Commit Graph

5808 Commits

Author SHA1 Message Date
Maxime Henrion
a7a00d0546 - Fix a bunch of casts to long which were truncating off_t's.
- Remove the comments which were justifying this by the fact
that we don't have %q in the kernel, this was probably right
back in time, but we now have %q, and we even have better to
print those types (%j).
2002-11-07 21:56:05 +00:00
Maxime Henrion
b65d1ba9dd - Use a better definition for MNAMELEN which doesn't require
to have one #ifdef per architecture.
- Change a space to a tab after a nearby #define.

Obtained from:	bde
2002-11-07 21:15:02 +00:00
Robert Watson
f8f750c53e Do a bit more work in the aio code to simulate the credential environment
of the original AIO request: save and restore the active thread credential
as well as using the file credential, since MAC (and some other bits of
the system) rely on the thread credential instead of/as well as the
file credential.  In brief: cache td->td_ucred when the AIO operation
is queued, temporarily set and restore the kernel thread credential,
and release the credential when done.  Similar to ktrace credential
management.

Reviewed by:	alc
Approved by:	re
Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2002-11-07 20:46:37 +00:00
Kelly Yancey
04ac9b97b5 Spotted a couple of places where the socket buffer's counters were being
manipulated directly (rather than using sballoc()/sbfree()); update them
to tweak the new sb_ctl field too.

Sponsored by:	NTT Multimedia Communications Labs
2002-11-05 18:52:25 +00:00
Kelly Yancey
247a32f22a Fix filt_soread() to properly flag a kevent when a 0-byte datagram is
received.

Verified by:	dougb, Manfred Antar <null@pozo.com>
Sponsored by:	NTT Multimedia Communications Labs
2002-11-05 18:48:46 +00:00
Robert Watson
0c93266b9c Correct merge-o: disable the right execve() variation if !MAC 2002-11-05 18:04:50 +00:00
Robert Watson
670cb89bf4 Bring in two sets of changes:
(1) Permit userland applications to request a change of label atomic
    with an execve() via mac_execve().  This is required for the
    SEBSD port of SELinux/FLASK.  Attempts to invoke this without
    MAC compiled in result in ENOSYS, as with all other MAC system
    calls.  Complexity, if desired, is present in policy modules,
    rather than the framework.

(2) Permit policies to have access to both the label of the vnode
    being executed as well as the interpreter if it's a shell
    script or related UNIX nonsense.  Because we can't hold both
    vnode locks at the same time, cache the interpreter label.
    SEBSD relies on this because it supports secure transitioning
    via shell script executables.  Other policies might want to
    take both labels into account during an integrity or
    confidentiality decision at execve()-time.

Approved by:	re
Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2002-11-05 17:51:56 +00:00
Robert Watson
051c41caf1 Regen. 2002-11-05 17:48:04 +00:00
Robert Watson
21bb9ea225 Flesh out the definition of __mac_execve(): per earlier discussion,
it's essentially execve() with an optional MAC label argument.

Approved by:	re
Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2002-11-05 17:47:08 +00:00
Robert Watson
4443e9ff4a Assert that appropriate vnodes are locked in mac_execve_will_transition().
Allow transitioning to be twiddled off using the process and fs enforcement
flags, although at some point this should probably be its own flag.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2002-11-05 15:11:33 +00:00
Robert Watson
ccafe7eb35 Hook up the mac_will_execve_transition() and mac_execve_transition()
entrypoints, #ifdef MAC.  The supporting logic already existed in
kern_mac.c, so no change there.  This permits MAC policies to cause
a process label change as the result of executing a binary --
typically, as a result of executing a specially labeled binary.

For example, the SEBSD port of SELinux/FLASK uses this functionality
to implement TE type transitions on processes using transitioning
binaries, in a manner similar to setuid.  Policies not implementing
a notion of transition (all the ones in the tree right now) require
no changes, since the old label data is copied to the new label
via mac_create_cred() even if a transition does occur.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2002-11-05 14:57:49 +00:00
Giorgos Keramidas
5f9ae8e026 Typo in comment: commmand -> command
Reviewed by:	jhb
2002-11-05 14:54:07 +00:00
Robert Watson
450ffb4427 Remove reference to struct execve_args from struct imgact, which
describes an image activation instance.  Instead, make use of the
existing fname structure entry, and introduce two new entries,
userspace_argv, and userspace_envv.  With the addition of
mac_execve(), this divorces the image structure from the specifics
of the execve() system call, removes a redundant pointer, etc.
No semantic change from current behavior, but it means that the
structure doesn't depend on syscalls.master-generated includes.

There seems to be some redundant initialization of imgact entries,
which I have maintained, but which could probably use some cleaning
up at some point.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2002-11-05 01:59:56 +00:00
Robert Watson
e5e820fd1f Permit MAC policies to instrument the access control decisions for
system accounting configuration and for nfsd server thread attach.
Policies might use this to protect the integrity or confidentiality
of accounting data, limit the ability to turn on or off accounting,
as well as to prevent inappropriately labeled threads from becoming nfs
server threads.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2002-11-04 15:13:36 +00:00
Robert Watson
3da87a65c7 Remove mac_cache_fslabel_in_vnode sysctl -- with the new VFS/MAC
construction, labels are always cached.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2002-11-04 14:55:14 +00:00
Robert Watson
6201265be7 License clarification and wording changes: NAI has approved removal of
clause three, and NAI Labs now goes by the name Network Associates
Laboratories.
2002-11-04 01:42:39 +00:00
Robert Watson
4b8d5f2d97 Introduce mac_check_system_settime(), a MAC check allowing policies to
augment the system policy for changing the system time.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2002-11-03 02:39:42 +00:00
Robert Watson
01ce3b5661 Regen from yesterday's system call placeholder rename. 2002-11-02 23:54:36 +00:00
Alan Cox
151113a946 Catch up with the removal of the vm page buckets spin mutex. 2002-11-02 22:42:18 +00:00
Alan Cox
5ee0a409fc Revert the change in revision 1.77 of kern/uipc_socket2.c. It is causing
a panic because the socket's state isn't as expected by sofree().

Discussed with: dillon, fenner
2002-11-02 05:14:31 +00:00
Kelly Yancey
47baac87a6 Update the st_size reported via stat(2) to accurately reflect the amount
of data available to read for non-TCP sockets.

Reviewed by:	-net, -arch
Sponsored by:	NTT Multimedia Communications Labs
MFC after:	2 weeks
2002-11-01 21:31:13 +00:00
Kelly Yancey
e0f640e82d Track the number of non-data chararacters stored in socket buffers so that
the data value returned by kevent()'s EVFILT_READ filter on non-TCP
sockets accurately reflects the amount of data that can be read from the
sockets by applications.

PR:		30634
Reviewed by:	-net, -arch
Sponsored by:	NTT Multimedia Communications Labs
MFC after:	2 weeks
2002-11-01 21:27:59 +00:00
Robert Watson
6cedb451fb Rename __execve_mac() to __mac_execve() for increased consistency
with other MAC system calls.

Requested by:	various (phk, gordont, jake, ...)
2002-11-01 21:00:02 +00:00
Robert Watson
e686e5ae91 Add MAC checks for various kenv() operations: dump, get, set, unset,
permitting MAC policies to limit access to the kernel environment.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2002-11-01 20:46:53 +00:00
Poul-Henning Kamp
1fb14a47a1 Introduce malloc_last_fail() which returns the number of seconds since
malloc(9) failed last time.  This is intended to help code adjust
memory usage to the current circumstances.

