:55 +00:00
|
|
|
static int dofileread(struct thread *, int, struct file *, struct uio *,
|
|
|
|
off_t, int);
|
|
|
|
static int dofilewrite(struct thread *, int, struct file *, struct uio *,
|
|
|
|
off_t, int);
|
2003-11-09 09:17:26 +00:00
|
|
|
static void doselwakeup(struct selinfo *, int);
|
2007-12-16 06:21:20 +00:00
|
|
|
static void seltdinit(struct thread *);
|
2013-03-04 16:41:27 +00:00
|
|
|
static int seltdwait(struct thread *, sbintime_t, sbintime_t);
|
2007-12-16 06:21:20 +00:00
|
|
|
static void seltdclear(struct thread *);
|
|
|
|
|
|
|
|
/*
|
|
|
|
* One seltd per-thread allocated on demand as needed.
|
|
|
|
*
|
|
|
|
* t - protected by st_mtx
|
|
|
|
* k - Only accessed by curthread or read-only
|
|
|
|
*/
|
|
|
|
struct seltd {
|
|
|
|
STAILQ_HEAD(, selfd) st_selq; /* (k) List of selfds. */
|
|
|
|
struct selfd *st_free1; /* (k) free fd for read set. */
|
|
|
|
struct selfd *st_free2; /* (k) free fd for write set. */
|
|
|
|
struct mtx st_mtx; /* Protects struct seltd */
|
|
|
|
struct cv st_wait; /* (t) Wait channel. */
|
|
|
|
int st_flags; /* (t) SELTD_ flags. */
|
|
|
|
};
|
|
|
|
|
|
|
|
#define SELTD_PENDING 0x0001 /* We have pending events. */
|
|
|
|
#define SELTD_RESCAN 0x0002 /* Doing a rescan. */
|
|
|
|
|
|
|
|
/*
|
|
|
|
* One selfd allocated per-thread per-file-descriptor.
|
|
|
|
* f - protected by sf_mtx
|
|
|
|
*/
|
|
|
|
struct selfd {
|
|
|
|
STAILQ_ENTRY(selfd) sf_link; /* (k) fds owned by this td. */
|
|
|
|
TAILQ_ENTRY(selfd) sf_threads; /* (f) fds on this selinfo. */
|
|
|
|
struct selinfo *sf_si; /* (f) selinfo when linked. */
|
|
|
|
struct mtx *sf_mtx; /* Pointer to selinfo mtx. */
|
|
|
|
struct seltd *sf_td; /* (k) owning seltd. */
|
|
|
|
void *sf_cookie; /* (k) fd or pollfd. */
|
|
|
|
};
|
|
|
|
|
|
|
|
static uma_zone_t selfd_zone;
|
2009-07-01 20:43:46 +00:00
|
|
|
static struct mtx_pool *mtxpool_select;
|
1999-04-04 21:41:28 +00:00
|
|
|
|
1995-11-12 06:43:28 +00:00
|
|
|
#ifndef _SYS_SYSPROTO_H_
|
1994-05-24 10:09:53 +00:00
|
|
|
struct read_args {
|
|
|
|
int fd;
|
1998-09-05 14:30:11 +00:00
|
|
|
void *buf;
|
|
|
|
size_t nbyte;
|
1994-05-24 10:09:53 +00:00
|
|
|
};
|
1995-11-12 06:43:28 +00:00
|
|
|
#endif
|
1994-05-25 09:21:21 +00:00
|
|
|
int
|
2011-09-16 13:58:51 +00:00
|
|
|
sys_read(td, uap)
|
2001-09-12 08:38:13 +00:00
|
|
|
struct thread *td;
|
2001-11-14 06:30:36 +00:00
|
|
|
struct read_args *uap;
|
1994-05-24 10:09:53 +00:00
|
|
|
{
|
2005-07-07 18:17:55 +00:00
|
|
|
struct uio auio;
|
|
|
|
struct iovec aiov;
|
2000-11-18 21:01:04 +00:00
|
|
|
int error;
|
1994-05-24 10:09:53 +00:00
|
|
|
|
2012-02-21 01:05:12 +00:00
|
|
|
if (uap->nbyte > IOSIZE_MAX)
|
2005-07-07 18:17:55 +00:00
|
|
|
return (EINVAL);
|
|
|
|
aiov.iov_base = uap->buf;
|
|
|
|
aiov.iov_len = uap->nbyte;
|
|
|
|
auio.uio_iov = &aiov;
|
|
|
|
auio.uio_iovcnt = 1;
|
|
|
|
auio.uio_resid = uap->nbyte;
|
|
|
|
auio.uio_segflg = UIO_USERSPACE;
|
|
|
|
error = kern_readv(td, uap->fd, &auio);
|
2000-11-18 21:01:04 +00:00
|
|
|
return(error);
|
1994-05-24 10:09:53 +00:00
|
|
|
}
|
|
|
|
|
1999-03-27 21:16:58 +00:00
|
|
|
/*
|
2005-07-07 18:17:55 +00:00
|
|
|
* Positioned read system call
|
1999-03-27 21:16:58 +00:00
|
|
|
*/
|
|
|
|
#ifndef _SYS_SYSPROTO_H_
|
|
|
|
struct pread_args {
|
|
|
|
int fd;
|
|
|
|
void *buf;
|
|
|
|
size_t nbyte;
|
1999-04-04 21:41:28 +00:00
|
|
|
int pad;
|
|
|
|
off_t offset;
|
1999-03-27 21:16:58 +00:00
|
|
|
};
|
|
|
|
#endif
|
|
|
|
int
|
2011-09-16 13:58:51 +00:00
|
|
|
sys_pread(td, uap)
|
2001-09-12 08:38:13 +00:00
|
|
|
struct thread *td;
|
2001-11-14 06:30:36 +00:00
|
|
|
struct pread_args *uap;
|
1999-04-04 21:41:28 +00:00
|
|
|
{
|
1999-03-27 21:16:58 +00:00
|
|
|
struct uio auio;
|
|
|
|
struct iovec aiov;
|
2005-07-07 18:17:55 +00:00
|
|
|
int error;
|
1999-03-27 21:16:58 +00:00
|
|
|
|
2012-02-21 01:05:12 +00:00
|
|
|
if (uap->nbyte > IOSIZE_MAX)
|
2005-07-07 18:17:55 +00:00
|
|
|
return (EINVAL);
|
|
|
|
aiov.iov_base = uap->buf;
|
|
|
|
aiov.iov_len = uap->nbyte;
|
1999-03-27 21:16:58 +00:00
|
|
|
auio.uio_iov = &aiov;
|
|
|
|
auio.uio_iovcnt = 1;
|
2005-07-07 18:17:55 +00:00
|
|
|
auio.uio_resid = uap->nbyte;
|
1999-03-27 21:16:58 +00:00
|
|
|
auio.uio_segflg = UIO_USERSPACE;
|
2005-07-07 18:17:55 +00:00
|
|
|
error = kern_preadv(td, uap->fd, &auio, uap->offset);
|
|
|
|
return(error);
|
1999-03-27 21:16:58 +00:00
|
|
|
}
|
|
|
|
|
2007-07-04 22:57:21 +00:00
|
|
|
int
|
|
|
|
freebsd6_pread(td, uap)
|
|
|
|
struct thread *td;
|
|
|
|
struct freebsd6_pread_args *uap;
|
|
|
|
{
|
|
|
|
struct pread_args oargs;
|
|
|
|
|
|
|
|
oargs.fd = uap->fd;
|
|
|
|
oargs.buf = uap->buf;
|
|
|
|
oargs.nbyte = uap->nbyte;
|
|
|
|
oargs.offset = uap->offset;
|
2011-09-16 13:58:51 +00:00
|
|
|
return (sys_pread(td, &oargs));
|
2007-07-04 22:57:21 +00:00
|
|
|
}
|
|
|
|
|
1994-05-24 10:09:53 +00:00
|
|
|
/*
|
|
|
|
* Scatter read system call.
|
|
|
|
*/
|
1995-11-12 06:43:28 +00:00
|
|
|
#ifndef _SYS_SYSPROTO_H_
|
1994-05-24 10:09:53 +00:00
|
|
|
struct readv_args {
|
1995-11-11 06:57:34 +00:00
|
|
|
int fd;
|
1994-05-24 10:09:53 +00:00
|
|
|
struct iovec *iovp;
|
|
|
|
u_int iovcnt;
|
|
|
|
};
|
1995-11-12 06:43:28 +00:00
|
|
|
#endif
|
1994-05-25 09:21:21 +00:00
|
|
|
int
|
2011-09-16 13:58:51 +00:00
|
|
|
sys_readv(struct thread *td, struct readv_args *uap)
|
2005-03-31 22:51:18 +00:00
|
|
|
{
|
|
|
|
struct uio *auio;
|
|
|
|
int error;
|
|
|
|
|
|
|
|
error = copyinuio(uap->iovp, uap->iovcnt, &auio);
|
|
|
|
if (error)
|
|
|
|
return (error);
|
|
|
|
error = kern_readv(td, uap->fd, auio);
|
|
|
|
free(auio, M_IOV);
|
|
|
|
return (error);
|
|
|
|
}
|
|
|
|
|
|
|
|
int
|
|
|
|
kern_readv(struct thread *td, int fd, struct uio *auio)
|
1994-05-24 10:09:53 +00:00
|
|
|
{
|
2001-11-14 06:30:36 +00:00
|
|
|
struct file *fp;
|
Change the cap_rights_t type from uint64_t to a structure that we can extend
in the future in a backward compatible (API and ABI) way.
The cap_rights_t represents capability rights. We used to use one bit to
represent one right, but we are running out of spare bits. Currently the new
structure provides place for 114 rights (so 50 more than the previous
cap_rights_t), but it is possible to grow the structure to hold at least 285
rights, although we can make it even larger if 285 rights won't be enough.
The structure definition looks like this:
struct cap_rights {
uint64_t cr_rights[CAP_RIGHTS_VERSION + 2];
};
The initial CAP_RIGHTS_VERSION is 0.
The top two bits in the first element of the cr_rights[] array contain total
number of elements in the array - 2. This means if those two bits are equal to
0, we have 2 array elements.
The top two bits in all remaining array elements should be 0.
The next five bits in all array elements contain array index. Only one bit is
used and bit position in this five-bits range defines array index. This means
there can be at most five array elements in the future.
To define new right the CAPRIGHT() macro must be used. The macro takes two
arguments - an array index and a bit to set, eg.
#define CAP_PDKILL CAPRIGHT(1, 0x0000000000000800ULL)
We still support aliases that combine few rights, but the rights have to belong
to the same array element, eg:
#define CAP_LOOKUP CAPRIGHT(0, 0x0000000000000400ULL)
#define CAP_FCHMOD CAPRIGHT(0, 0x0000000000002000ULL)
#define CAP_FCHMODAT (CAP_FCHMOD | CAP_LOOKUP)
There is new API to manage the new cap_rights_t structure:
cap_rights_t *cap_rights_init(cap_rights_t *rights, ...);
void cap_rights_set(cap_rights_t *rights, ...);
void cap_rights_clear(cap_rights_t *rights, ...);
bool cap_rights_is_set(const cap_rights_t *rights, ...);
bool cap_rights_is_valid(const cap_rights_t *rights);
void cap_rights_merge(cap_rights_t *dst, const cap_rights_t *src);
void cap_rights_remove(cap_rights_t *dst, const cap_rights_t *src);
bool cap_rights_contains(const cap_rights_t *big, const cap_rights_t *little);
Capability rights to the cap_rights_init(), cap_rights_set(),
cap_rights_clear() and cap_rights_is_set() functions are provided by
separating them with commas, eg:
cap_rights_t rights;
cap_rights_init(&rights, CAP_READ, CAP_WRITE, CAP_FSTAT);
There is no need to terminate the list of rights, as those functions are
actually macros that take care of the termination, eg:
#define cap_rights_set(rights, ...) \
__cap_rights_set((rights), __VA_ARGS__, 0ULL)
void __cap_rights_set(cap_rights_t *rights, ...);
Thanks to using one bit as an array index we can assert in those functions that
there are no two rights belonging to different array elements provided
together. For example this is illegal and will be detected, because CAP_LOOKUP
belongs to element 0 and CAP_PDKILL to element 1:
cap_rights_init(&rights, CAP_LOOKUP | CAP_PDKILL);
Providing several rights that belongs to the same array's element this way is
correct, but is not advised. It should only be used for aliases definition.
This commit also breaks compatibility with some existing Capsicum system calls,
but I see no other way to do that. This should be fine as Capsicum is still
experimental and this change is not going to 9.x.
Sponsored by: The FreeBSD Foundation
2013-09-05 00:09:56 +00:00
|
|
|
cap_rights_t rights;
|
2002-05-09 02:30:41 +00:00
|
|
|
int error;
|
2005-07-07 18:17:55 +00:00
|
|
|
|
Change the cap_rights_t type from uint64_t to a structure that we can extend
in the future in a backward compatible (API and ABI) way.
The cap_rights_t represents capability rights. We used to use one bit to
represent one right, but we are running out of spare bits. Currently the new
structure provides place for 114 rights (so 50 more than the previous
cap_rights_t), but it is possible to grow the structure to hold at least 285
rights, although we can make it even larger if 285 rights won't be enough.
The structure definition looks like this:
struct cap_rights {
uint64_t cr_rights[CAP_RIGHTS_VERSION + 2];
};
The initial CAP_RIGHTS_VERSION is 0.
The top two bits in the first element of the cr_rights[] array contain total
number of elements in the array - 2. This means if those two bits are equal to
0, we have 2 array elements.
The top two bits in all remaining array elements should be 0.
The next five bits in all array elements contain array index. Only one bit is
used and bit position in this five-bits range defines array index. This means
there can be at most five array elements in the future.
To define new right the CAPRIGHT() macro must be used. The macro takes two
arguments - an array index and a bit to set, eg.
#define CAP_PDKILL CAPRIGHT(1, 0x0000000000000800ULL)
We still support aliases that combine few rights, but the rights have to belong
to the same array element, eg:
#define CAP_LOOKUP CAPRIGHT(0, 0x0000000000000400ULL)
#define CAP_FCHMOD CAPRIGHT(0, 0x0000000000002000ULL)
#define CAP_FCHMODAT (CAP_FCHMOD | CAP_LOOKUP)
There is new API to manage the new cap_rights_t structure:
cap_rights_t *cap_rights_init(cap_rights_t *rights, ...);
void cap_rights_set(cap_rights_t *rights, ...);
void cap_rights_clear(cap_rights_t *rights, ...);
bool cap_rights_is_set(const cap_rights_t *rights, ...);
bool cap_rights_is_valid(const cap_rights_t *rights);
void cap_rights_merge(cap_rights_t *dst, const cap_rights_t *src);
void cap_rights_remove(cap_rights_t *dst, const cap_rights_t *src);
bool cap_rights_contains(const cap_rights_t *big, const cap_rights_t *little);
Capability rights to the cap_rights_init(), cap_rights_set(),
cap_rights_clear() and cap_rights_is_set() functions are provided by
separating them with commas, eg:
cap_rights_t rights;
cap_rights_init(&rights, CAP_READ, CAP_WRITE, CAP_FSTAT);
There is no need to terminate the list of rights, as those functions are
actually macros that take care of the termination, eg:
#define cap_rights_set(rights, ...) \
__cap_rights_set((rights), __VA_ARGS__, 0ULL)
void __cap_rights_set(cap_rights_t *rights, ...);
Thanks to using one bit as an array index we can assert in those functions that
there are no two rights belonging to different array elements provided
together. For example this is illegal and will be detected, because CAP_LOOKUP
belongs to element 0 and CAP_PDKILL to element 1:
cap_rights_init(&rights, CAP_LOOKUP | CAP_PDKILL);
Providing several rights that belongs to the same array's element this way is
correct, but is not advised. It should only be used for aliases definition.
This commit also breaks compatibility with some existing Capsicum system calls,
but I see no other way to do that. This should be fine as Capsicum is still
experimental and this change is not going to 9.x.
Sponsored by: The FreeBSD Foundation
2013-09-05 00:09:56 +00:00
|
|
|
error = fget_read(td, fd, cap_rights_init(&rights, CAP_READ), &fp);
|
2005-07-07 18:17:55 +00:00
|
|
|
if (error)
|
|
|
|
return (error);
|
|
|
|
error = dofileread(td, fd, fp, auio, (off_t)-1, 0);
|
|
|
|
fdrop(fp, td);
|
|
|
|
return (error);
|
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Scatter positioned read system call.
|
|
|
|
*/
|
|
|
|
#ifndef _SYS_SYSPROTO_H_
|
|
|
|
struct preadv_args {
|
|
|
|
int fd;
|
|
|
|
struct iovec *iovp;
|
|
|
|
u_int iovcnt;
|
|
|
|
off_t offset;
|
|
|
|
};
|
1994-05-24 10:09:53 +00:00
|
|
|
#endif
|
2005-07-07 18:17:55 +00:00
|
|
|
int
|
2011-09-16 13:58:51 +00:00
|
|
|
sys_preadv(struct thread *td, struct preadv_args *uap)
|
2005-07-07 18:17:55 +00:00
|
|
|
{
|
|
|
|
struct uio *auio;
|
|
|
|
int error;
|
|
|
|
|
|
|
|
error = copyinuio(uap->iovp, uap->iovcnt, &auio);
|
|
|
|
if (error)
|
|
|
|
return (error);
|
|
|
|
error = kern_preadv(td, uap->fd, auio, uap->offset);
|
|
|
|
free(auio, M_IOV);
|
|
|
|
return (error);
|
|
|
|
}
|
|
|
|
|
|
|
|
int
|
|
|
|
kern_preadv(td, fd, auio, offset)
|
|
|
|
struct thread *td;
|
|
|
|
int fd;
|
|
|
|
struct uio *auio;
|
|
|
|
off_t offset;
|
|
|
|
{
|
|
|
|
struct file *fp;
|
Change the cap_rights_t type from uint64_t to a structure that we can extend
in the future in a backward compatible (API and ABI) way.
The cap_rights_t represents capability rights. We used to use one bit to
represent one right, but we are running out of spare bits. Currently the new
structure provides place for 114 rights (so 50 more than the previous
cap_rights_t), but it is possible to grow the structure to hold at least 285
rights, although we can make it even larger if 285 rights won't be enough.
The structure definition looks like this:
struct cap_rights {
uint64_t cr_rights[CAP_RIGHTS_VERSION + 2];
};
The initial CAP_RIGHTS_VERSION is 0.
The top two bits in the first element of the cr_rights[] array contain total
number of elements in the array - 2. This means if those two bits are equal to
0, we have 2 array elements.
The top two bits in all remaining array elements should be 0.
The next five bits in all array elements contain array index. Only one bit is
used and bit position in this five-bits range defines array index. This means
there can be at most five array elements in the future.
To define new right the CAPRIGHT() macro must be used. The macro takes two
arguments - an array index and a bit to set, eg.
#define CAP_PDKILL CAPRIGHT(1, 0x0000000000000800ULL)
We still support aliases that combine few rights, but the rights have to belong
to the same array element, eg:
#define CAP_LOOKUP CAPRIGHT(0, 0x0000000000000400ULL)
#define CAP_FCHMOD CAPRIGHT(0, 0x0000000000002000ULL)
#define CAP_FCHMODAT (CAP_FCHMOD | CAP_LOOKUP)
There is new API to manage the new cap_rights_t structure:
cap_rights_t *cap_rights_init(cap_rights_t *rights, ...);
void cap_rights_set(cap_rights_t *rights, ...);
void cap_rights_clear(cap_rights_t *rights, ...);
bool cap_rights_is_set(const cap_rights_t *rights, ...);
bool cap_rights_is_valid(const cap_rights_t *rights);
void cap_rights_merge(cap_rights_t *dst, const cap_rights_t *src);
void cap_rights_remove(cap_rights_t *dst, const cap_rights_t *src);
bool cap_rights_contains(const cap_rights_t *big, const cap_rights_t *little);
Capability rights to the cap_rights_init(), cap_rights_set(),
cap_rights_clear() and cap_rights_is_set() functions are provided by
separating them with commas, eg:
cap_rights_t rights;
cap_rights_init(&rights, CAP_READ, CAP_WRITE, CAP_FSTAT);
There is no need to terminate the list of rights, as those functions are
actually macros that take care of the termination, eg:
#define cap_rights_set(rights, ...) \
__cap_rights_set((rights), __VA_ARGS__, 0ULL)
void __cap_rights_set(cap_rights_t *rights, ...);
Thanks to using one bit as an array index we can assert in those functions that
there are no two rights belonging to different array elements provided
together. For example this is illegal and will be detected, because CAP_LOOKUP
belongs to element 0 and CAP_PDKILL to element 1:
cap_rights_init(&rights, CAP_LOOKUP | CAP_PDKILL);
Providing several rights that belongs to the same array's element this way is
correct, but is not advised. It should only be used for aliases definition.
This commit also breaks compatibility with some existing Capsicum system calls,
but I see no other way to do that. This should be fine as Capsicum is still
experimental and this change is not going to 9.x.
Sponsored by: The FreeBSD Foundation
2013-09-05 00:09:56 +00:00
|
|
|
cap_rights_t rights;
|
2005-07-07 18:17:55 +00:00
|
|
|
int error;
|
1994-05-24 10:09:53 +00:00
|
|
|
|
Change the cap_rights_t type from uint64_t to a structure that we can extend
in the future in a backward compatible (API and ABI) way.
The cap_rights_t represents capability rights. We used to use one bit to
represent one right, but we are running out of spare bits. Currently the new
structure provides place for 114 rights (so 50 more than the previous
cap_rights_t), but it is possible to grow the structure to hold at least 285
rights, although we can make it even larger if 285 rights won't be enough.
The structure definition looks like this:
struct cap_rights {
uint64_t cr_rights[CAP_RIGHTS_VERSION + 2];
};
The initial CAP_RIGHTS_VERSION is 0.
The top two bits in the first element of the cr_rights[] array contain total
number of elements in the array - 2. This means if those two bits are equal to
0, we have 2 array elements.
The top two bits in all remaining array elements should be 0.
The next five bits in all array elements contain array index. Only one bit is
used and bit position in this five-bits range defines array index. This means
there can be at most five array elements in the future.
To define new right the CAPRIGHT() macro must be used. The macro takes two
arguments - an array index and a bit to set, eg.
#define CAP_PDKILL CAPRIGHT(1, 0x0000000000000800ULL)
We still support aliases that combine few rights, but the rights have to belong
to the same array element, eg:
#define CAP_LOOKUP CAPRIGHT(0, 0x0000000000000400ULL)
#define CAP_FCHMOD CAPRIGHT(0, 0x0000000000002000ULL)
#define CAP_FCHMODAT (CAP_FCHMOD | CAP_LOOKUP)
There is new API to manage the new cap_rights_t structure:
cap_rights_t *cap_rights_init(cap_rights_t *rights, ...);
void cap_rights_set(cap_rights_t *rights, ...);
void cap_rights_clear(cap_rights_t *rights, ...);
bool cap_rights_is_set(const cap_rights_t *rights, ...);
bool cap_rights_is_valid(const cap_rights_t *rights);
void cap_rights_merge(cap_rights_t *dst, const cap_rights_t *src);
void cap_rights_remove(cap_rights_t *dst, const cap_rights_t *src);
bool cap_rights_contains(const cap_rights_t *big, const cap_rights_t *little);
Capability rights to the cap_rights_init(), cap_rights_set(),
cap_rights_clear() and cap_rights_is_set() functions are provided by
separating them with commas, eg:
cap_rights_t rights;
cap_rights_init(&rights, CAP_READ, CAP_WRITE, CAP_FSTAT);
There is no need to terminate the list of rights, as those functions are
actually macros that take care of the termination, eg:
#define cap_rights_set(rights, ...) \
__cap_rights_set((rights), __VA_ARGS__, 0ULL)
void __cap_rights_set(cap_rights_t *rights, ...);
Thanks to using one bit as an array index we can assert in those functions that
there are no two rights belonging to different array elements provided
together. For example this is illegal and will be detected, because CAP_LOOKUP
belongs to element 0 and CAP_PDKILL to element 1:
cap_rights_init(&rights, CAP_LOOKUP | CAP_PDKILL);
Providing several rights that belongs to the same array's element this way is
correct, but is not advised. It should only be used for aliases definition.
This commit also breaks compatibility with some existing Capsicum system calls,
but I see no other way to do that. This should be fine as Capsicum is still
experimental and this change is not going to 9.x.
Sponsored by: The FreeBSD Foundation
2013-09-05 00:09:56 +00:00
|
|
|
error = fget_read(td, fd, cap_rights_init(&rights, CAP_PREAD), &fp);
|
2004-07-10 15:42:16 +00:00
|
|
|
if (error)
|
|
|
|
return (error);
|
2005-07-07 18:17:55 +00:00
|
|
|
if (!(fp->f_ops->fo_flags & DFLAG_SEEKABLE))
|
|
|
|
error = ESPIPE;
|
|
|
|
else if (offset < 0 && fp->f_vnode->v_type != VCHR)
|
|
|
|
error = EINVAL;
|
|
|
|
else
|
|
|
|
error = dofileread(td, fd, fp, auio, offset, FOF_OFFSET);
|
|
|
|
fdrop(fp, td);
|
|
|
|
return (error);
|
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Common code for readv and preadv that reads data in
|
|
|
|
* from a file using the passed in uio, offset, and flags.
|
|
|
|
*/
|
|
|
|
static int
|
|
|
|
dofileread(td, fd, fp, auio, offset, flags)
|
|
|
|
struct thread *td;
|
|
|
|
int fd;
|
|
|
|
struct file *fp;
|
|
|
|
struct uio *auio;
|
|
|
|
off_t offset;
|
|
|
|
int flags;
|
|
|
|
{
|
|
|
|
ssize_t cnt;
|
|
|
|
int error;
|
|
|
|
#ifdef KTRACE
|
|
|
|
struct uio *ktruio = NULL;
|
|
|
|
#endif
|
|
|
|
|
2005-01-25 09:15:32 +00:00
|
|
|
/* Finish zero length reads right here */
|
|
|
|
if (auio->uio_resid == 0) {
|
|
|
|
td->td_retval[0] = 0;
|
|
|
|
return(0);
|
|
|
|
}
|
2004-07-10 15:42:16 +00:00
|
|
|
auio->uio_rw = UIO_READ;
|
2005-07-07 18:17:55 +00:00
|
|
|
auio->uio_offset = offset;
|
2004-07-10 15:42:16 +00:00
|
|
|
auio->uio_td = td;
|
1994-05-24 10:09:53 +00:00
|
|
|
#ifdef KTRACE
|
2004-07-10 15:42:16 +00:00
|
|
|
if (KTRPOINT(td, KTR_GENIO))
|
|
|
|
ktruio = cloneuio(auio);
|
1994-05-24 10:09:53 +00:00
|
|
|
#endif
|
2004-07-10 15:42:16 +00:00
|
|
|
cnt = auio->uio_resid;
|
2005-07-07 18:17:55 +00:00
|
|
|
if ((error = fo_read(fp, auio, td->td_ucred, flags, td))) {
|
2004-07-10 15:42:16 +00:00
|
|
|
if (auio->uio_resid != cnt && (error == ERESTART ||
|
1994-05-24 10:09:53 +00:00
|
|
|
error == EINTR || error == EWOULDBLOCK))
|
|
|
|
error = 0;
|
2000-11-18 21:01:04 +00:00
|
|
|
}
|
2004-07-10 15:42:16 +00:00
|
|
|
cnt -= auio->uio_resid;
|
1994-05-24 10:09:53 +00:00
|
|
|
#ifdef KTRACE
|
2004-07-10 15:42:16 +00:00
|
|
|
if (ktruio != NULL) {
|
|
|
|
ktruio->uio_resid = cnt;
|
2005-03-31 22:51:18 +00:00
|
|
|
ktrgenio(fd, UIO_READ, ktruio, error);
|
1994-05-24 10:09:53 +00:00
|
|
|
}
|
|
|
|
#endif
|
2001-09-12 08:38:13 +00:00
|
|
|
td->td_retval[0] = cnt;
|
1994-05-24 10:09:53 +00:00
|
|
|
return (error);
|
|
|
|
}
|
|
|
|
|
1995-11-12 06:43:28 +00:00
|
|
|
#ifndef _SYS_SYSPROTO_H_
|
1994-05-24 10:09:53 +00:00
|
|
|
struct write_args {
|
|
|
|
int fd;
|
1998-09-05 14:30:11 +00:00
|
|
|
const void *buf;
|
|
|
|
size_t nbyte;
|
1994-05-24 10:09:53 +00:00
|
|
|
};
|
1995-11-12 06:43:28 +00:00
|
|
|
#endif
|
1994-05-25 09:21:21 +00:00
|
|
|
int
|
2011-09-16 13:58:51 +00:00
|
|
|
sys_write(td, uap)
|
2001-09-12 08:38:13 +00:00
|
|
|
struct thread *td;
|
2001-11-14 06:30:36 +00:00
|
|
|
struct write_args *uap;
|
1994-05-24 10:09:53 +00:00
|
|
|
{
|
2005-07-07 18:17:55 +00:00
|
|
|
struct uio auio;
|
|
|
|
struct iovec aiov;
|
2000-11-18 21:01:04 +00:00
|
|
|
int error;
|
1994-05-24 10:09:53 +00:00
|
|
|
|
2012-02-21 01:05:12 +00:00
|
|
|
if (uap->nbyte > IOSIZE_MAX)
|
2005-07-07 18:17:55 +00:00
|
|
|
return (EINVAL);
|
|
|
|
aiov.iov_base = (void *)(uintptr_t)uap->buf;
|
|
|
|
aiov.iov_len = uap->nbyte;
|
|
|
|
auio.uio_iov = &aiov;
|
|
|
|
auio.uio_iovcnt = 1;
|
|
|
|
auio.uio_resid = uap->nbyte;
|
|
|
|
auio.uio_segflg = UIO_USERSPACE;
|
|
|
|
error = kern_writev(td, uap->fd, &auio);
|
2000-11-18 21:01:04 +00:00
|
|
|
return(error);
|
1994-05-24 10:09:53 +00:00
|
|
|
}
|
|
|
|
|
1999-03-27 21:16:58 +00:00
|
|
|
/*
|
2007-03-04 22:36:48 +00:00
|
|
|
* Positioned write system call.
|
1999-03-27 21:16:58 +00:00
|
|
|
*/
|
|
|
|
#ifndef _SYS_SYSPROTO_H_
|
|
|
|
struct pwrite_args {
|
|
|
|
int fd;
|
|
|
|
const void *buf;
|
|
|
|
size_t nbyte;
|
1999-04-04 21:41:28 +00:00
|
|
|
int pad;
|
|
|
|
off_t offset;
|
1999-03-27 21:16:58 +00:00
|
|
|
};
|
|
|
|
#endif
|
|
|
|
int
|
2011-09-16 13:58:51 +00:00
|
|
|
sys_pwrite(td, uap)
|
2001-09-12 08:38:13 +00:00
|
|
|
struct thread *td;
|
2001-11-14 06:30:36 +00:00
|
|
|
struct pwrite_args *uap;
|
1999-04-04 21:41:28 +00:00
|
|
|
{
|
1999-03-27 21:16:58 +00:00
|
|
|
struct uio auio;
|
|
|
|
struct iovec aiov;
|
2005-07-07 18:17:55 +00:00
|
|
|
int error;
|
1999-03-27 21:16:58 +00:00
|
|
|
|
2012-02-21 01:05:12 +00:00
|
|
|
if (uap->nbyte > IOSIZE_MAX)
|
2005-07-07 18:17:55 +00:00
|
|
|
return (EINVAL);
|
|
|
|
aiov.iov_base = (void *)(uintptr_t)uap->buf;
|
|
|
|
aiov.iov_len = uap->nbyte;
|
1999-03-27 21:16:58 +00:00
|
|
|
auio.uio_iov = &aiov;
|
|
|
|
auio.uio_iovcnt = 1;
|
2005-07-07 18:17:55 +00:00
|
|
|
auio.uio_resid = uap->nbyte;
|
1999-03-27 21:16:58 +00:00
|
|
|
auio.uio_segflg = UIO_USERSPACE;
|
2005-07-07 18:17:55 +00:00
|
|
|
error = kern_pwritev(td, uap->fd, &auio, uap->offset);
|
|
|
|
return(error);
|
1999-03-27 21:16:58 +00:00
|
|
|
}
|
|
|
|
|
2007-07-04 22:57:21 +00:00
|
|
|
int
|
|
|
|
freebsd6_pwrite(td, uap)
|
|
|
|
struct thread *td;
|
|
|
|
struct freebsd6_pwrite_args *uap;
|
|
|
|
{
|
|
|
|
struct pwrite_args oargs;
|
|
|
|
|
|
|
|
oargs.fd = uap->fd;
|
|
|
|
oargs.buf = uap->buf;
|
|
|
|
oargs.nbyte = uap->nbyte;
|
|
|
|
oargs.offset = uap->offset;
|
2011-09-16 13:58:51 +00:00
|
|
|
return (sys_pwrite(td, &oargs));
|
2007-07-04 22:57:21 +00:00
|
|
|
}
|
|
|
|
|
1994-05-24 10:09:53 +00:00
|
|
|
/*
|
2007-03-04 22:36:48 +00:00
|
|
|
* Gather write system call.
|
1994-05-24 10:09:53 +00:00
|
|
|
*/
|
1995-11-12 06:43:28 +00:00
|
|
|
#ifndef _SYS_SYSPROTO_H_
|
1994-05-24 10:09:53 +00:00
|
|
|
struct writev_args {
|
|
|
|
int fd;
|
|
|
|
struct iovec *iovp;
|
|
|
|
u_int iovcnt;
|
|
|
|
};
|
1995-11-12 06:43:28 +00:00
|
|
|
#endif
|
1994-05-25 09:21:21 +00:00
|
|
|
int
|
2011-09-16 13:58:51 +00:00
|
|
|
sys_writev(struct thread *td, struct writev_args *uap)
|
2005-03-31 22:51:18 +00:00
|
|
|
{
|
|
|
|
struct uio *auio;
|
|
|
|
int error;
|
|
|
|
|
|
|
|
error = copyinuio(uap->iovp, uap->iovcnt, &auio);
|
|
|
|
if (error)
|
|
|
|
return (error);
|
|
|
|
error = kern_writev(td, uap->fd, auio);
|
|
|
|
free(auio, M_IOV);
|
|
|
|
return (error);
|
|
|
|
}
|
|
|
|
|
|
|
|
int
|
|
|
|
kern_writev(struct thread *td, int fd, struct uio *auio)
|
1994-05-24 10:09:53 +00:00
|
|
|
{
|
2001-11-14 06:30:36 +00:00
|
|
|
struct file *fp;
|
Change the cap_rights_t type from uint64_t to a structure that we can extend
in the future in a backward compatible (API and ABI) way.
