Commit Graph

67 Commits

Author SHA1 Message Date
Poul-Henning Kamp
d37ed5a03a Add a new "file" to procfs: "rlimit" which shows the resource limits for
the process.

PR:		11342
Submitted by:	Adrian Chadd adrian@freebsd.org
Reviewed by:	phk
1999-04-30 13:04:21 +00:00
Poul-Henning Kamp
75c1354190 This Implements the mumbled about "Jail" feature.
This is a seriously beefed up chroot kind of thing.  The process
is jailed along the same lines as a chroot does it, but with
additional tough restrictions imposed on what the superuser can do.

For all I know, it is safe to hand over the root bit inside a
prison to the customer living in that prison, this is what
it was developed for in fact:  "real virtual servers".

Each prison has an ip number associated with it, which all IP
communications will be coerced to use and each prison has its own
hostname.

Needless to say, you need more RAM this way, but the advantage is
that each customer can run their own particular version of apache
and not stomp on the toes of their neighbors.

It generally does what one would expect, but setting up a jail
still takes a little knowledge.

A few notes:

   I have no scripts for setting up a jail, don't ask me for them.

   The IP number should be an alias on one of the interfaces.

   mount a /proc in each jail, it will make ps more useable.

   /proc/<pid>/status tells the hostname of the prison for
   jailed processes.

   Quotas are only sensible if you have a mountpoint per prison.

   There are no privisions for stopping resource-hogging.

   Some "#ifdef INET" and similar may be missing (send patches!)

If somebody wants to take it from here and develop it into
more of a "virtual machine" they should be most welcome!

Tools, comments, patches & documentation most welcome.

Have fun...

Sponsored by:   http://www.rndassociates.com/
Run for almost a year by:       http://www.servetheweb.com/
1999-04-28 11:38:52 +00:00
Poul-Henning Kamp
f711d546d2 Suser() simplification:
1:
  s/suser/suser_xxx/

2:
  Add new function: suser(struct proc *), prototyped in <sys/proc.h>.

3:
  s/suser_xxx(\([a-zA-Z0-9_]*\)->p_ucred, \&\1->p_acflag)/suser(\1)/

The remaining suser_xxx() calls will be scrutinized and dealt with
later.

There may be some unneeded #include <sys/cred.h>, but they are left
as an exercise for Bruce.

More changes to the suser() API will come along with the "jail" code.
1999-04-27 11:18:52 +00:00
Matthew Dillon
831a80b0d5 Fix warnings in preparation for adding -Wall -Wcast-qual to the
kernel compile
1999-01-27 22:42:27 +00:00
Peter Wemm
75ba77578f A partial implementation of the procfs cmdline pseudo-file. This
is enough to satisfy things like StarOffice.  This is a hack, but doing
it properly would be a LOT of work, and would require extensive grovelling
around in the user address space to find the argv[].

Obtained from: Mostly from Andrzej Bialecki <abial@nask.pl>.
1999-01-05 03:53:06 +00:00
Archie Cobbs
2127f26023 Examine all occurrences of sprintf(), strcat(), and str[n]cpy()
for possible buffer overflow problems. Replaced most sprintf()'s
with snprintf(); for others cases, added terminating NUL bytes where
appropriate, replaced constants like "16" with sizeof(), etc.

These changes include several bug fixes, but most changes are for
maintainability's sake. Any instance where it wasn't "immediately
obvious" that a buffer overflow could not occur was made safer.

Reviewed by:	Bruce Evans <bde@zeta.org.au>
Reviewed by:	Matthew Dillon <dillon@apollo.backplane.com>
Reviewed by:	Mike Spengler <mks@networkcs.com>
1998-12-04 22:54:57 +00:00
Bruce Evans
ac1e407b32 Fixed printf format errors. 1998-07-11 07:46:16 +00:00
Dmitrij Tejblum
6bfc1a02b1 Remove "not hungly" panics. Cookies now used by the linux and ibcs2
emulators. The emulators assume that filesystem may just ignore cookies, and
handle this case correctly. So we just ignore cookies.