A typical use could be:
	if (malloc_last_fail() < 60)
		reduce_cache_by_one();
2002-11-01 18:58:12 +00:00
Poul-Henning Kamp
38b0884cc3 Introduce a "time_uptime" global variable which holds the time since boot
in seconds.
2002-11-01 18:52:20 +00:00
David Xu
adac9400a7 KSE-enabled processes only. 2002-10-31 08:00:51 +00:00
Robert Watson
5c8dd34218 Move to C99 sparse structure initialization for the mac_policy_ops
structure definition, rather than using an operation vector
we translate into the structure.  Originally, we used a vector
for two reasons:

(1) We wanted to define the structure sparsely, which wasn't
    supported by the C compiler for structures.  For a policy
    with five entry points, you don't want to have to stick in
    a few hundred NULL function pointers.

(2) We thought it would improve ABI compatibility allowing modules
    to work with kernels that had a superset of the entry points
    defined in the module, even if the kernel had changed its
    entry point set.

Both of these no longer apply:

(1) C99 gives us a way to sparsely define a static structure.

(2) The ABI problems existed anyway, due to enumeration numbers,
    argument changes, and semantic mismatches.  Since the going
    rule for FreeBSD is that you really need your modules to
    pretty closely match your kernel, it's not worth the
    complexity.

This submit eliminates the operation vector, dynamic allocation
of the operation structure, copying of the vector to the
structure, and redoes the vectors in each policy to direct
structure definitions.  One enourmous benefit of this change
is that we now get decent type checking on policy entry point
implementation arguments.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2002-10-30 18:48:51 +00:00
Robert Watson
b914de36c0 While 'mode_t' seemed like a good idea for the access mode argument for
MAC access() and open() checks, the argument actually has an int type
where it becomes available.  Switch to using 'int' for the mode argument
throughout the MAC Framework and policy modules.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2002-10-30 17:56:57 +00:00
David Xu
8db2431f61 Check NULL thread mailbox pointer. 2002-10-30 05:09:29 +00:00
David Xu
7b290dd008 Style fixes. 2002-10-30 03:01:28 +00:00
David Xu
37fcb8bcc8 Don't forget to set syscall result. 2002-10-30 02:39:10 +00:00
David Xu
34e80e027d Add an actual implementation of kse_thr_interrupt() 2002-10-30 02:28:41 +00:00
Robert Watson
9a1b076af2 Minor comment typo fix.
Submitted by:	Wayne Morrison <tewok@tislabs.com>
2002-10-29 20:51:44 +00:00
David Malone
6bd34a1e6f The syscall names are string constants, so make them consts. 2002-10-29 15:47:06 +00:00
Robert Watson
6151efaa54 Trim extraneous #else and #endif MAC comments per style(9). 2002-10-28 21:17:53 +00:00
Robert Watson
8b3a843438 An inappropriate ASSERT slipped in during the recent merge of the
reboot checking; remove.
2002-10-28 18:53:53 +00:00
David Xu
72465621ff Close a race window in kse_create(): signal delivered after SIGPENDING call
but before we call kse_link().
2002-10-28 07:37:06 +00:00
Ian Dowse
4e08ccb2ff Fix a case in kern_rename() where a vn_finished_write() call was
missed. This bug has been present since the vn_start_write() and
vn_finished_write() calls were first added in revision 1.159. When
the case is triggered, any attempts to create snapshots on the
filesystem will deadlock and also prevent further write activity
on that filesystem.
2002-10-27 23:23:51 +00:00
Garrett Wollman
c7047e5204 Change the way support for asynchronous I/O is indicated to applications
to conform to 1003.1-2001.  Make it possible for applications to actually
tell whether or not asynchronous I/O is supported.

Since FreeBSD's aio implementation works on all descriptor types, don't
call down into file or vnode ops when [f]pathconf() is asked about
_PC_ASYNC_IO; this avoids the need for every file and vnode op to know about
it.
2002-10-27 18:07:41 +00:00
Robert Watson
9e913ebd0a Centrally manage enforcement of {reboot,swapon,sysctl} using the
mac_enforce_system toggle, rather than several separate toggles.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2002-10-27 15:50:49 +00:00
Robert Watson
d3fc69ee6a Implement mac_check_system_sysctl(), a MAC Framework entry point to
permit MAC policies to augment the security protections on sysctl()
operations.  This is not really a wonderful entry point, as we
only have access to the MIB of the target sysctl entry, rather than
the more useful entry name, but this is sufficient for policies
like Biba that wish to use their notions of privilege or integrity
to prevent inappropriate sysctl modification.  Affects MAC kernels
only.  Since SYSCTL_LOCK isn't in sysctl.h, just kern_sysctl.c,
we can't assert the SYSCTL subsystem lockin the MAC Framework.

Approved by:	re
Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2002-10-27 07:12:34 +00:00
Robert Watson
a2ecb9b790 Hook up mac_check_system_reboot(), a MAC Framework entry point that
permits MAC modules to augment system security decisions regarding
the reboot() system call, if MAC is compiled into the kernel.

Approved by:	re
Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2002-10-27 07:03:29 +00:00
Robert Watson
03ce2c0c9b Merge from MAC tree: rename mac_check_vnode_swapon() to
mac_check_system_swapon(), to reflect the fact that the primary
object of this change is the running kernel as a whole, rather
than just the vnode.  We'll drop additional checks of this
class into the same check namespace, including reboot(),
sysctl(), et al.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2002-10-27 06:54:06 +00:00
Maxime Henrion
5b8ee62bc2 Fix a style nit. 2002-10-26 18:19:46 +00:00
Robert Watson
763bbd2f4f Slightly change the semantics of vnode labels for MAC: rather than
"refreshing" the label on the vnode before use, just get the label
right from inception.  For single-label file systems, set the label
in the generic VFS getnewvnode() code; for multi-label file systems,
leave the labeling up to the file system.  With UFS1/2, this means
reading the extended attribute during vfs_vget() as the inode is
pulled off disk, rather than hitting the extended attributes
frequently during operations later, improving performance.  This
also corrects sematics for shared vnode locks, which were not
previously present in the system.  This chances the cache
coherrency properties WRT out-of-band access to label data, but in
an acceptable form.  With UFS1, there is a small race condition
during automatic extended attribute start -- this is not present
with UFS2, and occurs because EAs aren't available at vnode
inception.  We'll introduce a work around for this shortly.

Approved by:	re
Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2002-10-26 14:38:24 +00:00
Julian Elischer
053effc60e iBack out david's last commit. the suspension code needs to be called
for non KSE processes too.
2002-10-26 04:44:17 +00:00
David Xu
3139ada54c Move suspension checking code from userret() into thread_userret(). 2002-10-26 02:56:51 +00:00
David Xu
56a6a23ea6 Backout revision 1.48. 2002-10-26 01:26:36 +00:00
Robert Watson
a67fe518a1 Comment describing the semantics of mac_late.
Trim trailing whitespace.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2002-10-25 20:45:27 +00:00
Maxime Henrion
4578a2e652 - Rename the DDB specific %z printf format to %y.
- Make DDB use %y instead of %z.
- Teach GCC about %y.
- Implement support for the C99 %z format modifier.

Approved by:	re@
Reviewed by:	peter
Tested on:	i386, sparc64
2002-10-25 19:41:32 +00:00
Peter Wemm
23eeeff7be Split 4.x and 5.x signal handling so that we can keep 4.x signal
handling clean and functional as 5.x evolves.  This allows some of the
nasty bandaids in the 5.x codepaths to be unwound.

Encapsulate 4.x signal handling under COMPAT_FREEBSD4 (there is an
anti-foot-shooting measure in place, 5.x folks need this for a while) and
finish encapsulating the older stuff under COMPAT_43.  Since the ancient
stuff is required on alpha (longjmp(3) passes a 'struct osigcontext *'
to the current sigreturn(2), instead of the 'ucontext_t *' that sigreturn
is supposed to take), add a compile time check to prevent foot shooting
there too.  Add uniform COMPAT_43 stubs for ia64/sparc64/powerpc.

Tested on: i386, alpha, ia64.  Compiled on sparc64 (a few days ago).
Approved by: re
2002-10-25 19:10:58 +00:00
Poul-Henning Kamp
df6b615a42 #include <geom/geom.h> to get proper prototypes. Contrary to my fears we
seem to have all the prerequisites already.