The cap_rights_t represents capability rights. We used to use one bit to
represent one right, but we are running out of spare bits. Currently the new
structure provides place for 114 rights (so 50 more than the previous
cap_rights_t), but it is possible to grow the structure to hold at least 285
rights, although we can make it even larger if 285 rights won't be enough.
The structure definition looks like this:
struct cap_rights {
uint64_t cr_rights[CAP_RIGHTS_VERSION + 2];
};
The initial CAP_RIGHTS_VERSION is 0.
The top two bits in the first element of the cr_rights[] array contain total
number of elements in the array - 2. This means if those two bits are equal to
0, we have 2 array elements.
The top two bits in all remaining array elements should be 0.
The next five bits in all array elements contain array index. Only one bit is
used and bit position in this five-bits range defines array index. This means
there can be at most five array elements in the future.
To define new right the CAPRIGHT() macro must be used. The macro takes two
arguments - an array index and a bit to set, eg.
#define CAP_PDKILL CAPRIGHT(1, 0x0000000000000800ULL)
We still support aliases that combine few rights, but the rights have to belong
to the same array element, eg:
#define CAP_LOOKUP CAPRIGHT(0, 0x0000000000000400ULL)
#define CAP_FCHMOD CAPRIGHT(0, 0x0000000000002000ULL)
#define CAP_FCHMODAT (CAP_FCHMOD | CAP_LOOKUP)
There is new API to manage the new cap_rights_t structure:
cap_rights_t *cap_rights_init(cap_rights_t *rights, ...);
void cap_rights_set(cap_rights_t *rights, ...);
void cap_rights_clear(cap_rights_t *rights, ...);
bool cap_rights_is_set(const cap_rights_t *rights, ...);
bool cap_rights_is_valid(const cap_rights_t *rights);
void cap_rights_merge(cap_rights_t *dst, const cap_rights_t *src);
void cap_rights_remove(cap_rights_t *dst, const cap_rights_t *src);
bool cap_rights_contains(const cap_rights_t *big, const cap_rights_t *little);
Capability rights to the cap_rights_init(), cap_rights_set(),
cap_rights_clear() and cap_rights_is_set() functions are provided by
separating them with commas, eg:
cap_rights_t rights;
cap_rights_init(&rights, CAP_READ, CAP_WRITE, CAP_FSTAT);
There is no need to terminate the list of rights, as those functions are
actually macros that take care of the termination, eg:
#define cap_rights_set(rights, ...) \
__cap_rights_set((rights), __VA_ARGS__, 0ULL)
void __cap_rights_set(cap_rights_t *rights, ...);
Thanks to using one bit as an array index we can assert in those functions that
there are no two rights belonging to different array elements provided
together. For example this is illegal and will be detected, because CAP_LOOKUP
belongs to element 0 and CAP_PDKILL to element 1:
cap_rights_init(&rights, CAP_LOOKUP | CAP_PDKILL);
Providing several rights that belongs to the same array's element this way is
correct, but is not advised. It should only be used for aliases definition.
This commit also breaks compatibility with some existing Capsicum system calls,
but I see no other way to do that. This should be fine as Capsicum is still
experimental and this change is not going to 9.x.
Sponsored by: The FreeBSD Foundation
2013-09-05 00:09:56 +00:00
|
|
|
cap_rights_t rights;
|
2004-07-10 15:42:16 +00:00
|
|
|
int error;
|
2005-07-07 18:17:55 +00:00
|
|
|
|
Change the cap_rights_t type from uint64_t to a structure that we can extend
in the future in a backward compatible (API and ABI) way.
The cap_rights_t represents capability rights. We used to use one bit to
represent one right, but we are running out of spare bits. Currently the new
structure provides place for 114 rights (so 50 more than the previous
cap_rights_t), but it is possible to grow the structure to hold at least 285
rights, although we can make it even larger if 285 rights won't be enough.
The structure definition looks like this:
struct cap_rights {
uint64_t cr_rights[CAP_RIGHTS_VERSION + 2];
};
The initial CAP_RIGHTS_VERSION is 0.
The top two bits in the first element of the cr_rights[] array contain total
number of elements in the array - 2. This means if those two bits are equal to
0, we have 2 array elements.
The top two bits in all remaining array elements should be 0.
The next five bits in all array elements contain array index. Only one bit is
used and bit position in this five-bits range defines array index. This means
there can be at most five array elements in the future.
To define new right the CAPRIGHT() macro must be used. The macro takes two
arguments - an array index and a bit to set, eg.
#define CAP_PDKILL CAPRIGHT(1, 0x0000000000000800ULL)
We still support aliases that combine few rights, but the rights have to belong
to the same array element, eg:
#define CAP_LOOKUP CAPRIGHT(0, 0x0000000000000400ULL)
#define CAP_FCHMOD CAPRIGHT(0, 0x0000000000002000ULL)
#define CAP_FCHMODAT (CAP_FCHMOD | CAP_LOOKUP)
There is new API to manage the new cap_rights_t structure:
cap_rights_t *cap_rights_init(cap_rights_t *rights, ...);
void cap_rights_set(cap_rights_t *rights, ...);
void cap_rights_clear(cap_rights_t *rights, ...);
bool cap_rights_is_set(const cap_rights_t *rights, ...);
bool cap_rights_is_valid(const cap_rights_t *rights);
void cap_rights_merge(cap_rights_t *dst, const cap_rights_t *src);
void cap_rights_remove(cap_rights_t *dst, const cap_rights_t *src);
bool cap_rights_contains(const cap_rights_t *big, const cap_rights_t *little);
Capability rights to the cap_rights_init(), cap_rights_set(),
cap_rights_clear() and cap_rights_is_set() functions are provided by
separating them with commas, eg:
cap_rights_t rights;
cap_rights_init(&rights, CAP_READ, CAP_WRITE, CAP_FSTAT);
There is no need to terminate the list of rights, as those functions are
actually macros that take care of the termination, eg:
#define cap_rights_set(rights, ...) \
__cap_rights_set((rights), __VA_ARGS__, 0ULL)
void __cap_rights_set(cap_rights_t *rights, ...);
Thanks to using one bit as an array index we can assert in those functions that
there are no two rights belonging to different array elements provided
together. For example this is illegal and will be detected, because CAP_LOOKUP
belongs to element 0 and CAP_PDKILL to element 1:
cap_rights_init(&rights, CAP_LOOKUP | CAP_PDKILL);
Providing several rights that belongs to the same array's element this way is
correct, but is not advised. It should only be used for aliases definition.
This commit also breaks compatibility with some existing Capsicum system calls,
but I see no other way to do that. This should be fine as Capsicum is still
experimental and this change is not going to 9.x.
Sponsored by: The FreeBSD Foundation
2013-09-05 00:09:56 +00:00
|
|
|
error = fget_write(td, fd, cap_rights_init(&rights, CAP_WRITE), &fp);
|
2005-07-07 18:17:55 +00:00
|
|
|
if (error)
|
2006-01-06 16:34:22 +00:00
|
|
|
return (error);
|
2005-07-07 18:17:55 +00:00
|
|
|
error = dofilewrite(td, fd, fp, auio, (off_t)-1, 0);
|
|
|
|
fdrop(fp, td);
|
|
|
|
return (error);
|
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
2007-03-04 22:36:48 +00:00
|
|
|
* Gather positioned write system call.
|
2005-07-07 18:17:55 +00:00
|
|
|
*/
|
|
|
|
#ifndef _SYS_SYSPROTO_H_
|
|
|
|
struct pwritev_args {
|
|
|
|
int fd;
|
|
|
|
struct iovec *iovp;
|
|
|
|
u_int iovcnt;
|
|
|
|
off_t offset;
|
|
|
|
};
|
1994-05-24 10:09:53 +00:00
|
|
|
#endif
|
2005-07-07 18:17:55 +00:00
|
|
|
int
|
2011-09-16 13:58:51 +00:00
|
|
|
sys_pwritev(struct thread *td, struct pwritev_args *uap)
|
2005-07-07 18:17:55 +00:00
|
|
|
{
|
|
|
|
struct uio *auio;
|
|
|
|
int error;
|
|
|
|
|
|
|
|
error = copyinuio(uap->iovp, uap->iovcnt, &auio);
|
|
|
|
if (error)
|
|
|
|
return (error);
|
|
|
|
error = kern_pwritev(td, uap->fd, auio, uap->offset);
|
|
|
|
free(auio, M_IOV);
|
|
|
|
return (error);
|
|
|
|
}
|
|
|
|
|
|
|
|
int
|
|
|
|
kern_pwritev(td, fd, auio, offset)
|
|
|
|
struct thread *td;
|
|
|
|
struct uio *auio;
|
|
|
|
int fd;
|
|
|
|
off_t offset;
|
|
|
|
{
|
|
|
|
struct file *fp;
|
Change the cap_rights_t type from uint64_t to a structure that we can extend
in the future in a backward compatible (API and ABI) way.
The cap_rights_t represents capability rights. We used to use one bit to
represent one right, but we are running out of spare bits. Currently the new
structure provides place for 114 rights (so 50 more than the previous
cap_rights_t), but it is possible to grow the structure to hold at least 285
rights, although we can make it even larger if 285 rights won't be enough.
The structure definition looks like this:
struct cap_rights {
uint64_t cr_rights[CAP_RIGHTS_VERSION + 2];
};
The initial CAP_RIGHTS_VERSION is 0.
The top two bits in the first element of the cr_rights[] array contain total
number of elements in the array - 2. This means if those two bits are equal to
0, we have 2 array elements.
The top two bits in all remaining array elements should be 0.
The next five bits in all array elements contain array index. Only one bit is
used and bit position in this five-bits range defines array index. This means
there can be at most five array elements in the future.
To define new right the CAPRIGHT() macro must be used. The macro takes two
arguments - an array index and a bit to set, eg.
#define CAP_PDKILL CAPRIGHT(1, 0x0000000000000800ULL)
We still support aliases that combine few rights, but the rights have to belong
to the same array element, eg:
#define CAP_LOOKUP CAPRIGHT(0, 0x0000000000000400ULL)
#define CAP_FCHMOD CAPRIGHT(0, 0x0000000000002000ULL)
#define CAP_FCHMODAT (CAP_FCHMOD | CAP_LOOKUP)
There is new API to manage the new cap_rights_t structure:
cap_rights_t *cap_rights_init(cap_rights_t *rights, ...);
void cap_rights_set(cap_rights_t *rights, ...);
void cap_rights_clear(cap_rights_t *rights, ...);
bool cap_rights_is_set(const cap_rights_t *rights, ...);
bool cap_rights_is_valid(const cap_rights_t *rights);
void cap_rights_merge(cap_rights_t *dst, const cap_rights_t *src);
void cap_rights_remove(cap_rights_t *dst, const cap_rights_t *src);
bool cap_rights_contains(const cap_rights_t *big, const cap_rights_t *little);
Capability rights to the cap_rights_init(), cap_rights_set(),
cap_rights_clear() and cap_rights_is_set() functions are provided by
separating them with commas, eg:
cap_rights_t rights;
cap_rights_init(&rights, CAP_READ, CAP_WRITE, CAP_FSTAT);
There is no need to terminate the list of rights, as those functions are
actually macros that take care of the termination, eg:
#define cap_rights_set(rights, ...) \
__cap_rights_set((rights), __VA_ARGS__, 0ULL)
void __cap_rights_set(cap_rights_t *rights, ...);
Thanks to using one bit as an array index we can assert in those functions that
there are no two rights belonging to different array elements provided
together. For example this is illegal and will be detected, because CAP_LOOKUP
belongs to element 0 and CAP_PDKILL to element 1:
cap_rights_init(&rights, CAP_LOOKUP | CAP_PDKILL);
Providing several rights that belongs to the same array's element this way is
correct, but is not advised. It should only be used for aliases definition.
This commit also breaks compatibility with some existing Capsicum system calls,
but I see no other way to do that. This should be fine as Capsicum is still
experimental and this change is not going to 9.x.
Sponsored by: The FreeBSD Foundation
2013-09-05 00:09:56 +00:00
|
|
|
cap_rights_t rights;
|
2005-07-07 18:17:55 +00:00
|
|
|
int error;
|
1994-05-24 10:09:53 +00:00
|
|
|
|
Change the cap_rights_t type from uint64_t to a structure that we can extend
in the future in a backward compatible (API and ABI) way.
The cap_rights_t represents capability rights. We used to use one bit to
represent one right, but we are running out of spare bits. Currently the new
structure provides place for 114 rights (so 50 more than the previous
cap_rights_t), but it is possible to grow the structure to hold at least 285
rights, although we can make it even larger if 285 rights won't be enough.
The structure definition looks like this:
struct cap_rights {
uint64_t cr_rights[CAP_RIGHTS_VERSION + 2];
};
The initial CAP_RIGHTS_VERSION is 0.
The top two bits in the first element of the cr_rights[] array contain total
number of elements in the array - 2. This means if those two bits are equal to
0, we have 2 array elements.
The top two bits in all remaining array elements should be 0.
The next five bits in all array elements contain array index. Only one bit is
used and bit position in this five-bits range defines array index. This means
there can be at most five array elements in the future.
To define new right the CAPRIGHT() macro must be used. The macro takes two
arguments - an array index and a bit to set, eg.
#define CAP_PDKILL CAPRIGHT(1, 0x0000000000000800ULL)
We still support aliases that combine few rights, but the rights have to belong
to the same array element, eg:
#define CAP_LOOKUP CAPRIGHT(0, 0x0000000000000400ULL)
#define CAP_FCHMOD CAPRIGHT(0, 0x0000000000002000ULL)
#define CAP_FCHMODAT (CAP_FCHMOD | CAP_LOOKUP)
There is new API to manage the new cap_rights_t structure:
cap_rights_t *cap_rights_init(cap_rights_t *rights, ...);
void cap_rights_set(cap_rights_t *rights, ...);
void cap_rights_clear(cap_rights_t *rights, ...);
bool cap_rights_is_set(const cap_rights_t *rights, ...);
bool cap_rights_is_valid(const cap_rights_t *rights);
void cap_rights_merge(cap_rights_t *dst, const cap_rights_t *src);
void cap_rights_remove(cap_rights_t *dst, const cap_rights_t *src);
bool cap_rights_contains(const cap_rights_t *big, const cap_rights_t *little);
Capability rights to the cap_rights_init(), cap_rights_set(),
cap_rights_clear() and cap_rights_is_set() functions are provided by
separating them with commas, eg:
cap_rights_t rights;
cap_rights_init(&rights, CAP_READ, CAP_WRITE, CAP_FSTAT);
There is no need to terminate the list of rights, as those functions are
actually macros that take care of the termination, eg:
#define cap_rights_set(rights, ...) \
__cap_rights_set((rights), __VA_ARGS__, 0ULL)
void __cap_rights_set(cap_rights_t *rights, ...);
Thanks to using one bit as an array index we can assert in those functions that
there are no two rights belonging to different array elements provided
together. For example this is illegal and will be detected, because CAP_LOOKUP
belongs to element 0 and CAP_PDKILL to element 1:
cap_rights_init(&rights, CAP_LOOKUP | CAP_PDKILL);
Providing several rights that belongs to the same array's element this way is
correct, but is not advised. It should only be used for aliases definition.
This commit also breaks compatibility with some existing Capsicum system calls,
but I see no other way to do that. This should be fine as Capsicum is still
experimental and this change is not going to 9.x.
Sponsored by: The FreeBSD Foundation
2013-09-05 00:09:56 +00:00
|
|
|
error = fget_write(td, fd, cap_rights_init(&rights, CAP_PWRITE), &fp);
|
2004-07-10 15:42:16 +00:00
|
|
|
if (error)
|
2006-01-06 16:34:22 +00:00
|
|
|
return (error);
|
2005-07-07 18:17:55 +00:00
|
|
|
if (!(fp->f_ops->fo_flags & DFLAG_SEEKABLE))
|
|
|
|
error = ESPIPE;
|
|
|
|
else if (offset < 0 && fp->f_vnode->v_type != VCHR)
|
|
|
|
error = EINVAL;
|
|
|
|
else
|
|
|
|
error = dofilewrite(td, fd, fp, auio, offset, FOF_OFFSET);
|
|
|
|
fdrop(fp, td);
|
|
|
|
return (error);
|
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Common code for writev and pwritev that writes data to
|
|
|
|
* a file using the passed in uio, offset, and flags.
|
|
|
|
*/
|
|
|
|
static int
|
|
|
|
dofilewrite(td, fd, fp, auio, offset, flags)
|
|
|
|
struct thread *td;
|
|
|
|
int fd;
|
|
|
|
struct file *fp;
|
|
|
|
struct uio *auio;
|
|
|
|
off_t offset;
|
|
|
|
int flags;
|
|
|
|
{
|
|
|
|
ssize_t cnt;
|
|
|
|
int error;
|
|
|
|
#ifdef KTRACE
|
|
|
|
struct uio *ktruio = NULL;
|
|
|
|
#endif
|
|
|
|
|
2004-07-10 15:42:16 +00:00
|
|
|
auio->uio_rw = UIO_WRITE;
|
|
|
|
auio->uio_td = td;
|
2005-07-07 18:17:55 +00:00
|
|
|
auio->uio_offset = offset;
|
1994-05-24 10:09:53 +00:00
|
|
|
#ifdef KTRACE
|
2004-07-10 15:42:16 +00:00
|
|
|
if (KTRPOINT(td, KTR_GENIO))
|
|
|
|
ktruio = cloneuio(auio);
|
1994-05-24 10:09:53 +00:00
|
|
|
#endif
|
2004-07-10 15:42:16 +00:00
|
|
|
cnt = auio->uio_resid;
|
2012-12-23 22:43:27 +00:00
|
|
|
if (fp->f_type == DTYPE_VNODE &&
|
|
|
|
(fp->f_vnread_flags & FDEVFS_VNODE) == 0)
|
2000-12-07 23:45:57 +00:00
|
|
|
bwillwrite();
|
2005-07-07 18:17:55 +00:00
|
|
|
if ((error = fo_write(fp, auio, td->td_ucred, flags, td))) {
|
2004-07-10 15:42:16 +00:00
|
|
|
if (auio->uio_resid != cnt && (error == ERESTART ||
|
1994-05-24 10:09:53 +00:00
|
|
|
error == EINTR || error == EWOULDBLOCK))
|
|
|
|
error = 0;
|
2005-07-07 18:17:55 +00:00
|
|
|
/* Socket layer is responsible for issuing SIGPIPE. */
|
2007-03-01 19:20:25 +00:00
|
|
|
if (fp->f_type != DTYPE_SOCKET && error == EPIPE) {
|
2001-09-12 08:38:13 +00:00
|
|
|
PROC_LOCK(td->td_proc);
|
2010-06-29 20:44:19 +00:00
|
|
|
tdsignal(td, SIGPIPE);
|
2001-09-12 08:38:13 +00:00
|
|
|
PROC_UNLOCK(td->td_proc);
|
2001-03-07 03:37:06 +00:00
|
|
|
}
|
1994-05-24 10:09:53 +00:00
|
|
|
}
|
2004-07-10 15:42:16 +00:00
|
|
|
cnt -= auio->uio_resid;
|
1994-05-24 10:09:53 +00:00
|
|
|
#ifdef KTRACE
|
2004-07-10 15:42:16 +00:00
|
|
|
if (ktruio != NULL) {
|
|
|
|
ktruio->uio_resid = cnt;
|
2005-03-31 22:51:18 +00:00
|
|
|
ktrgenio(fd, UIO_WRITE, ktruio, error);
|
1994-05-24 10:09:53 +00:00
|
|
|
}
|
|
|
|
#endif
|
2012-02-21 01:05:12 +00:00
|
|
|
td->td_retval[0] = cnt;
|
1994-05-24 10:09:53 +00:00
|
|
|
return (error);
|
|
|
|
}
|
|
|
|
|
2008-01-07 20:05:19 +00:00
|
|
|
/*
|
|
|
|
* Truncate a file given a file descriptor.
|
|
|
|
*
|
|
|
|
* Can't use fget_write() here, since must return EINVAL and not EBADF if the
|
|
|
|
* descriptor isn't writable.
|
|
|
|
*/
|
|
|
|
int
|
|
|
|
kern_ftruncate(td, fd, length)
|
|
|
|
struct thread *td;
|
|
|
|
int fd;
|
|
|
|
off_t length;
|
|
|
|
{
|
|
|
|
struct file *fp;
|
Change the cap_rights_t type from uint64_t to a structure that we can extend
in the future in a backward compatible (API and ABI) way.
The cap_rights_t represents capability rights. We used to use one bit to
represent one right, but we are running out of spare bits. Currently the new
structure provides place for 114 rights (so 50 more than the previous
cap_rights_t), but it is possible to grow the structure to hold at least 285
rights, although we can make it even larger if 285 rights won't be enough.
The structure definition looks like this:
struct cap_rights {
uint64_t cr_rights[CAP_RIGHTS_VERSION + 2];
};
The initial CAP_RIGHTS_VERSION is 0.
The top two bits in the first element of the cr_rights[] array contain total
number of elements in the array - 2. This means if those two bits are equal to
0, we have 2 array elements.
The top two bits in all remaining array elements should be 0.
The next five bits in all array elements contain array index. Only one bit is
used and bit position in this five-bits range defines array index. This means
there can be at most five array elements in the future.
To define new right the CAPRIGHT() macro must be used. The macro takes two
arguments - an array index and a bit to set, eg.
#define CAP_PDKILL CAPRIGHT(1, 0x0000000000000800ULL)
We still support aliases that combine few rights, but the rights have to belong
to the same array element, eg:
#define CAP_LOOKUP CAPRIGHT(0, 0x0000000000000400ULL)
#define CAP_FCHMOD CAPRIGHT(0, 0x0000000000002000ULL)
#define CAP_FCHMODAT (CAP_FCHMOD | CAP_LOOKUP)
There is new API to manage the new cap_rights_t structure:
cap_rights_t *cap_rights_init(cap_rights_t *rights, ...);
void cap_rights_set(cap_rights_t *rights, ...);
void cap_rights_clear(cap_rights_t *rights, ...);
bool cap_rights_is_set(const cap_rights_t *rights, ...);
bool cap_rights_is_valid(const cap_rights_t *rights);
void cap_rights_merge(cap_rights_t *dst, const cap_rights_t *src);
void cap_rights_remove(cap_rights_t *dst, const cap_rights_t *src);
bool cap_rights_contains(const cap_rights_t *big, const cap_rights_t *little);
Capability rights to the cap_rights_init(), cap_rights_set(),
cap_rights_clear() and cap_rights_is_set() functions are provided by
separating them with commas, eg:
cap_rights_t rights;
cap_rights_init(&rights, CAP_READ, CAP_WRITE, CAP_FSTAT);
There is no need to terminate the list of rights, as those functions are
actually macros that take care of the termination, eg:
#define cap_rights_set(rights, ...) \
__cap_rights_set((rights), __VA_ARGS__, 0ULL)
void __cap_rights_set(cap_rights_t *rights, ...);
Thanks to using one bit as an array index we can assert in those functions that
there are no two rights belonging to different array elements provided
together. For example this is illegal and will be detected, because CAP_LOOKUP
belongs to element 0 and CAP_PDKILL to element 1:
cap_rights_init(&rights, CAP_LOOKUP | CAP_PDKILL);
Providing several rights that belongs to the same array's element this way is
correct, but is not advised. It should only be used for aliases definition.
This commit also breaks compatibility with some existing Capsicum system calls,
but I see no other way to do that. This should be fine as Capsicum is still
experimental and this change is not going to 9.x.
Sponsored by: The FreeBSD Foundation
2013-09-05 00:09:56 +00:00
|
|
|
cap_rights_t rights;
|
2008-01-07 20:05:19 +00:00
|
|
|
int error;
|
|
|
|
|
2009-06-27 13:58:44 +00:00
|
|
|
AUDIT_ARG_FD(fd);
|
2008-01-07 20:05:19 +00:00
|
|
|
if (length < 0)
|
|
|
|
return (EINVAL);
|
Change the cap_rights_t type from uint64_t to a structure that we can extend
in the future in a backward compatible (API and ABI) way.
The cap_rights_t represents capability rights. We used to use one bit to
represent one right, but we are running out of spare bits. Currently the new
structure provides place for 114 rights (so 50 more than the previous
cap_rights_t), but it is possible to grow the structure to hold at least 285
rights, although we can make it even larger if 285 rights won't be enough.
The structure definition looks like this:
struct cap_rights {
uint64_t cr_rights[CAP_RIGHTS_VERSION + 2];
};
The initial CAP_RIGHTS_VERSION is 0.
The top two bits in the first element of the cr_rights[] array contain total
number of elements in the array - 2. This means if those two bits are equal to
0, we have 2 array elements.
The top two bits in all remaining array elements should be 0.
The next five bits in all array elements contain array index. Only one bit is
used and bit position in this five-bits range defines array index. This means
there can be at most five array elements in the future.
To define new right the CAPRIGHT() macro must be used. The macro takes two
arguments - an array index and a bit to set, eg.
#define CAP_PDKILL CAPRIGHT(1, 0x0000000000000800ULL)
We still support aliases that combine few rights, but the rights have to belong
to the same array element, eg:
#define CAP_LOOKUP CAPRIGHT(0, 0x0000000000000400ULL)
#define CAP_FCHMOD CAPRIGHT(0, 0x0000000000002000ULL)
#define CAP_FCHMODAT (CAP_FCHMOD | CAP_LOOKUP)
There is new API to manage the new cap_rights_t structure:
cap_rights_t *cap_rights_init(cap_rights_t *rights, ...);
void cap_rights_set(cap_rights_t *rights, ...);
void cap_rights_clear(cap_rights_t *rights, ...);
bool cap_rights_is_set(const cap_rights_t *rights, ...);
bool cap_rights_is_valid(const cap_rights_t *rights);
void cap_rights_merge(cap_rights_t *dst, const cap_rights_t *src);
void cap_rights_remove(cap_rights_t *dst, const cap_rights_t *src);
bool cap_rights_contains(const cap_rights_t *big, const cap_rights_t *little);
Capability rights to the cap_rights_init(), cap_rights_set(),
cap_rights_clear() and cap_rights_is_set() functions are provided by
separating them with commas, eg:
cap_rights_t rights;
cap_rights_init(&rights, CAP_READ, CAP_WRITE, CAP_FSTAT);
There is no need to terminate the list of rights, as those functions are
actually macros that take care of the termination, eg:
#define cap_rights_set(rights, ...) \
__cap_rights_set((rights), __VA_ARGS__, 0ULL)
void __cap_rights_set(cap_rights_t *rights, ...);
Thanks to using one bit as an array index we can assert in those functions that
there are no two rights belonging to different array elements provided
together. For example this is illegal and will be detected, because CAP_LOOKUP
belongs to element 0 and CAP_PDKILL to element 1:
cap_rights_init(&rights, CAP_LOOKUP | CAP_PDKILL);
Providing several rights that belongs to the same array's element this way is
correct, but is not advised. It should only be used for aliases definition.
This commit also breaks compatibility with some existing Capsicum system calls,
but I see no other way to do that. This should be fine as Capsicum is still
experimental and this change is not going to 9.x.
Sponsored by: The FreeBSD Foundation
2013-09-05 00:09:56 +00:00
|
|
|
error = fget(td, fd, cap_rights_init(&rights, CAP_FTRUNCATE), &fp);
|
2008-01-07 20:05:19 +00:00
|
|
|
if (error)
|
|
|
|
return (error);
|
2009-06-27 13:58:44 +00:00
|
|
|
AUDIT_ARG_FILE(td->td_proc, fp);
|
2008-01-07 20:05:19 +00:00
|
|
|
if (!(fp->f_flag & FWRITE)) {
|
|
|
|
fdrop(fp, td);
|
|
|
|
return (EINVAL);
|
|
|
|
}
|
|
|
|
error = fo_truncate(fp, length, td->td_ucred, td);
|
|
|
|
fdrop(fp, td);
|
|
|
|
return (error);
|
|
|
|
}
|
|
|
|
|
|
|
|
#ifndef _SYS_SYSPROTO_H_
|
|
|
|
struct ftruncate_args {
|
|
|
|
int fd;
|
|
|
|
int pad;
|
|
|
|
off_t length;
|
|
|
|
};
|
|
|
|
#endif
|
|
|
|
int
|
2011-09-16 13:58:51 +00:00
|
|
|
sys_ftruncate(td, uap)
|
2008-01-07 20:05:19 +00:00
|
|
|
struct thread *td;
|
|
|
|
struct ftruncate_args *uap;
|
|
|
|
{
|
|
|
|
|
|
|
|
return (kern_ftruncate(td, uap->fd, uap->length));
|
|
|
|
}
|
|
|
|
|
|
|
|
#if defined(COMPAT_43)
|
|
|
|
#ifndef _SYS_SYSPROTO_H_
|
|
|
|
struct oftruncate_args {
|
|
|
|
int fd;
|
|
|
|
long length;
|
|
|
|
};
|
|
|
|
#endif
|
|
|
|
int
|
|
|
|
oftruncate(td, uap)
|
|
|
|
struct thread *td;
|
|
|
|
struct oftruncate_args *uap;
|
|
|
|
{
|
|
|
|
|
|
|
|
return (kern_ftruncate(td, uap->fd, uap->length));
|
|
|
|
}
|
|
|
|
#endif /* COMPAT_43 */
|
|
|
|
|
1995-11-12 06:43:28 +00:00
|
|
|
#ifndef _SYS_SYSPROTO_H_
|
1994-05-24 10:09:53 +00:00
|
|
|
struct ioctl_args {
|
|
|
|
int fd;
|
1998-08-24 08:39:39 +00:00
|
|
|
u_long com;
|
1994-05-24 10:09:53 +00:00
|
|
|
caddr_t data;
|
|
|
|
};
|
1995-11-12 06:43:28 +00:00
|
|
|
#endif
|
1994-05-24 10:09:53 +00:00
|
|
|
/* ARGSUSED */
|
1994-05-25 09:21:21 +00:00
|
|
|
int
|
2011-09-16 13:58:51 +00:00
|
|
|
sys_ioctl(struct thread *td, struct ioctl_args *uap)
|
1994-05-24 10:09:53 +00:00
|
|
|
{
|
2014-11-04 11:29:49 +00:00
|
|
|
#ifndef SYS_IOCTL_SMALL_SIZE
|
|
|
|
#define SYS_IOCTL_SMALL_SIZE 128
|
|
|
|
#endif
|
|
|
|
u_char smalldata[SYS_IOCTL_SMALL_SIZE] __aligned(8);
|
2004-11-14 12:04:34 +00:00
|
|
|
u_long com;
|
2006-09-27 19:57:02 +00:00
|
|
|
int arg, error;
|
2004-11-14 12:04:34 +00:00
|
|
|
u_int size;
|
2006-09-27 19:57:02 +00:00
|
|
|
caddr_t data;
|
1994-05-24 10:09:53 +00:00
|
|
|
|
2005-01-18 07:37:05 +00:00
|
|
|
if (uap->com > 0xffffffff) {
|
|
|
|
printf(
|
|
|
|
"WARNING pid %d (%s): ioctl sign-extension ioctl %lx\n",
|
2007-11-14 06:21:24 +00:00
|
|
|
td->td_proc->p_pid, td->td_name, uap->com);
|
2005-01-18 07:37:05 +00:00
|
|
|
uap->com &= 0xffffffff;
|
|
|
|
}
|
2006-07-08 20:12:14 +00:00
|
|
|
com = uap->com;
|
1994-05-24 10:09:53 +00:00
|
|
|
|
|
|
|
/*
|
|
|
|
* Interpret high order word to find amount of data to be
|
|
|
|
* copied to/from the user's address space.
|
|
|
|
*/
|
|
|
|
size = IOCPARM_LEN(com);
|
2004-11-14 14:34:12 +00:00
|
|
|
if ((size > IOCPARM_MAX) ||
|
|
|
|
((com & (IOC_VOID | IOC_IN | IOC_OUT)) == 0) ||
|
2005-06-30 00:19:08 +00:00
|
|
|
#if defined(COMPAT_FREEBSD5) || defined(COMPAT_FREEBSD4) || defined(COMPAT_43)
|
|
|
|
((com & IOC_OUT) && size == 0) ||
|
|
|
|
#else
|
|
|
|
((com & (IOC_IN | IOC_OUT)) && size == 0) ||
|
|
|
|
#endif
|
2006-09-27 19:57:02 +00:00
|
|
|
((com & IOC_VOID) && size > 0 && size != sizeof(int)))
|
2002-01-13 11:58:06 +00:00
|
|
|
return (ENOTTY);
|
2000-11-18 21:01:04 +00:00
|
|
|
|
2004-11-14 14:34:12 +00:00
|
|
|
if (size > 0) {
|
2008-09-23 14:25:38 +00:00
|
|
|
if (com & IOC_VOID) {
|
2006-09-27 19:57:02 +00:00
|
|
|
/* Integer argument. */
|
|
|
|
arg = (intptr_t)uap->data;
|
|
|
|
data = (void *)&arg;
|
|
|
|
size = 0;
|
2014-11-03 07:46:51 +00:00
|
|
|
} else {
|
2014-11-04 11:29:49 +00:00
|
|
|
if (size > SYS_IOCTL_SMALL_SIZE)
|
2014-11-03 07:46:51 +00:00
|
|
|
data = malloc((u_long)size, M_IOCTLOPS, M_WAITOK);
|
2014-11-04 11:29:49 +00:00
|
|
|
else
|
|
|
|
data = smalldata;
|
2014-11-03 07:46:51 +00:00
|
|
|
}
|
2006-09-27 19:57:02 +00:00
|
|
|
} else
|
2004-11-14 14:34:12 +00:00
|
|
|
data = (void *)&uap->data;
|
|
|
|
if (com & IOC_IN) {
|
|
|
|
error = copyin(uap->data, data, (u_int)size);
|
2014-11-03 07:46:51 +00:00
|
|
|
if (error != 0)
|
|
|
|
goto out;
|
2004-11-14 14:34:12 +00:00
|
|
|
} else if (com & IOC_OUT) {
|
1994-05-24 10:09:53 +00:00
|
|
|
/*
|
|
|
|
* Zero the buffer so the user always
|
|
|
|
* gets back something deterministic.
|
|
|
|
*/
|
|
|
|
bzero(data, size);
|
2000-11-18 21:01:04 +00:00
|
|
|
}
|
1994-05-24 10:09:53 +00:00
|
|
|
|
2006-07-08 20:12:14 +00:00
|
|
|
error = kern_ioctl(td, uap->fd, com, data);
|
|
|
|
|
|
|
|
if (error == 0 && (com & IOC_OUT))
|
|
|
|
error = copyout(data, uap->data, (u_int)size);
|
|
|
|
|
2014-11-03 07:46:51 +00:00
|
|
|
out:
|
2014-11-04 11:29:49 +00:00
|
|
|
if (size > SYS_IOCTL_SMALL_SIZE)
|
2006-09-27 19:57:02 +00:00
|
|
|
free(data, M_IOCTLOPS);
|
2006-07-08 20:12:14 +00:00
|
|
|
return (error);
|
|
|
|
}
|
|
|
|
|
|
|
|
int
|
|
|
|
kern_ioctl(struct thread *td, int fd, u_long com, caddr_t data)
|
|
|
|
{
|
|
|
|
struct file *fp;
|
|
|
|
struct filedesc *fdp;
|
Change the cap_rights_t type from uint64_t to a structure that we can extend
in the future in a backward compatible (API and ABI) way.