Also sync *_readdir "prototypes" with reality.
1998-06-25 16:54:41 +00:00
Bruce Evans
a395dbb153 Avoid a 64-bit division in procfs_readdir(). Fixed related overflows.
Check args using the same expression as in fdesc and kernfs.  The check
was actually already correct, modulo overflow.  It could be tightened
up to either allow huge (aligned) offsets, treating them as EOF, or
disallow all offsets beyond EOF.

Didn't fix invalid address calculation &foo[i] where i may be out of
bounds.

Didn't fix shooting of foot using a private unportable dirent struct.
1998-06-14 12:53:39 +00:00
Peter Wemm
7a204420d3 Don't silently accept attempts to change flags where they are not
supported.
1998-06-10 06:34:57 +00:00
Tor Egge
afc6ea238f Disallow reading the current kernel stack. Only the user structure and
the current registers should be accessible.
Reviewed by:	David Greenman <dg@root.com>
1998-05-19 00:00:14 +00:00
Poul-Henning Kamp
a0502b19d4 Add two new functions, get{micro|nano}time.
They are atomic, but return in essence what is in the "time" variable.
gettime() is now a macro front for getmicrotime().

Various patches to use the two new functions instead of the various
hacks used in their absence.

Some puntuation and grammer patches from Bruce.

A couple of XXX comments.
1998-03-26 20:54:05 +00:00
Eivind Eklund
303b270b0a Staticize. 1998-02-09 06:11:36 +00:00
Eivind Eklund
0b08f5f737 Back out DIAGNOSTIC changes. 1998-02-06 12:14:30 +00:00
Eivind Eklund
47cfdb166d Turn DIAGNOSTIC into a new-style option. 1998-02-04 22:34:03 +00:00
John Dyson
95e5e988e0 Make our v_usecount vnode reference count work identically to the
original BSD code.  The association between the vnode and the vm_object
no longer includes reference counts.  The major difference is that
vm_object's are no longer freed gratuitiously from the vnode, and so
once an object is created for the vnode, it will last as long as the
vnode does.

When a vnode object reference count is incremented, then the underlying
vnode reference count is incremented also.  The two "objects" are now
more intimately related, and so the interactions are now much less
complex.

When vnodes are now normally placed onto the free queue with an object still
attached.  The rundown of the object happens at vnode rundown time, and
happens with exactly the same filesystem semantics of the original VFS
code.  There is absolutely no need for vnode_pager_uncache and other
travesties like that anymore.

A side-effect of these changes is that SMP locking should be much simpler,
the I/O copyin/copyout optimizations work, NFS should be more ponderable,
and further work on layered filesystems should be less frustrating, because
of the totally coherent management of the vnode objects and vnodes.

Please be careful with your system while running this code, but I would
greatly appreciate feedback as soon a reasonably possible.
1998-01-06 05:26:17 +00:00
Sean Eric Fagan
dd30ff81d9 Use CHECKIO in procfs_ioctl() to ensure that any changes in UID/GID result
in the expected failure.
1998-01-06 01:37:12 +00:00
Bruce Evans
675ea6f083 Unspammed nested include of <vm/vm_zone.h>. 1997-12-27 02:56:39 +00:00
Sean Eric Fagan
d5f81602a7 Clear the p_stops field on change of user/group id, unless the correct
flag is set in the p_pfsflags field.  This, essentially, prevents an SUID
proram from hanging after being traced.  (E.g., "truss /usr/bin/rlogin" would
fail, but leave rlogin in a stopevent state.)  Yet another case where procctl
is (hopefully ;)) no longer needed in the general case.