Call g_waitidle() as the first thing in vfs_mountroot() so that we have
it out of the way before we even decide if we should call .._ask() or
.._try().

Call the g_dev_print() function to provide better guidance for the
root-mount prompt.
2002-10-25 18:44:42 +00:00
David Xu
ddc4f28155 suspend thread only when it can be interrupted. 2002-10-25 13:12:36 +00:00
David Xu
0cf609706f let thread_schedule_upcall() handle idle kse. 2002-10-25 12:50:31 +00:00
Poul-Henning Kamp
fa669ab7b8 Disable the kernacc() check in mtx_validate() until such time that kernacc
does not require Giant.

This means that we may miss panics on a class of mutex programming bugs,
but only if running with a Chernobyl setting of debug-flags.

Spotted by:	Pete Carah <pete@ns.altadena.net>
2002-10-25 08:40:20 +00:00
Poul-Henning Kamp
0d6dc414b4 In vrele() we can actually have a VCHR with v_rdev == NULL if we
came from the bottom of addaliasu().  Don't panic.
2002-10-25 07:58:25 +00:00
Julian Elischer
de4723f6e8 fix style-o 2002-10-25 07:17:07 +00:00
Julian Elischer
9d10277721 More work on the interaction between suspending and sleeping threads.
Also clean up some code used with 'single-threading'.

Reviewed by:	davidxu
2002-10-25 07:11:12 +00:00
Kirk McKusick
9ab73fd11a Within ufs, the ffs_sync and ffs_fsync functions did not always
check for and/or report I/O errors. The result is that a VFS_SYNC
or VOP_FSYNC called with MNT_WAIT could loop infinitely on ufs in
the presence of a hard error writing a disk sector or in a filesystem
full condition. This patch ensures that I/O errors will always be
checked and returned.  This patch also ensures that every call to
VFS_SYNC or VOP_FSYNC with MNT_WAIT set checks for and takes
appropriate action when an error is returned.

Sponsored by:   DARPA & NAI Labs.
2002-10-25 00:20:37 +00:00
David Xu
4c40dcd4d7 fix typo. 2002-10-25 00:13:46 +00:00
Julian Elischer
1434d3fe6f Extract out KSE specific code from machine specific code
so that there is ony one copy of it. Fix that one copy
so that KSEs with no mailbox in a KSE program are not a cause
of page faults (this can legitmatly happen).

Submitted by:	(parts) davidxu
2002-10-24 23:09:48 +00:00
Poul-Henning Kamp
a2fb4feded Fix the spechash lock order reversal by keeping an updated sum
of v_usecount in the dev_t which vcount() can return without
locking any vnodes.

Seen by:	jhb
2002-10-24 19:38:56 +00:00
Poul-Henning Kamp
7c0c26b4c4 Make sure GEOM has stopped rattling the disks before we try to mount
the root filesystem, this may be implicated in the PC98 issue.
2002-10-24 19:26:08 +00:00
Poul-Henning Kamp
1f59664b68 Don't try to be cute and save a call/return by implementing a degenerate
vrele() inline.
2002-10-24 17:55:49 +00:00
David Xu
33862f40b0 respect TDF_SINTR, also for SINGLE_NO_EXIT threading mode, if a thread
was already suspended, do nothing.
2002-10-24 14:43:48 +00:00
David Xu
9991db0cb5 don't forget to remove kse from idle queue. 2002-10-24 09:16:46 +00:00
Julian Elischer
5c8329ed6c Move thread related code from kern_proc.c to kern_thread.c.
Add code to free KSEs and KSEGRPs on exit.
Sort KSE prototypes in proc.h.
Add the missing kse_exit() syscall.

ksetest now does not leak KSEs and KSEGRPS.

Submitted by:	(parts) davidxu
2002-10-24 08:46:34 +00:00
Dag-Erling Smørgrav
f2c1ea8152 Whitespace cleanup. 2002-10-23 10:26:54 +00:00
Alexander Kabaev
96725dd01a Handle binaries with arbitrary number PT_LOAD sections, not only
ones with one text and one data section.

The text and data rlimit checks still needs to be fixed to properly
accout for additional sections.

Reviewed by:	peter (slightly different patch version)
2002-10-23 01:57:39 +00:00
John Baldwin
12f65109c8 Don't dereference the 'x' pointer if it is NULL, instead skip the
assignment.  The netsmb code likes to call these functions with a NULL
x argument a lot.

Reported by:	Vallo Kallaste <kalts@estpak.ee>
2002-10-22 18:44:59 +00:00
Robert Drehmel
d08926b1f6 Change the `mutex_prof' structure to use three variables contained
in an anonymous structure as counters, instead of an array with
preprocessor-defined names for indices.  Remove the associated XXX-
comment.
2002-10-22 16:06:28 +00:00
Robert Watson
1cbfd977fd Introduce MAC_CHECK_VNODE_SWAPON, which permits MAC policies to
perform authorization checks during swapon() events; policies
might choose to enforce protections based on the credential
requesting the swap configuration, the target of the swap operation,
or other factors such as internal policy state.

Approved by:	re
Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2002-10-22 15:53:43 +00:00
Robert Watson
2789e47e2c Missed in previous merge: export sizeof(struct oldmac) rather than
sizeof(struct mac).

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2002-10-22 15:33:33 +00:00
Robert Watson
f7b951a8e0 Support the new MAC user API in kernel: modify existing system calls
to use a modified notion of 'struct mac', and flesh out the new variation
system calls (almost identical to existing ones except that they permit
a pid to be specified for process label retrieval, and don't follow
symlinks).  This generalizes the label API so that the framework is
now almost entirely policy-agnostic.

Approved by:	re
Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2002-10-22 14:29:47 +00:00
Robert Watson
5cb559a5e0 Regen. 2002-10-22 14:23:52 +00:00
Robert Watson
aad1cdc852 Flesh out prototypes for __mac_get_pid, __mac_get_link, and
__mac_set_link, based on __mac_get_proc() except with a pid,
and __mac_get_file(), __mac_set_file() except that they do
not follow symlinks.  First in a series of commits to flesh
out the user API.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2002-10-22 14:22:24 +00:00
David Xu
81fd489272 detect idle kse correctly. 2002-10-22 02:27:19 +00:00
Kirk McKusick
9e4b381a54 This update removes a race between unmount and lookup. The lookup
locks the mount point directory while waiting for vfs_busy to clear.
Meanwhile the unmount which holds the vfs_busy lock tried to lock
the mount point vnode. The fix is to observe that it is safe for the
unmount to remove the vnode from the mount point without locking it.
The lookup will wait for the unmount to complete, then recheck the
mount point when the vfs_busy lock clears.

Sponsored by:	DARPA & NAI Labs.
2002-10-22 01:06:44 +00:00
Kirk McKusick
e03486d198 This checkin reimplements the io-request priority hack in a way
that works in the new threaded kernel. It was commented out of
the disksort routine earlier this year for the reasons given in
kern/subr_disklabel.c (which is where this code used to reside
before it moved to kern/subr_disk.c):

----------------------------
revision 1.65
date: 2002/04/22 06:53:20;  author: phk;  state: Exp;  lines: +5 -0
Comment out Kirks io-request priority hack until we can do this in a
civilized way which doesn't cause grief.

The problem is that it is not generally safe to cast a "struct bio
*" to a "struct buf *".  Things like ccd, vinum, ata-raid and GEOM
constructs bio's which are not entrails of a struct buf.

Also, curthread may or may not have anything to do with the I/O request
at hand.

The correct solution can either be to tag struct bio's with a
priority derived from the requesting threads nice and have disksort
act on this field, this wouldn't address the "silly-seek syndrome"
where two equal processes bang the diskheads from one edge to the
other of the disk repeatedly.