The cap_rights_t represents capability rights. We used to use one bit to
represent one right, but we are running out of spare bits. Currently the new
structure provides place for 114 rights (so 50 more than the previous
cap_rights_t), but it is possible to grow the structure to hold at least 285
rights, although we can make it even larger if 285 rights won't be enough.
The structure definition looks like this:
struct cap_rights {
uint64_t cr_rights[CAP_RIGHTS_VERSION + 2];
};
The initial CAP_RIGHTS_VERSION is 0.
The top two bits in the first element of the cr_rights[] array contain total
number of elements in the array - 2. This means if those two bits are equal to
0, we have 2 array elements.
The top two bits in all remaining array elements should be 0.
The next five bits in all array elements contain array index. Only one bit is
used and bit position in this five-bits range defines array index. This means
there can be at most five array elements in the future.
To define new right the CAPRIGHT() macro must be used. The macro takes two
arguments - an array index and a bit to set, eg.
#define CAP_PDKILL CAPRIGHT(1, 0x0000000000000800ULL)
We still support aliases that combine few rights, but the rights have to belong
to the same array element, eg:
#define CAP_LOOKUP CAPRIGHT(0, 0x0000000000000400ULL)
#define CAP_FCHMOD CAPRIGHT(0, 0x0000000000002000ULL)
#define CAP_FCHMODAT (CAP_FCHMOD | CAP_LOOKUP)
There is new API to manage the new cap_rights_t structure:
cap_rights_t *cap_rights_init(cap_rights_t *rights, ...);
void cap_rights_set(cap_rights_t *rights, ...);
void cap_rights_clear(cap_rights_t *rights, ...);
bool cap_rights_is_set(const cap_rights_t *rights, ...);
bool cap_rights_is_valid(const cap_rights_t *rights);
void cap_rights_merge(cap_rights_t *dst, const cap_rights_t *src);
void cap_rights_remove(cap_rights_t *dst, const cap_rights_t *src);
bool cap_rights_contains(const cap_rights_t *big, const cap_rights_t *little);
Capability rights to the cap_rights_init(), cap_rights_set(),
cap_rights_clear() and cap_rights_is_set() functions are provided by
separating them with commas, eg:
cap_rights_t rights;
cap_rights_init(&rights, CAP_READ, CAP_WRITE, CAP_FSTAT);
There is no need to terminate the list of rights, as those functions are
actually macros that take care of the termination, eg:
#define cap_rights_set(rights, ...) \
__cap_rights_set((rights), __VA_ARGS__, 0ULL)
void __cap_rights_set(cap_rights_t *rights, ...);
Thanks to using one bit as an array index we can assert in those functions that
there are no two rights belonging to different array elements provided
together. For example this is illegal and will be detected, because CAP_LOOKUP
belongs to element 0 and CAP_PDKILL to element 1:
cap_rights_init(&rights, CAP_LOOKUP | CAP_PDKILL);
Providing several rights that belongs to the same array's element this way is
correct, but is not advised. It should only be used for aliases definition.
This commit also breaks compatibility with some existing Capsicum system calls,
but I see no other way to do that. This should be fine as Capsicum is still
experimental and this change is not going to 9.x.
Sponsored by: The FreeBSD Foundation
2013-09-05 00:09:56 +00:00
|
|
|
#ifndef CAPABILITIES
|
|
|
|
cap_rights_t rights;
|
|
|
|
#endif
|
Merge Capsicum overhaul:
- Capability is no longer separate descriptor type. Now every descriptor
has set of its own capability rights.
- The cap_new(2) system call is left, but it is no longer documented and
should not be used in new code.
- The new syscall cap_rights_limit(2) should be used instead of
cap_new(2), which limits capability rights of the given descriptor
without creating a new one.
- The cap_getrights(2) syscall is renamed to cap_rights_get(2).
- If CAP_IOCTL capability right is present we can further reduce allowed
ioctls list with the new cap_ioctls_limit(2) syscall. List of allowed
ioctls can be retrived with cap_ioctls_get(2) syscall.
- If CAP_FCNTL capability right is present we can further reduce fcntls
that can be used with the new cap_fcntls_limit(2) syscall and retrive
them with cap_fcntls_get(2).
- To support ioctl and fcntl white-listing the filedesc structure was
heavly modified.
- The audit subsystem, kdump and procstat tools were updated to
recognize new syscalls.
- Capability rights were revised and eventhough I tried hard to provide
backward API and ABI compatibility there are some incompatible changes
that are described in detail below:
CAP_CREATE old behaviour:
- Allow for openat(2)+O_CREAT.
- Allow for linkat(2).
- Allow for symlinkat(2).
CAP_CREATE new behaviour:
- Allow for openat(2)+O_CREAT.
Added CAP_LINKAT:
- Allow for linkat(2). ABI: Reuses CAP_RMDIR bit.
- Allow to be target for renameat(2).
Added CAP_SYMLINKAT:
- Allow for symlinkat(2).
Removed CAP_DELETE. Old behaviour:
- Allow for unlinkat(2) when removing non-directory object.
- Allow to be source for renameat(2).
Removed CAP_RMDIR. Old behaviour:
- Allow for unlinkat(2) when removing directory.
Added CAP_RENAMEAT:
- Required for source directory for the renameat(2) syscall.
Added CAP_UNLINKAT (effectively it replaces CAP_DELETE and CAP_RMDIR):
- Allow for unlinkat(2) on any object.
- Required if target of renameat(2) exists and will be removed by this
call.
Removed CAP_MAPEXEC.
CAP_MMAP old behaviour:
- Allow for mmap(2) with any combination of PROT_NONE, PROT_READ and
PROT_WRITE.
CAP_MMAP new behaviour:
- Allow for mmap(2)+PROT_NONE.
Added CAP_MMAP_R:
- Allow for mmap(PROT_READ).
Added CAP_MMAP_W:
- Allow for mmap(PROT_WRITE).
Added CAP_MMAP_X:
- Allow for mmap(PROT_EXEC).
Added CAP_MMAP_RW:
- Allow for mmap(PROT_READ | PROT_WRITE).
Added CAP_MMAP_RX:
- Allow for mmap(PROT_READ | PROT_EXEC).
Added CAP_MMAP_WX:
- Allow for mmap(PROT_WRITE | PROT_EXEC).
Added CAP_MMAP_RWX:
- Allow for mmap(PROT_READ | PROT_WRITE | PROT_EXEC).
Renamed CAP_MKDIR to CAP_MKDIRAT.
Renamed CAP_MKFIFO to CAP_MKFIFOAT.
Renamed CAP_MKNODE to CAP_MKNODEAT.
CAP_READ old behaviour:
- Allow pread(2).
- Disallow read(2), readv(2) (if there is no CAP_SEEK).
CAP_READ new behaviour:
- Allow read(2), readv(2).
- Disallow pread(2) (CAP_SEEK was also required).
CAP_WRITE old behaviour:
- Allow pwrite(2).
- Disallow write(2), writev(2) (if there is no CAP_SEEK).
CAP_WRITE new behaviour:
- Allow write(2), writev(2).
- Disallow pwrite(2) (CAP_SEEK was also required).
Added convinient defines:
#define CAP_PREAD (CAP_SEEK | CAP_READ)
#define CAP_PWRITE (CAP_SEEK | CAP_WRITE)
#define CAP_MMAP_R (CAP_MMAP | CAP_SEEK | CAP_READ)
#define CAP_MMAP_W (CAP_MMAP | CAP_SEEK | CAP_WRITE)
#define CAP_MMAP_X (CAP_MMAP | CAP_SEEK | 0x0000000000000008ULL)
#define CAP_MMAP_RW (CAP_MMAP_R | CAP_MMAP_W)
#define CAP_MMAP_RX (CAP_MMAP_R | CAP_MMAP_X)
#define CAP_MMAP_WX (CAP_MMAP_W | CAP_MMAP_X)
#define CAP_MMAP_RWX (CAP_MMAP_R | CAP_MMAP_W | CAP_MMAP_X)
#define CAP_RECV CAP_READ
#define CAP_SEND CAP_WRITE
#define CAP_SOCK_CLIENT \
(CAP_CONNECT | CAP_GETPEERNAME | CAP_GETSOCKNAME | CAP_GETSOCKOPT | \
CAP_PEELOFF | CAP_RECV | CAP_SEND | CAP_SETSOCKOPT | CAP_SHUTDOWN)
#define CAP_SOCK_SERVER \
(CAP_ACCEPT | CAP_BIND | CAP_GETPEERNAME | CAP_GETSOCKNAME | \
CAP_GETSOCKOPT | CAP_LISTEN | CAP_PEELOFF | CAP_RECV | CAP_SEND | \
CAP_SETSOCKOPT | CAP_SHUTDOWN)
Added defines for backward API compatibility:
#define CAP_MAPEXEC CAP_MMAP_X
#define CAP_DELETE CAP_UNLINKAT
#define CAP_MKDIR CAP_MKDIRAT
#define CAP_RMDIR CAP_UNLINKAT
#define CAP_MKFIFO CAP_MKFIFOAT
#define CAP_MKNOD CAP_MKNODAT
#define CAP_SOCK_ALL (CAP_SOCK_CLIENT | CAP_SOCK_SERVER)
Sponsored by: The FreeBSD Foundation
Reviewed by: Christoph Mallon <christoph.mallon@gmx.de>
Many aspects discussed with: rwatson, benl, jonathan
ABI compatibility discussed with: kib
2013-03-02 00:53:12 +00:00
|
|
|
int error, tmp, locked;
|
2006-07-08 20:12:14 +00:00
|
|
|
|
2009-07-02 09:16:25 +00:00
|
|
|
AUDIT_ARG_FD(fd);
|
|
|
|
AUDIT_ARG_CMD(com);
|
Merge Capsicum overhaul:
- Capability is no longer separate descriptor type. Now every descriptor
has set of its own capability rights.
- The cap_new(2) system call is left, but it is no longer documented and
should not be used in new code.
- The new syscall cap_rights_limit(2) should be used instead of
cap_new(2), which limits capability rights of the given descriptor
without creating a new one.
- The cap_getrights(2) syscall is renamed to cap_rights_get(2).
- If CAP_IOCTL capability right is present we can further reduce allowed
ioctls list with the new cap_ioctls_limit(2) syscall. List of allowed
ioctls can be retrived with cap_ioctls_get(2) syscall.
- If CAP_FCNTL capability right is present we can further reduce fcntls
that can be used with the new cap_fcntls_limit(2) syscall and retrive
them with cap_fcntls_get(2).
- To support ioctl and fcntl white-listing the filedesc structure was
heavly modified.
- The audit subsystem, kdump and procstat tools were updated to
recognize new syscalls.
- Capability rights were revised and eventhough I tried hard to provide
backward API and ABI compatibility there are some incompatible changes
that are described in detail below:
CAP_CREATE old behaviour:
- Allow for openat(2)+O_CREAT.
- Allow for linkat(2).
- Allow for symlinkat(2).
CAP_CREATE new behaviour:
- Allow for openat(2)+O_CREAT.
Added CAP_LINKAT:
- Allow for linkat(2). ABI: Reuses CAP_RMDIR bit.
- Allow to be target for renameat(2).
Added CAP_SYMLINKAT:
- Allow for symlinkat(2).
Removed CAP_DELETE. Old behaviour:
- Allow for unlinkat(2) when removing non-directory object.
- Allow to be source for renameat(2).
Removed CAP_RMDIR. Old behaviour:
- Allow for unlinkat(2) when removing directory.
Added CAP_RENAMEAT:
- Required for source directory for the renameat(2) syscall.
Added CAP_UNLINKAT (effectively it replaces CAP_DELETE and CAP_RMDIR):
- Allow for unlinkat(2) on any object.
- Required if target of renameat(2) exists and will be removed by this
call.
Removed CAP_MAPEXEC.
CAP_MMAP old behaviour:
- Allow for mmap(2) with any combination of PROT_NONE, PROT_READ and
PROT_WRITE.
CAP_MMAP new behaviour:
- Allow for mmap(2)+PROT_NONE.
Added CAP_MMAP_R:
- Allow for mmap(PROT_READ).
Added CAP_MMAP_W:
- Allow for mmap(PROT_WRITE).
Added CAP_MMAP_X:
- Allow for mmap(PROT_EXEC).
Added CAP_MMAP_RW:
- Allow for mmap(PROT_READ | PROT_WRITE).
Added CAP_MMAP_RX:
- Allow for mmap(PROT_READ | PROT_EXEC).
Added CAP_MMAP_WX:
- Allow for mmap(PROT_WRITE | PROT_EXEC).
Added CAP_MMAP_RWX:
- Allow for mmap(PROT_READ | PROT_WRITE | PROT_EXEC).
Renamed CAP_MKDIR to CAP_MKDIRAT.
Renamed CAP_MKFIFO to CAP_MKFIFOAT.
Renamed CAP_MKNODE to CAP_MKNODEAT.
CAP_READ old behaviour:
- Allow pread(2).
- Disallow read(2), readv(2) (if there is no CAP_SEEK).
CAP_READ new behaviour:
- Allow read(2), readv(2).
- Disallow pread(2) (CAP_SEEK was also required).
CAP_WRITE old behaviour:
- Allow pwrite(2).
- Disallow write(2), writev(2) (if there is no CAP_SEEK).
CAP_WRITE new behaviour:
- Allow write(2), writev(2).
- Disallow pwrite(2) (CAP_SEEK was also required).
Added convinient defines:
#define CAP_PREAD (CAP_SEEK | CAP_READ)
#define CAP_PWRITE (CAP_SEEK | CAP_WRITE)
#define CAP_MMAP_R (CAP_MMAP | CAP_SEEK | CAP_READ)
#define CAP_MMAP_W (CAP_MMAP | CAP_SEEK | CAP_WRITE)
#define CAP_MMAP_X (CAP_MMAP | CAP_SEEK | 0x0000000000000008ULL)
#define CAP_MMAP_RW (CAP_MMAP_R | CAP_MMAP_W)
#define CAP_MMAP_RX (CAP_MMAP_R | CAP_MMAP_X)
#define CAP_MMAP_WX (CAP_MMAP_W | CAP_MMAP_X)
#define CAP_MMAP_RWX (CAP_MMAP_R | CAP_MMAP_W | CAP_MMAP_X)
#define CAP_RECV CAP_READ
#define CAP_SEND CAP_WRITE
#define CAP_SOCK_CLIENT \
(CAP_CONNECT | CAP_GETPEERNAME | CAP_GETSOCKNAME | CAP_GETSOCKOPT | \
CAP_PEELOFF | CAP_RECV | CAP_SEND | CAP_SETSOCKOPT | CAP_SHUTDOWN)
#define CAP_SOCK_SERVER \
(CAP_ACCEPT | CAP_BIND | CAP_GETPEERNAME | CAP_GETSOCKNAME | \
CAP_GETSOCKOPT | CAP_LISTEN | CAP_PEELOFF | CAP_RECV | CAP_SEND | \
CAP_SETSOCKOPT | CAP_SHUTDOWN)
Added defines for backward API compatibility:
#define CAP_MAPEXEC CAP_MMAP_X
#define CAP_DELETE CAP_UNLINKAT
#define CAP_MKDIR CAP_MKDIRAT
#define CAP_RMDIR CAP_UNLINKAT
#define CAP_MKFIFO CAP_MKFIFOAT
#define CAP_MKNOD CAP_MKNODAT
#define CAP_SOCK_ALL (CAP_SOCK_CLIENT | CAP_SOCK_SERVER)
Sponsored by: The FreeBSD Foundation
Reviewed by: Christoph Mallon <christoph.mallon@gmx.de>
Many aspects discussed with: rwatson, benl, jonathan
ABI compatibility discussed with: kib
2013-03-02 00:53:12 +00:00
|
|
|
|
2006-07-08 20:12:14 +00:00
|
|
|
fdp = td->td_proc->p_fd;
|
Merge Capsicum overhaul:
- Capability is no longer separate descriptor type. Now every descriptor
has set of its own capability rights.
- The cap_new(2) system call is left, but it is no longer documented and
should not be used in new code.
- The new syscall cap_rights_limit(2) should be used instead of
cap_new(2), which limits capability rights of the given descriptor
without creating a new one.
- The cap_getrights(2) syscall is renamed to cap_rights_get(2).
- If CAP_IOCTL capability right is present we can further reduce allowed
ioctls list with the new cap_ioctls_limit(2) syscall. List of allowed
ioctls can be retrived with cap_ioctls_get(2) syscall.
- If CAP_FCNTL capability right is present we can further reduce fcntls
that can be used with the new cap_fcntls_limit(2) syscall and retrive
them with cap_fcntls_get(2).
- To support ioctl and fcntl white-listing the filedesc structure was
heavly modified.
- The audit subsystem, kdump and procstat tools were updated to
recognize new syscalls.
- Capability rights were revised and eventhough I tried hard to provide
backward API and ABI compatibility there are some incompatible changes
that are described in detail below:
CAP_CREATE old behaviour:
- Allow for openat(2)+O_CREAT.
- Allow for linkat(2).
- Allow for symlinkat(2).
CAP_CREATE new behaviour:
- Allow for openat(2)+O_CREAT.
Added CAP_LINKAT:
- Allow for linkat(2). ABI: Reuses CAP_RMDIR bit.
- Allow to be target for renameat(2).
Added CAP_SYMLINKAT:
- Allow for symlinkat(2).
Removed CAP_DELETE. Old behaviour:
- Allow for unlinkat(2) when removing non-directory object.
- Allow to be source for renameat(2).
Removed CAP_RMDIR. Old behaviour:
- Allow for unlinkat(2) when removing directory.
Added CAP_RENAMEAT:
- Required for source directory for the renameat(2) syscall.
Added CAP_UNLINKAT (effectively it replaces CAP_DELETE and CAP_RMDIR):
- Allow for unlinkat(2) on any object.
- Required if target of renameat(2) exists and will be removed by this
call.
Removed CAP_MAPEXEC.
CAP_MMAP old behaviour:
- Allow for mmap(2) with any combination of PROT_NONE, PROT_READ and
PROT_WRITE.
CAP_MMAP new behaviour:
- Allow for mmap(2)+PROT_NONE.
Added CAP_MMAP_R:
- Allow for mmap(PROT_READ).
Added CAP_MMAP_W:
- Allow for mmap(PROT_WRITE).
Added CAP_MMAP_X:
- Allow for mmap(PROT_EXEC).
Added CAP_MMAP_RW:
- Allow for mmap(PROT_READ | PROT_WRITE).
Added CAP_MMAP_RX:
- Allow for mmap(PROT_READ | PROT_EXEC).
Added CAP_MMAP_WX:
- Allow for mmap(PROT_WRITE | PROT_EXEC).
Added CAP_MMAP_RWX:
- Allow for mmap(PROT_READ | PROT_WRITE | PROT_EXEC).
Renamed CAP_MKDIR to CAP_MKDIRAT.
Renamed CAP_MKFIFO to CAP_MKFIFOAT.
Renamed CAP_MKNODE to CAP_MKNODEAT.
CAP_READ old behaviour:
- Allow pread(2).
- Disallow read(2), readv(2) (if there is no CAP_SEEK).
CAP_READ new behaviour:
- Allow read(2), readv(2).
- Disallow pread(2) (CAP_SEEK was also required).
CAP_WRITE old behaviour:
- Allow pwrite(2).
- Disallow write(2), writev(2) (if there is no CAP_SEEK).
CAP_WRITE new behaviour:
- Allow write(2), writev(2).
- Disallow pwrite(2) (CAP_SEEK was also required).
Added convinient defines:
#define CAP_PREAD (CAP_SEEK | CAP_READ)
#define CAP_PWRITE (CAP_SEEK | CAP_WRITE)
#define CAP_MMAP_R (CAP_MMAP | CAP_SEEK | CAP_READ)
#define CAP_MMAP_W (CAP_MMAP | CAP_SEEK | CAP_WRITE)
#define CAP_MMAP_X (CAP_MMAP | CAP_SEEK | 0x0000000000000008ULL)
#define CAP_MMAP_RW (CAP_MMAP_R | CAP_MMAP_W)
#define CAP_MMAP_RX (CAP_MMAP_R | CAP_MMAP_X)
#define CAP_MMAP_WX (CAP_MMAP_W | CAP_MMAP_X)
#define CAP_MMAP_RWX (CAP_MMAP_R | CAP_MMAP_W | CAP_MMAP_X)
#define CAP_RECV CAP_READ
#define CAP_SEND CAP_WRITE
#define CAP_SOCK_CLIENT \
(CAP_CONNECT | CAP_GETPEERNAME | CAP_GETSOCKNAME | CAP_GETSOCKOPT | \
CAP_PEELOFF | CAP_RECV | CAP_SEND | CAP_SETSOCKOPT | CAP_SHUTDOWN)
#define CAP_SOCK_SERVER \
(CAP_ACCEPT | CAP_BIND | CAP_GETPEERNAME | CAP_GETSOCKNAME | \
CAP_GETSOCKOPT | CAP_LISTEN | CAP_PEELOFF | CAP_RECV | CAP_SEND | \
CAP_SETSOCKOPT | CAP_SHUTDOWN)
Added defines for backward API compatibility:
#define CAP_MAPEXEC CAP_MMAP_X
#define CAP_DELETE CAP_UNLINKAT
#define CAP_MKDIR CAP_MKDIRAT
#define CAP_RMDIR CAP_UNLINKAT
#define CAP_MKFIFO CAP_MKFIFOAT
#define CAP_MKNOD CAP_MKNODAT
#define CAP_SOCK_ALL (CAP_SOCK_CLIENT | CAP_SOCK_SERVER)
Sponsored by: The FreeBSD Foundation
Reviewed by: Christoph Mallon <christoph.mallon@gmx.de>
Many aspects discussed with: rwatson, benl, jonathan
ABI compatibility discussed with: kib
2013-03-02 00:53:12 +00:00
|
|
|
|
2006-07-08 20:12:14 +00:00
|
|
|
switch (com) {
|
|
|
|
case FIONCLEX:
|
Merge Capsicum overhaul:
- Capability is no longer separate descriptor type. Now every descriptor
has set of its own capability rights.
- The cap_new(2) system call is left, but it is no longer documented and
should not be used in new code.
- The new syscall cap_rights_limit(2) should be used instead of
cap_new(2), which limits capability rights of the given descriptor
without creating a new one.
- The cap_getrights(2) syscall is renamed to cap_rights_get(2).
- If CAP_IOCTL capability right is present we can further reduce allowed
ioctls list with the new cap_ioctls_limit(2) syscall. List of allowed
ioctls can be retrived with cap_ioctls_get(2) syscall.
- If CAP_FCNTL capability right is present we can further reduce fcntls
that can be used with the new cap_fcntls_limit(2) syscall and retrive
them with cap_fcntls_get(2).
- To support ioctl and fcntl white-listing the filedesc structure was
heavly modified.
- The audit subsystem, kdump and procstat tools were updated to
recognize new syscalls.
- Capability rights were revised and eventhough I tried hard to provide
backward API and ABI compatibility there are some incompatible changes
that are described in detail below:
CAP_CREATE old behaviour:
- Allow for openat(2)+O_CREAT.
- Allow for linkat(2).
- Allow for symlinkat(2).
CAP_CREATE new behaviour:
- Allow for openat(2)+O_CREAT.
Added CAP_LINKAT:
- Allow for linkat(2). ABI: Reuses CAP_RMDIR bit.
- Allow to be target for renameat(2).
Added CAP_SYMLINKAT:
- Allow for symlinkat(2).
Removed CAP_DELETE. Old behaviour:
- Allow for unlinkat(2) when removing non-directory object.
- Allow to be source for renameat(2).
Removed CAP_RMDIR. Old behaviour:
- Allow for unlinkat(2) when removing directory.
Added CAP_RENAMEAT:
- Required for source directory for the renameat(2) syscall.
Added CAP_UNLINKAT (effectively it replaces CAP_DELETE and CAP_RMDIR):
- Allow for unlinkat(2) on any object.
- Required if target of renameat(2) exists and will be removed by this
call.
Removed CAP_MAPEXEC.
CAP_MMAP old behaviour:
- Allow for mmap(2) with any combination of PROT_NONE, PROT_READ and
PROT_WRITE.
CAP_MMAP new behaviour:
- Allow for mmap(2)+PROT_NONE.
Added CAP_MMAP_R:
- Allow for mmap(PROT_READ).
Added CAP_MMAP_W:
- Allow for mmap(PROT_WRITE).
Added CAP_MMAP_X:
- Allow for mmap(PROT_EXEC).
Added CAP_MMAP_RW:
- Allow for mmap(PROT_READ | PROT_WRITE).
Added CAP_MMAP_RX:
- Allow for mmap(PROT_READ | PROT_EXEC).
Added CAP_MMAP_WX:
- Allow for mmap(PROT_WRITE | PROT_EXEC).
Added CAP_MMAP_RWX:
- Allow for mmap(PROT_READ | PROT_WRITE | PROT_EXEC).
Renamed CAP_MKDIR to CAP_MKDIRAT.
Renamed CAP_MKFIFO to CAP_MKFIFOAT.
Renamed CAP_MKNODE to CAP_MKNODEAT.
CAP_READ old behaviour:
- Allow pread(2).
- Disallow read(2), readv(2) (if there is no CAP_SEEK).
CAP_READ new behaviour:
- Allow read(2), readv(2).
- Disallow pread(2) (CAP_SEEK was also required).
CAP_WRITE old behaviour:
- Allow pwrite(2).
- Disallow write(2), writev(2) (if there is no CAP_SEEK).
CAP_WRITE new behaviour:
- Allow write(2), writev(2).
- Disallow pwrite(2) (CAP_SEEK was also required).
Added convinient defines:
#define CAP_PREAD (CAP_SEEK | CAP_READ)
#define CAP_PWRITE (CAP_SEEK | CAP_WRITE)
#define CAP_MMAP_R (CAP_MMAP | CAP_SEEK | CAP_READ)
#define CAP_MMAP_W (CAP_MMAP | CAP_SEEK | CAP_WRITE)
#define CAP_MMAP_X (CAP_MMAP | CAP_SEEK | 0x0000000000000008ULL)
#define CAP_MMAP_RW (CAP_MMAP_R | CAP_MMAP_W)
#define CAP_MMAP_RX (CAP_MMAP_R | CAP_MMAP_X)
#define CAP_MMAP_WX (CAP_MMAP_W | CAP_MMAP_X)
#define CAP_MMAP_RWX (CAP_MMAP_R | CAP_MMAP_W | CAP_MMAP_X)
#define CAP_RECV CAP_READ
#define CAP_SEND CAP_WRITE
#define CAP_SOCK_CLIENT \
(CAP_CONNECT | CAP_GETPEERNAME | CAP_GETSOCKNAME | CAP_GETSOCKOPT | \
CAP_PEELOFF | CAP_RECV | CAP_SEND | CAP_SETSOCKOPT | CAP_SHUTDOWN)
#define CAP_SOCK_SERVER \
(CAP_ACCEPT | CAP_BIND | CAP_GETPEERNAME | CAP_GETSOCKNAME | \
CAP_GETSOCKOPT | CAP_LISTEN | CAP_PEELOFF | CAP_RECV | CAP_SEND | \
CAP_SETSOCKOPT | CAP_SHUTDOWN)
Added defines for backward API compatibility:
#define CAP_MAPEXEC CAP_MMAP_X
#define CAP_DELETE CAP_UNLINKAT
#define CAP_MKDIR CAP_MKDIRAT
#define CAP_RMDIR CAP_UNLINKAT
#define CAP_MKFIFO CAP_MKFIFOAT
#define CAP_MKNOD CAP_MKNODAT
#define CAP_SOCK_ALL (CAP_SOCK_CLIENT | CAP_SOCK_SERVER)
Sponsored by: The FreeBSD Foundation
Reviewed by: Christoph Mallon <christoph.mallon@gmx.de>
Many aspects discussed with: rwatson, benl, jonathan
ABI compatibility discussed with: kib
2013-03-02 00:53:12 +00:00
|
|
|
case FIOCLEX:
|
Replace custom file descriptor array sleep lock constructed using a mutex
and flags with an sxlock. This leads to a significant and measurable
performance improvement as a result of access to shared locking for
frequent lookup operations, reduced general overhead, and reduced overhead
in the event of contention. All of these are imported for threaded
applications where simultaneous access to a shared file descriptor array
occurs frequently. Kris has reported 2x-4x transaction rate improvements
on 8-core MySQL benchmarks; smaller improvements can be expected for many
workloads as a result of reduced overhead.
- Generally eliminate the distinction between "fast" and regular
acquisisition of the filedesc lock; the plan is that they will now all
be fast. Change all locking instances to either shared or exclusive
locks.
- Correct a bug (pointed out by kib) in fdfree() where previously msleep()
was called without the mutex held; sx_sleep() is now always called with
the sxlock held exclusively.
- Universally hold the struct file lock over changes to struct file,
rather than the filedesc lock or no lock. Always update the f_ops
field last. A further memory barrier is required here in the future
(discussed with jhb).
- Improve locking and reference management in linux_at(), which fails to
properly acquire vnode references before using vnode pointers. Annotate
improper use of vn_fullpath(), which will be replaced at a future date.
In fcntl(), we conservatively acquire an exclusive lock, even though in
some cases a shared lock may be sufficient, which should be revisited.
The dropping of the filedesc lock in fdgrowtable() is no longer required
as the sxlock can be held over the sleep operation; we should consider
removing that (pointed out by attilio).
Tested by: kris
Discussed with: jhb, kris, attilio, jeff
2007-04-04 09:11:34 +00:00
|
|
|
FILEDESC_XLOCK(fdp);
|
Merge Capsicum overhaul:
- Capability is no longer separate descriptor type. Now every descriptor
has set of its own capability rights.
- The cap_new(2) system call is left, but it is no longer documented and
should not be used in new code.
- The new syscall cap_rights_limit(2) should be used instead of
cap_new(2), which limits capability rights of the given descriptor
without creating a new one.
- The cap_getrights(2) syscall is renamed to cap_rights_get(2).
- If CAP_IOCTL capability right is present we can further reduce allowed
ioctls list with the new cap_ioctls_limit(2) syscall. List of allowed
ioctls can be retrived with cap_ioctls_get(2) syscall.
- If CAP_FCNTL capability right is present we can further reduce fcntls
that can be used with the new cap_fcntls_limit(2) syscall and retrive
them with cap_fcntls_get(2).
- To support ioctl and fcntl white-listing the filedesc structure was
heavly modified.
- The audit subsystem, kdump and procstat tools were updated to
recognize new syscalls.