Reviewed by:	bde (thanks bruce :))
1997-12-20 03:05:47 +00:00
Sean Eric Fagan
d7b7dcba41 Change the ioctls for procfs around a bit; in particular, whever possible,
change from

	ioctl(fd, PIOC<foo>, &i);

to

	ioctl(fd, PIOC<foo>, i);

This is going from the _IOW to _IO ioctl macro.  The kernel, procctl, and
truss must be in synch for it all to work (not doing so will get errors about
inappropriate ioctl's, fortunately).  Hopefully I didn't forget anything :).
1997-12-13 03:13:49 +00:00
Sean Eric Fagan
ba9d19e99b Fix a problem with procfs_exit() that resulted in missing some procfs
nodes; this also apparantly caused a panic in some circumstances.
Also, since procfs_exit() is getting rid of the nodes when a process
exits, don't bother checking for the process' existance in procfs_inactive().
1997-12-12 03:33:43 +00:00
Sean Eric Fagan
bfcfe2e1b1 A couple of fixes from bruce: first of all, psignal is a void (stupid
me; unfortunately, also makes it hard ot check for errors); second, I had
managed to forget a change to PIOCSFL (it should be _IOW, not _IOR) I had
in my local copy, and Bruce called me on it.

Submitted by:	bde
1997-12-08 22:09:39 +00:00
Sean Eric Fagan
d99616387e Clear the stop events and wakeup the process on teh last close of the
procfs/mem file.  While this doesn't prevent an unkillable process, it
means that a broken truss prorgam won't do it accidently now (well,
there's a small window of opportunity).  Note that this requires the
change to truss I am about to commit.
1997-12-07 04:01:03 +00:00
Sean Eric Fagan
2a024a2b05 Changes to allow event-based process monitoring and control. 1997-12-06 04:11:14 +00:00
Bruce Evans
1cd52ec333 Don't include <sys/lock.h> in headers when only `struct simplelock' is
required.  Fixed everything that depended on the pollution.
1997-12-05 19:55:52 +00:00
Poul-Henning Kamp
4a11ca4e29 Remove a bunch of variables which were unused both in GENERIC and LINT.
Found by:	-Wunused
1997-11-07 08:53:44 +00:00
Bruce Evans
521166c5b2 KNFize rev.1.31. 1997-10-27 15:39:01 +00:00
Bruce Evans
ef91bd5734 Removed unused #includes. The need for most of them went away with
recent changes (docluster* and vfs improvements).
1997-10-27 13:33:47 +00:00
Poul-Henning Kamp
dba3870c10 VFS interior redecoration.
Rename vn_default_error to vop_defaultop all over the place.
Move vn_bwrite from vfs_bio.c to vfs_default.c and call it vop_stdbwrite.
Use vop_null instead of nullop.
Move vop_nopoll from vfs_subr.c to vfs_default.c
Move vop_sharedlock from vfs_subr.c to vfs_default.c
Move vop_nolock from vfs_subr.c to vfs_default.c
Move vop_nounlock from vfs_subr.c to vfs_default.c
Move vop_noislocked from vfs_subr.c to vfs_default.c
Use vop_ebadf instead of *_ebadf.
Add vop_defaultop for getpages on master vnode in MFS.
1997-10-26 20:55:39 +00:00
Poul-Henning Kamp
e9565321ea VFS clean up "hekto commit"
1.  Add defaults for more VOPs
        VOP_LOCK        vop_nolock
        VOP_ISLOCKED    vop_noislocked
        VOP_UNLOCK      vop_nounlock
    and remove direct reference in filesystems.

2.  Rename the nfsv2 vnop tables to improve sorting order.
1997-10-16 22:01:05 +00:00
Poul-Henning Kamp
987f569678 Another VFS cleanup "kilo commit"
1.  Remove VOP_UPDATE, it is (also) an UFS/{FFS,LFS,EXT2FS,MFS}
    intereface function, and now lives in the ufsmount structure.