Alternatively, and probably better: a sleep should be introduced
either at the time the I/O is requested or at the time it is completed
where we can be sure to sleep in the right thread.

The sleep also needs to be in constant timeunits, 1/hz can be practicaly
any sub-second size, at high HZ the current code practically doesn't
do anything.
----------------------------

As suggested in this comment, it is no longer located in the disk sort
routine, but rather now resides in spec_strategy where the disk operations
are being queued by the thread that is associated with the process that
is really requesting the I/O. At that point, the disk queues are not
visible, so the I/O for positively niced processes is always slowed
down whether or not there is other activity on the disk.

On the issue of scaling HZ, I believe that the current scheme is
better than using a fixed quantum of time. As machines and I/O
subsystems get faster, the resolution on the clock also rises.
So, ten years from now we will be slowing things down for shorter
periods of time, but the proportional effect on the system will
be about the same as it is today. So, I view this as a feature
rather than a drawback. Hence this patch sticks with using HZ.

Sponsored by:	DARPA & NAI Labs.
Reviewed by:	Poul-Henning Kamp <phk@critter.freebsd.dk>
2002-10-22 00:59:49 +00:00
Poul-Henning Kamp
c177d125bf GEOM does not (and shall not) propagate flags like D_MEMDISK, so we will
revert to checking the name to determine if our root device is a ramdisk,
md(4) specifically to determine if we should attempt the root-mount RW

Sponsored by:	DARPA & NAI Labs.
2002-10-21 20:09:59 +00:00
Dag-Erling Smørgrav
6d0369001a Reduce the overhead of the mutex statistics gathering code, try to produce
shorter lines in the report, and clean up some minor style issues.
2002-10-21 18:48:28 +00:00
Olivier Houchard
e3bf3aea25 One #include <sys/sysctl.h> should be enough.
Approved by:	mux (mentor)
2002-10-21 18:40:40 +00:00
Brooks Davis
29e1b85f97 Use if_printf(ifp, "blah") instead of
printf("%s%d: blah", ifp->if_name, ifp->if_xname).
2002-10-21 02:51:56 +00:00
Thomas Moestl
5775150869 Fix the calculations of the length of the unread message buffer
contents. The code was subtracting two unsigned ints, stored the
result in a log and expected it to be the same as of a signed
subtraction; this does only work on platforms where int and long
have the same size (due to overflows).
Instead, cast to long before the subtraction; the numbers are
guaranteed to be small enough so that there will be no overflows
because of that.
2002-10-20 23:13:05 +00:00
Poul-Henning Kamp
962414a120 We have memset() and memcpy() in the kernel now, so we don't need to
#define them to bzero and bcopy.

Spotted by:	FlexeLint
2002-10-20 22:33:42 +00:00
Julian Elischer
2f030624b1 Add an actual implementation of kse_wakeup()
Submitted by:	Davidxu
2002-10-20 21:08:47 +00:00
Thomas Moestl
e381d2455b Add kernel dump support, based on the ia64 version (which was committed
as sparc64/sparc64/dump_machdep.c a while back).
Other than ia64 (which uses ELF), sparc64 uses a homegrown format for
the dumps (headers are required because the physical address and size of
the tsb must be noted, and because physical memory may be discontiguous);
ELF would not offer any advantages here.

Reviewed by:	jake
2002-10-20 17:03:15 +00:00
Poul-Henning Kamp
ab33958276 #unifdef the code for checking blessed lock collisions until we need it.
Spotted by:	DARPA & NAI Labs.
2002-10-20 08:48:39 +00:00
Robert Watson
a13c67da35 If MAC_MAX_POLICIES isn't defined, don't try to define it, just let the
compile fail.  MAC_MAX_POLICIES should always be defined, or we have
bigger problems at hand.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2002-10-20 03:41:09 +00:00
Peter Wemm
8556393bb2 Stake a claim on 418 (__xstat), 419 (__xfstat), 420 (__xlstat) 2002-10-19 22:25:31 +00:00
Peter Wemm
c8447553b5 Grab 416/417 real estate before I get burned while testing again.
This is for the not-quite-ready signal/fpu abi stuff.  It may not see
the light of day, but I'm certainly not going to be able to validate it
when getting shot in the foot due to syscall number conflicts.
2002-10-19 22:09:23 +00:00
Robert Watson
b614dd131a Add a new 'NOMACCHECK' flag to namei() NDINIT flags, which permits the
caller to indicate that MAC checks are not required for the lookup.
Similar to IO_NOMACCHECK for vn_rdwr(), this indicates that the caller
has already performed all required protections and that this is an
internally generated operation.  This will be used by the NFS server
code, as we don't currently enforce MAC protections against requests
delivered via NFS.

While here, add NOCROSSMOUNT to PARAMASK; apparently this was used at
one point for name lookup flag checking, but isn't any longer or it
would have triggered from the NFS server code passing it to indicate
that mountpoints shouldn't be crossed in lookups.

Approved by:	re
Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2002-10-19 21:25:51 +00:00
Robert Watson
3ab93f0958 Regen from addition of execve_mac placeholder. 2002-10-19 21:15:10 +00:00
Robert Watson
bc5245d94c Add a placeholder for the execve_mac() system call, similar to SELinux's
execve_secure() system call, which permits a process to pass in a label
for a label change during exec.  This permits SELinux to change the
label for the resulting exec without a race following a manual label
change on the process.  Because this interface uses our general purpose
MAC label abstraction, we call it execve_mac(), and wrap our port of
SELinux's execve_secure() around it with appropriate sid mappings.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2002-10-19 21:06:57 +00:00
Robert Watson
89c61753a0 Drop in the MAC check for file creation as part of open().
Approved by:	re
Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2002-10-19 20:56:44 +00:00
Robert Watson
9aeffb2b28 Make sure to clear the 'registered' flag for MAC policies when they
unregister.  Under some obscure (perhaps demented) circumstances,
this can result in a panic if a policy is unregistered, and then someone
foolishly unregisters it again.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2002-10-19 20:30:12 +00:00
Robert Watson
7587203c2f Hook up most of the MAC entry points relating to file/directory/node
creation, deletion, and rename.  There are one or two other stray
cases I'll catch in follow-up commits (such as unix domain socket
creation); this permits MAC policy modules to limit the ability to
perform these operations based on existing UNIX credential / vnode
attributes, extended attributes, and security labels.  In the rename
case using MAC, we now have to lock the from directory and file
vnodes for the MAC check, but this is done only in the MAC case,
and the locks are immediately released so that the remainder of the
rename implementation remains the same.  Because the create check
takes a vattr to know object type information, we now initialize
additional fields in the VATTR passed to VOP_SYMLINK() in the MAC
case.

Approved by:	re
Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2002-10-19 20:25:57 +00:00
Marcel Moolenaar
1aeb23cdfa Add two hooks to signal module load and module unload to MD code.
The primary reason for this is to allow MD code to process machine
specific attributes, segments or sections in the ELF file and
update machine specific state accordingly. An immediate use of this
is in the ia64 port where unwind information is updated to allow
debugging and tracing in/across modules. Note that this commit
does not add the functionality to the ia64 port. See revision 1.9
of ia64/ia64/elf_machdep.c.