- Capability rights were revised and eventhough I tried hard to provide
backward API and ABI compatibility there are some incompatible changes
that are described in detail below:
CAP_CREATE old behaviour:
- Allow for openat(2)+O_CREAT.
- Allow for linkat(2).
- Allow for symlinkat(2).
CAP_CREATE new behaviour:
- Allow for openat(2)+O_CREAT.
Added CAP_LINKAT:
- Allow for linkat(2). ABI: Reuses CAP_RMDIR bit.
- Allow to be target for renameat(2).
Added CAP_SYMLINKAT:
- Allow for symlinkat(2).
Removed CAP_DELETE. Old behaviour:
- Allow for unlinkat(2) when removing non-directory object.
- Allow to be source for renameat(2).
Removed CAP_RMDIR. Old behaviour:
- Allow for unlinkat(2) when removing directory.
Added CAP_RENAMEAT:
- Required for source directory for the renameat(2) syscall.
Added CAP_UNLINKAT (effectively it replaces CAP_DELETE and CAP_RMDIR):
- Allow for unlinkat(2) on any object.
- Required if target of renameat(2) exists and will be removed by this
call.
Removed CAP_MAPEXEC.
CAP_MMAP old behaviour:
- Allow for mmap(2) with any combination of PROT_NONE, PROT_READ and
PROT_WRITE.
CAP_MMAP new behaviour:
- Allow for mmap(2)+PROT_NONE.
Added CAP_MMAP_R:
- Allow for mmap(PROT_READ).
Added CAP_MMAP_W:
- Allow for mmap(PROT_WRITE).
Added CAP_MMAP_X:
- Allow for mmap(PROT_EXEC).
Added CAP_MMAP_RW:
- Allow for mmap(PROT_READ | PROT_WRITE).
Added CAP_MMAP_RX:
- Allow for mmap(PROT_READ | PROT_EXEC).
Added CAP_MMAP_WX:
- Allow for mmap(PROT_WRITE | PROT_EXEC).
Added CAP_MMAP_RWX:
- Allow for mmap(PROT_READ | PROT_WRITE | PROT_EXEC).
Renamed CAP_MKDIR to CAP_MKDIRAT.
Renamed CAP_MKFIFO to CAP_MKFIFOAT.
Renamed CAP_MKNODE to CAP_MKNODEAT.
CAP_READ old behaviour:
- Allow pread(2).
- Disallow read(2), readv(2) (if there is no CAP_SEEK).
CAP_READ new behaviour:
- Allow read(2), readv(2).
- Disallow pread(2) (CAP_SEEK was also required).
CAP_WRITE old behaviour:
- Allow pwrite(2).
- Disallow write(2), writev(2) (if there is no CAP_SEEK).
CAP_WRITE new behaviour:
- Allow write(2), writev(2).
- Disallow pwrite(2) (CAP_SEEK was also required).
Added convinient defines:
#define CAP_PREAD (CAP_SEEK | CAP_READ)
#define CAP_PWRITE (CAP_SEEK | CAP_WRITE)
#define CAP_MMAP_R (CAP_MMAP | CAP_SEEK | CAP_READ)
#define CAP_MMAP_W (CAP_MMAP | CAP_SEEK | CAP_WRITE)
#define CAP_MMAP_X (CAP_MMAP | CAP_SEEK | 0x0000000000000008ULL)
#define CAP_MMAP_RW (CAP_MMAP_R | CAP_MMAP_W)
#define CAP_MMAP_RX (CAP_MMAP_R | CAP_MMAP_X)
#define CAP_MMAP_WX (CAP_MMAP_W | CAP_MMAP_X)
#define CAP_MMAP_RWX (CAP_MMAP_R | CAP_MMAP_W | CAP_MMAP_X)
#define CAP_RECV CAP_READ
#define CAP_SEND CAP_WRITE
#define CAP_SOCK_CLIENT \
(CAP_CONNECT | CAP_GETPEERNAME | CAP_GETSOCKNAME | CAP_GETSOCKOPT | \
CAP_PEELOFF | CAP_RECV | CAP_SEND | CAP_SETSOCKOPT | CAP_SHUTDOWN)
#define CAP_SOCK_SERVER \
(CAP_ACCEPT | CAP_BIND | CAP_GETPEERNAME | CAP_GETSOCKNAME | \
CAP_GETSOCKOPT | CAP_LISTEN | CAP_PEELOFF | CAP_RECV | CAP_SEND | \
CAP_SETSOCKOPT | CAP_SHUTDOWN)
Added defines for backward API compatibility:
#define CAP_MAPEXEC CAP_MMAP_X
#define CAP_DELETE CAP_UNLINKAT
#define CAP_MKDIR CAP_MKDIRAT
#define CAP_RMDIR CAP_UNLINKAT
#define CAP_MKFIFO CAP_MKFIFOAT
#define CAP_MKNOD CAP_MKNODAT
#define CAP_SOCK_ALL (CAP_SOCK_CLIENT | CAP_SOCK_SERVER)
Sponsored by: The FreeBSD Foundation
Reviewed by: Christoph Mallon <christoph.mallon@gmx.de>
Many aspects discussed with: rwatson, benl, jonathan
ABI compatibility discussed with: kib
2013-03-02 00:53:12 +00:00
|
|
|
locked = LA_XLOCKED;
|
|
|
|
break;
|
|
|
|
default:
|
|
|
|
#ifdef CAPABILITIES
|
|
|
|
FILEDESC_SLOCK(fdp);
|
|
|
|
locked = LA_SLOCKED;
|
|
|
|
#else
|
|
|
|
locked = LA_UNLOCKED;
|
|
|
|
#endif
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
|
|
|
|
#ifdef CAPABILITIES
|
|
|
|
if ((fp = fget_locked(fdp, fd)) == NULL) {
|
|
|
|
error = EBADF;
|
|
|
|
goto out;
|
|
|
|
}
|
|
|
|
if ((error = cap_ioctl_check(fdp, fd, com)) != 0) {
|
|
|
|
fp = NULL; /* fhold() was not called yet */
|
|
|
|
goto out;
|
|
|
|
}
|
|
|
|
fhold(fp);
|
|
|
|
if (locked == LA_SLOCKED) {
|
|
|
|
FILEDESC_SUNLOCK(fdp);
|
|
|
|
locked = LA_UNLOCKED;
|
|
|
|
}
|
|
|
|
#else
|
Change the cap_rights_t type from uint64_t to a structure that we can extend
in the future in a backward compatible (API and ABI) way.
The cap_rights_t represents capability rights. We used to use one bit to
represent one right, but we are running out of spare bits. Currently the new
structure provides place for 114 rights (so 50 more than the previous
cap_rights_t), but it is possible to grow the structure to hold at least 285
rights, although we can make it even larger if 285 rights won't be enough.
The structure definition looks like this:
struct cap_rights {
uint64_t cr_rights[CAP_RIGHTS_VERSION + 2];
};
The initial CAP_RIGHTS_VERSION is 0.
The top two bits in the first element of the cr_rights[] array contain total
number of elements in the array - 2. This means if those two bits are equal to
0, we have 2 array elements.
The top two bits in all remaining array elements should be 0.
The next five bits in all array elements contain array index. Only one bit is
used and bit position in this five-bits range defines array index. This means
there can be at most five array elements in the future.
To define new right the CAPRIGHT() macro must be used. The macro takes two
arguments - an array index and a bit to set, eg.
#define CAP_PDKILL CAPRIGHT(1, 0x0000000000000800ULL)
We still support aliases that combine few rights, but the rights have to belong
to the same array element, eg:
#define CAP_LOOKUP CAPRIGHT(0, 0x0000000000000400ULL)
#define CAP_FCHMOD CAPRIGHT(0, 0x0000000000002000ULL)
#define CAP_FCHMODAT (CAP_FCHMOD | CAP_LOOKUP)
There is new API to manage the new cap_rights_t structure:
cap_rights_t *cap_rights_init(cap_rights_t *rights, ...);
void cap_rights_set(cap_rights_t *rights, ...);
void cap_rights_clear(cap_rights_t *rights, ...);
bool cap_rights_is_set(const cap_rights_t *rights, ...);
bool cap_rights_is_valid(const cap_rights_t *rights);
void cap_rights_merge(cap_rights_t *dst, const cap_rights_t *src);
void cap_rights_remove(cap_rights_t *dst, const cap_rights_t *src);
bool cap_rights_contains(const cap_rights_t *big, const cap_rights_t *little);
Capability rights to the cap_rights_init(), cap_rights_set(),
cap_rights_clear() and cap_rights_is_set() functions are provided by
separating them with commas, eg:
cap_rights_t rights;
cap_rights_init(&rights, CAP_READ, CAP_WRITE, CAP_FSTAT);
There is no need to terminate the list of rights, as those functions are
actually macros that take care of the termination, eg:
#define cap_rights_set(rights, ...) \
__cap_rights_set((rights), __VA_ARGS__, 0ULL)
void __cap_rights_set(cap_rights_t *rights, ...);
Thanks to using one bit as an array index we can assert in those functions that
there are no two rights belonging to different array elements provided
together. For example this is illegal and will be detected, because CAP_LOOKUP
belongs to element 0 and CAP_PDKILL to element 1:
cap_rights_init(&rights, CAP_LOOKUP | CAP_PDKILL);
Providing several rights that belongs to the same array's element this way is
correct, but is not advised. It should only be used for aliases definition.
This commit also breaks compatibility with some existing Capsicum system calls,
but I see no other way to do that. This should be fine as Capsicum is still
experimental and this change is not going to 9.x.
Sponsored by: The FreeBSD Foundation
2013-09-05 00:09:56 +00:00
|
|
|
error = fget(td, fd, cap_rights_init(&rights, CAP_IOCTL), &fp);
|
|
|
|
if (error != 0) {
|
Merge Capsicum overhaul:
- Capability is no longer separate descriptor type. Now every descriptor
has set of its own capability rights.
- The cap_new(2) system call is left, but it is no longer documented and
should not be used in new code.
- The new syscall cap_rights_limit(2) should be used instead of
cap_new(2), which limits capability rights of the given descriptor
without creating a new one.
- The cap_getrights(2) syscall is renamed to cap_rights_get(2).
- If CAP_IOCTL capability right is present we can further reduce allowed
ioctls list with the new cap_ioctls_limit(2) syscall. List of allowed
ioctls can be retrived with cap_ioctls_get(2) syscall.
- If CAP_FCNTL capability right is present we can further reduce fcntls
that can be used with the new cap_fcntls_limit(2) syscall and retrive
them with cap_fcntls_get(2).
- To support ioctl and fcntl white-listing the filedesc structure was
heavly modified.
- The audit subsystem, kdump and procstat tools were updated to
recognize new syscalls.
- Capability rights were revised and eventhough I tried hard to provide
backward API and ABI compatibility there are some incompatible changes
that are described in detail below:
CAP_CREATE old behaviour:
- Allow for openat(2)+O_CREAT.
- Allow for linkat(2).
- Allow for symlinkat(2).
CAP_CREATE new behaviour:
- Allow for openat(2)+O_CREAT.
Added CAP_LINKAT:
- Allow for linkat(2). ABI: Reuses CAP_RMDIR bit.
- Allow to be target for renameat(2).
Added CAP_SYMLINKAT:
- Allow for symlinkat(2).
Removed CAP_DELETE. Old behaviour:
- Allow for unlinkat(2) when removing non-directory object.
- Allow to be source for renameat(2).
Removed CAP_RMDIR. Old behaviour:
- Allow for unlinkat(2) when removing directory.
Added CAP_RENAMEAT:
- Required for source directory for the renameat(2) syscall.
Added CAP_UNLINKAT (effectively it replaces CAP_DELETE and CAP_RMDIR):
- Allow for unlinkat(2) on any object.
- Required if target of renameat(2) exists and will be removed by this
call.
Removed CAP_MAPEXEC.
CAP_MMAP old behaviour:
- Allow for mmap(2) with any combination of PROT_NONE, PROT_READ and
PROT_WRITE.
CAP_MMAP new behaviour:
- Allow for mmap(2)+PROT_NONE.
Added CAP_MMAP_R:
- Allow for mmap(PROT_READ).
Added CAP_MMAP_W:
- Allow for mmap(PROT_WRITE).
Added CAP_MMAP_X:
- Allow for mmap(PROT_EXEC).
Added CAP_MMAP_RW:
- Allow for mmap(PROT_READ | PROT_WRITE).
Added CAP_MMAP_RX:
- Allow for mmap(PROT_READ | PROT_EXEC).
Added CAP_MMAP_WX:
- Allow for mmap(PROT_WRITE | PROT_EXEC).
Added CAP_MMAP_RWX:
- Allow for mmap(PROT_READ | PROT_WRITE | PROT_EXEC).
Renamed CAP_MKDIR to CAP_MKDIRAT.
Renamed CAP_MKFIFO to CAP_MKFIFOAT.
Renamed CAP_MKNODE to CAP_MKNODEAT.
CAP_READ old behaviour:
- Allow pread(2).
- Disallow read(2), readv(2) (if there is no CAP_SEEK).
CAP_READ new behaviour:
- Allow read(2), readv(2).
- Disallow pread(2) (CAP_SEEK was also required).
CAP_WRITE old behaviour:
- Allow pwrite(2).
- Disallow write(2), writev(2) (if there is no CAP_SEEK).
CAP_WRITE new behaviour:
- Allow write(2), writev(2).
- Disallow pwrite(2) (CAP_SEEK was also required).
Added convinient defines:
#define CAP_PREAD (CAP_SEEK | CAP_READ)
#define CAP_PWRITE (CAP_SEEK | CAP_WRITE)
#define CAP_MMAP_R (CAP_MMAP | CAP_SEEK | CAP_READ)
#define CAP_MMAP_W (CAP_MMAP | CAP_SEEK | CAP_WRITE)
#define CAP_MMAP_X (CAP_MMAP | CAP_SEEK | 0x0000000000000008ULL)
#define CAP_MMAP_RW (CAP_MMAP_R | CAP_MMAP_W)
#define CAP_MMAP_RX (CAP_MMAP_R | CAP_MMAP_X)
#define CAP_MMAP_WX (CAP_MMAP_W | CAP_MMAP_X)
#define CAP_MMAP_RWX (CAP_MMAP_R | CAP_MMAP_W | CAP_MMAP_X)
#define CAP_RECV CAP_READ
#define CAP_SEND CAP_WRITE
#define CAP_SOCK_CLIENT \
(CAP_CONNECT | CAP_GETPEERNAME | CAP_GETSOCKNAME | CAP_GETSOCKOPT | \
CAP_PEELOFF | CAP_RECV | CAP_SEND | CAP_SETSOCKOPT | CAP_SHUTDOWN)
#define CAP_SOCK_SERVER \
(CAP_ACCEPT | CAP_BIND | CAP_GETPEERNAME | CAP_GETSOCKNAME | \
CAP_GETSOCKOPT | CAP_LISTEN | CAP_PEELOFF | CAP_RECV | CAP_SEND | \
CAP_SETSOCKOPT | CAP_SHUTDOWN)
Added defines for backward API compatibility:
#define CAP_MAPEXEC CAP_MMAP_X
#define CAP_DELETE CAP_UNLINKAT
#define CAP_MKDIR CAP_MKDIRAT
#define CAP_RMDIR CAP_UNLINKAT
#define CAP_MKFIFO CAP_MKFIFOAT
#define CAP_MKNOD CAP_MKNODAT
#define CAP_SOCK_ALL (CAP_SOCK_CLIENT | CAP_SOCK_SERVER)
Sponsored by: The FreeBSD Foundation
Reviewed by: Christoph Mallon <christoph.mallon@gmx.de>
Many aspects discussed with: rwatson, benl, jonathan
ABI compatibility discussed with: kib
2013-03-02 00:53:12 +00:00
|
|
|
fp = NULL;
|
|
|
|
goto out;
|
|
|
|
}
|
|
|
|
#endif
|
|
|
|
if ((fp->f_flag & (FREAD | FWRITE)) == 0) {
|
|
|
|
error = EBADF;
|
|
|
|
goto out;
|
|
|
|
}
|
|
|
|
|
|
|
|
switch (com) {
|
|
|
|
case FIONCLEX:
|
|
|
|
fdp->fd_ofiles[fd].fde_flags &= ~UF_EXCLOSE;
|
2006-07-08 20:12:14 +00:00
|
|
|
goto out;
|
|
|
|
case FIOCLEX:
|
Merge Capsicum overhaul:
- Capability is no longer separate descriptor type. Now every descriptor
has set of its own capability rights.
- The cap_new(2) system call is left, but it is no longer documented and
should not be used in new code.
- The new syscall cap_rights_limit(2) should be used instead of
cap_new(2), which limits capability rights of the given descriptor
without creating a new one.
- The cap_getrights(2) syscall is renamed to cap_rights_get(2).
- If CAP_IOCTL capability right is present we can further reduce allowed
ioctls list with the new cap_ioctls_limit(2) syscall. List of allowed
ioctls can be retrived with cap_ioctls_get(2) syscall.
- If CAP_FCNTL capability right is present we can further reduce fcntls
that can be used with the new cap_fcntls_limit(2) syscall and retrive
them with cap_fcntls_get(2).
- To support ioctl and fcntl white-listing the filedesc structure was
heavly modified.
- The audit subsystem, kdump and procstat tools were updated to
recognize new syscalls.
- Capability rights were revised and eventhough I tried hard to provide
backward API and ABI compatibility there are some incompatible changes
that are described in detail below:
CAP_CREATE old behaviour:
- Allow for openat(2)+O_CREAT.
- Allow for linkat(2).
- Allow for symlinkat(2).
CAP_CREATE new behaviour:
- Allow for openat(2)+O_CREAT.
Added CAP_LINKAT:
- Allow for linkat(2). ABI: Reuses CAP_RMDIR bit.
- Allow to be target for renameat(2).
Added CAP_SYMLINKAT:
- Allow for symlinkat(2).
Removed CAP_DELETE. Old behaviour:
- Allow for unlinkat(2) when removing non-directory object.
- Allow to be source for renameat(2).
Removed CAP_RMDIR. Old behaviour:
- Allow for unlinkat(2) when removing directory.
Added CAP_RENAMEAT:
- Required for source directory for the renameat(2) syscall.
Added CAP_UNLINKAT (effectively it replaces CAP_DELETE and CAP_RMDIR):
- Allow for unlinkat(2) on any object.
- Required if target of renameat(2) exists and will be removed by this
call.
Removed CAP_MAPEXEC.
CAP_MMAP old behaviour:
- Allow for mmap(2) with any combination of PROT_NONE, PROT_READ and
PROT_WRITE.
CAP_MMAP new behaviour:
- Allow for mmap(2)+PROT_NONE.
Added CAP_MMAP_R:
- Allow for mmap(PROT_READ).
Added CAP_MMAP_W:
- Allow for mmap(PROT_WRITE).
Added CAP_MMAP_X:
- Allow for mmap(PROT_EXEC).
Added CAP_MMAP_RW:
- Allow for mmap(PROT_READ | PROT_WRITE).
Added CAP_MMAP_RX:
- Allow for mmap(PROT_READ | PROT_EXEC).
Added CAP_MMAP_WX:
- Allow for mmap(PROT_WRITE | PROT_EXEC).
Added CAP_MMAP_RWX:
- Allow for mmap(PROT_READ | PROT_WRITE | PROT_EXEC).
Renamed CAP_MKDIR to CAP_MKDIRAT.
Renamed CAP_MKFIFO to CAP_MKFIFOAT.
Renamed CAP_MKNODE to CAP_MKNODEAT.
CAP_READ old behaviour:
- Allow pread(2).
- Disallow read(2), readv(2) (if there is no CAP_SEEK).
CAP_READ new behaviour:
- Allow read(2), readv(2).
- Disallow pread(2) (CAP_SEEK was also required).
CAP_WRITE old behaviour:
- Allow pwrite(2).
- Disallow write(2), writev(2) (if there is no CAP_SEEK).
CAP_WRITE new behaviour:
- Allow write(2), writev(2).
- Disallow pwrite(2) (CAP_SEEK was also required).
Added convinient defines:
#define CAP_PREAD (CAP_SEEK | CAP_READ)
#define CAP_PWRITE (CAP_SEEK | CAP_WRITE)
#define CAP_MMAP_R (CAP_MMAP | CAP_SEEK | CAP_READ)
#define CAP_MMAP_W (CAP_MMAP | CAP_SEEK | CAP_WRITE)
#define CAP_MMAP_X (CAP_MMAP | CAP_SEEK | 0x0000000000000008ULL)
#define CAP_MMAP_RW (CAP_MMAP_R | CAP_MMAP_W)
#define CAP_MMAP_RX (CAP_MMAP_R | CAP_MMAP_X)
#define CAP_MMAP_WX (CAP_MMAP_W | CAP_MMAP_X)
#define CAP_MMAP_RWX (CAP_MMAP_R | CAP_MMAP_W | CAP_MMAP_X)
#define CAP_RECV CAP_READ
#define CAP_SEND CAP_WRITE
#define CAP_SOCK_CLIENT \
(CAP_CONNECT | CAP_GETPEERNAME | CAP_GETSOCKNAME | CAP_GETSOCKOPT | \
CAP_PEELOFF | CAP_RECV | CAP_SEND | CAP_SETSOCKOPT | CAP_SHUTDOWN)
#define CAP_SOCK_SERVER \
(CAP_ACCEPT | CAP_BIND | CAP_GETPEERNAME | CAP_GETSOCKNAME | \
CAP_GETSOCKOPT | CAP_LISTEN | CAP_PEELOFF | CAP_RECV | CAP_SEND | \
CAP_SETSOCKOPT | CAP_SHUTDOWN)
Added defines for backward API compatibility:
#define CAP_MAPEXEC CAP_MMAP_X
#define CAP_DELETE CAP_UNLINKAT
#define CAP_MKDIR CAP_MKDIRAT
#define CAP_RMDIR CAP_UNLINKAT
#define CAP_MKFIFO CAP_MKFIFOAT
#define CAP_MKNOD CAP_MKNODAT
#define CAP_SOCK_ALL (CAP_SOCK_CLIENT | CAP_SOCK_SERVER)
Sponsored by: The FreeBSD Foundation
Reviewed by: Christoph Mallon <christoph.mallon@gmx.de>
Many aspects discussed with: rwatson, benl, jonathan
ABI compatibility discussed with: kib
2013-03-02 00:53:12 +00:00
|
|
|
fdp->fd_ofiles[fd].fde_flags |= UF_EXCLOSE;
|
2006-07-08 20:12:14 +00:00
|
|
|
goto out;
|
|
|
|
case FIONBIO:
|
1994-09-25 19:34:02 +00:00
|
|
|
if ((tmp = *(int *)data))
|
2007-12-30 01:42:15 +00:00
|
|
|
atomic_set_int(&fp->f_flag, FNONBLOCK);
|
1994-05-24 10:09:53 +00:00
|
|
|
else
|
2007-12-30 01:42:15 +00:00
|
|
|
atomic_clear_int(&fp->f_flag, FNONBLOCK);
|
2004-11-16 14:47:04 +00:00
|
|
|
data = (void *)&tmp;
|
2006-07-08 20:12:14 +00:00
|
|
|
break;
|
|
|
|
case FIOASYNC:
|
1994-09-25 19:34:02 +00:00
|
|
|
if ((tmp = *(int *)data))
|
2007-12-30 01:42:15 +00:00
|
|
|
atomic_set_int(&fp->f_flag, FASYNC);
|
1994-05-24 10:09:53 +00:00
|
|
|
else
|
2007-12-30 01:42:15 +00:00
|
|
|
atomic_clear_int(&fp->f_flag, FASYNC);
|
2004-11-16 14:47:04 +00:00
|
|
|
data = (void *)&tmp;
|
2006-07-08 20:12:14 +00:00
|
|
|
break;
|
1994-05-24 10:09:53 +00:00
|
|
|
}
|
2004-11-16 14:47:04 +00:00
|
|
|
|
|
|
|
error = fo_ioctl(fp, com, data, td->td_ucred, td);
|
2006-07-08 20:12:14 +00:00
|
|
|
out:
|
Merge Capsicum overhaul:
- Capability is no longer separate descriptor type. Now every descriptor
has set of its own capability rights.
- The cap_new(2) system call is left, but it is no longer documented and
should not be used in new code.
- The new syscall cap_rights_limit(2) should be used instead of
cap_new(2), which limits capability rights of the given descriptor
without creating a new one.
- The cap_getrights(2) syscall is renamed to cap_rights_get(2).
- If CAP_IOCTL capability right is present we can further reduce allowed
ioctls list with the new cap_ioctls_limit(2) syscall. List of allowed
ioctls can be retrived with cap_ioctls_get(2) syscall.
- If CAP_FCNTL capability right is present we can further reduce fcntls
that can be used with the new cap_fcntls_limit(2) syscall and retrive
them with cap_fcntls_get(2).
- To support ioctl and fcntl white-listing the filedesc structure was
heavly modified.
- The audit subsystem, kdump and procstat tools were updated to
recognize new syscalls.
- Capability rights were revised and eventhough I tried hard to provide
backward API and ABI compatibility there are some incompatible changes
that are described in detail below:
CAP_CREATE old behaviour:
- Allow for openat(2)+O_CREAT.
- Allow for linkat(2).
- Allow for symlinkat(2).
CAP_CREATE new behaviour:
- Allow for openat(2)+O_CREAT.
Added CAP_LINKAT:
- Allow for linkat(2). ABI: Reuses CAP_RMDIR bit.
- Allow to be target for renameat(2).
Added CAP_SYMLINKAT:
- Allow for symlinkat(2).
Removed CAP_DELETE. Old behaviour:
- Allow for unlinkat(2) when removing non-directory object.
- Allow to be source for renameat(2).
Removed CAP_RMDIR. Old behaviour:
- Allow for unlinkat(2) when removing directory.
Added CAP_RENAMEAT:
- Required for source directory for the renameat(2) syscall.
Added CAP_UNLINKAT (effectively it replaces CAP_DELETE and CAP_RMDIR):
- Allow for unlinkat(2) on any object.
- Required if target of renameat(2) exists and will be removed by this
call.
Removed CAP_MAPEXEC.
CAP_MMAP old behaviour:
- Allow for mmap(2) with any combination of PROT_NONE, PROT_READ and
PROT_WRITE.
CAP_MMAP new behaviour:
- Allow for mmap(2)+PROT_NONE.
Added CAP_MMAP_R:
- Allow for mmap(PROT_READ).
Added CAP_MMAP_W:
- Allow for mmap(PROT_WRITE).
Added CAP_MMAP_X:
- Allow for mmap(PROT_EXEC).
Added CAP_MMAP_RW:
- Allow for mmap(PROT_READ | PROT_WRITE).
Added CAP_MMAP_RX:
- Allow for mmap(PROT_READ | PROT_EXEC).
Added CAP_MMAP_WX:
- Allow for mmap(PROT_WRITE | PROT_EXEC).
Added CAP_MMAP_RWX:
- Allow for mmap(PROT_READ | PROT_WRITE | PROT_EXEC).
Renamed CAP_MKDIR to CAP_MKDIRAT.
Renamed CAP_MKFIFO to CAP_MKFIFOAT.
Renamed CAP_MKNODE to CAP_MKNODEAT.
CAP_READ old behaviour:
- Allow pread(2).
- Disallow read(2), readv(2) (if there is no CAP_SEEK).
CAP_READ new behaviour:
- Allow read(2), readv(2).
- Disallow pread(2) (CAP_SEEK was also required).
CAP_WRITE old behaviour:
- Allow pwrite(2).
- Disallow write(2), writev(2) (if there is no CAP_SEEK).
CAP_WRITE new behaviour:
- Allow write(2), writev(2).
- Disallow pwrite(2) (CAP_SEEK was also required).
Added convinient defines:
#define CAP_PREAD (CAP_SEEK | CAP_READ)
#define CAP_PWRITE (CAP_SEEK | CAP_WRITE)
#define CAP_MMAP_R (CAP_MMAP | CAP_SEEK | CAP_READ)
#define CAP_MMAP_W (CAP_MMAP | CAP_SEEK | CAP_WRITE)
#define CAP_MMAP_X (CAP_MMAP | CAP_SEEK | 0x0000000000000008ULL)
#define CAP_MMAP_RW (CAP_MMAP_R | CAP_MMAP_W)
#define CAP_MMAP_RX (CAP_MMAP_R | CAP_MMAP_X)
#define CAP_MMAP_WX (CAP_MMAP_W | CAP_MMAP_X)
#define CAP_MMAP_RWX (CAP_MMAP_R | CAP_MMAP_W | CAP_MMAP_X)
#define CAP_RECV CAP_READ
#define CAP_SEND CAP_WRITE
#define CAP_SOCK_CLIENT \
(CAP_CONNECT | CAP_GETPEERNAME | CAP_GETSOCKNAME | CAP_GETSOCKOPT | \
CAP_PEELOFF | CAP_RECV | CAP_SEND | CAP_SETSOCKOPT | CAP_SHUTDOWN)
#define CAP_SOCK_SERVER \
(CAP_ACCEPT | CAP_BIND | CAP_GETPEERNAME | CAP_GETSOCKNAME | \
CAP_GETSOCKOPT | CAP_LISTEN | CAP_PEELOFF | CAP_RECV | CAP_SEND | \
CAP_SETSOCKOPT | CAP_SHUTDOWN)
Added defines for backward API compatibility:
#define CAP_MAPEXEC CAP_MMAP_X
#define CAP_DELETE CAP_UNLINKAT
#define CAP_MKDIR CAP_MKDIRAT
#define CAP_RMDIR CAP_UNLINKAT
#define CAP_MKFIFO CAP_MKFIFOAT
#define CAP_MKNOD CAP_MKNODAT
#define CAP_SOCK_ALL (CAP_SOCK_CLIENT | CAP_SOCK_SERVER)
Sponsored by: The FreeBSD Foundation
Reviewed by: Christoph Mallon <christoph.mallon@gmx.de>
Many aspects discussed with: rwatson, benl, jonathan
ABI compatibility discussed with: kib
2013-03-02 00:53:12 +00:00
|
|
|
switch (locked) {
|
|
|
|
case LA_XLOCKED:
|
|
|
|
FILEDESC_XUNLOCK(fdp);
|
|
|
|
break;
|
|
|
|
#ifdef CAPABILITIES
|
|
|
|
case LA_SLOCKED:
|
|
|
|
FILEDESC_SUNLOCK(fdp);
|
|
|
|
break;
|
|
|
|
#endif
|
|
|
|
default:
|
|
|
|
FILEDESC_UNLOCK_ASSERT(fdp);
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
if (fp != NULL)
|
|
|
|
fdrop(fp, td);
|
1994-05-24 10:09:53 +00:00
|
|
|
return (error);
|
|
|
|
}
|
|
|
|
|
2009-03-06 15:35:37 +00:00
|
|
|
int
|
|
|
|
poll_no_poll(int events)
|
|
|
|
{
|
|
|
|
/*
|
|
|
|
* Return true for read/write. If the user asked for something
|
|
|
|
* special, return POLLNVAL, so that clients have a way of
|
|
|
|
* determining reliably whether or not the extended
|
|
|
|
* functionality is present without hard-coding knowledge
|
|
|
|
* of specific filesystem implementations.
|
|
|
|
*/
|
|
|
|
if (events & ~POLLSTANDARD)
|
|
|
|
return (POLLNVAL);
|
|
|
|
|
|
|
|
return (events & (POLLIN | POLLOUT | POLLRDNORM | POLLWRNORM));
|
|
|
|
}
|
|
|
|
|
2009-10-27 10:55:34 +00:00
|
|
|
int
|
2011-09-16 13:58:51 +00:00
|
|
|
sys_pselect(struct thread *td, struct pselect_args *uap)
|
2009-10-27 10:55:34 +00:00
|
|
|
{
|
|
|
|
struct timespec ts;
|
|
|
|
struct timeval tv, *tvp;
|
|
|
|
sigset_t set, *uset;
|
|
|
|
int error;
|
|
|
|
|
|
|
|
if (uap->ts != NULL) {
|
|
|
|
error = copyin(uap->ts, &ts, sizeof(ts));
|
|
|
|
if (error != 0)
|
|
|
|
return (error);
|
|
|
|
TIMESPEC_TO_TIMEVAL(&tv, &ts);
|
|
|
|
tvp = &tv;
|
|
|
|
} else
|
|
|
|
tvp = NULL;
|
|
|
|
if (uap->sm != NULL) {
|
|
|
|
error = copyin(uap->sm, &set, sizeof(set));
|
|
|
|
if (error != 0)
|
|
|
|
return (error);
|
|
|
|
uset = &set;
|
|
|
|
} else
|
|
|
|
uset = NULL;
|
|
|
|
return (kern_pselect(td, uap->nd, uap->in, uap->ou, uap->ex, tvp,
|
|
|
|
uset, NFDBITS));
|
|
|
|
}
|
|
|
|
|
|
|
|
int
|
|
|
|
kern_pselect(struct thread *td, int nd, fd_set *in, fd_set *ou, fd_set *ex,
|
|
|
|
struct timeval *tvp, sigset_t *uset, int abi_nfdbits)
|
|
|
|
{
|
|
|
|
int error;
|
|
|
|
|
|
|
|
if (uset != NULL) {
|
|
|
|
error = kern_sigprocmask(td, SIG_SETMASK, uset,
|
|
|
|
&td->td_oldsigmask, 0);
|
|
|
|
if (error != 0)
|
|
|
|
return (error);
|
|
|
|
td->td_pflags |= TDP_OLDMASK;
|
|
|
|
/*
|
|
|
|
* Make sure that ast() is called on return to
|
|
|
|
* usermode and TDP_OLDMASK is cleared, restoring old
|
|
|
|
* sigmask.
|
|
|
|
*/
|
|
|
|
thread_lock(td);
|
|
|
|
td->td_flags |= TDF_ASTPENDING;
|
|
|
|
thread_unlock(td);
|
|
|
|
}
|
|
|
|
error = kern_select(td, nd, in, ou, ex, tvp, abi_nfdbits);
|
|
|
|
return (error);
|
|
|
|
}
|
|
|
|
|
1995-11-12 06:43:28 +00:00
|
|
|
#ifndef _SYS_SYSPROTO_H_
|
1994-05-24 10:09:53 +00:00
|
|
|
struct select_args {
|
1996-08-20 07:18:10 +00:00
|
|
|
int nd;
|
1994-05-24 10:09:53 +00:00
|
|
|
fd_set *in, *ou, *ex;
|
|
|
|
struct timeval *tv;
|
|
|
|
};
|
1995-11-12 06:43:28 +00:00
|
|
|
#endif
|
1994-05-25 09:21:21 +00:00
|
|
|
int
|
2011-09-16 13:58:51 +00:00
|
|
|
sys_select(struct thread *td, struct select_args *uap)
|
2002-09-01 20:37:28 +00:00
|
|
|
{
|
|
|
|
struct timeval tv, *tvp;
|
|
|
|
int error;
|
|
|
|
|
|
|
|
if (uap->tv != NULL) {
|
|
|
|
error = copyin(uap->tv, &tv, sizeof(tv));
|
|
|
|
if (error)
|
|
|
|
return (error);
|
|
|
|
tvp = &tv;
|
|
|
|
} else
|
|
|
|
tvp = NULL;
|
|
|
|
|
2009-09-09 20:59:01 +00:00
|
|
|
return (kern_select(td, uap->nd, uap->in, uap->ou, uap->ex, tvp,
|
|
|
|
NFDBITS));
|
2002-09-01 20:37:28 +00:00
|
|
|
}
|
|
|
|
|
To limit amount of the kernel memory allocated, and to optimize the
iteration over the fdsets, kern_select() limits the length of the
fdsets copied in by the last valid file descriptor index. If any bit
is set in a mask above the limit, current implementation ignores the
filedescriptor, instead of returning EBADF.