2.  Remove VOP_SEEK, it was unused.

3.  Add mode default vops:

    VOP_ADVLOCK          vop_einval
    VOP_CLOSE            vop_null
    VOP_FSYNC            vop_null
    VOP_IOCTL            vop_enotty
    VOP_MMAP             vop_einval
    VOP_OPEN             vop_null
    VOP_PATHCONF         vop_einval
    VOP_READLINK         vop_einval
    VOP_REALLOCBLKS      vop_eopnotsupp

    And remove identical functionality from filesystems

4.   Add vop_stdpathconf, which returns the canonical stuff.  Use
     it in the filesystems.  (XXX: It's probably wrong that specfs
     and fifofs sets this vop, shouldn't it come from the "host"
     filesystem, for instance ufs or cd9660 ?)

5.   Try to make system wide VOP functions have vop_* names.

6.   Initialize the um_* vectors in LFS.

(Recompile your LKMS!!!)
1997-10-16 20:32:40 +00:00
Poul-Henning Kamp
cec0f20ce7 VFS mega cleanup commit (x/N)
1.  Add new file "sys/kern/vfs_default.c" where default actions for
    VOPs go. Implement proper defaults for ABORTOP, BWRITE, LEASE,
    POLL, REVOKE and STRATEGY.  Various stuff spread over the entire
    tree belongs here.

2.  Change VOP_BLKATOFF to a normal function in cd9660.

3.  Kill VOP_BLKATOFF, VOP_TRUNCATE, VOP_VFREE, VOP_VALLOC.  These
    are private interface functions between UFS and the underlying
    storage manager layer (FFS/LFS/MFS/EXT2FS).  The functions now
    live in struct ufsmount instead.

4.  Remove a kludge of VOP_ functions in all filesystems, that did
    nothing but obscure the simplicity and break the expandability.
    If a filesystem doesn't implement VOP_FOO, it shouldn't have an
    entry for it in its vnops table.  The system will try to DTRT
    if it is not implemented.  There are still some cruft left, but
    the bulk of it is done.

5.  Fix another VCALL in vfs_cache.c (thanks Bruce!)
1997-10-16 10:50:27 +00:00
Poul-Henning Kamp
6a525123aa Hmm, realign the vnops into two columns. 1997-10-15 10:05:29 +00:00
Poul-Henning Kamp
539ef70c2d Stylistic overhaul of vnops tables.
1. Remove comment stating the blatantly obvious.
        2. Align in two columns.
        3. Sort all but the default element alphabetically.
        4. Remove XXX comments pointing out entries not needed.
1997-10-15 09:22:02 +00:00
John Dyson
99448ed11d Change the M_NAMEI allocations to use the zone allocator. This change
plus the previous changes to use the zone allocator decrease the useage
of malloc by half.  The Zone allocator will be upgradeable to be able
to use per CPU-pools, and has more intelligent usage of SPLs.  Additionally,
it has reasonable stats gathering capabilities, while making most calls
inline.
1997-09-21 04:24:27 +00:00
Peter Wemm
a6aeade2c4 Convert select -> poll.
Delete 'always succeed' select/poll handlers, replaced with generic call.
Flag missing vnode op table entries.
1997-09-14 02:58:12 +00:00
Sean Eric Fagan
49356a1f4a Fix procfs security hole -- check permissions on meaningful I/Os (namely,
reading/writing of mem and regs).  Also have to check for the requesting
process being group KMEM -- this is a bit of a hack, but ps et al need it.