Validated on: alpha, i386, ia64
2002-10-19 19:16:03 +00:00
Marcel Moolenaar
c143d6c24a Reduce code duplication by moving the common actions in
link_elf_init(), link_elf_link_preload_finish() and
link_elf_load_file() to link_elf_link_common_finish().
Since link_elf_init() did initializations as a side-effect
of doing the common actions, keep the initialization in
that function. Consequently, link_elf_add_gdb() is now also
called to insert the very first link_map() (ie the kernel).
2002-10-19 18:59:33 +00:00
Marcel Moolenaar
1720979bc5 Non-functional change in preparation of the next commit:
Move link_elf_add_gdb(), link_elf_delete_gdb() and link_elf_error()
near the top of the file. The *_gdb() functions are moved inside
the #ifdef DDB already present there.
2002-10-19 18:43:37 +00:00
Marcel Moolenaar
f5b07e11ad In link_elf_load_file(), when SPARSE_MAPPING is defined and we
cannot allocate ef->object, we freed ef before bailing out with
an error. This is wrong because ef=lf and when we have an error
and lf is non-NULL (which holds if we try to alloc ef->object),
we free lf and thus ef as part of the bailing-out.
2002-10-19 05:01:54 +00:00
Alfred Perlstein
871de19fab Don't leak memory in semop(2). (Fix a bug I introduced in rev 1.55.)
Detective work by: jake
2002-10-19 02:07:35 +00:00
John Baldwin
6222047300 Do not lock the process when calling fdfree() (this would have recursed on
a non-recursive lock, the proc lock, before) since we don't need it to
change p_fd.
2002-10-18 17:45:41 +00:00
John Baldwin
6d345e2a45 fdfree() clears p_fd for us, no need to do it again. 2002-10-18 17:44:39 +00:00
John Baldwin
4562d72638 Don't lock the proc lock to clear p_fd. p_fd isn't protected by the proc
lock.
2002-10-18 17:42:28 +00:00
Kirk McKusick
3a096f6c09 Have lockinit() initialize the debugging fields of a lock
when DEBUG_LOCKS is defined.

Sponsored by:	DARPA & NAI Labs.
2002-10-18 01:34:10 +00:00
Kirk McKusick
bc7bdd50c1 When the number of dirty buffers rises too high, the buf_daemon runs
to help clean up. After selecting a potential buffer to write, this
patch has it acquire a lock on the vnode that owns the buffer before
trying to write it. The vnode lock is necessary to avoid a race with
some other process holding the vnode locked and trying to flush its
dirty buffers. In particular, if the vnode in question is a snapshot
file, then the race can lead to a deadlock. To avoid slowing down the
buf_daemon, it does a non-blocking lock request when trying to lock
the vnode. If it fails to get the lock it skips over the buffer and
continues down its queue looking for buffers to flush.

Sponsored by:	DARPA & NAI Labs.
2002-10-18 01:29:59 +00:00
Maxim Sobolev
2e307eb8c9 Separate fiels reported by disk_err() with spaces, so that output doesn't
look cryptic.

MFC after:	1 week
2002-10-17 23:48:29 +00:00
Robert Drehmel
bb8992b32c Instead of (sizeof(source_buffer) - 1) bytes, copy at most
(sizeof(destination_buffer) - 1) bytes into the destination buffer.
This was not harmful because they currently both provide space for
(MAXCOMLEN + 1) bytes.
2002-10-17 21:02:02 +00:00
Robert Drehmel
e80fb43467 Use strlcpy() instead of strncpy() to copy NUL terminated strings
for safety and consistency.
2002-10-17 20:03:38 +00:00
Sam Leffler
3b132a615f fix kldload error return when a module is rejected because it's statically
linked in the kernel.  When this condition is detected deep in the linker
internals the EEXIST error code that's returned is stomped on and instead
an ENOEXEC code is returned.  This makes apps like sysinstall bitch.
2002-10-17 17:28:57 +00:00
Robert Drehmel
55c8556834 - Allocate only enough space for a temporary buffer to hold
the path including the terminating NUL character from
   `struct sockaddr_un' rather than SOCK_MAXADDRLEN bytes.
 - Use strlcpy() instead of strncpy() to copy strings.
2002-10-17 15:52:42 +00:00
Bosko Milekic
a91db09ec0 Fix a fairly subtle bug in mbuf_init() where the reference counter
contiguous space was being allocated from the clust_map
instead of the mbuf_map as the comments indicated.  This resulted in
some address space wastage in mbuf_map.

Submitted by: Rohit Jalan <rohjal@yahoo.co.in>
2002-10-16 19:59:08 +00:00
John Baldwin
5c0cc63c40 Add a missing PROC_UNLOCK in ptrace() for the PT_IO case.
PR:		kern/44065
Submitted by:	Mark Kettenis <kettenis@chello.nl>
2002-10-16 16:28:33 +00:00
John Baldwin
bf3e55aa2c Many style and whitespace fixes.
Submitted by:	bde (mostly)
2002-10-16 15:45:37 +00:00
John Baldwin
18d9bd8f65 Sort includes a bit.
Submitted by:	bde
2002-10-16 15:14:31 +00:00
Poul-Henning Kamp
c3053131ca Be consistent about funtions being static.
Spotted by:	FlexeLint
2002-10-16 10:42:13 +00:00
Sam Leffler
5d84645305 Replace aux mbufs with packet tags:
o instead of a list of mbufs use a list of m_tag structures a la openbsd
o for netgraph et. al. extend the stock openbsd m_tag to include a 32-bit
  ABI/module number cookie
o for openbsd compatibility define a well-known cookie MTAG_ABI_COMPAT and
  use this in defining openbsd-compatible m_tag_find and m_tag_get routines
o rewrite KAME use of aux mbufs in terms of packet tags
o eliminate the most heavily used aux mbufs by adding an additional struct
  inpcb parameter to ip_output and ip6_output to allow the IPsec code to
  locate the security policy to apply to outbound packets
o bump __FreeBSD_version so code can be conditionalized
o fixup ipfilter's call to ip_output based on __FreeBSD_version

Reviewed by:	julian, luigi (silent), -arch, -net, darren
Approved by:	julian, silence from everyone else
Obtained from:	openbsd (mostly)
MFC after:	1 month
2002-10-16 01:54:46 +00:00
Poul-Henning Kamp
7c61d7858c Plug a memory-leak.
"I think you're right" by:	jake
2002-10-15 18:58:38 +00:00
Poul-Henning Kamp
9736c8f03a Use ; not , as statement separator in PDEBUG() macro.
Ignoring a NULL dev in device_set_ivars() sounds wrong, KASSERT it to
non-NULL instead.

Do the same for device_get_ivars() for reasons of symmetry, though
it probably would have yielded a panic anyway, this gives more precise
diagnostics.

Absentmindedly nodded OK to by:	jhb
2002-10-15 18:56:13 +00:00
John Baldwin
7fd1f2b8bc Argh. Put back setting of P_ADVLOCK for the F_WRLCK case that was
accidentally lost in the previous revision.

Submitted by:	bde
Pointy hat to:	jhb
2002-10-15 18:10:13 +00:00
Marcel Moolenaar
47f750125b Fix kernel module loading on ia64. Cross-module function calls
were improperly relocated due to faulty logic in lookup_fdesc()
in elf_machdep.c. The symbol index (symidx) was bogusly used for
load modules other than the one the relocation applied to. This
resulted in bogus bindings and consequently runtime failures.

The fix is to use the symbol index only for the module being
relocated and to use the symbol name for look-ups in the
modules in the dependent list. As such, we need a function to
return the symbol name given the linker file and symbol index.
2002-10-15 05:40:07 +00:00
Peter Wemm
803cc8aa8f Restore pointer that was removed in 1.128. This wasn't a merge-o. 2002-10-15 01:36:45 +00:00
John Baldwin
c65440644e - Add a new global mutex 'ppeers_lock' to protect the p_peers list of
processes forked with RFTHREAD.
- Use a goto to a label for common code when exiting from fork1() in case
  of an error.
- Move the RFTHREAD linkage setup code later in fork since the ppeers_lock
  cannot be locked while holding a proc lock.  Handle the race of a task
  leader exiting and killing its peers while a peer is forking a new child.
  In that case, go ahead and let the peer process proceed normally as the
  parent is about to kill it.  However, the task leader may have already
  gone to sleep to wait for the peers to die, so the new child process may
  not receive a SIGKILL from the task leader.  Rather than try to destruct
  the new child process, just go ahead and send it a SIGKILL directly and
  add it to the p_peers list.  This ensures that the task leader will wait
  until both the peer process doing the fork() and the new child process
  have received their KILL signals and exited.