Fix the issue by scanning the tails of fdset before entering the
select loop and returning EBADF if any bit above last valid
filedescriptor index is set. The performance impact of the additional
check is only imposed on the (somewhat) buggy applications that pass
bad file descriptors to select(2) or pselect(2).
PR: kern/155606, kern/162379
Discussed with: cognet, glebius
Tested by: andreast (powerpc, all 64/32bit ABI combinations, big-endian),
marius (sparc64, big-endian)
MFC after: 2 weeks
2011-11-13 10:28:01 +00:00
|
|
|
/*
|
|
|
|
* In the unlikely case when user specified n greater then the last
|
|
|
|
* open file descriptor, check that no bits are set after the last
|
|
|
|
* valid fd. We must return EBADF if any is set.
|
|
|
|
*
|
|
|
|
* There are applications that rely on the behaviour.
|
|
|
|
*
|
|
|
|
* nd is fd_lastfile + 1.
|
|
|
|
*/
|
|
|
|
static int
|
|
|
|
select_check_badfd(fd_set *fd_in, int nd, int ndu, int abi_nfdbits)
|
|
|
|
{
|
|
|
|
char *addr, *oaddr;
|
|
|
|
int b, i, res;
|
|
|
|
uint8_t bits;
|
|
|
|
|
|
|
|
if (nd >= ndu || fd_in == NULL)
|
|
|
|
return (0);
|
|
|
|
|
|
|
|
oaddr = NULL;
|
|
|
|
bits = 0; /* silence gcc */
|
|
|
|
for (i = nd; i < ndu; i++) {
|
|
|
|
b = i / NBBY;
|
|
|
|
#if BYTE_ORDER == LITTLE_ENDIAN
|
|
|
|
addr = (char *)fd_in + b;
|
|
|
|
#else
|
|
|
|
addr = (char *)fd_in;
|
|
|
|
if (abi_nfdbits == NFDBITS) {
|
|
|
|
addr += rounddown(b, sizeof(fd_mask)) +
|
|
|
|
sizeof(fd_mask) - 1 - b % sizeof(fd_mask);
|
|
|
|
} else {
|
|
|
|
addr += rounddown(b, sizeof(uint32_t)) +
|
|
|
|
sizeof(uint32_t) - 1 - b % sizeof(uint32_t);
|
|
|
|
}
|
|
|
|
#endif
|
|
|
|
if (addr != oaddr) {
|
|
|
|
res = fubyte(addr);
|
|
|
|
if (res == -1)
|
|
|
|
return (EFAULT);
|
|
|
|
oaddr = addr;
|
|
|
|
bits = res;
|
|
|
|
}
|
|
|
|
if ((bits & (1 << (i % NBBY))) != 0)
|
|
|
|
return (EBADF);
|
|
|
|
}
|
|
|
|
return (0);
|
|
|
|
}
|
|
|
|
|
2002-09-01 20:37:28 +00:00
|
|
|
int
|
|
|
|
kern_select(struct thread *td, int nd, fd_set *fd_in, fd_set *fd_ou,
|
2009-09-09 20:59:01 +00:00
|
|
|
fd_set *fd_ex, struct timeval *tvp, int abi_nfdbits)
|
1994-05-24 10:09:53 +00:00
|
|
|
{
|
2002-01-13 11:58:06 +00:00
|
|
|
struct filedesc *fdp;
|
1997-02-20 11:51:52 +00:00
|
|
|
/*
|
|
|
|
* The magic 2048 here is chosen to be just enough for FD_SETSIZE
|
|
|
|
* infds with the new FD_SETSIZE of 1024, and more than enough for
|
|
|
|
* FD_SETSIZE infds, outfds and exceptfds with the old FD_SETSIZE
|
|
|
|
* of 256.
|
|
|
|
*/
|
|
|
|
fd_mask s_selbits[howmany(2048, NFDBITS)];
|
2002-01-29 22:54:19 +00:00
|
|
|
fd_mask *ibits[3], *obits[3], *selbits, *sbp;
|
2013-03-04 16:41:27 +00:00
|
|
|
struct timeval rtv;
|
|
|
|
sbintime_t asbt, precision, rsbt;
|
2009-09-09 20:59:01 +00:00
|
|
|
u_int nbufbytes, ncpbytes, ncpubytes, nfdbits;
|
2013-03-04 16:41:27 +00:00
|
|
|
int error, lf, ndu;
|
1994-05-24 10:09:53 +00:00
|
|
|
|
2002-09-01 20:37:28 +00:00
|
|
|
if (nd < 0)
|
1996-08-20 15:03:41 +00:00
|
|
|
return (EINVAL);
|
2002-01-13 11:58:06 +00:00
|
|
|
fdp = td->td_proc->p_fd;
|
To limit amount of the kernel memory allocated, and to optimize the
iteration over the fdsets, kern_select() limits the length of the
fdsets copied in by the last valid file descriptor index. If any bit
is set in a mask above the limit, current implementation ignores the
filedescriptor, instead of returning EBADF.
Fix the issue by scanning the tails of fdset before entering the
select loop and returning EBADF if any bit above last valid
filedescriptor index is set. The performance impact of the additional
check is only imposed on the (somewhat) buggy applications that pass
bad file descriptors to select(2) or pselect(2).
PR: kern/155606, kern/162379
Discussed with: cognet, glebius
Tested by: andreast (powerpc, all 64/32bit ABI combinations, big-endian),
marius (sparc64, big-endian)
MFC after: 2 weeks
2011-11-13 10:28:01 +00:00
|
|
|
ndu = nd;
|
|
|
|
lf = fdp->fd_lastfile;
|
|
|
|
if (nd > lf + 1)
|
|
|
|
nd = lf + 1;
|
|
|
|
|
|
|
|
error = select_check_badfd(fd_in, nd, ndu, abi_nfdbits);
|
|
|
|
if (error != 0)
|
|
|
|
return (error);
|
|
|
|
error = select_check_badfd(fd_ou, nd, ndu, abi_nfdbits);
|
|
|
|
if (error != 0)
|
|
|
|
return (error);
|
|
|
|
error = select_check_badfd(fd_ex, nd, ndu, abi_nfdbits);
|
|
|
|
if (error != 0)
|
|
|
|
return (error);
|
1996-08-20 07:18:10 +00:00
|
|
|
|
|
|
|
/*
|
1997-02-20 11:51:52 +00:00
|
|
|
* Allocate just enough bits for the non-null fd_sets. Use the
|
|
|
|
* preallocated auto buffer if possible.
|
1996-08-20 07:18:10 +00:00
|
|
|
*/
|
2002-09-01 20:37:28 +00:00
|
|
|
nfdbits = roundup(nd, NFDBITS);
|
1997-02-20 11:51:52 +00:00
|
|
|
ncpbytes = nfdbits / NBBY;
|
2009-09-09 20:59:01 +00:00
|
|
|
ncpubytes = roundup(nd, abi_nfdbits) / NBBY;
|
1997-02-20 11:51:52 +00:00
|
|
|
nbufbytes = 0;
|
2002-09-01 20:37:28 +00:00
|
|
|
if (fd_in != NULL)
|
1997-02-20 11:51:52 +00:00
|
|
|
nbufbytes += 2 * ncpbytes;
|
2002-09-01 20:37:28 +00:00
|
|
|
if (fd_ou != NULL)
|
1997-02-20 11:51:52 +00:00
|
|
|
nbufbytes += 2 * ncpbytes;
|
2002-09-01 20:37:28 +00:00
|
|
|
if (fd_ex != NULL)
|
1997-02-20 11:51:52 +00:00
|
|
|
nbufbytes += 2 * ncpbytes;
|
|
|
|
if (nbufbytes <= sizeof s_selbits)
|
|
|
|
selbits = &s_selbits[0];
|
|
|
|
else
|
2003-02-19 05:47:46 +00:00
|
|
|
selbits = malloc(nbufbytes, M_SELECT, M_WAITOK);
|
1994-05-24 10:09:53 +00:00
|
|
|
|
1997-02-20 11:51:52 +00:00
|
|
|
/*
|
|
|
|
* Assign pointers into the bit buffers and fetch the input bits.
|
|
|
|
* Put the output buffers together so that they can be bzeroed
|
|
|
|
* together.
|
|
|
|
*/
|
|
|
|
sbp = selbits;
|
1994-05-24 10:09:53 +00:00
|
|
|
#define getbits(name, x) \
|
1997-02-20 11:51:52 +00:00
|
|
|
do { \
|
2010-03-11 14:49:06 +00:00
|
|
|
if (name == NULL) { \
|
1997-02-20 11:51:52 +00:00
|
|
|
ibits[x] = NULL; \
|
2010-03-11 14:49:06 +00:00
|
|
|
obits[x] = NULL; \
|
|
|
|
} else { \
|
1997-02-20 11:51:52 +00:00
|
|
|
ibits[x] = sbp + nbufbytes / 2 / sizeof *sbp; \
|
|
|
|
obits[x] = sbp; \
|
|
|
|
sbp += ncpbytes / sizeof *sbp; \
|
2009-09-09 20:59:01 +00:00
|
|
|
error = copyin(name, ibits[x], ncpubytes); \
|
2001-05-14 05:26:48 +00:00
|
|
|
if (error != 0) \
|
2007-12-16 06:21:20 +00:00
|
|
|
goto done; \
|
2009-09-09 20:59:01 +00:00
|
|
|
bzero((char *)ibits[x] + ncpubytes, \
|
|
|
|
ncpbytes - ncpubytes); \
|
1997-02-20 11:51:52 +00:00
|
|
|
} \
|
|
|
|
} while (0)
|
2002-09-01 20:37:28 +00:00
|
|
|
getbits(fd_in, 0);
|
|
|
|
getbits(fd_ou, 1);
|
|
|
|
getbits(fd_ex, 2);
|
1994-05-24 10:09:53 +00:00
|
|
|
#undef getbits
|
2010-03-11 14:49:06 +00:00
|
|
|
|
|
|
|
#if BYTE_ORDER == BIG_ENDIAN && defined(__LP64__)
|
|
|
|
/*
|
|
|
|
* XXX: swizzle_fdset assumes that if abi_nfdbits != NFDBITS,
|
|
|
|
* we are running under 32-bit emulation. This should be more
|
|
|
|
* generic.
|
|
|
|
*/
|
|
|
|
#define swizzle_fdset(bits) \
|
|
|
|
if (abi_nfdbits != NFDBITS && bits != NULL) { \
|
|
|
|
int i; \
|
|
|
|
for (i = 0; i < ncpbytes / sizeof *sbp; i++) \
|
|
|
|
bits[i] = (bits[i] >> 32) | (bits[i] << 32); \
|
|
|
|
}
|
|
|
|
#else
|
|
|
|
#define swizzle_fdset(bits)
|
|
|
|
#endif
|
|
|
|
|
|
|
|
/* Make sure the bit order makes it through an ABI transition */
|
|
|
|
swizzle_fdset(ibits[0]);
|
|
|
|
swizzle_fdset(ibits[1]);
|
|
|
|
swizzle_fdset(ibits[2]);
|
|
|
|
|
1997-02-20 11:51:52 +00:00
|
|
|
if (nbufbytes != 0)
|
|
|
|
bzero(selbits, nbufbytes / 2);
|
1994-05-24 10:09:53 +00:00
|
|
|
|
2013-03-04 16:41:27 +00:00
|
|
|
precision = 0;
|
2002-09-01 20:37:28 +00:00
|
|
|
if (tvp != NULL) {
|
2013-03-04 16:41:27 +00:00
|
|
|
rtv = *tvp;
|
|
|
|
if (rtv.tv_sec < 0 || rtv.tv_usec < 0 ||
|
|
|
|
rtv.tv_usec >= 1000000) {
|
1994-05-24 10:09:53 +00:00
|
|
|
error = EINVAL;
|
2007-12-16 06:21:20 +00:00
|
|
|
goto done;
|
1994-05-24 10:09:53 +00:00
|
|
|
}
|
2013-03-09 09:07:13 +00:00
|
|
|
if (!timevalisset(&rtv))
|
2013-03-06 19:37:38 +00:00
|
|
|
asbt = 0;
|
2013-03-09 09:07:13 +00:00
|
|
|
else if (rtv.tv_sec <= INT32_MAX) {
|
2013-03-06 19:37:38 +00:00
|
|
|
rsbt = tvtosbt(rtv);
|
|
|
|
precision = rsbt;
|
|
|
|
precision >>= tc_precexp;
|
|
|
|
if (TIMESEL(&asbt, rsbt))
|
|
|
|
asbt += tc_tick_sbt;
|
2014-04-12 23:29:29 +00:00
|
|
|
if (asbt <= SBT_MAX - rsbt)
|
2013-03-09 09:07:13 +00:00
|
|
|
asbt += rsbt;
|
|
|
|
else
|
2013-03-06 19:37:38 +00:00
|
|
|
asbt = -1;
|
|
|
|
} else
|
|
|
|
asbt = -1;
|
2013-03-04 16:41:27 +00:00
|
|
|
} else
|
|
|
|
asbt = -1;
|
2007-12-16 06:21:20 +00:00
|
|
|
seltdinit(td);
|
|
|
|
/* Iterate until the timeout expires or descriptors become ready. */
|
|
|
|
for (;;) {
|
|
|
|
error = selscan(td, ibits, obits, nd);
|
|
|
|
if (error || td->td_retval[0] != 0)
|
|
|
|
break;
|
2013-03-04 16:41:27 +00:00
|
|
|
error = seltdwait(td, asbt, precision);
|
2007-12-16 06:21:20 +00:00
|
|
|
if (error)
|
|
|
|
break;
|
|
|
|
error = selrescan(td, ibits, obits);
|
|
|
|
if (error || td->td_retval[0] != 0)
|
|
|
|
break;
|
2002-03-14 01:32:30 +00:00
|
|
|
}
|
2007-12-16 06:21:20 +00:00
|
|
|
seltdclear(td);
|
2001-05-14 05:26:48 +00:00
|
|
|
|
1994-05-24 10:09:53 +00:00
|
|
|
done:
|
|
|
|
/* select is not restarted after signals... */
|
|
|
|
if (error == ERESTART)
|
|
|
|
error = EINTR;
|
|
|
|
if (error == EWOULDBLOCK)
|
|
|
|
error = 0;
|
2010-03-11 14:49:06 +00:00
|
|
|
|
|
|
|
/* swizzle bit order back, if necessary */
|
|
|
|
swizzle_fdset(obits[0]);
|
|
|
|
swizzle_fdset(obits[1]);
|
|
|
|
swizzle_fdset(obits[2]);
|
|
|
|
#undef swizzle_fdset
|
|
|
|
|
1994-05-24 10:09:53 +00:00
|
|
|
#define putbits(name, x) \
|
2009-09-09 20:59:01 +00:00
|
|
|
if (name && (error2 = copyout(obits[x], name, ncpubytes))) \
|
1994-05-24 10:09:53 +00:00
|
|
|
error = error2;
|
|
|
|
if (error == 0) {
|
|
|
|
int error2;
|
|
|
|
|
2002-09-01 20:37:28 +00:00
|
|
|
putbits(fd_in, 0);
|
|
|
|
putbits(fd_ou, 1);
|
|
|
|
putbits(fd_ex, 2);
|
1994-05-24 10:09:53 +00:00
|
|
|
#undef putbits
|
|
|
|
}
|
1997-02-20 11:51:52 +00:00
|
|
|
if (selbits != &s_selbits[0])
|
|
|
|
free(selbits, M_SELECT);
|
2001-09-01 19:34:23 +00:00
|
|
|
|
1994-05-24 10:09:53 +00:00
|
|
|
return (error);
|
|
|
|
}
|
2009-01-25 07:24:34 +00:00
|
|
|
/*
|
|
|
|
* Convert a select bit set to poll flags.
|
2009-01-25 09:17:16 +00:00
|
|
|
*
|
2009-01-25 07:24:34 +00:00
|
|
|
* The backend always returns POLLHUP/POLLERR if appropriate and we
|
|
|
|
* return this as a set bit in any set.
|
|
|
|
*/
|
|
|
|
static int select_flags[3] = {
|
|
|
|
POLLRDNORM | POLLHUP | POLLERR,
|
|
|
|
POLLWRNORM | POLLHUP | POLLERR,
|
2010-05-21 10:36:29 +00:00
|
|
|
POLLRDBAND | POLLERR
|
2009-01-25 07:24:34 +00:00
|
|
|
};
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Compute the fo_poll flags required for a fd given by the index and
|
|
|
|
* bit position in the fd_mask array.
|
|
|
|
*/
|
|
|
|
static __inline int
|
2009-02-02 03:34:40 +00:00
|
|
|
selflags(fd_mask **ibits, int idx, fd_mask bit)
|
2009-01-25 07:24:34 +00:00
|
|
|
{
|
|
|
|
int flags;
|
|
|
|
int msk;
|
|
|
|
|
|
|
|
flags = 0;
|
|
|
|
for (msk = 0; msk < 3; msk++) {
|
|
|
|
if (ibits[msk] == NULL)
|
|
|
|
continue;
|
2009-02-02 03:34:40 +00:00
|
|
|
if ((ibits[msk][idx] & bit) == 0)
|
2009-01-25 07:24:34 +00:00
|
|
|
continue;
|
|
|
|
flags |= select_flags[msk];
|
|
|
|
}
|
|
|
|
return (flags);
|
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Set the appropriate output bits given a mask of fired events and the
|
|
|
|
* input bits originally requested.
|
|
|
|
*/
|
|
|
|
static __inline int
|
|
|
|
selsetbits(fd_mask **ibits, fd_mask **obits, int idx, fd_mask bit, int events)
|
|
|
|
{
|
|
|
|
int msk;
|
|
|
|
int n;
|
|
|
|
|
|
|
|
n = 0;
|
|
|
|
for (msk = 0; msk < 3; msk++) {
|
|
|
|
if ((events & select_flags[msk]) == 0)
|
|
|
|
continue;
|
|
|
|
if (ibits[msk] == NULL)
|
|
|
|
continue;
|
|
|
|
if ((ibits[msk][idx] & bit) == 0)
|
|
|
|
continue;
|
|
|
|
/*
|
|
|
|
* XXX Check for a duplicate set. This can occur because a
|
|
|
|
* socket calls selrecord() twice for each poll() call
|
|
|
|
* resulting in two selfds per real fd. selrescan() will
|
|
|
|
* call selsetbits twice as a result.
|
|
|
|
*/
|
|
|
|
if ((obits[msk][idx] & bit) != 0)
|
|
|
|
continue;
|
|
|
|
obits[msk][idx] |= bit;
|
|
|
|
n++;
|
|
|
|
}
|
|
|
|
|
|
|
|
return (n);
|
|
|
|
}
|
1994-05-24 10:09:53 +00:00
|
|
|
|
2011-08-11 12:30:23 +00:00
|
|
|
static __inline int
|
|
|
|
getselfd_cap(struct filedesc *fdp, int fd, struct file **fpp)
|
|
|
|
{
|
Change the cap_rights_t type from uint64_t to a structure that we can extend
in the future in a backward compatible (API and ABI) way.
The cap_rights_t represents capability rights. We used to use one bit to
represent one right, but we are running out of spare bits. Currently the new
structure provides place for 114 rights (so 50 more than the previous
cap_rights_t), but it is possible to grow the structure to hold at least 285
rights, although we can make it even larger if 285 rights won't be enough.
The structure definition looks like this:
struct cap_rights {
uint64_t cr_rights[CAP_RIGHTS_VERSION + 2];
};
The initial CAP_RIGHTS_VERSION is 0.
The top two bits in the first element of the cr_rights[] array contain total
number of elements in the array - 2. This means if those two bits are equal to
0, we have 2 array elements.
The top two bits in all remaining array elements should be 0.
The next five bits in all array elements contain array index. Only one bit is
used and bit position in this five-bits range defines array index. This means
there can be at most five array elements in the future.
To define new right the CAPRIGHT() macro must be used. The macro takes two
arguments - an array index and a bit to set, eg.
#define CAP_PDKILL CAPRIGHT(1, 0x0000000000000800ULL)
We still support aliases that combine few rights, but the rights have to belong
to the same array element, eg:
#define CAP_LOOKUP CAPRIGHT(0, 0x0000000000000400ULL)
#define CAP_FCHMOD CAPRIGHT(0, 0x0000000000002000ULL)
#define CAP_FCHMODAT (CAP_FCHMOD | CAP_LOOKUP)
There is new API to manage the new cap_rights_t structure:
cap_rights_t *cap_rights_init(cap_rights_t *rights, ...);
void cap_rights_set(cap_rights_t *rights, ...);
void cap_rights_clear(cap_rights_t *rights, ...);
bool cap_rights_is_set(const cap_rights_t *rights, ...);
bool cap_rights_is_valid(const cap_rights_t *rights);
void cap_rights_merge(cap_rights_t *dst, const cap_rights_t *src);
void cap_rights_remove(cap_rights_t *dst, const cap_rights_t *src);
bool cap_rights_contains(const cap_rights_t *big, const cap_rights_t *little);
Capability rights to the cap_rights_init(), cap_rights_set(),
cap_rights_clear() and cap_rights_is_set() functions are provided by
separating them with commas, eg:
cap_rights_t rights;
cap_rights_init(&rights, CAP_READ, CAP_WRITE, CAP_FSTAT);
There is no need to terminate the list of rights, as those functions are
actually macros that take care of the termination, eg:
#define cap_rights_set(rights, ...) \
__cap_rights_set((rights), __VA_ARGS__, 0ULL)
void __cap_rights_set(cap_rights_t *rights, ...);
Thanks to using one bit as an array index we can assert in those functions that
there are no two rights belonging to different array elements provided
together. For example this is illegal and will be detected, because CAP_LOOKUP
belongs to element 0 and CAP_PDKILL to element 1:
cap_rights_init(&rights, CAP_LOOKUP | CAP_PDKILL);
Providing several rights that belongs to the same array's element this way is
correct, but is not advised. It should only be used for aliases definition.
This commit also breaks compatibility with some existing Capsicum system calls,
but I see no other way to do that. This should be fine as Capsicum is still
experimental and this change is not going to 9.x.
Sponsored by: The FreeBSD Foundation
2013-09-05 00:09:56 +00:00
|
|
|
cap_rights_t rights;
|
2011-08-11 12:30:23 +00:00
|
|
|
|
2013-11-15 19:55:35 +00:00
|
|
|
cap_rights_init(&rights, CAP_EVENT);
|
|
|
|
|
|
|
|
return (fget_unlocked(fdp, fd, &rights, 0, fpp, NULL));
|
2011-08-11 12:30:23 +00:00
|
|
|
}
|
|
|
|
|
2007-12-16 06:21:20 +00:00
|
|
|
/*
|
|
|
|
* Traverse the list of fds attached to this thread's seltd and check for
|
|
|
|
* completion.
|
|
|
|
*/
|
|
|
|
static int
|
|
|
|
selrescan(struct thread *td, fd_mask **ibits, fd_mask **obits)
|
|
|
|
{
|
2009-01-25 07:24:34 +00:00
|
|
|
struct filedesc *fdp;
|
|
|
|
struct selinfo *si;
|
2007-12-16 06:21:20 +00:00
|
|
|
struct seltd *stp;
|
|
|
|
struct selfd *sfp;
|
|
|
|
struct selfd *sfn;
|
|
|
|
struct file *fp;
|
2009-01-25 18:38:42 +00:00
|
|
|
fd_mask bit;
|
|
|
|
int fd, ev, n, idx;
|
2011-08-11 12:30:23 +00:00
|
|
|
int error;
|
2007-12-16 06:21:20 +00:00
|
|
|
|
2009-01-25 07:24:34 +00:00
|
|
|
fdp = td->td_proc->p_fd;
|
2007-12-16 06:21:20 +00:00
|
|
|
stp = td->td_sel;
|
2009-01-25 07:24:34 +00:00
|
|
|
n = 0;
|
2007-12-16 06:21:20 +00:00
|
|
|
STAILQ_FOREACH_SAFE(sfp, &stp->st_selq, sf_link, sfn) {
|
|
|
|
fd = (int)(uintptr_t)sfp->sf_cookie;
|
|
|
|
si = sfp->sf_si;
|
|
|
|
selfdfree(stp, sfp);
|
|
|
|
/* If the selinfo wasn't cleared the event didn't fire. */
|
|
|
|
if (si != NULL)
|
|
|
|
continue;
|
2011-08-11 12:30:23 +00:00
|
|
|
error = getselfd_cap(fdp, fd, &fp);
|
|
|
|
if (error)
|
|
|
|
return (error);
|
2009-01-25 07:24:34 +00:00
|
|
|
idx = fd / NFDBITS;
|
2009-01-25 18:38:42 +00:00
|
|
|
bit = (fd_mask)1 << (fd % NFDBITS);
|
2009-01-25 07:24:34 +00:00
|
|
|
ev = fo_poll(fp, selflags(ibits, idx, bit), td->td_ucred, td);
|
2009-05-14 03:24:22 +00:00
|
|
|
fdrop(fp, td);
|
2009-01-25 07:24:34 +00:00
|
|
|
if (ev != 0)
|
|
|
|
n += selsetbits(ibits, obits, idx, bit, ev);
|
2007-12-16 06:21:20 +00:00
|
|
|
}
|
|
|
|
stp->st_flags = 0;
|
|
|
|
td->td_retval[0] = n;
|
|
|
|
return (0);
|
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Perform the initial filedescriptor scan and register ourselves with
|
|
|
|
* each selinfo.
|
|
|
|
*/
|
1995-12-14 08:32:45 +00:00
|
|
|
static int
|
2001-09-12 08:38:13 +00:00
|
|
|
selscan(td, ibits, obits, nfd)
|
|
|
|
struct thread *td;
|
1996-08-20 07:18:10 +00:00
|
|
|
fd_mask **ibits, **obits;
|
1997-11-06 19:29:57 +00:00
|
|
|
int nfd;
|
1994-05-24 10:09:53 +00:00
|
|
|
{
|
2009-01-25 07:24:34 +00:00
|
|
|
struct filedesc *fdp;
|
1994-05-24 10:09:53 +00:00
|
|
|
struct file *fp;
|
2009-01-25 18:38:42 +00:00
|
|
|
fd_mask bit;
|
2009-01-25 07:24:34 +00:00
|
|
|
int ev, flags, end, fd;
|
2009-01-25 18:38:42 +00:00
|
|
|
int n, idx;
|
2011-08-11 12:30:23 +00:00
|
|
|
int error;
|
1994-05-24 10:09:53 +00:00
|
|
|
|
2009-01-25 07:24:34 +00:00
|
|
|
fdp = td->td_proc->p_fd;
|
|
|
|
n = 0;
|
2009-01-25 18:38:42 +00:00
|
|
|
for (idx = 0, fd = 0; fd < nfd; idx++) {
|
2009-01-25 07:24:34 +00:00
|
|
|
end = imin(fd + NFDBITS, nfd);
|
|
|
|
for (bit = 1; fd < end; bit <<= 1, fd++) {
|
|
|
|
/* Compute the list of events we're interested in. */
|
|
|
|
flags = selflags(ibits, idx, bit);
|
|
|
|
if (flags == 0)
|
|
|
|
continue;
|
2011-08-11 12:30:23 +00:00
|
|
|
error = getselfd_cap(fdp, fd, &fp);
|
|
|
|
if (error)
|
|
|
|
return (error);
|
2009-01-25 07:24:34 +00:00
|
|
|
selfdalloc(td, (void *)(uintptr_t)fd);
|
|
|
|
ev = fo_poll(fp, flags, td->td_ucred, td);
|
2009-05-14 03:24:22 +00:00
|
|
|
fdrop(fp, td);
|
2009-01-25 07:24:34 +00:00
|
|
|
if (ev != 0)
|
|
|
|
n += selsetbits(ibits, obits, idx, bit, ev);
|
1994-05-24 10:09:53 +00:00
|
|
|
}
|
|
|
|
}
|
2009-01-25 07:24:34 +00:00
|
|
|
|
2001-09-12 08:38:13 +00:00
|
|
|
td->td_retval[0] = n;
|
1994-05-24 10:09:53 +00:00
|
|
|
return (0);
|
|
|
|
}
|
|
|
|
|
1997-09-14 02:30:32 +00:00
|
|
|
int
|
2014-11-13 05:26:14 +00:00
|
|
|
sys_poll(struct thread *td, struct poll_args *uap)
|
|
|
|
{
|
|
|
|
struct timespec ts, *tsp;
|
|
|
|
|
|
|
|
if (uap->timeout != INFTIM) {
|
|
|
|
if (uap->timeout < 0)
|
|
|
|
return (EINVAL);
|
|
|
|
ts.tv_sec = uap->timeout / 1000;
|
|
|
|
ts.tv_nsec = (uap->timeout % 1000) * 1000000;
|
|
|
|
tsp = &ts;
|
|
|
|
} else
|
|
|
|
tsp = NULL;
|
|
|
|
|
|
|
|
return (kern_poll(td, uap->fds, uap->nfds, tsp, NULL));
|
|
|
|
}
|
|
|
|
|
|
|
|
int
|
|
|
|
kern_poll(struct thread *td, struct pollfd *fds, u_int nfds,
|
|
|
|
struct timespec *tsp, sigset_t *uset)
|
1997-09-14 02:30:32 +00:00
|
|
|
{
|
2004-08-27 21:23:50 +00:00
|
|
|
struct pollfd *bits;
|
|
|
|
struct pollfd smallbits[32];
|
2014-11-13 05:26:14 +00:00
|
|
|
sbintime_t sbt, precision, tmp;
|
|
|
|
time_t over;
|
|
|
|
struct timespec ts;
|
2013-03-04 16:41:27 +00:00
|
|
|
int error;
|
1997-09-14 02:30:32 +00:00
|
|
|
size_t ni;
|
|
|
|
|
2014-11-13 05:26:14 +00:00
|
|
|
precision = 0;
|
|
|
|
if (tsp != NULL) {
|
|
|
|
if (tsp->tv_sec < 0)
|
|
|
|
return (EINVAL);
|
|
|
|
if (tsp->tv_nsec < 0 || tsp->tv_nsec >= 1000000000)
|
|
|
|
return (EINVAL);
|
|
|
|
if (tsp->tv_sec == 0 && tsp->tv_nsec == 0)
|
|
|
|
sbt = 0;
|
|
|
|
else {
|
|
|
|
ts = *tsp;
|
|
|
|
if (ts.tv_sec > INT32_MAX / 2) {
|
|
|
|
over = ts.tv_sec - INT32_MAX / 2;
|
|
|
|
ts.tv_sec -= over;
|
|
|
|
} else
|
|
|
|
over = 0;
|
|
|
|
tmp = tstosbt(ts);
|
|
|
|
precision = tmp;
|
|
|
|
precision >>= tc_precexp;
|
|
|
|
if (TIMESEL(&sbt, tmp))
|
|
|
|
sbt += tc_tick_sbt;
|
|
|
|
sbt += tmp;
|
|
|
|
}
|
|
|
|
} else
|
|
|
|
sbt = -1;
|
|
|
|
|
2008-03-19 06:19:01 +00:00
|
|
|
if (nfds > maxfilesperproc && nfds > FD_SETSIZE)
|
2007-12-16 06:21:20 +00:00
|
|
|
return (EINVAL);
|
2001-02-07 23:28:01 +00:00
|
|
|
ni = nfds * sizeof(struct pollfd);
|
1997-09-14 02:30:32 +00:00
|
|
|
if (ni > sizeof(smallbits))
|
2003-02-19 05:47:46 +00:00
|
|
|
bits = malloc(ni, M_TEMP, M_WAITOK);
|
1997-09-14 02:30:32 +00:00
|
|
|
else
|
|
|
|
bits = smallbits;
|
2014-11-13 05:26:14 +00:00
|
|
|
error = copyin(fds, bits, ni);
|
1997-09-14 02:30:32 +00:00
|
|
|
if (error)
|
2007-12-16 06:21:20 +00:00
|
|
|
goto done;
|
2014-11-13 05:26:14 +00:00
|
|
|
|
|
|
|
if (uset != NULL) {
|
|
|
|
error = kern_sigprocmask(td, SIG_SETMASK, uset,
|
|
|
|
&td->td_oldsigmask, 0);
|
|
|
|
if (error)
|
2007-12-16 06:21:20 +00:00
|
|
|
goto done;
|
2014-11-13 05:26:14 +00:00
|
|
|
td->td_pflags |= TDP_OLDMASK;
|
|
|
|
/*
|
|
|
|
* Make sure that ast() is called on return to
|
|
|
|
* usermode and TDP_OLDMASK is cleared, restoring old
|
|
|
|
* sigmask.