Reviewed by:	davidg
1997-08-12 04:34:30 +00:00
Bruce Evans
1fd0b0588f Removed unused #includes. 1997-08-02 14:33:27 +00:00
Bruce Evans
a3d13e5054 Fixed procfs's locking vops. They were missed in the Lite2 merge,
partly because the #define's for them were moved to a different
file.  At least the null VOP_LOCK() no longer works, since vclean()
expects VOP_LOCK( ..., LK_DRAIN | LK_INTERLOCK, ...) to clear the
interlock.  This probably only matters when simple_lock() is not
null, i.e., when there are multiple CPUs or SIMPLELOCK_DEBUG is
defined.
1997-02-24 16:44:11 +00:00
Peter Wemm
6875d25465 Back out part 1 of the MCFH that changed $Id$ to $FreeBSD$. We are not
ready for it yet.
1997-02-22 09:48:43 +00:00
Mike Pritchard
724ab19569 Add function prototypes for most of the new Lite2 functions.
Also made a few of the miscfs routines static to be
consistent.  Some modules simply required some additional
#includes to remove -Wall warnings.
1997-02-12 06:52:51 +00:00
John Dyson
996c772f58 This is the kernel Lite/2 commit. There are some requisite userland
changes, so don't expect to be able to run the kernel as-is (very well)
without the appropriate Lite/2 userland changes.

The system boots and can mount UFS filesystems.

Untested: ext2fs, msdosfs, NFS
Known problems: Incorrect Berkeley ID strings in some files.
		Mount_std mounts will not work until the getfsent
		library routine is changed.

Reviewed by:	various people
Submitted by:	Jeffery Hsu <hsu@freebsd.org>
1997-02-10 02:22:35 +00:00
Jordan K. Hubbard
1130b656e5 Make the long-awaited change from $Id$ to $FreeBSD$
This will make a number of things easier in the future, as well as (finally!)
avoiding the Id-smashing problem which has plagued developers for so long.

Boy, I'm glad we're not using sup anymore.  This update would have been
insane otherwise.
1997-01-14 07:20:47 +00:00
Bruce Evans
b71fec07db Eliminated nested include of <sys/unistd.h> in <sys/file.h> in the kernel.
Include it directly in the few places where it is used.

Reduced some #includes of <sys/file.h> to #includes of <sys/fcntl.h> or
nothing.
1996-09-03 14:25:27 +00:00
John Dyson
6ead3edd9c Clean-up the new VM map procfs code, and also add support for executable
format file "etype".  It contains a description of the binary type for
a process.
1996-06-18 05:16:00 +00:00
John Dyson
9353aadd89 Add a feature to procfs to allow display of the process address map
with multiple entries as follows:

	start address, end address, resident pages in range, private pages
		in range, RW/RO, COW or not, (vnode/device/swap/default).
1996-06-17 22:43:36 +00:00
Jeffrey Hsu
5a18c60a63 For Lite2: proc LIST changes.
Reviewed by:	davidg & bde
1996-03-11 06:13:09 +00:00
Peter Wemm
0cc7521383 Major fixes for procfs..
Implement a "variable" directory structure. Files that do not make
sense for the given process do not "appear" and cannot be opened.
For example, "system" processes do not have "file", "regs" or "fpregs",
because they do not have a user area.

"attempt" to fill in the user area of a given process when it is being
accessed via /proc/pid/mem (the user struct is just after
VM_MAXUSER_ADDRESS in the process address space.)

Dont do IO to the U area while it's swapped, hold it in place if possible.

Lock off access to the "ctl" file if it's done a setuid like the other
pseudo-files in there.
1996-01-24 18:41:41 +00:00
Bruce Evans
fcf985ad5d Moved declarations for static functions to the correct place (not in a
header).

Removed stupid comments.
1995-11-16 11:39:11 +00:00
Bruce Evans
f57e65478d Introduced a type `vop_t' for vnode operation functions and used
it 1138 times (:-() in casts and a few more times in declarations.
This change is null for the i386.

The type has to be `typedef int vop_t(void *)' and not `typedef
int vop_t()' because `gcc -Wstrict-prototypes' warns about the
latter.  Since vnode op functions are called with args of different
(struct pointer) types, neither of these function types is any use
for type checking of the arg, so it would be preferable not to use
the complete function type, especially since using the complete
type requires adding 1138 casts to avoid compiler warnings and
another 40+ casts to reverse the function pointer conversions before
calling the functions.
1995-11-09 08:17:23 +00:00