Commit Graph

109 Commits

Author SHA1 Message Date
Allan Jude
3491f5d422 Fix build error on gcc platforms
Approved by:	bapt (mentor)
2015-09-05 19:28:41 +00:00
Allan Jude
474b62b876 Introduce libxo to procstat(1)
Reviewed by:	rodrigc, bapt
Approved by:	marcel (mentor)
Relnotes:	yes
Sponsored by:	ScaleEngine Inc.
Differential Revision:	https://reviews.freebsd.org/D2446
2015-09-05 17:02:01 +00:00
Ed Schouten
bc1ace0b96 Decompose linkat()/renameat() rights to source and target.
To make it easier to understand how Capsicum interacts with linkat() and
renameat(), rename the rights to CAP_{LINK,RENAME}AT_{SOURCE,TARGET}.

This also addresses a shortcoming in Capsicum, where it isn't possible
to disable linking to files stored in a directory. Creating hardlinks
essentially makes it possible to access files with additional rights.

Reviewed by:	rwatson, wblock
Differential Revision:	https://reviews.freebsd.org/D3411
2015-08-27 15:16:41 +00:00
Simon J. Gerraty
ccfb965433 Add META_MODE support.
Off by default, build behaves normally.
WITH_META_MODE we get auto objdir creation, the ability to
start build from anywhere in the tree.

Still need to add real targets under targets/ to build packages.

Differential Revision:       D2796
Reviewed by: brooks imp
2015-06-13 19:20:56 +00:00
Simon J. Gerraty
44d314f704 dirdeps.mk now sets DEP_RELDIR
2015-06-08 23:35:17 +00:00
Simon J. Gerraty
98e0ffaefb Merge sync of head
2015-05-27 01:19:58 +00:00
Allan Jude
04017fc7a4 Create links to the libprocstat man pages for all of the libprocstat functions so they can be looked up by name
Add a cross reference to libprocstat in the procstat.1 man page

Differential Revision:	https://reviews.freebsd.org/D2578
Suggested by:	jmg
Reviewed by:	brueffer
Approved by:	wblock (mentor)
MFC after:	1 week
Sponsored by:	ScaleEngine Inc.
2015-05-21 03:32:44 +00:00
John Baldwin
179fa75e6e Reassign copyright statements on several files from Advanced
Computing Technologies LLC to Hudson River Trading LLC.

Approved by:	Hudson River Trading LLC (who owns ACT LLC)
MFC after:	1 week
2015-04-23 14:22:20 +00:00
Scott Long
a506f1dd7f Fix a typo and update the date in the man page.
Submitted by:	emax
Obtained from:	Netflix, Inc.
MFC after:	3 days
2015-03-11 08:08:54 +00:00
Scott Long
cee9136cc6 Implement basic cpuset reporting in procstat via the -S flag.
Obtained from:	Netflix, Inc.
MFC after:	3 days
2015-03-10 09:41:48 +00:00
Baptiste Daroussin
3e11bd9e2a Convert usr.bin/ to LIBADD
Reduce overlinking
2014-11-25 14:29:10 +00:00
Simon J. Gerraty
ee7b0571c2 Merge head from 7/28
2014-08-19 06:50:54 +00:00
Robert Watson
587be2d8fe In "procstat -v" (VM), spell out 'FL' to 'FLAG' since there are two extra
columns available anyway.  Also left align as we tend to do for flags
fields, although you can't see that currently as the string fully fills
the available columns.

MFC after:	3 days
Sponsored by:	DARPA, AFRL
2014-07-20 20:11:34 +00:00
Robert Watson
9fa958082f Better align headers and data for 'procstat -f' with and without '-C'.
MFC after:	3 days
Sponsored by:	DARPA, AFRL
2014-07-19 15:09:53 +00:00
Xin LI
0196728184 Use correct length for buffer.
Submitted by:	Sascha Wildner <swildner dragonflybsd org>
MFC after:	2 weeks
2014-06-25 23:42:53 +00:00
John Baldwin
cb3530163a Add descriptions of the display formats for -e, -l, -r, and -x. Fix a few
typos in indent settings while here.
2014-05-17 16:12:50 +00:00
John Baldwin
27705da488 Use 'RESOURCE' instead of the more generic 'TYPE' for the resource name
column header when displaying resource usage.  This more closely matches
other procstat displays.
2014-05-17 16:11:06 +00:00
John Baldwin
81c3d3958a Correct some minor nits in the per-thread signal format description such
as missing possessives and misordering of fields.

MFC after:	1 week
2014-05-17 04:06:54 +00:00
John Baldwin
dc0aa0675b - Add support for dumping current resource usage for processes via a new -r
flag to procstat.
- Add an -H flag to request information about threads rather than processes
  when dumping statistics.  Currently it is only used for -r to display
  resource usage for individual threads instead of the entire process.

Reviewed by:	kib (older version without -H)
MFC after:	1 month
2014-05-17 03:54:51 +00:00
Simon J. Gerraty
fae50821ae Updated dependencies
2014-05-16 14:09:51 +00:00
Simon J. Gerraty
76b28ad6ab Updated dependencies
2014-05-10 05:16:28 +00:00
Simon J. Gerraty
3b8f084595 Merge head
2014-04-28 07:50:45 +00:00
Robert Watson
b881b8be1d Update most userspace consumers of capability.h to use capsicum.h instead.
auditdistd is not updated as I will make the change upstream and then do a
vendor import sometime in the next week or two.

MFC after:	3 weeks
2014-03-16 11:04:44 +00:00
John Baldwin
2db08c03f0 Expose OBJT_MGTDEVICE VM objects used for GEM/TTM with drm2 as an
explicit object type.

Reviewed by:	kib
MFC after:	1 week
2014-02-11 21:57:37 +00:00
Pawel Jakub Dawidek
ed5848c835 Replace CAP_POLL_EVENT and CAP_POST_EVENT capability rights (which I had
a very hard time fully understanding) with much more intuitive rights:

	CAP_EVENT - when set on descriptor, the descriptor can be monitored
		with syscalls like select(2), poll(2), kevent(2).

	CAP_KQUEUE_EVENT - When set on a kqueue descriptor, the kevent(2)
		syscall can be called on this kqueue with the eventlist
		argument set to a non-NULL value; in other words the given
		kqueue descriptor can be used to monitor other descriptors.
	CAP_KQUEUE_CHANGE - When set on a kqueue descriptor, the kevent(2)
		syscall can be called on this kqueue with the changelist
		argument set to a non-NULL value; in other words it allows
		modifying events monitored with the given kqueue descriptor.

Add alias CAP_KQUEUE, which allows for both CAP_KQUEUE_EVENT and
CAP_KQUEUE_CHANGE.

Add backward compatibility define CAP_POLL_EVENT which is equal to CAP_EVENT.

Sponsored by:	The FreeBSD Foundation
MFC after:	3 days
2013-11-15 19:55:35 +00:00
Mark Johnston
7aa2b6928f With r247602, the "c" flag is no longer printed as a file descriptor flag.
Reviewed by:	pjd
MFC after:	3 days
2013-10-28 00:20:30 +00:00
Konstantin Belousov
85a0ddfd0b Add a resource limit for the total number of kqueues available to the
user.  Kqueue now saves the ucred of the allocating thread, to
correctly decrement the counter on close.

Under some specific and not real-world use scenarios for kqueue, it is
possible for the kqueues to consume memory proportional to the square
of the number of file descriptors available to the process.  The limit
allows the administrator to prevent the abuse.

This is kernel-mode side of the change, with the user-mode enabling
commit following.

Reported and tested by:	pho
Discussed with:	jmg
Sponsored by:	The FreeBSD Foundation
MFC after:	2 weeks
2013-10-21 16:46:12 +00:00
Simon J. Gerraty
3caf0790a8 Merge head@256284
2013-10-13 02:35:19 +00:00
Simon J. Gerraty
34b33809b7 Updated dependencies
2013-10-13 00:24:00 +00:00
Bryan Drewery
643fe75c7a cap_new(2) and cap_getrights(2) were replaced with cap_rights_limit(2)
and cap_rights_get(2) in r247602

Reviewed by:	pjd
Approved by:	gjb
Approved by:	re (rodrigc)
2013-09-19 10:56:36 +00:00
Simon J. Gerraty
d1d0158641 Merge from head
2013-09-05 20:18:59 +00:00
Pawel Jakub Dawidek
7008be5bd7 Change the cap_rights_t type from uint64_t to a structure that we can extend
in the future in a backward compatible (API and ABI) way.

The cap_rights_t represents capability rights. We used to use one bit to
represent one right, but we are running out of spare bits. Currently the new
structure provides place for 114 rights (so 50 more than the previous
cap_rights_t), but it is possible to grow the structure to hold at least 285
rights, although we can make it even larger if 285 rights won't be enough.

The structure definition looks like this:

	struct cap_rights {
		uint64_t	cr_rights[CAP_RIGHTS_VERSION + 2];
	};

The initial CAP_RIGHTS_VERSION is 0.

The top two bits in the first element of the cr_rights[] array contain the total
number of elements in the array minus 2. This means if those two bits are equal to
0, we have 2 array elements.

The top two bits in all remaining array elements should be 0.
The next five bits in all array elements contain the array index. Only one bit is
used, and the bit position in this five-bit range defines the array index. This means
there can be at most five array elements in the future.

To define a new right the CAPRIGHT() macro must be used. The macro takes two
arguments - an array index and a bit to set, e.g.

	#define	CAP_PDKILL	CAPRIGHT(1, 0x0000000000000800ULL)

We still support aliases that combine a few rights, but the rights have to belong
to the same array element, e.g.:

	#define	CAP_LOOKUP	CAPRIGHT(0, 0x0000000000000400ULL)
	#define	CAP_FCHMOD	CAPRIGHT(0, 0x0000000000002000ULL)

	#define	CAP_FCHMODAT	(CAP_FCHMOD | CAP_LOOKUP)

There is new API to manage the new cap_rights_t structure:

	cap_rights_t *cap_rights_init(cap_rights_t *rights, ...);
	void cap_rights_set(cap_rights_t *rights, ...);
	void cap_rights_clear(cap_rights_t *rights, ...);
	bool cap_rights_is_set(const cap_rights_t *rights, ...);

	bool cap_rights_is_valid(const cap_rights_t *rights);
	void cap_rights_merge(cap_rights_t *dst, const cap_rights_t *src);
	void cap_rights_remove(cap_rights_t *dst, const cap_rights_t *src);
	bool cap_rights_contains(const cap_rights_t *big, const cap_rights_t *little);

Capability rights to the cap_rights_init(), cap_rights_set(),
cap_rights_clear() and cap_rights_is_set() functions are provided by
separating them with commas, eg:

	cap_rights_t rights;

	cap_rights_init(&rights, CAP_READ, CAP_WRITE, CAP_FSTAT);

There is no need to terminate the list of rights, as those functions are
actually macros that take care of the termination, eg:

	#define	cap_rights_set(rights, ...)				\
		__cap_rights_set((rights), __VA_ARGS__, 0ULL)
	void __cap_rights_set(cap_rights_t *rights, ...);

Thanks to using one bit as an array index we can assert in those functions that
there are no two rights belonging to different array elements provided
together. For example this is illegal and will be detected, because CAP_LOOKUP
belongs to element 0 and CAP_PDKILL to element 1:

	cap_rights_init(&rights, CAP_LOOKUP | CAP_PDKILL);

Providing several rights that belong to the same array element this way is
correct, but is not advised. It should only be used for defining aliases.

This commit also breaks compatibility with some existing Capsicum system calls,
but I see no other way to do that. This should be fine as Capsicum is still
experimental and this change is not going to 9.x.

Sponsored by:	The FreeBSD Foundation
2013-09-05 00:09:56 +00:00
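The cap_rights_t layout and API described in the commit message above, as an added example that is not FreeBSD's code: a stand-alone C re-implementation of the encoding (version bits, one-hot index bits, CAPRIGHT(), and the 0ULL-terminated variadic init/set/clear/is_set macros) so that the "rights from different array elements cannot be combined" check can be exercised on any platform. The exact bit positions are an assumption consistent with the description (bits 62-63 of element 0 hold the array length minus 2, bits 57-61 of every element hold the one-hot index, bits 0-56 hold the rights); the four CAP_* values are the ones quoted in the message, and the helper names (cap_rights_walk, cap_rights_op, cap_rights_init_impl, OP_*, the demo_* functions) are this example's own. Where FreeBSD's functions assert on an illegal right, this version returns NULL from cap_rights_init() and false from the set/clear/is_set helpers instead.

```c
#include <stdarg.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define CAP_RIGHTS_VERSION   0
#define CAP_RIGHTS_ARRAY_LEN (CAP_RIGHTS_VERSION + 2)

typedef struct cap_rights { uint64_t cr_rights[CAP_RIGHTS_ARRAY_LEN]; } cap_rights_t;

/* Assumed layout: bits 62-63 of element 0 = (array length - 2), bits 57-61 of
 * every element = one-hot array index, bits 0-56 = the rights themselves. */
#define CAPRIGHT(idx, bit) ((1ULL << (57 + (idx))) | (bit))
#define CAPIDXBIT(r)       ((int)(((r) >> 57) & 0x1F))

/* The rights quoted in the commit message. */
#define CAP_LOOKUP   CAPRIGHT(0, 0x0000000000000400ULL)
#define CAP_FCHMOD   CAPRIGHT(0, 0x0000000000002000ULL)
#define CAP_FCHMODAT (CAP_FCHMOD | CAP_LOOKUP)   /* alias: both halves in element 0 */
#define CAP_PDKILL   CAPRIGHT(1, 0x0000000000000800ULL)

enum { OP_SET, OP_CLEAR, OP_ISSET };   /* this example's own operation codes */

/* Array index encoded in a right, or -1 when the index bits are not one-hot,
 * which is exactly what OR'ing rights from different elements produces. */
static int cap_right_index(unsigned long long right) {
	for (int idx = 0; idx < CAP_RIGHTS_ARRAY_LEN; idx++)
		if (CAPIDXBIT(right) == (1 << idx))
			return idx;
	return -1;
}

/* Walk a 0ULL-terminated list of rights; false if any right is illegal (FreeBSD
 * asserts there; this example reports) or, for OP_ISSET, not present. */
static bool cap_rights_walk(cap_rights_t *rights, int op, va_list ap) {
	unsigned long long right;
	bool ok = true;
	while ((right = va_arg(ap, unsigned long long)) != 0ULL) {
		int idx = cap_right_index(right);
		if (idx < 0) { ok = false; continue; }
		if (op == OP_SET)
			rights->cr_rights[idx] |= right;
		else if (op == OP_CLEAR)   /* drop the bits, keep the element's index bit */
			rights->cr_rights[idx] &= ~right | (1ULL << (57 + idx));
		else if ((rights->cr_rights[idx] & right) != right)
			ok = false;
	}
	return ok;
}

static bool cap_rights_op(cap_rights_t *rights, int op, ...) {
	va_list ap;
	va_start(ap, op);
	bool ok = cap_rights_walk(rights, op, ap);
	va_end(ap);
	return ok;
}
#define cap_rights_set(rights, ...)    cap_rights_op((rights), OP_SET, __VA_ARGS__, 0ULL)
#define cap_rights_clear(rights, ...)  cap_rights_op((rights), OP_CLEAR, __VA_ARGS__, 0ULL)
#define cap_rights_is_set(rights, ...) cap_rights_op((rights), OP_ISSET, __VA_ARGS__, 0ULL)

/* Element i starts as its one-hot index bit; element 0 also carries the
 * version (length - 2) in its top two bits.  NULL means an illegal right. */
static cap_rights_t *cap_rights_init_impl(int version, cap_rights_t *rights, ...) {
	va_list ap;
	for (int i = 0; i < CAP_RIGHTS_ARRAY_LEN; i++)
		rights->cr_rights[i] = 1ULL << (57 + i);
	rights->cr_rights[0] |= (uint64_t)version << 62;
	va_start(ap, rights);
	bool ok = cap_rights_walk(rights, OP_SET, ap);
	va_end(ap);
	return ok ? rights : NULL;
}
#define cap_rights_init(...) cap_rights_init_impl(CAP_RIGHTS_VERSION, __VA_ARGS__, 0ULL)

/* A descriptor limited to CAP_LOOKUP and CAP_FCHMOD satisfies the alias CAP_FCHMODAT
 * (same element) but not CAP_PDKILL (element 1); clearing CAP_LOOKUP afterwards
 * breaks the alias but leaves CAP_FCHMOD intact.  The top two bits of element 0
 * must still read back as "2 elements". */
static bool demo_alias_and_elements(void) {
	cap_rights_t r;
	if (cap_rights_init(&r, CAP_LOOKUP, CAP_FCHMOD) == NULL ||
	    (int)(r.cr_rights[0] >> 62) + 2 != CAP_RIGHTS_ARRAY_LEN)
		return false;
	if (!cap_rights_is_set(&r, CAP_FCHMODAT) || cap_rights_is_set(&r, CAP_PDKILL))
		return false;
	cap_rights_set(&r, CAP_PDKILL);
	cap_rights_clear(&r, CAP_LOOKUP);
	return cap_rights_is_set(&r, CAP_PDKILL, CAP_FCHMOD) && !cap_rights_is_set(&r, CAP_FCHMODAT);
}

/* The illegal form from the message: element 0 and element 1 OR'ed together. */
static bool demo_mixed_elements_rejected(void) {
	cap_rights_t r;
	return cap_rights_init(&r, CAP_LOOKUP | CAP_PDKILL) == NULL;
}

int main(void) {
	printf("alias/element check: %s\n", demo_alias_and_elements() ? "ok" : "FAIL");
	printf("mixed elements rejected: %s\n", demo_mixed_elements_rejected() ? "ok" : "FAIL");
	return 0;
}
```

The one-hot index is what makes the mixed-element check cheap: a legal right has exactly one of the five index bits set, so `CAP_LOOKUP | CAP_PDKILL` (bits 57 and 58 both set) is recognised before any element is touched, which is the property the message relies on to detect rights from different elements being passed together.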
Pawel Jakub Dawidek
f5ffdfc18b Make the "FD" column one character wider, so that "trace" can also align
properly.
2013-08-18 10:44:37 +00:00
Mikolaj Golub
948baa409b Make use of newly added libprocstat(3) ability to extract procstat
info from a process core file.

So now one can run procstat(1) on a process core e.g. to get a list of
files opened by a process when it crashed:

root@lisa:/ # procstat -f /root/vi.core
  PID COMM               FD T V FLAGS     REF  OFFSET PRO NAME
  658 vi               text v r r--------   -       - -   /usr/bin/vi
  658 vi               ctty v c rw-------   -       - -   /dev/pts/0
  658 vi                cwd v d r--------   -       - -   /root
  658 vi               root v d r--------   -       - -   /
  658 vi                  0 v c rw-------  11    3208 -   /dev/pts/0
  658 vi                  1 v c rw-------  11    3208 -   /dev/pts/0
  658 vi                  2 v c rw-------  11    3208 -   /dev/pts/0
  658 vi                  3 v r r----n-l-   1       0 -   /tmp/vi.0AYKz3Lps7
  658 vi                  4 v r rw-------   1       0 -   /var/tmp/vi.recover/vi.GaGYsz
  658 vi                  5 v r rw-------   1       0 -   -

PR:		kern/173723
Suggested by:	jhb
MFC after:	1 month
2013-04-20 08:22:09 +00:00
Mikolaj Golub
d86fa0c72c Use procstat_getkstack(3) for retrieving process kernel stacks
instead of direct sysctl calls.

MFC after:	1 month
2013-04-20 08:19:06 +00:00
Mikolaj Golub
61e1b7c67b Use libprocstat(3) to retrieve ELF auxiliary vector.
MFC after:	1 month
2013-04-20 08:15:43 +00:00
Mikolaj Golub
729e63c34b Use libprocstat(3) to retrieve process command line arguments and
environment variables.

MFC after:	1 month
2013-04-20 08:08:29 +00:00
Mikolaj Golub
66e2f9998b Use libprocstat(3) when retrieving binary information for a process.
MFC after:	1 month
2013-04-20 08:05:04 +00:00
Mikolaj Golub
21b4f75a2c Use procstat_getrlimit(3) for retrieving rlimit information instead of
direct sysctl calls.

MFC after:	1 month
2013-04-20 08:01:00 +00:00
Mikolaj Golub
90a15eb9cb Use procstat_getumask(3) for retrieving umask information instead of
direct sysctl.

MFC after:	1 month
2013-04-20 07:58:20 +00:00
Mikolaj Golub
e40d6078cd Use procstat_getgroups(3) for retrieving groups information instead of
direct sysctl.

MFC after:	1 month
2013-04-20 07:55:31 +00:00
Mikolaj Golub
eee7107cfb Use more generic procstat_getvmmap(3) for retrieving VM layout of a process.
MFC after:	1 month
2013-04-20 07:52:23 +00:00
Mikolaj Golub
efade1503b Use procstat_getprocs(3) for retrieving thread information instead of
direct sysctl calls.

MFC after:	1 month
2013-04-20 07:50:59 +00:00
Simon J. Gerraty
69e6d7b75e sync from head
2013-04-12 20:48:55 +00:00
Simon J. Gerraty
7cf3a1c6b2 Updated dependencies
2013-03-11 17:21:52 +00:00
Pawel Jakub Dawidek
7493f24ee6 - Implement two new system calls:
	int bindat(int fd, int s, const struct sockaddr *addr, socklen_t addrlen);
	int connectat(int fd, int s, const struct sockaddr *name, socklen_t namelen);

  which allow binding and connecting, respectively, to a UNIX domain socket with a
  path relative to the directory associated with the given file descriptor 'fd'.

- Add manual pages for the new syscalls.

- Make the new syscalls available for processes in capability mode sandbox.

- Add capability rights CAP_BINDAT and CAP_CONNECTAT that have to be present on
  the directory descriptor for the syscalls to work.

- Update audit(4) to support those two new syscalls and to handle path
  in sockaddr_un structure relative to the given directory descriptor.

- Update procstat(1) to recognize the new capability rights.

- Document the new capability rights in cap_rights_limit(2).

Sponsored by:	The FreeBSD Foundation
Discussed with:	rwatson, jilles, kib, des
2013-03-02 21:11:30 +00:00
Pawel Jakub Dawidek
2609222ab4 Merge Capsicum overhaul:
- Capability is no longer a separate descriptor type. Now every descriptor
  has a set of its own capability rights.

- The cap_new(2) system call is left, but it is no longer documented and
  should not be used in new code.

- The new syscall cap_rights_limit(2) should be used instead of
  cap_new(2), which limits capability rights of the given descriptor
  without creating a new one.

- The cap_getrights(2) syscall is renamed to cap_rights_get(2).

- If the CAP_IOCTL capability right is present we can further reduce the allowed
  ioctls list with the new cap_ioctls_limit(2) syscall. The list of allowed
  ioctls can be retrieved with the cap_ioctls_get(2) syscall.

- If the CAP_FCNTL capability right is present we can further reduce the fcntls
  that can be used with the new cap_fcntls_limit(2) syscall and retrieve
  them with cap_fcntls_get(2).

- To support ioctl and fcntl white-listing the filedesc structure was
  heavily modified.

- The audit subsystem, kdump and procstat tools were updated to
  recognize new syscalls.

- Capability rights were revised and even though I tried hard to provide
  backward API and ABI compatibility there are some incompatible changes
  that are described in detail below:

	CAP_CREATE old behaviour:
	- Allow for openat(2)+O_CREAT.
	- Allow for linkat(2).
	- Allow for symlinkat(2).
	CAP_CREATE new behaviour:
	- Allow for openat(2)+O_CREAT.

	Added CAP_LINKAT:
	- Allow for linkat(2). ABI: Reuses CAP_RMDIR bit.
	- Allow to be target for renameat(2).

	Added CAP_SYMLINKAT:
	- Allow for symlinkat(2).

	Removed CAP_DELETE. Old behaviour:
	- Allow for unlinkat(2) when removing non-directory object.
	- Allow to be source for renameat(2).

	Removed CAP_RMDIR. Old behaviour:
	- Allow for unlinkat(2) when removing directory.

	Added CAP_RENAMEAT:
	- Required for source directory for the renameat(2) syscall.

	Added CAP_UNLINKAT (effectively it replaces CAP_DELETE and CAP_RMDIR):
	- Allow for unlinkat(2) on any object.
	- Required if target of renameat(2) exists and will be removed by this
	  call.

	Removed CAP_MAPEXEC.

	CAP_MMAP old behaviour:
	- Allow for mmap(2) with any combination of PROT_NONE, PROT_READ and
	  PROT_WRITE.
	CAP_MMAP new behaviour:
	- Allow for mmap(2)+PROT_NONE.

	Added CAP_MMAP_R:
	- Allow for mmap(PROT_READ).
	Added CAP_MMAP_W:
	- Allow for mmap(PROT_WRITE).
	Added CAP_MMAP_X:
	- Allow for mmap(PROT_EXEC).
	Added CAP_MMAP_RW:
	- Allow for mmap(PROT_READ | PROT_WRITE).
	Added CAP_MMAP_RX:
	- Allow for mmap(PROT_READ | PROT_EXEC).
	Added CAP_MMAP_WX:
	- Allow for mmap(PROT_WRITE | PROT_EXEC).
	Added CAP_MMAP_RWX:
	- Allow for mmap(PROT_READ | PROT_WRITE | PROT_EXEC).

	Renamed CAP_MKDIR to CAP_MKDIRAT.
	Renamed CAP_MKFIFO to CAP_MKFIFOAT.
	Renamed CAP_MKNODE to CAP_MKNODEAT.

	CAP_READ old behaviour:
	- Allow pread(2).
	- Disallow read(2), readv(2) (if there is no CAP_SEEK).
	CAP_READ new behaviour:
	- Allow read(2), readv(2).
	- Disallow pread(2) (CAP_SEEK was also required).

	CAP_WRITE old behaviour:
	- Allow pwrite(2).
	- Disallow write(2), writev(2) (if there is no CAP_SEEK).
	CAP_WRITE new behaviour:
	- Allow write(2), writev(2).
	- Disallow pwrite(2) (CAP_SEEK was also required).

	Added convenient defines:

	#define	CAP_PREAD		(CAP_SEEK | CAP_READ)
	#define	CAP_PWRITE		(CAP_SEEK | CAP_WRITE)
	#define	CAP_MMAP_R		(CAP_MMAP | CAP_SEEK | CAP_READ)
	#define	CAP_MMAP_W		(CAP_MMAP | CAP_SEEK | CAP_WRITE)
	#define	CAP_MMAP_X		(CAP_MMAP | CAP_SEEK | 0x0000000000000008ULL)
	#define	CAP_MMAP_RW		(CAP_MMAP_R | CAP_MMAP_W)
	#define	CAP_MMAP_RX		(CAP_MMAP_R | CAP_MMAP_X)
	#define	CAP_MMAP_WX		(CAP_MMAP_W | CAP_MMAP_X)
	#define	CAP_MMAP_RWX		(CAP_MMAP_R | CAP_MMAP_W | CAP_MMAP_X)
	#define	CAP_RECV		CAP_READ
	#define	CAP_SEND		CAP_WRITE

	#define	CAP_SOCK_CLIENT \
		(CAP_CONNECT | CAP_GETPEERNAME | CAP_GETSOCKNAME | CAP_GETSOCKOPT | \
		 CAP_PEELOFF | CAP_RECV | CAP_SEND | CAP_SETSOCKOPT | CAP_SHUTDOWN)
	#define	CAP_SOCK_SERVER \
		(CAP_ACCEPT | CAP_BIND | CAP_GETPEERNAME | CAP_GETSOCKNAME | \
		 CAP_GETSOCKOPT | CAP_LISTEN | CAP_PEELOFF | CAP_RECV | CAP_SEND | \
		 CAP_SETSOCKOPT | CAP_SHUTDOWN)

	Added defines for backward API compatibility:

	#define	CAP_MAPEXEC		CAP_MMAP_X
	#define	CAP_DELETE		CAP_UNLINKAT
	#define	CAP_MKDIR		CAP_MKDIRAT
	#define	CAP_RMDIR		CAP_UNLINKAT
	#define	CAP_MKFIFO		CAP_MKFIFOAT
	#define	CAP_MKNOD		CAP_MKNODAT
	#define	CAP_SOCK_ALL		(CAP_SOCK_CLIENT | CAP_SOCK_SERVER)

Sponsored by:	The FreeBSD Foundation
Reviewed by:	Christoph Mallon <christoph.mallon@gmx.de>
Many aspects discussed with:	rwatson, benl, jonathan
ABI compatibility discussed with:	kib
2013-03-02 00:53:12 +00:00
Simon J. Gerraty
f5f7c05209 Updated dependencies
2013-02-16 01:23:54 +00:00
Pawel Jakub Dawidek
6a9f247c85 Capability rights for process management via process descriptors do exist
already, so uncomment them.

Sponsored by:	The FreeBSD Foundation
2013-02-11 00:10:35 +00:00
Pawel Jakub Dawidek
42f997ba53 Add CAP_MKNOD right.
Sponsored by:	The FreeBSD Foundation
2013-02-10 23:51:26 +00:00