|
|
|
|
*/
|
|
|
|
thread_lock(td);
|
|
|
|
td->td_flags |= TDF_ASTPENDING;
|
|
|
|
thread_unlock(td);
|
|
|
|
}
|
|
|
|
|
2007-12-16 06:21:20 +00:00
|
|
|
seltdinit(td);
|
|
|
|
/* Iterate until the timeout expires or descriptors become ready. */
|
|
|
|
for (;;) {
|
|
|
|
error = pollscan(td, bits, nfds);
|
|
|
|
if (error || td->td_retval[0] != 0)
|
|
|
|
break;
|
2014-11-13 05:26:14 +00:00
|
|
|
error = seltdwait(td, sbt, precision);
|
2007-12-16 06:21:20 +00:00
|
|
|
if (error)
|
|
|
|
break;
|
|
|
|
error = pollrescan(td);
|
|
|
|
if (error || td->td_retval[0] != 0)
|
|
|
|
break;
|
2002-03-14 01:32:30 +00:00
|
|
|
}
|
2007-12-16 06:21:20 +00:00
|
|
|
seltdclear(td);
|
2001-05-14 05:26:48 +00:00
|
|
|
|
1997-09-14 02:30:32 +00:00
|
|
|
done:
|
|
|
|
/* poll is not restarted after signals... */
|
|
|
|
if (error == ERESTART)
|
|
|
|
error = EINTR;
|
|
|
|
if (error == EWOULDBLOCK)
|
|
|
|
error = 0;
|
|
|
|
if (error == 0) {
|
2014-11-13 05:26:14 +00:00
|
|
|
error = pollout(td, bits, fds, nfds);
|
1997-09-14 02:30:32 +00:00
|
|
|
if (error)
|
|
|
|
goto out;
|
|
|
|
}
|
|
|
|
out:
|
|
|
|
if (ni > sizeof(smallbits))
|
|
|
|
free(bits, M_TEMP);
|
|
|
|
return (error);
|
|
|
|
}
|
|
|
|
|
2014-11-13 05:26:14 +00:00
|
|
|
int
|
|
|
|
sys_ppoll(struct thread *td, struct ppoll_args *uap)
|
|
|
|
{
|
|
|
|
struct timespec ts, *tsp;
|
|
|
|
sigset_t set, *ssp;
|
|
|
|
int error;
|
|
|
|
|
|
|
|
if (uap->ts != NULL) {
|
|
|
|
error = copyin(uap->ts, &ts, sizeof(ts));
|
|
|
|
if (error)
|
|
|
|
return (error);
|
|
|
|
tsp = &ts;
|
|
|
|
} else
|
|
|
|
tsp = NULL;
|
|
|
|
if (uap->set != NULL) {
|
|
|
|
error = copyin(uap->set, &set, sizeof(set));
|
|
|
|
if (error)
|
|
|
|
return (error);
|
|
|
|
ssp = &set;
|
|
|
|
} else
|
|
|
|
ssp = NULL;
|
|
|
|
/*
|
|
|
|
* fds is still a pointer to user space. kern_poll() will
|
|
|
|
* take care of copyin that array to the kernel space.
|
|
|
|
*/
|
|
|
|
|
|
|
|
return (kern_poll(td, uap->fds, uap->nfds, tsp, ssp));
|
|
|
|
}
|
|
|
|
|
2007-12-16 06:21:20 +00:00
|
|
|
static int
|
|
|
|
pollrescan(struct thread *td)
|
|
|
|
{
|
|
|
|
struct seltd *stp;
|
|
|
|
struct selfd *sfp;
|
|
|
|
struct selfd *sfn;
|
|
|
|
struct selinfo *si;
|
|
|
|
struct filedesc *fdp;
|
|
|
|
struct file *fp;
|
|
|
|
struct pollfd *fd;
|
2013-09-05 03:46:44 +00:00
|
|
|
#ifdef CAPABILITIES
|
Change the cap_rights_t type from uint64_t to a structure that we can extend
in the future in a backward compatible (API and ABI) way.
The cap_rights_t represents capability rights. We used to use one bit to
represent one right, but we are running out of spare bits. Currently the new
structure provides place for 114 rights (so 50 more than the previous
cap_rights_t), but it is possible to grow the structure to hold at least 285
rights, although we can make it even larger if 285 rights won't be enough.
The structure definition looks like this:
struct cap_rights {
uint64_t cr_rights[CAP_RIGHTS_VERSION + 2];
};
The initial CAP_RIGHTS_VERSION is 0.
The top two bits in the first element of the cr_rights[] array contain total
number of elements in the array - 2. This means if those two bits are equal to
0, we have 2 array elements.
The top two bits in all remaining array elements should be 0.
The next five bits in all array elements contain array index. Only one bit is
used and bit position in this five-bits range defines array index. This means
there can be at most five array elements in the future.
To define new right the CAPRIGHT() macro must be used. The macro takes two
arguments - an array index and a bit to set, eg.
#define CAP_PDKILL CAPRIGHT(1, 0x0000000000000800ULL)
We still support aliases that combine few rights, but the rights have to belong
to the same array element, eg:
#define CAP_LOOKUP CAPRIGHT(0, 0x0000000000000400ULL)
#define CAP_FCHMOD CAPRIGHT(0, 0x0000000000002000ULL)
#define CAP_FCHMODAT (CAP_FCHMOD | CAP_LOOKUP)
There is new API to manage the new cap_rights_t structure:
cap_rights_t *cap_rights_init(cap_rights_t *rights, ...);
void cap_rights_set(cap_rights_t *rights, ...);
void cap_rights_clear(cap_rights_t *rights, ...);
bool cap_rights_is_set(const cap_rights_t *rights, ...);
bool cap_rights_is_valid(const cap_rights_t *rights);
void cap_rights_merge(cap_rights_t *dst, const cap_rights_t *src);
void cap_rights_remove(cap_rights_t *dst, const cap_rights_t *src);
bool cap_rights_contains(const cap_rights_t *big, const cap_rights_t *little);
Capability rights to the cap_rights_init(), cap_rights_set(),
cap_rights_clear() and cap_rights_is_set() functions are provided by
separating them with commas, eg:
cap_rights_t rights;
cap_rights_init(&rights, CAP_READ, CAP_WRITE, CAP_FSTAT);
There is no need to terminate the list of rights, as those functions are
actually macros that take care of the termination, eg:
#define cap_rights_set(rights, ...) \
__cap_rights_set((rights), __VA_ARGS__, 0ULL)
void __cap_rights_set(cap_rights_t *rights, ...);
Thanks to using one bit as an array index we can assert in those functions that
there are no two rights belonging to different array elements provided
together. For example this is illegal and will be detected, because CAP_LOOKUP
belongs to element 0 and CAP_PDKILL to element 1:
cap_rights_init(&rights, CAP_LOOKUP | CAP_PDKILL);
Providing several rights that belongs to the same array's element this way is
correct, but is not advised. It should only be used for aliases definition.
This commit also breaks compatibility with some existing Capsicum system calls,
but I see no other way to do that. This should be fine as Capsicum is still
experimental and this change is not going to 9.x.
Sponsored by: The FreeBSD Foundation
2013-09-05 00:09:56 +00:00
|
|
|
cap_rights_t rights;
|
2013-09-05 03:46:44 +00:00
|
|
|
#endif
|
2007-12-16 06:21:20 +00:00
|
|
|
int n;
|
|
|
|
|
|
|
|
n = 0;
|
|
|
|
fdp = td->td_proc->p_fd;
|
|
|
|
stp = td->td_sel;
|
|
|
|
FILEDESC_SLOCK(fdp);
|
|
|
|
STAILQ_FOREACH_SAFE(sfp, &stp->st_selq, sf_link, sfn) {
|
|
|
|
fd = (struct pollfd *)sfp->sf_cookie;
|
|
|
|
si = sfp->sf_si;
|
|
|
|
selfdfree(stp, sfp);
|
|
|
|
/* If the selinfo wasn't cleared the event didn't fire. */
|
|
|
|
if (si != NULL)
|
|
|
|
continue;
|
Merge Capsicum overhaul:
- Capability is no longer separate descriptor type. Now every descriptor
has set of its own capability rights.
- The cap_new(2) system call is left, but it is no longer documented and
should not be used in new code.
- The new syscall cap_rights_limit(2) should be used instead of
cap_new(2), which limits capability rights of the given descriptor
without creating a new one.
- The cap_getrights(2) syscall is renamed to cap_rights_get(2).
- If CAP_IOCTL capability right is present we can further reduce allowed
ioctls list with the new cap_ioctls_limit(2) syscall. List of allowed
ioctls can be retrived with cap_ioctls_get(2) syscall.
- If CAP_FCNTL capability right is present we can further reduce fcntls
that can be used with the new cap_fcntls_limit(2) syscall and retrive
them with cap_fcntls_get(2).
- To support ioctl and fcntl white-listing the filedesc structure was
heavly modified.
- The audit subsystem, kdump and procstat tools were updated to
recognize new syscalls.
- Capability rights were revised and eventhough I tried hard to provide
backward API and ABI compatibility there are some incompatible changes
that are described in detail below:
CAP_CREATE old behaviour:
- Allow for openat(2)+O_CREAT.
- Allow for linkat(2).
- Allow for symlinkat(2).
CAP_CREATE new behaviour:
- Allow for openat(2)+O_CREAT.
Added CAP_LINKAT:
- Allow for linkat(2). ABI: Reuses CAP_RMDIR bit.
- Allow to be target for renameat(2).
Added CAP_SYMLINKAT:
- Allow for symlinkat(2).
Removed CAP_DELETE. Old behaviour:
- Allow for unlinkat(2) when removing non-directory object.
- Allow to be source for renameat(2).
Removed CAP_RMDIR. Old behaviour:
- Allow for unlinkat(2) when removing directory.
Added CAP_RENAMEAT:
- Required for source directory for the renameat(2) syscall.
Added CAP_UNLINKAT (effectively it replaces CAP_DELETE and CAP_RMDIR):
- Allow for unlinkat(2) on any object.
- Required if target of renameat(2) exists and will be removed by this
call.
Removed CAP_MAPEXEC.
CAP_MMAP old behaviour:
- Allow for mmap(2) with any combination of PROT_NONE, PROT_READ and
PROT_WRITE.
CAP_MMAP new behaviour:
- Allow for mmap(2)+PROT_NONE.
Added CAP_MMAP_R:
- Allow for mmap(PROT_READ).
Added CAP_MMAP_W:
- Allow for mmap(PROT_WRITE).
Added CAP_MMAP_X:
- Allow for mmap(PROT_EXEC).
Added CAP_MMAP_RW:
- Allow for mmap(PROT_READ | PROT_WRITE).
Added CAP_MMAP_RX:
- Allow for mmap(PROT_READ | PROT_EXEC).
Added CAP_MMAP_WX:
- Allow for mmap(PROT_WRITE | PROT_EXEC).
Added CAP_MMAP_RWX:
- Allow for mmap(PROT_READ | PROT_WRITE | PROT_EXEC).
Renamed CAP_MKDIR to CAP_MKDIRAT.
Renamed CAP_MKFIFO to CAP_MKFIFOAT.
Renamed CAP_MKNODE to CAP_MKNODEAT.
CAP_READ old behaviour:
- Allow pread(2).
- Disallow read(2), readv(2) (if there is no CAP_SEEK).
CAP_READ new behaviour:
- Allow read(2), readv(2).
- Disallow pread(2) (CAP_SEEK was also required).
CAP_WRITE old behaviour:
- Allow pwrite(2).
- Disallow write(2), writev(2) (if there is no CAP_SEEK).
CAP_WRITE new behaviour:
- Allow write(2), writev(2).
- Disallow pwrite(2) (CAP_SEEK was also required).
Added convinient defines:
#define CAP_PREAD (CAP_SEEK | CAP_READ)
#define CAP_PWRITE (CAP_SEEK | CAP_WRITE)
#define CAP_MMAP_R (CAP_MMAP | CAP_SEEK | CAP_READ)
#define CAP_MMAP_W (CAP_MMAP | CAP_SEEK | CAP_WRITE)
#define CAP_MMAP_X (CAP_MMAP | CAP_SEEK | 0x0000000000000008ULL)
#define CAP_MMAP_RW (CAP_MMAP_R | CAP_MMAP_W)
#define CAP_MMAP_RX (CAP_MMAP_R | CAP_MMAP_X)
#define CAP_MMAP_WX (CAP_MMAP_W | CAP_MMAP_X)
#define CAP_MMAP_RWX (CAP_MMAP_R | CAP_MMAP_W | CAP_MMAP_X)
#define CAP_RECV CAP_READ
#define CAP_SEND CAP_WRITE
#define CAP_SOCK_CLIENT \
(CAP_CONNECT | CAP_GETPEERNAME | CAP_GETSOCKNAME | CAP_GETSOCKOPT | \
CAP_PEELOFF | CAP_RECV | CAP_SEND | CAP_SETSOCKOPT | CAP_SHUTDOWN)
#define CAP_SOCK_SERVER \
(CAP_ACCEPT | CAP_BIND | CAP_GETPEERNAME | CAP_GETSOCKNAME | \
CAP_GETSOCKOPT | CAP_LISTEN | CAP_PEELOFF | CAP_RECV | CAP_SEND | \
CAP_SETSOCKOPT | CAP_SHUTDOWN)
Added defines for backward API compatibility:
#define CAP_MAPEXEC CAP_MMAP_X
#define CAP_DELETE CAP_UNLINKAT
#define CAP_MKDIR CAP_MKDIRAT
#define CAP_RMDIR CAP_UNLINKAT
#define CAP_MKFIFO CAP_MKFIFOAT
#define CAP_MKNOD CAP_MKNODAT
#define CAP_SOCK_ALL (CAP_SOCK_CLIENT | CAP_SOCK_SERVER)
Sponsored by: The FreeBSD Foundation
Reviewed by: Christoph Mallon <christoph.mallon@gmx.de>
Many aspects discussed with: rwatson, benl, jonathan
ABI compatibility discussed with: kib
2013-03-02 00:53:12 +00:00
|
|
|
fp = fdp->fd_ofiles[fd->fd].fde_file;
|
2011-08-16 14:14:56 +00:00
|
|
|
#ifdef CAPABILITIES
|
Merge Capsicum overhaul:
- Capability is no longer separate descriptor type. Now every descriptor
has set of its own capability rights.
- The cap_new(2) system call is left, but it is no longer documented and
should not be used in new code.
- The new syscall cap_rights_limit(2) should be used instead of
cap_new(2), which limits capability rights of the given descriptor
without creating a new one.
- The cap_getrights(2) syscall is renamed to cap_rights_get(2).
- If CAP_IOCTL capability right is present we can further reduce allowed
ioctls list with the new cap_ioctls_limit(2) syscall. List of allowed
ioctls can be retrived with cap_ioctls_get(2) syscall.
- If CAP_FCNTL capability right is present we can further reduce fcntls
that can be used with the new cap_fcntls_limit(2) syscall and retrive
them with cap_fcntls_get(2).
- To support ioctl and fcntl white-listing the filedesc structure was
heavly modified.
- The audit subsystem, kdump and procstat tools were updated to
recognize new syscalls.
- Capability rights were revised and eventhough I tried hard to provide
backward API and ABI compatibility there are some incompatible changes
that are described in detail below:
CAP_CREATE old behaviour:
- Allow for openat(2)+O_CREAT.
- Allow for linkat(2).
- Allow for symlinkat(2).
CAP_CREATE new behaviour:
- Allow for openat(2)+O_CREAT.
Added CAP_LINKAT:
- Allow for linkat(2). ABI: Reuses CAP_RMDIR bit.
- Allow to be target for renameat(2).
Added CAP_SYMLINKAT:
- Allow for symlinkat(2).
Removed CAP_DELETE. Old behaviour:
- Allow for unlinkat(2) when removing non-directory object.
- Allow to be source for renameat(2).
Removed CAP_RMDIR. Old behaviour:
- Allow for unlinkat(2) when removing directory.
Added CAP_RENAMEAT:
- Required for source directory for the renameat(2) syscall.
Added CAP_UNLINKAT (effectively it replaces CAP_DELETE and CAP_RMDIR):
- Allow for unlinkat(2) on any object.
- Required if target of renameat(2) exists and will be removed by this
call.
Removed CAP_MAPEXEC.
CAP_MMAP old behaviour:
- Allow for mmap(2) with any combination of PROT_NONE, PROT_READ and
PROT_WRITE.
CAP_MMAP new behaviour:
- Allow for mmap(2)+PROT_NONE.
Added CAP_MMAP_R:
- Allow for mmap(PROT_READ).
Added CAP_MMAP_W:
- Allow for mmap(PROT_WRITE).
Added CAP_MMAP_X:
- Allow for mmap(PROT_EXEC).
Added CAP_MMAP_RW:
- Allow for mmap(PROT_READ | PROT_WRITE).
Added CAP_MMAP_RX:
- Allow for mmap(PROT_READ | PROT_EXEC).
Added CAP_MMAP_WX:
- Allow for mmap(PROT_WRITE | PROT_EXEC).
Added CAP_MMAP_RWX:
- Allow for mmap(PROT_READ | PROT_WRITE | PROT_EXEC).
Renamed CAP_MKDIR to CAP_MKDIRAT.
Renamed CAP_MKFIFO to CAP_MKFIFOAT.
Renamed CAP_MKNODE to CAP_MKNODEAT.
CAP_READ old behaviour:
- Allow pread(2).
- Disallow read(2), readv(2) (if there is no CAP_SEEK).
CAP_READ new behaviour:
- Allow read(2), readv(2).
- Disallow pread(2) (CAP_SEEK was also required).
CAP_WRITE old behaviour:
- Allow pwrite(2).
- Disallow write(2), writev(2) (if there is no CAP_SEEK).
CAP_WRITE new behaviour:
- Allow write(2), writev(2).
- Disallow pwrite(2) (CAP_SEEK was also required).
Added convinient defines:
#define CAP_PREAD (CAP_SEEK | CAP_READ)
#define CAP_PWRITE (CAP_SEEK | CAP_WRITE)
#define CAP_MMAP_R (CAP_MMAP | CAP_SEEK | CAP_READ)
#define CAP_MMAP_W (CAP_MMAP | CAP_SEEK | CAP_WRITE)
#define CAP_MMAP_X (CAP_MMAP | CAP_SEEK | 0x0000000000000008ULL)
#define CAP_MMAP_RW (CAP_MMAP_R | CAP_MMAP_W)
#define CAP_MMAP_RX (CAP_MMAP_R | CAP_MMAP_X)
#define CAP_MMAP_WX (CAP_MMAP_W | CAP_MMAP_X)
#define CAP_MMAP_RWX (CAP_MMAP_R | CAP_MMAP_W | CAP_MMAP_X)
#define CAP_RECV CAP_READ
#define CAP_SEND CAP_WRITE
#define CAP_SOCK_CLIENT \
(CAP_CONNECT | CAP_GETPEERNAME | CAP_GETSOCKNAME | CAP_GETSOCKOPT | \
CAP_PEELOFF | CAP_RECV | CAP_SEND | CAP_SETSOCKOPT | CAP_SHUTDOWN)
#define CAP_SOCK_SERVER \
(CAP_ACCEPT | CAP_BIND | CAP_GETPEERNAME | CAP_GETSOCKNAME | \
CAP_GETSOCKOPT | CAP_LISTEN | CAP_PEELOFF | CAP_RECV | CAP_SEND | \
CAP_SETSOCKOPT | CAP_SHUTDOWN)
Added defines for backward API compatibility:
#define CAP_MAPEXEC CAP_MMAP_X
#define CAP_DELETE CAP_UNLINKAT
#define CAP_MKDIR CAP_MKDIRAT
#define CAP_RMDIR CAP_UNLINKAT
#define CAP_MKFIFO CAP_MKFIFOAT
#define CAP_MKNOD CAP_MKNODAT
#define CAP_SOCK_ALL (CAP_SOCK_CLIENT | CAP_SOCK_SERVER)
Sponsored by: The FreeBSD Foundation
Reviewed by: Christoph Mallon <christoph.mallon@gmx.de>
Many aspects discussed with: rwatson, benl, jonathan
ABI compatibility discussed with: kib
2013-03-02 00:53:12 +00:00
|
|
|
if (fp == NULL ||
|
Change the cap_rights_t type from uint64_t to a structure that we can extend
in the future in a backward compatible (API and ABI) way.
The cap_rights_t represents capability rights. We used to use one bit to
represent one right, but we are running out of spare bits. Currently the new
structure provides place for 114 rights (so 50 more than the previous
cap_rights_t), but it is possible to grow the structure to hold at least 285
rights, although we can make it even larger if 285 rights won't be enough.
The structure definition looks like this:
struct cap_rights {
uint64_t cr_rights[CAP_RIGHTS_VERSION + 2];
};
The initial CAP_RIGHTS_VERSION is 0.
The top two bits in the first element of the cr_rights[] array contain total
number of elements in the array - 2. This means if those two bits are equal to
0, we have 2 array elements.
The top two bits in all remaining array elements should be 0.
The next five bits in all array elements contain array index. Only one bit is
used and bit position in this five-bits range defines array index. This means
there can be at most five array elements in the future.
To define new right the CAPRIGHT() macro must be used. The macro takes two
arguments - an array index and a bit to set, eg.
#define CAP_PDKILL CAPRIGHT(1, 0x0000000000000800ULL)
We still support aliases that combine few rights, but the rights have to belong
to the same array element, eg:
#define CAP_LOOKUP CAPRIGHT(0, 0x0000000000000400ULL)
#define CAP_FCHMOD CAPRIGHT(0, 0x0000000000002000ULL)
#define CAP_FCHMODAT (CAP_FCHMOD | CAP_LOOKUP)
There is new API to manage the new cap_rights_t structure:
cap_rights_t *cap_rights_init(cap_rights_t *rights, ...);
void cap_rights_set(cap_rights_t *rights, ...);
void cap_rights_clear(cap_rights_t *rights, ...);
bool cap_rights_is_set(const cap_rights_t *rights, ...);
bool cap_rights_is_valid(const cap_rights_t *rights);
void cap_rights_merge(cap_rights_t *dst, const cap_rights_t *src);
void cap_rights_remove(cap_rights_t *dst, const cap_rights_t *src);
bool cap_rights_contains(const cap_rights_t *big, const cap_rights_t *little);
Capability rights to the cap_rights_init(), cap_rights_set(),
cap_rights_clear() and cap_rights_is_set() functions are provided by
separating them with commas, eg:
cap_rights_t rights;
cap_rights_init(&rights, CAP_READ, CAP_WRITE, CAP_FSTAT);
There is no need to terminate the list of rights, as those functions are
actually macros that take care of the termination, eg:
#define cap_rights_set(rights, ...) \
__cap_rights_set((rights), __VA_ARGS__, 0ULL)
void __cap_rights_set(cap_rights_t *rights, ...);
Thanks to using one bit as an array index we can assert in those functions that
there are no two rights belonging to different array elements provided
together. For example this is illegal and will be detected, because CAP_LOOKUP
belongs to element 0 and CAP_PDKILL to element 1:
cap_rights_init(&rights, CAP_LOOKUP | CAP_PDKILL);
Providing several rights that belongs to the same array's element this way is
correct, but is not advised. It should only be used for aliases definition.
This commit also breaks compatibility with some existing Capsicum system calls,
but I see no other way to do that. This should be fine as Capsicum is still
experimental and this change is not going to 9.x.
Sponsored by: The FreeBSD Foundation
2013-09-05 00:09:56 +00:00
|
|
|
cap_check(cap_rights(fdp, fd->fd),
|
2013-11-15 19:55:35 +00:00
|
|
|
cap_rights_init(&rights, CAP_EVENT)) != 0)
|
2011-08-16 14:14:56 +00:00
|
|
|
#else
|
Merge Capsicum overhaul:
- Capability is no longer separate descriptor type. Now every descriptor
has set of its own capability rights.
- The cap_new(2) system call is left, but it is no longer documented and
should not be used in new code.
- The new syscall cap_rights_limit(2) should be used instead of
cap_new(2), which limits capability rights of the given descriptor
without creating a new one.
- The cap_getrights(2) syscall is renamed to cap_rights_get(2).
- If CAP_IOCTL capability right is present we can further reduce allowed
ioctls list with the new cap_ioctls_limit(2) syscall. List of allowed
ioctls can be retrived with cap_ioctls_get(2) syscall.
- If CAP_FCNTL capability right is present we can further reduce fcntls
that can be used with the new cap_fcntls_limit(2) syscall and retrive
them with cap_fcntls_get(2).
- To support ioctl and fcntl white-listing the filedesc structure was
heavly modified.
- The audit subsystem, kdump and procstat tools were updated to
recognize new syscalls.
- Capability rights were revised and eventhough I tried hard to provide
backward API and ABI compatibility there are some incompatible changes
that are described in detail below:
CAP_CREATE old behaviour:
- Allow for openat(2)+O_CREAT.
- Allow for linkat(2).
- Allow for symlinkat(2).
CAP_CREATE new behaviour:
- Allow for openat(2)+O_CREAT.
Added CAP_LINKAT:
- Allow for linkat(2). ABI: Reuses CAP_RMDIR bit.
- Allow to be target for renameat(2).
Added CAP_SYMLINKAT:
- Allow for symlinkat(2).
Removed CAP_DELETE. Old behaviour:
- Allow for unlinkat(2) when removing non-directory object.
- Allow to be source for renameat(2).
Removed CAP_RMDIR. Old behaviour:
- Allow for unlinkat(2) when removing directory.
Added CAP_RENAMEAT:
- Required for source directory for the renameat(2) syscall.
Added CAP_UNLINKAT (effectively it replaces CAP_DELETE and CAP_RMDIR):
- Allow for unlinkat(2) on any object.
- Required if target of renameat(2) exists and will be removed by this
call.
Removed CAP_MAPEXEC.
CAP_MMAP old behaviour:
- Allow for mmap(2) with any combination of PROT_NONE, PROT_READ and
PROT_WRITE.
CAP_MMAP new behaviour:
- Allow for mmap(2)+PROT_NONE.
Added CAP_MMAP_R:
- Allow for mmap(PROT_READ).
Added CAP_MMAP_W:
- Allow for mmap(PROT_WRITE).
Added CAP_MMAP_X:
- Allow for mmap(PROT_EXEC).
Added CAP_MMAP_RW:
- Allow for mmap(PROT_READ | PROT_WRITE).
Added CAP_MMAP_RX:
- Allow for mmap(PROT_READ | PROT_EXEC).
Added CAP_MMAP_WX:
- Allow for mmap(PROT_WRITE | PROT_EXEC).
Added CAP_MMAP_RWX:
- Allow for mmap(PROT_READ | PROT_WRITE | PROT_EXEC).
Renamed CAP_MKDIR to CAP_MKDIRAT.
Renamed CAP_MKFIFO to CAP_MKFIFOAT.
Renamed CAP_MKNODE to CAP_MKNODEAT.
CAP_READ old behaviour:
- Allow pread(2).
- Disallow read(2), readv(2) (if there is no CAP_SEEK).
CAP_READ new behaviour:
- Allow read(2), readv(2).
- Disallow pread(2) (CAP_SEEK was also required).
CAP_WRITE old behaviour:
- Allow pwrite(2).
- Disallow write(2), writev(2) (if there is no CAP_SEEK).
CAP_WRITE new behaviour:
- Allow write(2), writev(2).
- Disallow pwrite(2) (CAP_SEEK was also required).
Added convinient defines:
#define CAP_PREAD (CAP_SEEK | CAP_READ)
#define CAP_PWRITE (CAP_SEEK | CAP_WRITE)
#define CAP_MMAP_R (CAP_MMAP | CAP_SEEK | CAP_READ)
#define CAP_MMAP_W (CAP_MMAP | CAP_SEEK | CAP_WRITE)
#define CAP_MMAP_X (CAP_MMAP | CAP_SEEK | 0x0000000000000008ULL)
#define CAP_MMAP_RW (CAP_MMAP_R | CAP_MMAP_W)
#define CAP_MMAP_RX (CAP_MMAP_R | CAP_MMAP_X)
#define CAP_MMAP_WX (CAP_MMAP_W | CAP_MMAP_X)
#define CAP_MMAP_RWX (CAP_MMAP_R | CAP_MMAP_W | CAP_MMAP_X)
#define CAP_RECV CAP_READ
#define CAP_SEND CAP_WRITE
#define CAP_SOCK_CLIENT \
(CAP_CONNECT | CAP_GETPEERNAME | CAP_GETSOCKNAME | CAP_GETSOCKOPT | \
CAP_PEELOFF | CAP_RECV | CAP_SEND | CAP_SETSOCKOPT | CAP_SHUTDOWN)
#define CAP_SOCK_SERVER \
(CAP_ACCEPT | CAP_BIND | CAP_GETPEERNAME | CAP_GETSOCKNAME | \
CAP_GETSOCKOPT | CAP_LISTEN | CAP_PEELOFF | CAP_RECV | CAP_SEND | \
CAP_SETSOCKOPT | CAP_SHUTDOWN)
Added defines for backward API compatibility:
#define CAP_MAPEXEC CAP_MMAP_X
#define CAP_DELETE CAP_UNLINKAT
#define CAP_MKDIR CAP_MKDIRAT
#define CAP_RMDIR CAP_UNLINKAT
#define CAP_MKFIFO CAP_MKFIFOAT
#define CAP_MKNOD CAP_MKNODAT
#define CAP_SOCK_ALL (CAP_SOCK_CLIENT | CAP_SOCK_SERVER)
Sponsored by: The FreeBSD Foundation
Reviewed by: Christoph Mallon <christoph.mallon@gmx.de>
Many aspects discussed with: rwatson, benl, jonathan
ABI compatibility discussed with: kib
2013-03-02 00:53:12 +00:00
|
|
|
if (fp == NULL)
|
2011-08-16 14:14:56 +00:00
|
|
|
#endif
|
Merge Capsicum overhaul:
- Capability is no longer separate descriptor type. Now every descriptor
has set of its own capability rights.
- The cap_new(2) system call is left, but it is no longer documented and
should not be used in new code.
- The new syscall cap_rights_limit(2) should be used instead of
cap_new(2), which limits capability rights of the given descriptor
without creating a new one.
- The cap_getrights(2) syscall is renamed to cap_rights_get(2).
- If CAP_IOCTL capability right is present we can further reduce allowed
ioctls list with the new cap_ioctls_limit(2) syscall. List of allowed
ioctls can be retrived with cap_ioctls_get(2) syscall.
- If CAP_FCNTL capability right is present we can further reduce fcntls
that can be used with the new cap_fcntls_limit(2) syscall and retrive
them with cap_fcntls_get(2).
- To support ioctl and fcntl white-listing the filedesc structure was
heavly modified.
- The audit subsystem, kdump and procstat tools were updated to
recognize new syscalls.
- Capability rights were revised and eventhough I tried hard to provide
backward API and ABI compatibility there are some incompatible changes
that are described in detail below:
CAP_CREATE old behaviour:
- Allow for openat(2)+O_CREAT.
- Allow for linkat(2).
- Allow for symlinkat(2).
CAP_CREATE new behaviour:
- Allow for openat(2)+O_CREAT.
Added CAP_LINKAT:
- Allow for linkat(2). ABI: Reuses CAP_RMDIR bit.
- Allow to be target for renameat(2).
Added CAP_SYMLINKAT:
- Allow for symlinkat(2).
Removed CAP_DELETE. Old behaviour:
- Allow for unlinkat(2) when removing non-directory object.
- Allow to be source for renameat(2).
Removed CAP_RMDIR. Old behaviour:
- Allow for unlinkat(2) when removing directory.
Added CAP_RENAMEAT:
- Required for source directory for the renameat(2) syscall.
Added CAP_UNLINKAT (effectively it replaces CAP_DELETE and CAP_RMDIR):
- Allow for unlinkat(2) on any object.
- Required if target of renameat(2) exists and will be removed by this
call.
Removed CAP_MAPEXEC.
CAP_MMAP old behaviour:
- Allow for mmap(2) with any combination of PROT_NONE, PROT_READ and
PROT_WRITE.
CAP_MMAP new behaviour:
- Allow for mmap(2)+PROT_NONE.
Added CAP_MMAP_R:
- Allow for mmap(PROT_READ).
Added CAP_MMAP_W:
- Allow for mmap(PROT_WRITE).
Added CAP_MMAP_X:
- Allow for mmap(PROT_EXEC).