Discussed with:	truckman (earlier versions)
2002-10-15 00:14:32 +00:00
John Baldwin
60a6965a88 Remove the leaderp variable and just access p_leader directly. The
p_leader field is not protected by the proc lock but is only set during
fork1() by the parent process and never changes.
2002-10-15 00:03:40 +00:00
Alfred Perlstein
8ced1eb281 Remove a KASSERT I added in 1.73 to catch uninitialized pipes.
It must be removed because it is done without the pipe being locked
via pipelock() and therefore is vulnerable to races with pipespace()
erroneously triggering it by temporarily zero'ing out the structure
backing the pipe.

It looks as if this assertion is not needed because all manipulation
of the data changed by pipespace() _is_ protected by pipelock().

Reported by: kris, mckusick
2002-10-14 21:15:04 +00:00
Julian Elischer
24c5baae53 Did you ever notice how stupid bugs show up much clearer
when you see them in a commit message?
2002-10-14 20:43:02 +00:00
Julian Elischer
1f955e2d48 Tidy up the scheduler's code for changing the priority of a thread.
Logically pretty much a NOP.
2002-10-14 20:34:31 +00:00
Kirk McKusick
a6b9f47b31 When scanning the freelist looking for candidate vnodes to recycle,
be sure to exit the loop with vp == NULL if no candidates are found.
Formerly, this bug would cause the last vnode inspected to be used,
even if it was not available. The result was a panic "vn_finished_write:
neg cnt".

Sponsored by:	DARPA & NAI Labs.
2002-10-14 19:54:39 +00:00
Kirk McKusick
e04a020067 Unconditionally reset vp->v_vnlock back to the default in the
vclean() function (e.g., vp->v_vnlock = &vp->v_lock) rather
than requiring filesystems that use alternate locks to do so
in their vop_reclaim functions. This change is a further cleanup
of the vop_stdlock interface.

Submitted by:	Poul-Henning Kamp <phk@critter.freebsd.dk>
Sponsored by:	DARPA & NAI Labs.
2002-10-14 19:44:51 +00:00
Poul-Henning Kamp
64b023f4bd Populate more fields of the disklabel for PC98.
Submitted by:	Kawanobe Koh <kawanobe@st.rim.or.jp>
2002-10-14 14:22:29 +00:00
Kirk McKusick
a5b65058d5 Regularize the vop_stdlock'ing protocol across all the filesystems
that use it. Specifically, vop_stdlock uses the lock pointed to by
vp->v_vnlock. By default, getnewvnode sets up vp->v_vnlock to
reference vp->v_lock. Filesystems that wish to use the default
do not need to allocate a lock at the front of their node structure
(as some still did) or do a lockinit. They can simply start using
vn_lock/VOP_UNLOCK. Filesystems that wish to manage their own locks,
but still use the vop_stdlock functions (such as nullfs) can simply
replace vp->v_vnlock with a pointer to the lock that they wish to
have used for the vnode. Such filesystems are responsible for
setting the vp->v_vnlock back to the default in their vop_reclaim
routine (e.g., vp->v_vnlock = &vp->v_lock).

In theory, this set of changes cleans up the existing filesystem
lock interface and should have no function change to the existing
locking scheme.

Sponsored by:	DARPA & NAI Labs.
2002-10-14 03:20:36 +00:00
Alan Cox
4d752b01b4 Eliminate the unnecessary clearing of flag bits that are already clear
in lio_listio(2).
2002-10-14 01:21:37 +00:00
Mike Barcroft
eeea998c3c Update a sysctl to use _POSIX_VERSION from <sys/unistd.h>, instead of
the kernel option _KPOSIX_VERSION.
2002-10-13 14:26:29 +00:00
Mike Barcroft
9e020cdab9 Include <sys/_posix.h> directly instead of depending on <sys/proc.h>
to include <sys/signal.h> to include <sys/_posix.h>.
2002-10-13 11:54:16 +00:00
Alfred Perlstein
1e31f88689 whitespace fixes. 2002-10-12 22:26:41 +00:00
Jeff Roberson
b43179fbe8 - Create a new scheduler api that is defined in sys/sched.h
- Begin moving scheduler specific functionality into sched_4bsd.c
 - Replace direct manipulation of scheduler data with hooks provided by the
   new api.
 - Remove KSE specific state modifications and single runq assumptions from
   kern_switch.c

Reviewed by:	-arch
2002-10-12 05:32:24 +00:00
Peter Wemm
d2575b9651 Register the machine check private state spinlock on ia64. 2002-10-12 00:33:36 +00:00
John Baldwin
e1b1aa3bc2 - Move the 'done1' label down below the unlock of the proc lock and move
the locking of the proc lock after the goto to done1 to avoid locking
  the lock in an error case just so we can turn around and unlock it.
- Move the exec_setregs() stuff out from under the proc lock and after
  the p_args stuff.  This allows exec_setregs() to be able to sleep or
  write things out to userland, etc. which ia64 does.

Tested by:	peter
2002-10-11 21:04:01 +00:00
John Baldwin
8559443093 Fix %z to always print values as signed like it is supposed to.
Reviewed by:	bde
Tested on:	i386 in ddb
2002-10-11 17:54:55 +00:00
Mike Barcroft
2b7f24d210 Change iov_base's type from char *' to the standard void *'. All
uses of iov_base which assume its type is `char *' (in order to do
pointer arithmetic) have been updated to cast iov_base to `char *'.
2002-10-11 14:58:34 +00:00
Poul-Henning Kamp
2e07db0b0a Remove an unused variable. 2002-10-11 10:36:22 +00:00
Kirk McKusick
192e439ed4 When considering a vnode for reuse in getnewvnode, we call
vcanrecycle to check a free vnode's availability. If it is
available, vcanrecycle returns an error code of zero and the
vnode in question locked. The getnewvnode routine then used
to call vn_start_write with the V_NOWAIT flag. If the filesystem
was suspended while taking a snapshot, the vn_start_write would
fail but getnewvnode would fail to unlock the vnode, instead
leaving it locked on the freelist. The result would be that the
vnode would be locked forever and would eventually hang the
system with a race to the root when it was attempted to recycle
it. This fix moves the vn_start_write check into vcanrecycle
where it will properly unlock the vnode if it is unavailable
for recycling due to filesystem suspension.

Sponsored by:	DARPA & NAI Labs.
2002-10-11 01:04:14 +00:00
Robert Watson
2dba710ddb Incremental style improvements: more consistently avoid assignments
in conditionals; remove some excess vertical whitespace; remove a
bug in the return handling of the delete_vp() case for MAC.

Spotted by:	bde
2002-10-10 13:59:58 +00:00
Robert Watson
16c26e60ef Regen from syntax fix to syscalls.master.
PR:
Submitted by:
Reviewed by:
Approved by:
Obtained from:
MFC after:
2002-10-10 04:08:11 +00:00
Robert Watson
3c4aba09e3 Fix what looks like a merge-o from a conflict in the last commit to
syscalls.master.
2002-10-10 04:02:49 +00:00
Robert Watson
b101411be1 Explore new heights in alphabetization for _file and _fd variations on
the extended attribute system calls.
2002-10-10 00:32:08 +00:00
Peter Wemm
0d66d36f44 Add a pointer to the alternate syscall tables on 64 bit platforms. 2002-10-09 22:04:09 +00:00
Robert Watson
6f90723cad Implement extattr_{delete,get,set}_link() system calls: extended attribute
operations that do not follow links.  Sync to MAC tree.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2002-10-09 21:48:22 +00:00
Robert Watson
233d463548 Regen. 2002-10-09 21:47:29 +00:00
Robert Watson
8b10835c35 Flesh out the extattr_{delete,get,set}_link() system calls: variations
on the _file() theme that do not follow symlinks.  Sync to MAC tree.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2002-10-09 21:47:04 +00:00
John Baldwin
5715307f74 - Move p_cpulimit to struct proc from struct plimit and protect it with
sched_lock.  This means that we no longer access p_limit in mi_switch()
  and the p_limit pointer can be protected by the proc lock.
- Remove PRS_ZOMBIE check from CPU limit test in mi_switch().  PRS_ZOMBIE
  processes don't call mi_switch(), and even if they did there is no longer
  the danger of p_limit being NULL (which is what the original zombie check
  was added for).
- When we bump the current processes soft CPU limit in ast(), just bump the
  private p_cpulimit instead of the shared rlimit.  This fixes an XXX for
  some value of fix.  There is still a (probably benign) bug in that this
  code doesn't check that the new soft limit exceeds the hard limit.