Added CAP_MMAP_RW:
- Allow for mmap(PROT_READ | PROT_WRITE).
Added CAP_MMAP_RX:
- Allow for mmap(PROT_READ | PROT_EXEC).
Added CAP_MMAP_WX:
- Allow for mmap(PROT_WRITE | PROT_EXEC).
Added CAP_MMAP_RWX:
- Allow for mmap(PROT_READ | PROT_WRITE | PROT_EXEC).
Renamed CAP_MKDIR to CAP_MKDIRAT.
Renamed CAP_MKFIFO to CAP_MKFIFOAT.
Renamed CAP_MKNODE to CAP_MKNODEAT.
CAP_READ old behaviour:
- Allow pread(2).
- Disallow read(2), readv(2) (if there is no CAP_SEEK).
CAP_READ new behaviour:
- Allow read(2), readv(2).
- Disallow pread(2) (CAP_SEEK was also required).
CAP_WRITE old behaviour:
- Allow pwrite(2).
- Disallow write(2), writev(2) (if there is no CAP_SEEK).
CAP_WRITE new behaviour:
- Allow write(2), writev(2).
- Disallow pwrite(2) (CAP_SEEK was also required).
Added convinient defines:
#define CAP_PREAD (CAP_SEEK | CAP_READ)
#define CAP_PWRITE (CAP_SEEK | CAP_WRITE)
#define CAP_MMAP_R (CAP_MMAP | CAP_SEEK | CAP_READ)
#define CAP_MMAP_W (CAP_MMAP | CAP_SEEK | CAP_WRITE)
#define CAP_MMAP_X (CAP_MMAP | CAP_SEEK | 0x0000000000000008ULL)
#define CAP_MMAP_RW (CAP_MMAP_R | CAP_MMAP_W)
#define CAP_MMAP_RX (CAP_MMAP_R | CAP_MMAP_X)
#define CAP_MMAP_WX (CAP_MMAP_W | CAP_MMAP_X)
#define CAP_MMAP_RWX (CAP_MMAP_R | CAP_MMAP_W | CAP_MMAP_X)
#define CAP_RECV CAP_READ
#define CAP_SEND CAP_WRITE
#define CAP_SOCK_CLIENT \
(CAP_CONNECT | CAP_GETPEERNAME | CAP_GETSOCKNAME | CAP_GETSOCKOPT | \
CAP_PEELOFF | CAP_RECV | CAP_SEND | CAP_SETSOCKOPT | CAP_SHUTDOWN)
#define CAP_SOCK_SERVER \
(CAP_ACCEPT | CAP_BIND | CAP_GETPEERNAME | CAP_GETSOCKNAME | \
CAP_GETSOCKOPT | CAP_LISTEN | CAP_PEELOFF | CAP_RECV | CAP_SEND | \
CAP_SETSOCKOPT | CAP_SHUTDOWN)
Added defines for backward API compatibility:
#define CAP_MAPEXEC CAP_MMAP_X
#define CAP_DELETE CAP_UNLINKAT
#define CAP_MKDIR CAP_MKDIRAT
#define CAP_RMDIR CAP_UNLINKAT
#define CAP_MKFIFO CAP_MKFIFOAT
#define CAP_MKNOD CAP_MKNODAT
#define CAP_SOCK_ALL (CAP_SOCK_CLIENT | CAP_SOCK_SERVER)
Sponsored by: The FreeBSD Foundation
Reviewed by: Christoph Mallon <christoph.mallon@gmx.de>
Many aspects discussed with: rwatson, benl, jonathan
ABI compatibility discussed with: kib
2013-03-02 00:53:12 +00:00
|
|
|
{
|
2007-12-16 06:21:20 +00:00
|
|
|
fd->revents = POLLNVAL;
|
|
|
|
n++;
|
|
|
|
continue;
|
|
|
|
}
|
2011-08-16 14:14:56 +00:00
|
|
|
|
2007-12-16 06:21:20 +00:00
|
|
|
/*
|
|
|
|
* Note: backend also returns POLLHUP and
|
|
|
|
* POLLERR if appropriate.
|
|
|
|
*/
|
|
|
|
fd->revents = fo_poll(fp, fd->events, td->td_ucred, td);
|
|
|
|
if (fd->revents != 0)
|
|
|
|
n++;
|
|
|
|
}
|
|
|
|
FILEDESC_SUNLOCK(fdp);
|
|
|
|
stp->st_flags = 0;
|
|
|
|
td->td_retval[0] = n;
|
|
|
|
return (0);
|
|
|
|
}
|
|
|
|
|
|
|
|
|
2009-03-11 22:00:03 +00:00
|
|
|
static int
|
2010-08-28 17:42:08 +00:00
|
|
|
pollout(td, fds, ufds, nfd)
|
|
|
|
struct thread *td;
|
2009-03-11 22:00:03 +00:00
|
|
|
struct pollfd *fds;
|
|
|
|
struct pollfd *ufds;
|
|
|
|
u_int nfd;
|
|
|
|
{
|
|
|
|
int error = 0;
|
|
|
|
u_int i = 0;
|
2010-08-28 17:42:08 +00:00
|
|
|
u_int n = 0;
|
2009-03-11 22:00:03 +00:00
|
|
|
|
|
|
|
for (i = 0; i < nfd; i++) {
|
|
|
|
error = copyout(&fds->revents, &ufds->revents,
|
|
|
|
sizeof(ufds->revents));
|
|
|
|
if (error)
|
|
|
|
return (error);
|
2010-08-28 17:42:08 +00:00
|
|
|
if (fds->revents != 0)
|
|
|
|
n++;
|
2009-03-11 22:00:03 +00:00
|
|
|
fds++;
|
|
|
|
ufds++;
|
|
|
|
}
|
2010-08-28 17:42:08 +00:00
|
|
|
td->td_retval[0] = n;
|
2009-03-11 22:00:03 +00:00
|
|
|
return (0);
|
|
|
|
}
|
|
|
|
|
1997-09-14 02:30:32 +00:00
|
|
|
static int
|
2001-09-12 08:38:13 +00:00
|
|
|
pollscan(td, fds, nfd)
|
|
|
|
struct thread *td;
|
1997-09-14 02:30:32 +00:00
|
|
|
struct pollfd *fds;
|
2001-02-27 15:11:31 +00:00
|
|
|
u_int nfd;
|
1997-09-14 02:30:32 +00:00
|
|
|
{
|
2007-12-16 06:21:20 +00:00
|
|
|
struct filedesc *fdp = td->td_proc->p_fd;
|
1997-09-14 02:30:32 +00:00
|
|
|
struct file *fp;
|
2013-09-05 03:46:44 +00:00
|
|
|
#ifdef CAPABILITIES
|
Change the cap_rights_t type from uint64_t to a structure that we can extend
in the future in a backward compatible (API and ABI) way.
The cap_rights_t represents capability rights. We used to use one bit to
represent one right, but we are running out of spare bits. Currently the new
structure provides place for 114 rights (so 50 more than the previous
cap_rights_t), but it is possible to grow the structure to hold at least 285
rights, although we can make it even larger if 285 rights won't be enough.
The structure definition looks like this:
struct cap_rights {
uint64_t cr_rights[CAP_RIGHTS_VERSION + 2];
};
The initial CAP_RIGHTS_VERSION is 0.
The top two bits in the first element of the cr_rights[] array contain total
number of elements in the array - 2. This means if those two bits are equal to
0, we have 2 array elements.
The top two bits in all remaining array elements should be 0.
The next five bits in all array elements contain array index. Only one bit is
used and bit position in this five-bits range defines array index. This means
there can be at most five array elements in the future.
To define new right the CAPRIGHT() macro must be used. The macro takes two
arguments - an array index and a bit to set, eg.
#define CAP_PDKILL CAPRIGHT(1, 0x0000000000000800ULL)
We still support aliases that combine few rights, but the rights have to belong
to the same array element, eg:
#define CAP_LOOKUP CAPRIGHT(0, 0x0000000000000400ULL)
#define CAP_FCHMOD CAPRIGHT(0, 0x0000000000002000ULL)
#define CAP_FCHMODAT (CAP_FCHMOD | CAP_LOOKUP)
There is new API to manage the new cap_rights_t structure:
cap_rights_t *cap_rights_init(cap_rights_t *rights, ...);
void cap_rights_set(cap_rights_t *rights, ...);
void cap_rights_clear(cap_rights_t *rights, ...);
bool cap_rights_is_set(const cap_rights_t *rights, ...);
bool cap_rights_is_valid(const cap_rights_t *rights);
void cap_rights_merge(cap_rights_t *dst, const cap_rights_t *src);
void cap_rights_remove(cap_rights_t *dst, const cap_rights_t *src);
bool cap_rights_contains(const cap_rights_t *big, const cap_rights_t *little);
Capability rights to the cap_rights_init(), cap_rights_set(),
cap_rights_clear() and cap_rights_is_set() functions are provided by
separating them with commas, eg:
cap_rights_t rights;
cap_rights_init(&rights, CAP_READ, CAP_WRITE, CAP_FSTAT);
There is no need to terminate the list of rights, as those functions are
actually macros that take care of the termination, eg:
#define cap_rights_set(rights, ...) \
__cap_rights_set((rights), __VA_ARGS__, 0ULL)
void __cap_rights_set(cap_rights_t *rights, ...);
Thanks to using one bit as an array index we can assert in those functions that
there are no two rights belonging to different array elements provided
together. For example this is illegal and will be detected, because CAP_LOOKUP
belongs to element 0 and CAP_PDKILL to element 1:
cap_rights_init(&rights, CAP_LOOKUP | CAP_PDKILL);
Providing several rights that belongs to the same array's element this way is
correct, but is not advised. It should only be used for aliases definition.
This commit also breaks compatibility with some existing Capsicum system calls,
but I see no other way to do that. This should be fine as Capsicum is still
experimental and this change is not going to 9.x.
Sponsored by: The FreeBSD Foundation
2013-09-05 00:09:56 +00:00
|
|
|
cap_rights_t rights;
|
2013-09-05 03:46:44 +00:00
|
|
|
#endif
|
Merge Capsicum overhaul:
- Capability is no longer separate descriptor type. Now every descriptor
has set of its own capability rights.
- The cap_new(2) system call is left, but it is no longer documented and
should not be used in new code.
- The new syscall cap_rights_limit(2) should be used instead of
cap_new(2), which limits capability rights of the given descriptor
without creating a new one.
- The cap_getrights(2) syscall is renamed to cap_rights_get(2).
- If CAP_IOCTL capability right is present we can further reduce allowed
ioctls list with the new cap_ioctls_limit(2) syscall. List of allowed
ioctls can be retrived with cap_ioctls_get(2) syscall.
- If CAP_FCNTL capability right is present we can further reduce fcntls
that can be used with the new cap_fcntls_limit(2) syscall and retrive
them with cap_fcntls_get(2).
- To support ioctl and fcntl white-listing the filedesc structure was
heavly modified.
- The audit subsystem, kdump and procstat tools were updated to
recognize new syscalls.
- Capability rights were revised and eventhough I tried hard to provide
backward API and ABI compatibility there are some incompatible changes
that are described in detail below:
CAP_CREATE old behaviour:
- Allow for openat(2)+O_CREAT.
- Allow for linkat(2).
- Allow for symlinkat(2).
CAP_CREATE new behaviour:
- Allow for openat(2)+O_CREAT.
Added CAP_LINKAT:
- Allow for linkat(2). ABI: Reuses CAP_RMDIR bit.
- Allow to be target for renameat(2).
Added CAP_SYMLINKAT:
- Allow for symlinkat(2).
Removed CAP_DELETE. Old behaviour:
- Allow for unlinkat(2) when removing non-directory object.
- Allow to be source for renameat(2).
Removed CAP_RMDIR. Old behaviour:
- Allow for unlinkat(2) when removing directory.
Added CAP_RENAMEAT:
- Required for source directory for the renameat(2) syscall.
Added CAP_UNLINKAT (effectively it replaces CAP_DELETE and CAP_RMDIR):
- Allow for unlinkat(2) on any object.
- Required if target of renameat(2) exists and will be removed by this
call.
Removed CAP_MAPEXEC.
CAP_MMAP old behaviour:
- Allow for mmap(2) with any combination of PROT_NONE, PROT_READ and
PROT_WRITE.
CAP_MMAP new behaviour:
- Allow for mmap(2)+PROT_NONE.
Added CAP_MMAP_R:
- Allow for mmap(PROT_READ).
Added CAP_MMAP_W:
- Allow for mmap(PROT_WRITE).
Added CAP_MMAP_X:
- Allow for mmap(PROT_EXEC).
Added CAP_MMAP_RW:
- Allow for mmap(PROT_READ | PROT_WRITE).
Added CAP_MMAP_RX:
- Allow for mmap(PROT_READ | PROT_EXEC).
Added CAP_MMAP_WX:
- Allow for mmap(PROT_WRITE | PROT_EXEC).
Added CAP_MMAP_RWX:
- Allow for mmap(PROT_READ | PROT_WRITE | PROT_EXEC).
Renamed CAP_MKDIR to CAP_MKDIRAT.
Renamed CAP_MKFIFO to CAP_MKFIFOAT.
Renamed CAP_MKNODE to CAP_MKNODEAT.
CAP_READ old behaviour:
- Allow pread(2).
- Disallow read(2), readv(2) (if there is no CAP_SEEK).
CAP_READ new behaviour:
- Allow read(2), readv(2).
- Disallow pread(2) (CAP_SEEK was also required).
CAP_WRITE old behaviour:
- Allow pwrite(2).
- Disallow write(2), writev(2) (if there is no CAP_SEEK).
CAP_WRITE new behaviour:
- Allow write(2), writev(2).
- Disallow pwrite(2) (CAP_SEEK was also required).
Added convinient defines:
#define CAP_PREAD (CAP_SEEK | CAP_READ)
#define CAP_PWRITE (CAP_SEEK | CAP_WRITE)
#define CAP_MMAP_R (CAP_MMAP | CAP_SEEK | CAP_READ)
#define CAP_MMAP_W (CAP_MMAP | CAP_SEEK | CAP_WRITE)
#define CAP_MMAP_X (CAP_MMAP | CAP_SEEK | 0x0000000000000008ULL)
#define CAP_MMAP_RW (CAP_MMAP_R | CAP_MMAP_W)
#define CAP_MMAP_RX (CAP_MMAP_R | CAP_MMAP_X)
#define CAP_MMAP_WX (CAP_MMAP_W | CAP_MMAP_X)
#define CAP_MMAP_RWX (CAP_MMAP_R | CAP_MMAP_W | CAP_MMAP_X)
#define CAP_RECV CAP_READ
#define CAP_SEND CAP_WRITE
#define CAP_SOCK_CLIENT \
(CAP_CONNECT | CAP_GETPEERNAME | CAP_GETSOCKNAME | CAP_GETSOCKOPT | \
CAP_PEELOFF | CAP_RECV | CAP_SEND | CAP_SETSOCKOPT | CAP_SHUTDOWN)
#define CAP_SOCK_SERVER \
(CAP_ACCEPT | CAP_BIND | CAP_GETPEERNAME | CAP_GETSOCKNAME | \
CAP_GETSOCKOPT | CAP_LISTEN | CAP_PEELOFF | CAP_RECV | CAP_SEND | \
CAP_SETSOCKOPT | CAP_SHUTDOWN)
Added defines for backward API compatibility:
#define CAP_MAPEXEC CAP_MMAP_X
#define CAP_DELETE CAP_UNLINKAT
#define CAP_MKDIR CAP_MKDIRAT
#define CAP_RMDIR CAP_UNLINKAT
#define CAP_MKFIFO CAP_MKFIFOAT
#define CAP_MKNOD CAP_MKNODAT
#define CAP_SOCK_ALL (CAP_SOCK_CLIENT | CAP_SOCK_SERVER)
Sponsored by: The FreeBSD Foundation
Reviewed by: Christoph Mallon <christoph.mallon@gmx.de>
Many aspects discussed with: rwatson, benl, jonathan
ABI compatibility discussed with: kib
2013-03-02 00:53:12 +00:00
|
|
|
int i, n = 0;
|
1997-09-14 02:30:32 +00:00
|
|
|
|
Replace custom file descriptor array sleep lock constructed using a mutex
and flags with an sxlock. This leads to a significant and measurable
performance improvement as a result of access to shared locking for
frequent lookup operations, reduced general overhead, and reduced overhead
in the event of contention. All of these are imported for threaded
applications where simultaneous access to a shared file descriptor array
occurs frequently. Kris has reported 2x-4x transaction rate improvements
on 8-core MySQL benchmarks; smaller improvements can be expected for many
workloads as a result of reduced overhead.
- Generally eliminate the distinction between "fast" and regular
acquisisition of the filedesc lock; the plan is that they will now all
be fast. Change all locking instances to either shared or exclusive
locks.
- Correct a bug (pointed out by kib) in fdfree() where previously msleep()
was called without the mutex held; sx_sleep() is now always called with
the sxlock held exclusively.
- Universally hold the struct file lock over changes to struct file,
rather than the filedesc lock or no lock. Always update the f_ops
field last. A further memory barrier is required here in the future
(discussed with jhb).
- Improve locking and reference management in linux_at(), which fails to
properly acquire vnode references before using vnode pointers. Annotate
improper use of vn_fullpath(), which will be replaced at a future date.
In fcntl(), we conservatively acquire an exclusive lock, even though in
some cases a shared lock may be sufficient, which should be revisited.
The dropping of the filedesc lock in fdgrowtable() is no longer required
as the sxlock can be held over the sleep operation; we should consider
removing that (pointed out by attilio).
Tested by: kris
Discussed with: jhb, kris, attilio, jeff
2007-04-04 09:11:34 +00:00
|
|
|
FILEDESC_SLOCK(fdp);
|
1997-09-14 02:30:32 +00:00
|
|
|
for (i = 0; i < nfd; i++, fds++) {
|
2014-06-22 01:31:55 +00:00
|
|
|
if (fds->fd > fdp->fd_lastfile) {
|
1997-09-14 02:30:32 +00:00
|
|
|
fds->revents = POLLNVAL;
|
|
|
|
n++;
|
1998-12-10 01:53:26 +00:00
|
|
|
} else if (fds->fd < 0) {
|
|
|
|
fds->revents = 0;
|
1997-09-14 02:30:32 +00:00
|
|
|
} else {
|
Merge Capsicum overhaul:
- Capability is no longer separate descriptor type. Now every descriptor
has set of its own capability rights.
- The cap_new(2) system call is left, but it is no longer documented and
should not be used in new code.
- The new syscall cap_rights_limit(2) should be used instead of
cap_new(2), which limits capability rights of the given descriptor
without creating a new one.
- The cap_getrights(2) syscall is renamed to cap_rights_get(2).
- If CAP_IOCTL capability right is present we can further reduce allowed
ioctls list with the new cap_ioctls_limit(2) syscall. List of allowed
ioctls can be retrived with cap_ioctls_get(2) syscall.
- If CAP_FCNTL capability right is present we can further reduce fcntls
that can be used with the new cap_fcntls_limit(2) syscall and retrive
them with cap_fcntls_get(2).
- To support ioctl and fcntl white-listing the filedesc structure was
heavly modified.
- The audit subsystem, kdump and procstat tools were updated to
recognize new syscalls.
- Capability rights were revised and eventhough I tried hard to provide
backward API and ABI compatibility there are some incompatible changes
that are described in detail below:
CAP_CREATE old behaviour:
- Allow for openat(2)+O_CREAT.
- Allow for linkat(2).
- Allow for symlinkat(2).
CAP_CREATE new behaviour:
- Allow for openat(2)+O_CREAT.
Added CAP_LINKAT:
- Allow for linkat(2). ABI: Reuses CAP_RMDIR bit.
- Allow to be target for renameat(2).
Added CAP_SYMLINKAT:
- Allow for symlinkat(2).
Removed CAP_DELETE. Old behaviour:
- Allow for unlinkat(2) when removing non-directory object.
- Allow to be source for renameat(2).
Removed CAP_RMDIR. Old behaviour:
- Allow for unlinkat(2) when removing directory.
Added CAP_RENAMEAT:
- Required for source directory for the renameat(2) syscall.
Added CAP_UNLINKAT (effectively it replaces CAP_DELETE and CAP_RMDIR):
- Allow for unlinkat(2) on any object.
- Required if target of renameat(2) exists and will be removed by this
call.
Removed CAP_MAPEXEC.
CAP_MMAP old behaviour:
- Allow for mmap(2) with any combination of PROT_NONE, PROT_READ and
PROT_WRITE.
CAP_MMAP new behaviour:
- Allow for mmap(2)+PROT_NONE.
Added CAP_MMAP_R:
- Allow for mmap(PROT_READ).
Added CAP_MMAP_W:
- Allow for mmap(PROT_WRITE).
Added CAP_MMAP_X:
- Allow for mmap(PROT_EXEC).
Added CAP_MMAP_RW:
- Allow for mmap(PROT_READ | PROT_WRITE).
Added CAP_MMAP_RX:
- Allow for mmap(PROT_READ | PROT_EXEC).
Added CAP_MMAP_WX:
- Allow for mmap(PROT_WRITE | PROT_EXEC).
Added CAP_MMAP_RWX:
- Allow for mmap(PROT_READ | PROT_WRITE | PROT_EXEC).
Renamed CAP_MKDIR to CAP_MKDIRAT.
Renamed CAP_MKFIFO to CAP_MKFIFOAT.
Renamed CAP_MKNODE to CAP_MKNODEAT.
CAP_READ old behaviour:
- Allow pread(2).
- Disallow read(2), readv(2) (if there is no CAP_SEEK).
CAP_READ new behaviour:
- Allow read(2), readv(2).
- Disallow pread(2) (CAP_SEEK was also required).
CAP_WRITE old behaviour:
- Allow pwrite(2).
- Disallow write(2), writev(2) (if there is no CAP_SEEK).
CAP_WRITE new behaviour:
- Allow write(2), writev(2).
- Disallow pwrite(2) (CAP_SEEK was also required).
Added convinient defines:
#define CAP_PREAD (CAP_SEEK | CAP_READ)
#define CAP_PWRITE (CAP_SEEK | CAP_WRITE)
#define CAP_MMAP_R (CAP_MMAP | CAP_SEEK | CAP_READ)
#define CAP_MMAP_W (CAP_MMAP | CAP_SEEK | CAP_WRITE)
#define CAP_MMAP_X (CAP_MMAP | CAP_SEEK | 0x0000000000000008ULL)
#define CAP_MMAP_RW (CAP_MMAP_R | CAP_MMAP_W)
#define CAP_MMAP_RX (CAP_MMAP_R | CAP_MMAP_X)
#define CAP_MMAP_WX (CAP_MMAP_W | CAP_MMAP_X)
#define CAP_MMAP_RWX (CAP_MMAP_R | CAP_MMAP_W | CAP_MMAP_X)
#define CAP_RECV CAP_READ
#define CAP_SEND CAP_WRITE
#define CAP_SOCK_CLIENT \
(CAP_CONNECT | CAP_GETPEERNAME | CAP_GETSOCKNAME | CAP_GETSOCKOPT | \
CAP_PEELOFF | CAP_RECV | CAP_SEND | CAP_SETSOCKOPT | CAP_SHUTDOWN)
#define CAP_SOCK_SERVER \
(CAP_ACCEPT | CAP_BIND | CAP_GETPEERNAME | CAP_GETSOCKNAME | \
CAP_GETSOCKOPT | CAP_LISTEN | CAP_PEELOFF | CAP_RECV | CAP_SEND | \
CAP_SETSOCKOPT | CAP_SHUTDOWN)
Added defines for backward API compatibility:
#define CAP_MAPEXEC CAP_MMAP_X
#define CAP_DELETE CAP_UNLINKAT
#define CAP_MKDIR CAP_MKDIRAT
#define CAP_RMDIR CAP_UNLINKAT
#define CAP_MKFIFO CAP_MKFIFOAT
#define CAP_MKNOD CAP_MKNODAT
#define CAP_SOCK_ALL (CAP_SOCK_CLIENT | CAP_SOCK_SERVER)
Sponsored by: The FreeBSD Foundation
Reviewed by: Christoph Mallon <christoph.mallon@gmx.de>
Many aspects discussed with: rwatson, benl, jonathan
ABI compatibility discussed with: kib
2013-03-02 00:53:12 +00:00
|
|
|
fp = fdp->fd_ofiles[fds->fd].fde_file;
|
2011-08-16 14:14:56 +00:00
|
|
|
#ifdef CAPABILITIES
|
Merge Capsicum overhaul:
- Capability is no longer separate descriptor type. Now every descriptor
has set of its own capability rights.
- The cap_new(2) system call is left, but it is no longer documented and
should not be used in new code.
- The new syscall cap_rights_limit(2) should be used instead of
cap_new(2), which limits capability rights of the given descriptor
without creating a new one.
- The cap_getrights(2) syscall is renamed to cap_rights_get(2).
- If CAP_IOCTL capability right is present we can further reduce allowed
ioctls list with the new cap_ioctls_limit(2) syscall. List of allowed
ioctls can be retrived with cap_ioctls_get(2) syscall.
- If CAP_FCNTL capability right is present we can further reduce fcntls
that can be used with the new cap_fcntls_limit(2) syscall and retrive
them with cap_fcntls_get(2).
- To support ioctl and fcntl white-listing the filedesc structure was
heavly modified.
- The audit subsystem, kdump and procstat tools were updated to
recognize new syscalls.
- Capability rights were revised and eventhough I tried hard to provide
backward API and ABI compatibility there are some incompatible changes
that are described in detail below:
CAP_CREATE old behaviour:
- Allow for openat(2)+O_CREAT.
- Allow for linkat(2).
- Allow for symlinkat(2).
CAP_CREATE new behaviour:
- Allow for openat(2)+O_CREAT.
Added CAP_LINKAT:
- Allow for linkat(2). ABI: Reuses CAP_RMDIR bit.
- Allow to be target for renameat(2).
Added CAP_SYMLINKAT:
- Allow for symlinkat(2).
Removed CAP_DELETE. Old behaviour:
- Allow for unlinkat(2) when removing non-directory object.
- Allow to be source for renameat(2).
Removed CAP_RMDIR. Old behaviour:
- Allow for unlinkat(2) when removing directory.
Added CAP_RENAMEAT:
- Required for source directory for the renameat(2) syscall.
Added CAP_UNLINKAT (effectively it replaces CAP_DELETE and CAP_RMDIR):
- Allow for unlinkat(2) on any object.
- Required if target of renameat(2) exists and will be removed by this
call.
Removed CAP_MAPEXEC.
CAP_MMAP old behaviour:
- Allow for mmap(2) with any combination of PROT_NONE, PROT_READ and
PROT_WRITE.
CAP_MMAP new behaviour:
- Allow for mmap(2)+PROT_NONE.
Added CAP_MMAP_R:
- Allow for mmap(PROT_READ).
Added CAP_MMAP_W:
- Allow for mmap(PROT_WRITE).
Added CAP_MMAP_X:
- Allow for mmap(PROT_EXEC).
Added CAP_MMAP_RW:
- Allow for mmap(PROT_READ | PROT_WRITE).
Added CAP_MMAP_RX:
- Allow for mmap(PROT_READ | PROT_EXEC).
Added CAP_MMAP_WX:
- Allow for mmap(PROT_WRITE | PROT_EXEC).
Added CAP_MMAP_RWX:
- Allow for mmap(PROT_READ | PROT_WRITE | PROT_EXEC).
Renamed CAP_MKDIR to CAP_MKDIRAT.
Renamed CAP_MKFIFO to CAP_MKFIFOAT.
Renamed CAP_MKNODE to CAP_MKNODEAT.
CAP_READ old behaviour:
- Allow pread(2).
- Disallow read(2), readv(2) (if there is no CAP_SEEK).
CAP_READ new behaviour:
- Allow read(2), readv(2).
- Disallow pread(2) (CAP_SEEK was also required).
CAP_WRITE old behaviour:
- Allow pwrite(2).
- Disallow write(2), writev(2) (if there is no CAP_SEEK).
CAP_WRITE new behaviour:
- Allow write(2), writev(2).
- Disallow pwrite(2) (CAP_SEEK was also required).
Added convinient defines:
#define CAP_PREAD (CAP_SEEK | CAP_READ)
#define CAP_PWRITE (CAP_SEEK | CAP_WRITE)
#define CAP_MMAP_R (CAP_MMAP | CAP_SEEK | CAP_READ)
#define CAP_MMAP_W (CAP_MMAP | CAP_SEEK | CAP_WRITE)
#define CAP_MMAP_X (CAP_MMAP | CAP_SEEK | 0x0000000000000008ULL)
#define CAP_MMAP_RW (CAP_MMAP_R | CAP_MMAP_W)
#define CAP_MMAP_RX (CAP_MMAP_R | CAP_MMAP_X)
#define CAP_MMAP_WX (CAP_MMAP_W | CAP_MMAP_X)
#define CAP_MMAP_RWX (CAP_MMAP_R | CAP_MMAP_W | CAP_MMAP_X)
#define CAP_RECV CAP_READ
#define CAP_SEND CAP_WRITE
#define CAP_SOCK_CLIENT \
(CAP_CONNECT | CAP_GETPEERNAME | CAP_GETSOCKNAME | CAP_GETSOCKOPT | \
CAP_PEELOFF | CAP_RECV | CAP_SEND | CAP_SETSOCKOPT | CAP_SHUTDOWN)
#define CAP_SOCK_SERVER \
(CAP_ACCEPT | CAP_BIND | CAP_GETPEERNAME | CAP_GETSOCKNAME | \
CAP_GETSOCKOPT | CAP_LISTEN | CAP_PEELOFF | CAP_RECV | CAP_SEND | \
CAP_SETSOCKOPT | CAP_SHUTDOWN)
Added defines for backward API compatibility:
#define CAP_MAPEXEC CAP_MMAP_X
#define CAP_DELETE CAP_UNLINKAT
#define CAP_MKDIR CAP_MKDIRAT
#define CAP_RMDIR CAP_UNLINKAT
#define CAP_MKFIFO CAP_MKFIFOAT
#define CAP_MKNOD CAP_MKNODAT
#define CAP_SOCK_ALL (CAP_SOCK_CLIENT | CAP_SOCK_SERVER)
Sponsored by: The FreeBSD Foundation
Reviewed by: Christoph Mallon <christoph.mallon@gmx.de>
Many aspects discussed with: rwatson, benl, jonathan
ABI compatibility discussed with: kib
2013-03-02 00:53:12 +00:00
|
|
|
if (fp == NULL ||
|
|
|
|
cap_check(cap_rights(fdp, fds->fd),
|
2013-11-15 19:55:35 +00:00
|
|
|
cap_rights_init(&rights, CAP_EVENT)) != 0)
|
2011-08-16 14:14:56 +00:00
|
|
|
#else
|
Merge Capsicum overhaul:
- Capability is no longer separate descriptor type. Now every descriptor
has set of its own capability rights.
- The cap_new(2) system call is left, but it is no longer documented and
should not be used in new code.
- The new syscall cap_rights_limit(2) should be used instead of
cap_new(2), which limits capability rights of the given descriptor
without creating a new one.
- The cap_getrights(2) syscall is renamed to cap_rights_get(2).
- If CAP_IOCTL capability right is present we can further reduce allowed
ioctls list with the new cap_ioctls_limit(2) syscall. List of allowed
ioctls can be retrived with cap_ioctls_get(2) syscall.
- If CAP_FCNTL capability right is present we can further reduce fcntls
that can be used with the new cap_fcntls_limit(2) syscall and retrive
them with cap_fcntls_get(2).
- To support ioctl and fcntl white-listing the filedesc structure was
heavly modified.
- The audit subsystem, kdump and procstat tools were updated to
recognize new syscalls.
- Capability rights were revised and eventhough I tried hard to provide
backward API and ABI compatibility there are some incompatible changes
that are described in detail below:
CAP_CREATE old behaviour:
- Allow for openat(2)+O_CREAT.
- Allow for linkat(2).
- Allow for symlinkat(2).
CAP_CREATE new behaviour:
- Allow for openat(2)+O_CREAT.
Added CAP_LINKAT:
- Allow for linkat(2). ABI: Reuses CAP_RMDIR bit.
- Allow to be target for renameat(2).
Added CAP_SYMLINKAT:
- Allow for symlinkat(2).
Removed CAP_DELETE. Old behaviour:
- Allow for unlinkat(2) when removing non-directory object.
- Allow to be source for renameat(2).
Removed CAP_RMDIR. Old behaviour:
- Allow for unlinkat(2) when removing directory.
Added CAP_RENAMEAT:
- Required for source directory for the renameat(2) syscall.
Added CAP_UNLINKAT (effectively it replaces CAP_DELETE and CAP_RMDIR):
- Allow for unlinkat(2) on any object.
- Required if target of renameat(2) exists and will be removed by this
call.
Removed CAP_MAPEXEC.
CAP_MMAP old behaviour:
- Allow for mmap(2) with any combination of PROT_NONE, PROT_READ and
PROT_WRITE.
CAP_MMAP new behaviour:
- Allow for mmap(2)+PROT_NONE.
Added CAP_MMAP_R:
- Allow for mmap(PROT_READ).
Added CAP_MMAP_W:
- Allow for mmap(PROT_WRITE).
Added CAP_MMAP_X:
- Allow for mmap(PROT_EXEC).
Added CAP_MMAP_RW:
- Allow for mmap(PROT_READ | PROT_WRITE).
Added CAP_MMAP_RX:
- Allow for mmap(PROT_READ | PROT_EXEC).
Added CAP_MMAP_WX:
- Allow for mmap(PROT_WRITE | PROT_EXEC).