Inspired by:	bde (2)
2002-10-09 17:17:24 +00:00
Julian Elischer
48bfcddd94 Round out the facilty for a 'bound' thread to loan out its KSE
in specific situations. The owner thread must be blocked, and the
borrower can not proceed back to user space with the borrowed KSE.
The borrower will return the KSE on the next context switch where
teh owner wants it back. This removes a lot of possible
race conditions and deadlocks. It is consceivable that the
borrower should inherit the priority of the owner too.
that's another discussion and would be simple to do.

Also, as part of this, the "preallocatd spare thread" is attached to the
thread doing a syscall rather than the KSE. This removes the need to lock
the scheduler when we want to access it, as it's now "at hand".

DDB now shows a lot mor info for threaded proceses though it may need
some optimisation to squeeze it all back into 80 chars again.
(possible JKH project)

Upcalls are now "bound" threads, but "KSE Lending" now means that
other completing syscalls can be completed using that KSE before the upcall
finally makes it back to the UTS. (getting threads OUT OF THE KERNEL is
one of the highest priorities in the KSE system.) The upcall when it happens
will present all the completed syscalls to the KSE for selection.
2002-10-09 02:33:36 +00:00
Warner Losh
0b294f891d Introducing /dev/devctl. This device reports events in the
configuration device hierarchy.  Device arrival, departure and not
matched are presently reported.  This will be the basis for devd, which
I still need to polish a little more before I commit it.  If you don't
use /dev/devctl, it will be a noop.
2002-10-07 23:17:44 +00:00
Warner Losh
c17fdbe3a9 Two minor bugfixes:
o Allow the bus_debug variable to be set via the bus.debug tunable.
o Return pnpinfo and location info via the devinfo interface to userland.
  devinfo(8) needs to be updated to print it.
2002-10-07 23:15:40 +00:00
Ian Dowse
197b023b1b Add back a fdrop() call at the end of kern_open() that got lost in
revision 1.218. This bug caused a "struct file" reference to be
leaked if VOP_ADVLOCK(), vn_start_write(), or mac_check_vnode_write()
failed during the open operation.

PR:		kern/43739
Reported by:	Arne Woerner <woerner@mediabase-gmbh.de>
2002-10-07 20:49:22 +00:00
Warner Losh
0a1d3ef9b8 Add wrappers around the newly created bus_child_pnpinfo_str and
bus_child_location_str.
2002-10-07 07:08:00 +00:00
Warner Losh
d71dec96bf Minor string handling cleanup that I've had in my tree for a while:
Don't use snprintf where strlcpy() will do the job.
Also, a NUL is '\0' not 0 in our style (C doesn't care), so spell it like.
Remove useless {} and () in the general area of this change.
2002-10-07 06:50:35 +00:00
Warner Losh
da7b83f9ea Don't need to NUL terminate after snprintf 2002-10-07 06:26:17 +00:00
Warner Losh
3d9841b4eb Add two interfaces to allow for busses to report the pnpinfo for
devices as well as their location on the bus.
2002-10-07 05:06:38 +00:00
Alfred Perlstein
c814aa3fdb disable debug output by default. 2002-10-07 04:13:21 +00:00
Robert Watson
b371c939ce Integrate mac_check_socket_send() and mac_check_socket_receive()
checks from the MAC tree: allow policies to perform access control
for the ability of a process to send and receive data via a socket.
At some point, we might also pass in additional address information
if an explicit address is requested on send.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2002-10-06 14:39:15 +00:00
Robert Watson
e183f80e54 Sync from MAC tree: break out the single mmap entry point into
seperate entry points for each occasion:

mac_check_vnode_mmap()		Check at initial mapping
mac_check_vnode_mprotect()	Check at mapping protection change
mac_check_vnode_mmap_downgrade()	Determine if a mapping downgrade
					should take place following
					subject relabel.

Implement mmap() and mprotect() entry points for labeled vnode
policies.  These entry points are currently not hooked up to the
VM system in the base tree.  These changes improve the consistency
of the access control interface and offer more flexibility regarding
limiting access to vnode mmaping.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2002-10-06 02:46:26 +00:00
Robert Watson
83985c267e Modify label allocation semantics for sockets: pass in soalloc's malloc
flags so that we can call malloc with M_NOWAIT if necessary, avoiding
potential sleeps while holding mutexes in the TCP syncache code.
Similar to the existing support for mbuf label allocation: if we can't
allocate all the necessary label store in each policy, we back out
the label allocation and fail the socket creation.  Sync from MAC tree.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2002-10-05 21:23:47 +00:00
Robert Watson
b497ca81d6 Make sure that the accounting credential is saved along with the vp
when accounting is suspended--otherwise when accounting is restored,
we may incorrectly assume the credential is valid.

Panics experienced by:	juli
2002-10-05 20:05:23 +00:00
Robert Watson
74e62b1b75 Integrate a devfs/MAC fix from the MAC tree: avoid a race condition during
devfs VOP symlink creation by introducing a new entry point to determine
the label of the devfs_dirent prior to allocation of a vnode for the
symlink.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2002-10-05 18:40:10 +00:00
Robert Watson
0a69419678 Merge support for mac_check_vnode_link(), a MAC framework/policy entry
point that instruments the creation of hard links.  Policy implementations
to follow.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2002-10-05 18:11:36 +00:00
Robert Watson
56c1541237 While the MAC API has supported the ability to handle M_NOWAIT passed
to mbuf label initialization, that functionality was never merged to
the main tree.  Go ahead and merge that functionality now.  Note that
this requires policy modules to accept the case where the label
element may be destroyed even if init has not succeeded on it (in
the event that policy failed the init).  This will shortly also
apply to sockets.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2002-10-05 17:44:49 +00:00
Robert Watson
87807196f8 Rearrange object and label init/destroy functions to match the
order used in mac_policy.h and elsewhere.  Sort order is basically
"by operation category", then "alphabetically by object". Sync to
MAC tree.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2002-10-05 17:38:45 +00:00
Robert Watson
a931e345a9 Sync to MAC tree: use 'flag' instead of 'how' for mac_init_mbuf();
remove a slightly less than useful comment.
2002-10-05 17:18:43 +00:00
Brian Feldman
dab3d85fd7 Don't allow dev_stdclone(9) to accept minors larger than the system is
able to handle (0xffffff).
2002-10-05 17:10:28 +00:00
Robert Watson
69bbb5b1c7 Another big diff, little functional change: move label internalization,
externalization, and cred label life cycle events to entirely above
devfs and vnode events.  Sync from MAC tree.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2002-10-05 16:57:16 +00:00
Robert Watson
08bcdc586e Move all object label init/destroy routines to the head of the
entry points to better match the entry point ordering in mac_policy.h.
Big diff, no functional change; merge from the MAC tree.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2002-10-05 16:54:59 +00:00
Robert Watson
ea599aa018 Synch from TrustedBSD MAC tree:
- If a policy isn't registered when a policy module unloads, silently
  succeed.

- Hold the policy list lock across more of the validity tests to avoid
  races.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2002-10-05 16:46:03 +00:00
Poul-Henning Kamp
3bd6561289 NB: This commit does *NOT* make GEOM the default in FreeBSD
NB: But it will enable it in all kernels not having options "NO_GEOM"

Put the GEOM related options into the intended order.

Add "options NO_GEOM" to all kernel configs apart from NOTES.

In some order of controlled fashion, the NO_GEOM options will be
removed, architecture by architecture in the coming days.

There are currently three known issues which may force people to
need the NO_GEOM option:

boot0cfg/fdisk:
        Tries to update the MBR while it is being used to control
        slices.  GEOM does not allow this as a direct operation.

SCSI floppy drives:
        Appearantly the scsi-da driver return "EBUSY" if no media
        is inserted.  This is wrong, it should return ENXIO.

PC98:
        It is unclear if GEOM correctly recognizes all variants of
        PC98 disklabels.  (Help Wanted!  I have neither docs nor HW)

These issues are all being worked.

Sponsored by:	DARPA & NAI Labs.
2002-10-05 16:35:33 +00:00
Robert Watson
226b96fb6d Cosmetic line wrap synchronization. 2002-10-05 16:33:46 +00:00
Robert Watson
b2f0927ad6 Push the debugging obect label counters into security.mac.debug.counters
rather than directly under security.mac.debug.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2002-10-05 16:30:53 +00:00
Robert Watson
96adb90996 Begin another merge from the TrustedBSD MAC branch:
- Change mpo_init_foo(obj, label) and mpo_destroy_foo(obj, label) policy
  entry points to mpo_init_foo_label(label) and
  mpo_destroy_foo_label(label).  This will permit the use of the same
  entry points for holding temporary type-specific label during
  internalization and externalization, as well as for caching purposes.
- Because of this, break out mpo_{init,destroy}_socket() and
  mpo_{init,destroy}_mount() into seperate entry points for socket
  main/peer labels and mount main/fs labels.
- Since the prototype for label initialization is the same across almost
  all entry points, implement these entry points using common
  implementations for Biba, MLS, and Test, reducing the number of
  almost identical looking functions.

This simplifies policy implementation, as well as preparing us for the
merge of the new flexible userland API for managing labels on objects.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2002-10-05 15:10:00 +00:00
Maxim Sobolev
790a8088d0 Fix problem introduced in rev.1.406, which can cause already unlocked
mutex being unlocked again causing system panic.
2002-10-05 12:56:10 +00:00
Brian Somers
52ae0b7fb5 If dsgetlabel() returns a label with a size of zero in diskdumpconf(),
treat it as an invalid partition.

This fixes a bug where ``dumpon <device>'' will configure the dump
device at a random offset on the disk if <device> isn't a valid
partition.

Reviewed by: phk
2002-10-05 11:24:21 +00:00
Juli Mallett
0d29446006 Put an easy-to-miss assignment into the proper place. It was stray in the
middle of a block of code, with no clear assignment.  While here, move one
nearby assignment out of declaration.
2002-10-05 04:49:46 +00:00
Juli Mallett
ecafb24b41 Remove bogus duplicate assignment of local variables. 2002-10-05 04:35:59 +00:00
Poul-Henning Kamp
c5f9218b48 Add the new function "sbuf_done()" which returns non-zero if the sbuf is
finished.

This allows sbufs to be used for request/response scenarioes without
needing additional communication flags.

Sponsored by:	DARPA & NAI Labs.
2002-10-04 09:58:17 +00:00
Peter Wemm
c281972e61 Add some unspeakable hackery to the tree under #ifdef __ia64__ to work
around limitations in the ia64 kernel stack handling code.  Basically
preallocate a bunch of threads (and hence kstacks) while contigmalloc()
still works, and never free them back to the general memory pool.  After
the system has been running for a while, contigmalloc() eventually fails
at a critical momemt and panics the system.
2002-10-04 01:31:39 +00:00
Don Lewis
cb81d3ca4d hashinit() calls MALLOC(), so release the filedesc lock in knote_attach()
before calling hashinit() and relock afterwards, taking care to see that
we don't lose a race.
2002-10-03 06:03:26 +00:00
Juli Mallett
a723033a4d XXX Add a check for p->p_limit being NULL before dereferencing it. This is
totally bogus but will hide the occurances of access of 0xbc(NULL) which
people have run into lately.  This is not a proper fix, just a bandaid, until
the cause of this happening is tracked down and fixed.

Reviewed by:	rwatson
2002-10-03 04:09:00 +00:00
Don Lewis
91e97a8266 In an SMP environment post-Giant it is no longer safe to blindly
dereference the struct sigio pointer without any locking.  Change
fgetown() to take a reference to the pointer instead of a copy of the
pointer and call SIGIO_LOCK() before copying the pointer and
dereferencing it.

Reviewed by:	rwatson
2002-10-03 02:13:00 +00:00
David Xu
5da2b58aeb set ke_bound to NULL when kse owner thread becomes runnable.
Reviewed by: julian (mentor)
2002-10-03 01:22:05 +00:00
Julian Elischer
4162f2fe92 Whitespace fix only 2002-10-02 23:12:01 +00:00
John Baldwin
551cf4e150 Rename the mutex thread and process states to use a more generic 'LOCK'
name instead.  (e.g., SLOCK instead of SMTX, TD_ON_LOCK() instead of
TD_ON_MUTEX())  Eventually a turnstile abstraction will be added that
will be shared with mutexes and other types of locks.  SLOCK/TDI_LOCK will
be used internally by the turnstile code and will not be specific to
mutexes.  Making the change now ensures that turnstiles can be dropped
in at a later date without affecting the ABI of userland applications.
2002-10-02 20:31:47 +00:00
Juli Mallett
289e1e23d1 Access td->td_kse inside sched_lock.
Submitted by:	julian
2002-10-02 18:25:09 +00:00
Archie Cobbs
36a8dac10d Let kse_wakeup() take a KSE mailbox pointer argument.
Reviewed by:	julian
2002-10-02 16:48:16 +00:00
Juli Mallett
bc7b9f1dba De-obfuscate local use of members of 'struct thread', for which we have
local variables, and group assignment.
2002-10-02 16:39:39 +00:00
Poul-Henning Kamp
c56c20f13d Absorb <sys/bus_private.h> into kern/subr_bus.c to prevent misunderstandings.
Suggested by:	bde
Approved by:	dfr
2002-10-02 09:34:29 +00:00
Poul-Henning Kamp
8c5d013757 Fix mis-indentation.
Spotted by:	FlexeLint
2002-10-02 09:09:25 +00:00
Scott Long
316ec49abd Some kernel threads try to do significant work, and the default KSTACK_PAGES
doesn't give them enough stack to do much before blowing away the pcb.
This adds MI and MD code to allow the allocation of an alternate kstack
who's size can be speficied when calling kthread_create.  Passing the
value 0 prevents the alternate kstack from being created.  Note that the
ia64 MD code is missing for now, and PowerPC was only partially written
due to the pmap.c being incomplete there.
Though this patch does not modify anything to make use of the alternate
kstack, acpi and usb are good candidates.

Reviewed by:	jake, peter, jhb
2002-10-02 07:44:29 +00:00
Robert Watson
92dbb82a47 Add a new MAC entry point, mac_thread_userret(td), which permits policy
modules to perform MAC-related events when a thread returns to user
space.  This is required for policies that have floating process labels,
as it's not always possible to acquire the process lock at arbitrary
points in the stack during system call processing; process labels might
represent traditional authentication data, process history information,
or other data.

LOMAC will use this entry point to perform the process label update
prior to the thread returning to userspace, when plugged into the MAC
framework.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2002-10-02 02:42:38 +00:00
Juli Mallett
1d9c56964d Back our kernel support for reliable signal queues.
Requested by:	rwatson, phk, and many others
2002-10-01 17:15:53 +00:00
John Baldwin
feb2449610 Minor style nits in a comment. 2002-10-01 15:49:32 +00:00