Added CAP_MMAP_RWX:
- Allow for mmap(PROT_READ | PROT_WRITE | PROT_EXEC).
Renamed CAP_MKDIR to CAP_MKDIRAT.
Renamed CAP_MKFIFO to CAP_MKFIFOAT.
Renamed CAP_MKNODE to CAP_MKNODEAT.
CAP_READ old behaviour:
- Allow pread(2).
- Disallow read(2), readv(2) (if there is no CAP_SEEK).
CAP_READ new behaviour:
- Allow read(2), readv(2).
- Disallow pread(2) (CAP_SEEK was also required).
CAP_WRITE old behaviour:
- Allow pwrite(2).
- Disallow write(2), writev(2) (if there is no CAP_SEEK).
CAP_WRITE new behaviour:
- Allow write(2), writev(2).
- Disallow pwrite(2) (CAP_SEEK was also required).
Added convinient defines:
#define CAP_PREAD (CAP_SEEK | CAP_READ)
#define CAP_PWRITE (CAP_SEEK | CAP_WRITE)
#define CAP_MMAP_R (CAP_MMAP | CAP_SEEK | CAP_READ)
#define CAP_MMAP_W (CAP_MMAP | CAP_SEEK | CAP_WRITE)
#define CAP_MMAP_X (CAP_MMAP | CAP_SEEK | 0x0000000000000008ULL)
#define CAP_MMAP_RW (CAP_MMAP_R | CAP_MMAP_W)
#define CAP_MMAP_RX (CAP_MMAP_R | CAP_MMAP_X)
#define CAP_MMAP_WX (CAP_MMAP_W | CAP_MMAP_X)
#define CAP_MMAP_RWX (CAP_MMAP_R | CAP_MMAP_W | CAP_MMAP_X)
#define CAP_RECV CAP_READ
#define CAP_SEND CAP_WRITE
#define CAP_SOCK_CLIENT \
(CAP_CONNECT | CAP_GETPEERNAME | CAP_GETSOCKNAME | CAP_GETSOCKOPT | \
CAP_PEELOFF | CAP_RECV | CAP_SEND | CAP_SETSOCKOPT | CAP_SHUTDOWN)
#define CAP_SOCK_SERVER \
(CAP_ACCEPT | CAP_BIND | CAP_GETPEERNAME | CAP_GETSOCKNAME | \
CAP_GETSOCKOPT | CAP_LISTEN | CAP_PEELOFF | CAP_RECV | CAP_SEND | \
CAP_SETSOCKOPT | CAP_SHUTDOWN)
Added defines for backward API compatibility:
#define CAP_MAPEXEC CAP_MMAP_X
#define CAP_DELETE CAP_UNLINKAT
#define CAP_MKDIR CAP_MKDIRAT
#define CAP_RMDIR CAP_UNLINKAT
#define CAP_MKFIFO CAP_MKFIFOAT
#define CAP_MKNOD CAP_MKNODAT
#define CAP_SOCK_ALL (CAP_SOCK_CLIENT | CAP_SOCK_SERVER)
Sponsored by: The FreeBSD Foundation
Reviewed by: Christoph Mallon <christoph.mallon@gmx.de>
Many aspects discussed with: rwatson, benl, jonathan
ABI compatibility discussed with: kib
2013-03-02 00:53:12 +00:00
|
|
|
if (fp == NULL)
|
2011-08-16 14:14:56 +00:00
|
|
|
#endif
|
Merge Capsicum overhaul:
- Capability is no longer separate descriptor type. Now every descriptor
has set of its own capability rights.
- The cap_new(2) system call is left, but it is no longer documented and
should not be used in new code.
- The new syscall cap_rights_limit(2) should be used instead of
cap_new(2), which limits capability rights of the given descriptor
without creating a new one.
- The cap_getrights(2) syscall is renamed to cap_rights_get(2).
- If CAP_IOCTL capability right is present we can further reduce allowed
ioctls list with the new cap_ioctls_limit(2) syscall. List of allowed
ioctls can be retrived with cap_ioctls_get(2) syscall.
- If CAP_FCNTL capability right is present we can further reduce fcntls
that can be used with the new cap_fcntls_limit(2) syscall and retrive
them with cap_fcntls_get(2).
- To support ioctl and fcntl white-listing the filedesc structure was
heavly modified.
- The audit subsystem, kdump and procstat tools were updated to
recognize new syscalls.
- Capability rights were revised and eventhough I tried hard to provide
backward API and ABI compatibility there are some incompatible changes
that are described in detail below:
CAP_CREATE old behaviour:
- Allow for openat(2)+O_CREAT.
- Allow for linkat(2).
- Allow for symlinkat(2).
CAP_CREATE new behaviour:
- Allow for openat(2)+O_CREAT.
Added CAP_LINKAT:
- Allow for linkat(2). ABI: Reuses CAP_RMDIR bit.
- Allow to be target for renameat(2).
Added CAP_SYMLINKAT:
- Allow for symlinkat(2).
Removed CAP_DELETE. Old behaviour:
- Allow for unlinkat(2) when removing non-directory object.
- Allow to be source for renameat(2).
Removed CAP_RMDIR. Old behaviour:
- Allow for unlinkat(2) when removing directory.
Added CAP_RENAMEAT:
- Required for source directory for the renameat(2) syscall.
Added CAP_UNLINKAT (effectively it replaces CAP_DELETE and CAP_RMDIR):
- Allow for unlinkat(2) on any object.
- Required if target of renameat(2) exists and will be removed by this
call.
Removed CAP_MAPEXEC.
CAP_MMAP old behaviour:
- Allow for mmap(2) with any combination of PROT_NONE, PROT_READ and
PROT_WRITE.
CAP_MMAP new behaviour:
- Allow for mmap(2)+PROT_NONE.
Added CAP_MMAP_R:
- Allow for mmap(PROT_READ).
Added CAP_MMAP_W:
- Allow for mmap(PROT_WRITE).
Added CAP_MMAP_X:
- Allow for mmap(PROT_EXEC).
Added CAP_MMAP_RW:
- Allow for mmap(PROT_READ | PROT_WRITE).
Added CAP_MMAP_RX:
- Allow for mmap(PROT_READ | PROT_EXEC).
Added CAP_MMAP_WX:
- Allow for mmap(PROT_WRITE | PROT_EXEC).
Added CAP_MMAP_RWX:
- Allow for mmap(PROT_READ | PROT_WRITE | PROT_EXEC).
Renamed CAP_MKDIR to CAP_MKDIRAT.
Renamed CAP_MKFIFO to CAP_MKFIFOAT.
Renamed CAP_MKNODE to CAP_MKNODEAT.
CAP_READ old behaviour:
- Allow pread(2).
- Disallow read(2), readv(2) (if there is no CAP_SEEK).
CAP_READ new behaviour:
- Allow read(2), readv(2).
- Disallow pread(2) (CAP_SEEK was also required).
CAP_WRITE old behaviour:
- Allow pwrite(2).
- Disallow write(2), writev(2) (if there is no CAP_SEEK).
CAP_WRITE new behaviour:
- Allow write(2), writev(2).
- Disallow pwrite(2) (CAP_SEEK was also required).
Added convinient defines:
#define CAP_PREAD (CAP_SEEK | CAP_READ)
#define CAP_PWRITE (CAP_SEEK | CAP_WRITE)
#define CAP_MMAP_R (CAP_MMAP | CAP_SEEK | CAP_READ)
#define CAP_MMAP_W (CAP_MMAP | CAP_SEEK | CAP_WRITE)
#define CAP_MMAP_X (CAP_MMAP | CAP_SEEK | 0x0000000000000008ULL)
#define CAP_MMAP_RW (CAP_MMAP_R | CAP_MMAP_W)
#define CAP_MMAP_RX (CAP_MMAP_R | CAP_MMAP_X)
#define CAP_MMAP_WX (CAP_MMAP_W | CAP_MMAP_X)
#define CAP_MMAP_RWX (CAP_MMAP_R | CAP_MMAP_W | CAP_MMAP_X)
#define CAP_RECV CAP_READ
#define CAP_SEND CAP_WRITE
#define CAP_SOCK_CLIENT \
(CAP_CONNECT | CAP_GETPEERNAME | CAP_GETSOCKNAME | CAP_GETSOCKOPT | \
CAP_PEELOFF | CAP_RECV | CAP_SEND | CAP_SETSOCKOPT | CAP_SHUTDOWN)
#define CAP_SOCK_SERVER \
(CAP_ACCEPT | CAP_BIND | CAP_GETPEERNAME | CAP_GETSOCKNAME | \
CAP_GETSOCKOPT | CAP_LISTEN | CAP_PEELOFF | CAP_RECV | CAP_SEND | \
CAP_SETSOCKOPT | CAP_SHUTDOWN)
Added defines for backward API compatibility:
#define CAP_MAPEXEC CAP_MMAP_X
#define CAP_DELETE CAP_UNLINKAT
#define CAP_MKDIR CAP_MKDIRAT
#define CAP_RMDIR CAP_UNLINKAT
#define CAP_MKFIFO CAP_MKFIFOAT
#define CAP_MKNOD CAP_MKNODAT
#define CAP_SOCK_ALL (CAP_SOCK_CLIENT | CAP_SOCK_SERVER)
Sponsored by: The FreeBSD Foundation
Reviewed by: Christoph Mallon <christoph.mallon@gmx.de>
Many aspects discussed with: rwatson, benl, jonathan
ABI compatibility discussed with: kib
2013-03-02 00:53:12 +00:00
|
|
|
{
|
1997-09-14 02:30:32 +00:00
|
|
|
fds->revents = POLLNVAL;
|
|
|
|
n++;
|
|
|
|
} else {
|
1997-11-23 10:30:50 +00:00
|
|
|
/*
|
|
|
|
* Note: backend also returns POLLHUP and
|
|
|
|
* POLLERR if appropriate.
|
|
|
|
*/
|
2007-12-16 06:21:20 +00:00
|
|
|
selfdalloc(td, fds);
|
This is what was "fdfix2.patch," a fix for fd sharing. It's pretty
far-reaching in fd-land, so you'll want to consult the code for
changes. The biggest change is that now, you don't use
fp->f_ops->fo_foo(fp, bar)
but instead
fo_foo(fp, bar),
which increments and decrements the fp refcount upon entry and exit.
Two new calls, fhold() and fdrop(), are provided. Each does what it
seems like it should, and if fdrop() brings the refcount to zero, the
fd is freed as well.
Thanks to peter ("to hell with it, it looks ok to me.") for his review.
Thanks to msmith for keeping me from putting locks everywhere :)
Reviewed by: peter
1999-09-19 17:00:25 +00:00
|
|
|
fds->revents = fo_poll(fp, fds->events,
|
Make similar changes to fo_stat() and fo_poll() as made earlier to
fo_read() and fo_write(): explicitly use the cred argument to fo_poll()
as "active_cred" using the passed file descriptor's f_cred reference
to provide access to the file credential. Add an active_cred
argument to fo_stat() so that implementers have access to the active
credential as well as the file credential. Generally modify callers
of fo_stat() to pass in td->td_ucred rather than fp->f_cred, which
was redundantly provided via the fp argument. This set of modifications
also permits threads to perform these operations on behalf of another
thread without modifying their credential.
Trickle this change down into fo_stat/poll() implementations:
- badfo_poll(), badfo_stat(): modify/add arguments.
- kqueue_poll(), kqueue_stat(): modify arguments.
- pipe_poll(), pipe_stat(): modify/add arguments, pass active_cred to
MAC checks rather than td->td_ucred.
- soo_poll(), soo_stat(): modify/add arguments, pass fp->f_cred rather
than cred to pru_sopoll() to maintain current semantics.
- sopoll(): moidfy arguments.
- vn_poll(), vn_statfile(): modify/add arguments, pass new arguments
to vn_stat(). Pass active_cred to MAC and fp->f_cred to VOP_POLL()
to maintian current semantics.
- vn_close(): rename cred to file_cred to reflect reality while I'm here.
- vn_stat(): Add active_cred and file_cred arguments to vn_stat()
and consumers so that this distinction is maintained at the VFS
as well as 'struct file' layer. Pass active_cred instead of
td->td_ucred to MAC and to VOP_GETATTR() to maintain current semantics.
- fifofs: modify the creation of a "filetemp" so that the file
credential is properly initialized and can be used in the socket
code if desired. Pass ap->a_td->td_ucred as the active
credential to soo_poll(). If we teach the vnop interface about
the distinction between file and active credentials, we would use
the active credential here.
Note that current inconsistent passing of active_cred vs. file_cred to
VOP's is maintained. It's not clear why GETATTR would be authorized
using active_cred while POLL would be authorized using file_cred at
the file system level.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
2002-08-16 12:52:03 +00:00
|
|
|
td->td_ucred, td);
|
2009-08-23 12:44:15 +00:00
|
|
|
/*
|
|
|
|
* POSIX requires POLLOUT to be never
|
|
|
|
* set simultaneously with POLLHUP.
|
|
|
|
*/
|
|
|
|
if ((fds->revents & POLLHUP) != 0)
|
|
|
|
fds->revents &= ~POLLOUT;
|
|
|
|
|
1997-09-14 02:30:32 +00:00
|
|
|
if (fds->revents != 0)
|
|
|
|
n++;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
Replace custom file descriptor array sleep lock constructed using a mutex
and flags with an sxlock. This leads to a significant and measurable
performance improvement as a result of access to shared locking for
frequent lookup operations, reduced general overhead, and reduced overhead
in the event of contention. All of these are imported for threaded
applications where simultaneous access to a shared file descriptor array
occurs frequently. Kris has reported 2x-4x transaction rate improvements
on 8-core MySQL benchmarks; smaller improvements can be expected for many
workloads as a result of reduced overhead.
- Generally eliminate the distinction between "fast" and regular
acquisisition of the filedesc lock; the plan is that they will now all
be fast. Change all locking instances to either shared or exclusive
locks.
- Correct a bug (pointed out by kib) in fdfree() where previously msleep()
was called without the mutex held; sx_sleep() is now always called with
the sxlock held exclusively.
- Universally hold the struct file lock over changes to struct file,
rather than the filedesc lock or no lock. Always update the f_ops
field last. A further memory barrier is required here in the future
(discussed with jhb).
- Improve locking and reference management in linux_at(), which fails to
properly acquire vnode references before using vnode pointers. Annotate
improper use of vn_fullpath(), which will be replaced at a future date.
In fcntl(), we conservatively acquire an exclusive lock, even though in
some cases a shared lock may be sufficient, which should be revisited.
The dropping of the filedesc lock in fdgrowtable() is no longer required
as the sxlock can be held over the sleep operation; we should consider
removing that (pointed out by attilio).
Tested by: kris
Discussed with: jhb, kris, attilio, jeff
2007-04-04 09:11:34 +00:00
|
|
|
FILEDESC_SUNLOCK(fdp);
|
2001-09-12 08:38:13 +00:00
|
|
|
td->td_retval[0] = n;
|
1997-09-14 02:30:32 +00:00
|
|
|
return (0);
|
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
|
|
|
* OpenBSD poll system call.
|
2007-03-04 22:36:48 +00:00
|
|
|
*
|
1997-09-14 02:30:32 +00:00
|
|
|
* XXX this isn't quite a true representation.. OpenBSD uses select ops.
|
|
|
|
*/
|
|
|
|
#ifndef _SYS_SYSPROTO_H_
|
|
|
|
struct openbsd_poll_args {
|
|
|
|
struct pollfd *fds;
|
|
|
|
u_int nfds;
|
|
|
|
int timeout;
|
|
|
|
};
|
|
|
|
#endif
|
|
|
|
int
|
2011-09-16 13:58:51 +00:00
|
|
|
sys_openbsd_poll(td, uap)
|
2001-09-12 08:38:13 +00:00
|
|
|
register struct thread *td;
|
1997-09-14 02:30:32 +00:00
|
|
|
register struct openbsd_poll_args *uap;
|
|
|
|
{
|
2011-09-16 13:58:51 +00:00
|
|
|
return (sys_poll(td, (struct poll_args *)uap));
|
1997-09-14 02:30:32 +00:00
|
|
|
}
|
|
|
|
|
2013-06-28 21:00:08 +00:00
|
|
|
/*
|
|
|
|
* XXX This was created specifically to support netncp and netsmb. This
|
|
|
|
* allows the caller to specify a socket to wait for events on. It returns
|
|
|
|
* 0 if any events matched and an error otherwise. There is no way to
|
|
|
|
* determine which events fired.
|
|
|
|
*/
|
|
|
|
int
|
|
|
|
selsocket(struct socket *so, int events, struct timeval *tvp, struct thread *td)
|
|
|
|
{
|
|
|
|
struct timeval rtv;
|
|
|
|
sbintime_t asbt, precision, rsbt;
|
|
|
|
int error;
|
|
|
|
|
2013-06-29 04:35:04 +00:00
|
|
|
precision = 0; /* stupid gcc! */
|
2013-06-28 21:00:08 +00:00
|
|
|
if (tvp != NULL) {
|
|
|
|
rtv = *tvp;
|
|
|
|
if (rtv.tv_sec < 0 || rtv.tv_usec < 0 ||
|
|
|
|
rtv.tv_usec >= 1000000)
|
|
|
|
return (EINVAL);
|
|
|
|
if (!timevalisset(&rtv))
|
|
|
|
asbt = 0;
|
|
|
|
else if (rtv.tv_sec <= INT32_MAX) {
|
|
|
|
rsbt = tvtosbt(rtv);
|
|
|
|
precision = rsbt;
|
|
|
|
precision >>= tc_precexp;
|
|
|
|
if (TIMESEL(&asbt, rsbt))
|
|
|
|
asbt += tc_tick_sbt;
|
2014-04-12 23:29:29 +00:00
|
|
|
if (asbt <= SBT_MAX - rsbt)
|
2013-06-28 21:00:08 +00:00
|
|
|
asbt += rsbt;
|
|
|
|
else
|
|
|
|
asbt = -1;
|
|
|
|
} else
|
|
|
|
asbt = -1;
|
|
|
|
} else
|
|
|
|
asbt = -1;
|
|
|
|
seltdinit(td);
|
|
|
|
/*
|
|
|
|
* Iterate until the timeout expires or the socket becomes ready.
|
|
|
|
*/
|
|
|
|
for (;;) {
|
|
|
|
selfdalloc(td, NULL);
|
|
|
|
error = sopoll(so, events, NULL, td);
|
|
|
|
/* error here is actually the ready events. */
|
|
|
|
if (error)
|
|
|
|
return (0);
|
|
|
|
error = seltdwait(td, asbt, precision);
|
|
|
|
if (error)
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
seltdclear(td);
|
|
|
|
/* XXX Duplicates ncp/smb behavior. */
|
|
|
|
if (error == ERESTART)
|
|
|
|
error = 0;
|
|
|
|
return (error);
|
|
|
|
}
|
|
|
|
|
2007-12-16 06:21:20 +00:00
|
|
|
/*
|
|
|
|
* Preallocate two selfds associated with 'cookie'. Some fo_poll routines
|
|
|
|
* have two select sets, one for read and another for write.
|
|
|
|
*/
|
|
|
|
static void
|
|
|
|
selfdalloc(struct thread *td, void *cookie)
|
|
|
|
{
|
|
|
|
struct seltd *stp;
|
|
|
|
|
|
|
|
stp = td->td_sel;
|
|
|
|
if (stp->st_free1 == NULL)
|
|
|
|
stp->st_free1 = uma_zalloc(selfd_zone, M_WAITOK|M_ZERO);
|
|
|
|
stp->st_free1->sf_td = stp;
|
|
|
|
stp->st_free1->sf_cookie = cookie;
|
|
|
|
if (stp->st_free2 == NULL)
|
|
|
|
stp->st_free2 = uma_zalloc(selfd_zone, M_WAITOK|M_ZERO);
|
|
|
|
stp->st_free2->sf_td = stp;
|
|
|
|
stp->st_free2->sf_cookie = cookie;
|
|
|
|
}
|
|
|
|
|
|
|
|
static void
|
|
|
|
selfdfree(struct seltd *stp, struct selfd *sfp)
|
|
|
|
{
|
|
|
|
STAILQ_REMOVE(&stp->st_selq, sfp, selfd, sf_link);
|
2014-10-23 15:35:47 +00:00
|
|
|
if (sfp->sf_si != NULL) {
|
|
|
|
mtx_lock(sfp->sf_mtx);
|
2014-10-23 19:06:08 +00:00
|
|
|
if (sfp->sf_si != NULL)
|
|
|
|
TAILQ_REMOVE(&sfp->sf_si->si_tdlist, sfp, sf_threads);
|
2014-10-23 15:35:47 +00:00
|
|
|
mtx_unlock(sfp->sf_mtx);
|
|
|
|
}
|
2007-12-16 06:21:20 +00:00
|
|
|
uma_zfree(selfd_zone, sfp);
|
2002-03-14 01:32:30 +00:00
|
|
|
}
|
|
|
|
|
Fix a deficiency in the selinfo interface:
If a selinfo object is recorded (via selrecord()) and then it is
quickly destroyed, with the waiters missing the opportunity to awake,
at the next iteration they will find the selinfo object destroyed,
causing a PF#.
That happens because the selinfo interface has no way to drain the
waiters before to destroy the registered selinfo object. Also this
race is quite rare to get in practice, because it would require a
selrecord(), a poll request by another thread and a quick destruction
of the selrecord()'ed selinfo object.
Fix this by adding the seldrain() routine which should be called
before to destroy the selinfo objects (in order to avoid such case),
and fix the present cases where it might have already been called.
Sometimes, the context is safe enough to prevent this type of race,
like it happens in device drivers which installs selinfo objects on
poll callbacks. There, the destruction of the selinfo object happens
at driver detach time, when all the filedescriptors should be already
closed, thus there cannot be a race.
For this case, mfi(4) device driver can be set as an example, as it
implements a full correct logic for preventing this from happening.
Sponsored by: Sandvine Incorporated
Reported by: rstone
Tested by: pluknet
Reviewed by: jhb, kib
Approved by: re (bz)
MFC after: 3 weeks
2011-08-25 15:51:54 +00:00
|
|
|
/* Drain the waiters tied to all the selfd belonging the specified selinfo. */
|
|
|
|
void
|
|
|
|
seldrain(sip)
|
|
|
|
struct selinfo *sip;
|
|
|
|
{
|
|
|
|
|
|
|
|
/*
|
|
|
|
* This feature is already provided by doselwakeup(), thus it is
|
|
|
|
* enough to go for it.
|
|
|
|
* Eventually, the context, should take care to avoid races
|
|
|
|
* between thread calling select()/poll() and file descriptor
|
|
|
|
* detaching, but, again, the races are just the same as
|
|
|
|
* selwakeup().
|
|
|
|
*/
|
|
|
|
doselwakeup(sip, -1);
|
|
|
|
}
|
|
|
|
|
1994-05-24 10:09:53 +00:00
|
|
|
/*
|
|
|
|
* Record a select request.
|
|
|
|
*/
|
|
|
|
void
|
|
|
|
selrecord(selector, sip)
|
2001-09-12 08:38:13 +00:00
|
|
|
struct thread *selector;
|
1994-05-24 10:09:53 +00:00
|
|
|
struct selinfo *sip;
|
|
|
|
{
|
2007-12-16 06:21:20 +00:00
|
|
|
struct selfd *sfp;
|
|
|
|
struct seltd *stp;
|
|
|
|
struct mtx *mtxp;
|
1994-05-24 10:09:53 +00:00
|
|
|
|
2007-12-16 06:21:20 +00:00
|
|
|
stp = selector->td_sel;
|
|
|
|
/*
|
|
|
|
* Don't record when doing a rescan.
|
|
|
|
*/
|
|
|
|
if (stp->st_flags & SELTD_RESCAN)
|
|
|
|
return;
|
|
|
|
/*
|
|
|
|
* Grab one of the preallocated descriptors.
|
|
|
|
*/
|
|
|
|
sfp = NULL;
|
|
|
|
if ((sfp = stp->st_free1) != NULL)
|
|
|
|
stp->st_free1 = NULL;
|
|
|
|
else if ((sfp = stp->st_free2) != NULL)
|
|
|
|
stp->st_free2 = NULL;
|
|
|
|
else
|
|
|
|
panic("selrecord: No free selfd on selq");
|
2009-07-01 20:43:46 +00:00
|
|
|
mtxp = sip->si_mtx;
|
|
|
|
if (mtxp == NULL)
|
|
|
|
mtxp = mtx_pool_find(mtxpool_select, sip);
|
2007-12-16 06:21:20 +00:00
|
|
|
/*
|
|
|
|
* Initialize the sfp and queue it in the thread.
|
|
|
|
*/
|
|
|
|
sfp->sf_si = sip;
|
|
|
|
sfp->sf_mtx = mtxp;
|
|
|
|
STAILQ_INSERT_TAIL(&stp->st_selq, sfp, sf_link);
|
2002-03-14 01:32:30 +00:00
|
|
|
/*
|
2007-12-16 06:21:20 +00:00
|
|
|
* Now that we've locked the sip, check for initialization.
|
2002-03-14 01:32:30 +00:00
|
|
|
*/
|
2007-12-16 06:21:20 +00:00
|
|
|
mtx_lock(mtxp);
|
|
|
|
if (sip->si_mtx == NULL) {
|
|
|
|
sip->si_mtx = mtxp;
|
|
|
|
TAILQ_INIT(&sip->si_tdlist);
|
2001-01-24 11:12:37 +00:00
|
|
|
}
|
2007-12-16 06:21:20 +00:00
|
|
|
/*
|
|
|
|
* Add this thread to the list of selfds listening on this selinfo.
|
|
|
|
*/
|
|
|
|
TAILQ_INSERT_TAIL(&sip->si_tdlist, sfp, sf_threads);
|
|
|
|
mtx_unlock(sip->si_mtx);
|
1994-05-24 10:09:53 +00:00
|
|
|
}
|
|
|
|
|
2003-11-09 09:17:26 +00:00
|
|
|
/* Wake up a selecting thread. */
|
|
|
|
void
|
|
|
|
selwakeup(sip)
|
|
|
|
struct selinfo *sip;
|
|
|
|
{
|
|
|
|
doselwakeup(sip, -1);
|
|
|
|
}
|
|
|
|
|
|
|
|
/* Wake up a selecting thread, and set its priority. */
|
|
|
|
void
|
|
|
|
selwakeuppri(sip, pri)
|
|
|
|
struct selinfo *sip;
|
|
|
|
int pri;
|
|
|
|
{
|
|
|
|
doselwakeup(sip, pri);
|
|
|
|
}
|
|
|
|
|
1994-05-24 10:09:53 +00:00
|
|
|
/*
|
|
|
|
* Do a wakeup when a selectable event occurs.
|
|
|
|
*/
|
2003-11-09 09:17:26 +00:00
|
|
|
static void
|
|
|
|
doselwakeup(sip, pri)
|
2002-03-14 01:32:30 +00:00
|
|
|
struct selinfo *sip;
|
2003-11-09 09:17:26 +00:00
|
|
|
int pri;
|
1994-05-24 10:09:53 +00:00
|
|
|
{
|
2007-12-16 06:21:20 +00:00
|
|
|
struct selfd *sfp;
|
|
|
|
struct selfd *sfn;
|
|
|
|
struct seltd *stp;
|
1994-05-24 10:09:53 +00:00
|
|
|
|
2007-12-16 06:21:20 +00:00
|
|
|
/* If it's not initialized there can't be any waiters. */
|
|
|
|
if (sip->si_mtx == NULL)
|
2002-03-14 01:32:30 +00:00
|
|
|
return;
|
2007-12-16 06:21:20 +00:00
|
|
|
/*
|
|
|
|
* Locking the selinfo locks all selfds associated with it.
|
|
|
|
*/
|
|
|
|
mtx_lock(sip->si_mtx);
|
|
|
|
TAILQ_FOREACH_SAFE(sfp, &sip->si_tdlist, sf_threads, sfn) {
|
|
|
|
/*
|
|
|
|
* Once we remove this sfp from the list and clear the
|
|
|
|
* sf_si seltdclear will know to ignore this si.
|
|
|
|
*/
|
|
|
|
TAILQ_REMOVE(&sip->si_tdlist, sfp, sf_threads);
|
|
|
|
sfp->sf_si = NULL;
|
|
|
|
stp = sfp->sf_td;
|
|
|
|
mtx_lock(&stp->st_mtx);
|
|
|
|
stp->st_flags |= SELTD_PENDING;
|
|
|
|
cv_broadcastpri(&stp->st_wait, pri);
|
|
|
|
mtx_unlock(&stp->st_mtx);
|
1994-05-24 10:09:53 +00:00
|
|
|
}
|
2007-12-16 06:21:20 +00:00
|
|
|
mtx_unlock(sip->si_mtx);
|
1994-05-24 10:09:53 +00:00
|
|
|
}
|
2001-05-14 05:26:48 +00:00
|
|
|
|
2007-12-16 06:21:20 +00:00
|
|
|
static void
|
|
|
|
seltdinit(struct thread *td)
|
|
|
|
{
|
|
|
|
struct seltd *stp;
|
|
|
|
|
|
|
|
if ((stp = td->td_sel) != NULL)
|
|
|
|
goto out;
|
|
|
|
td->td_sel = stp = malloc(sizeof(*stp), M_SELECT, M_WAITOK|M_ZERO);
|
|
|
|
mtx_init(&stp->st_mtx, "sellck", NULL, MTX_DEF);
|
|
|
|
cv_init(&stp->st_wait, "select");
|
|
|
|
out:
|
|
|
|
stp->st_flags = 0;
|
|
|
|
STAILQ_INIT(&stp->st_selq);
|
|
|
|
}
|
|
|
|
|
|
|
|
static int
|
2013-03-04 16:41:27 +00:00
|
|
|
seltdwait(struct thread *td, sbintime_t sbt, sbintime_t precision)
|
2007-12-16 06:21:20 +00:00
|
|
|
{
|
|
|
|
struct seltd *stp;
|
|
|
|
int error;
|
2001-05-14 05:26:48 +00:00
|
|
|
|
2007-12-16 06:21:20 +00:00
|
|
|
stp = td->td_sel;
|
|
|
|
/*
|
|
|
|
* An event of interest may occur while we do not hold the seltd
|
|
|
|
* locked so check the pending flag before we sleep.
|
|
|
|
*/
|
|
|
|
mtx_lock(&stp->st_mtx);
|
|
|
|
/*
|
|
|
|
* Any further calls to selrecord will be a rescan.
|
|
|
|
*/
|
|
|
|
stp->st_flags |= SELTD_RESCAN;
|
|
|
|
if (stp->st_flags & SELTD_PENDING) {
|
|
|
|
mtx_unlock(&stp->st_mtx);
|
|
|
|
return (0);
|
|
|
|
}
|
2013-03-04 16:41:27 +00:00
|
|
|
if (sbt == 0)
|
|
|
|
error = EWOULDBLOCK;
|
|
|
|
else if (sbt != -1)
|
|
|
|
error = cv_timedwait_sig_sbt(&stp->st_wait, &stp->st_mtx,
|
|
|
|
sbt, precision, C_ABSOLUTE);
|
2007-12-16 06:21:20 +00:00
|
|
|
else
|
|
|
|
error = cv_wait_sig(&stp->st_wait, &stp->st_mtx);
|
|
|
|
mtx_unlock(&stp->st_mtx);
|
|
|
|
|
|
|
|
return (error);
|
|
|
|
}
|
|
|
|
|
|
|
|
void
|
|
|
|
seltdfini(struct thread *td)
|
|
|
|
{
|
|
|
|
struct seltd *stp;
|
|
|
|
|
|
|
|
stp = td->td_sel;
|
|
|
|
if (stp == NULL)
|
|
|
|
return;
|
|
|
|
if (stp->st_free1)
|
|
|
|
uma_zfree(selfd_zone, stp->st_free1);
|
|
|
|
if (stp->st_free2)
|
|
|
|
uma_zfree(selfd_zone, stp->st_free2);
|
|
|
|
td->td_sel = NULL;
|
|
|
|
free(stp, M_SELECT);
|
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Remove the references to the thread from all of the objects we were
|
|
|
|
* polling.
|
|
|
|
*/
|
|
|
|
static void
|
|
|
|
seltdclear(struct thread *td)
|
|
|
|
{
|
|
|
|
struct seltd *stp;
|
|
|
|
struct selfd *sfp;
|
|
|
|
struct selfd *sfn;
|
|
|
|
|
|
|
|
stp = td->td_sel;
|
|
|
|
STAILQ_FOREACH_SAFE(sfp, &stp->st_selq, sf_link, sfn)
|
|
|
|
selfdfree(stp, sfp);
|
|
|
|
stp->st_flags = 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
static void selectinit(void *);
|
|
|
|
SYSINIT(select, SI_SUB_SYSCALLS, SI_ORDER_ANY, selectinit, NULL);
|
2001-05-14 05:26:48 +00:00
|
|
|
static void
|
2007-12-16 06:21:20 +00:00
|
|
|
selectinit(void *dummy __unused)
|
2001-05-14 05:26:48 +00:00
|
|
|
{
|
2009-07-01 20:43:46 +00:00
|
|
|
|
2007-12-16 06:21:20 +00:00
|
|
|
selfd_zone = uma_zcreate("selfd", sizeof(struct selfd), NULL, NULL,
|
|
|
|
NULL, NULL, UMA_ALIGN_PTR, 0);
|
2009-07-01 20:43:46 +00:00
|
|
|
mtxpool_select = mtx_pool_create("select mtxpool", 128, MTX_DEF);
|
2001-05-14 05:26:48 +00:00
|
|
|
}
|