privilege for threads and credentials. Unlike the existing suser(9)
interface, priv(9) exposes a named privilege identifier to the privilege
checking code, allowing more complex policies regarding the granting of
privilege to be expressed. Two interfaces are provided, replacing the
existing suser(9) interface:
suser(td) -> priv_check(td, priv)
suser_cred(cred, flags) -> priv_check_cred(cred, priv, flags)
A comprehensive list of currently available kernel privileges may be
found in priv.h. New privileges are easily added as required, but the
comments on adding privileges found in priv.h and priv(9) should be read
before doing so.
The new privilege interface exposed sufficient information to the
privilege checking routine that it will now be possible for jail to
determine whether a particular privilege is granted in the check routine,
rather than relying on hints from the calling context via the
SUSER_ALLOWJAIL flag. For now, the flag is maintained, but a new jail
check function, prison_priv_check(), is exposed from kern_jail.c and used
by the privilege check routine to determine if the privilege is permitted
in jail. As a result, a centralized list of privileges permitted in jail
is now present in kern_jail.c.
The MAC Framework is now also able to instrument privilege checks, both
to deny privileges otherwise granted (mac_priv_check()), and to grant
privileges otherwise denied (mac_priv_grant()), permitting MAC Policy
modules to implement privilege models, as well as control a much broader
range of system behavior in order to constrain processes running with
root privilege.
The suser() and suser_cred() functions remain implemented, now in terms
of priv_check() and the PRIV_ROOT privilege, for use during the transition
and possibly continuing use by third party kernel modules that have not
been updated. The PRIV_DRIVER privilege exists to allow device drivers to
check privilege without adopting a more specific privilege identifier.
This change does not modify the actual security policy, rather, it
modifies the interface for privilege checks so changes to the security
policy become more feasible.
Sponsored by: nCircle Network Security, Inc.
Obtained from: TrustedBSD Project
Discussed on: arch@
Reviewed (at least in part) by: mlaier, jmg, pjd, bde, ceri,
Alex Lyashkov <umka at sevcity dot net>,
Skip Ford <skip dot ford at verizon dot net>,
Antoine Brodin <antoine dot brodin at laposte dot net>
pages existed only for the dynamic sysctl interfaces. There's probably
more complete and accurate content, better advice, etc, that could be added
here.
Per scottl's suggest, add a small piece of moralizing text regarding the
fact that sysctl names quickly get embedded in system configuration files,
libraries, third party applications, and even books, so renaming and
removing names after they've been published is a tricky issue.
MFC after: 1 month
It detects both: buffer underflows and buffer overflows bugs at runtime
(on free(9) and realloc(9)) and prints backtraces from where memory was
allocated and from where it was freed.
Tested by: kris
specially crafted module. There are several handrolled sollutions to this
problem in the tree already which will be replaced with this. They include
iwi(4), ipw(4), ispfw(4) and digi(4).
No objection from: arch
MFC after: 2 weeks
X-MFC after: some drivers have been converted
function in years.
- Change the 'ident' paramters to 'wchan' to match <sys/systm.h>.
- Use 'otherwise' in place of 'else' in one place so that this reads like
English rather than C.
- Document the new msleep_spin() function.
- Add history notes for msleep() and msleep_spin().
USB device drivers use to talk to USB devices. This is probably
still a bit rough and it does not yet include the functions specific
to HID, ethernet, hubs, host controller drivers, task threads or
debugging.
- Remove references to cpu_critical_*() as they no longer exist.
- Explain that any preemptions that occur during a critical section are
deferred until the current thread exits the section.
- Remove a bogus example usage of a critical section.
- Note that one can interlock critical sections with spin mutexes in
certain situations.
MFC after: 3 days
- Add arm and ppc to the list of archs not supporting operations on 64-bit
integers.
- Update the sample code for acquiring a mutex to be more recent and to
take into account the recent atomic_foo_ptr() changes.
MFC after: 1 week
implementation. I took the NetBSD man page, and hacked it to, I hope,
to reflect the preliminary version of the bus space that Justin Gibbs
committed as part of the CAM integration in FreeBSD 3.0.
This isn't perfect, but it is better than we have now (which is, ahem,
nothing). Please coordinate changes to the file through me through
the 6.0 release.
Approved by: re (blanket for this one file)
callout is first initialised, using a new function callout_init_mtx().
The callout system will acquire this mutex before calling the callout
function and release it on return.
In addition, the callout system uses the mutex to avoid most of the
complications and race conditions inherent in asynchronous timer
facilities, so mutex-protected callouts have much simpler semantics.
As long as the mutex is held when invoking callout_stop() or
callout_reset(), then these functions will guarantee that the callout
will be stopped, even if softclock() had already begun to process
the callout.
Existing Giant-locked callouts will automatically pick up the new
race-free semantics. This should close a number of race conditions
in the USB code and probably other areas of the kernel too.
There should be no change in behaviour for "MP-safe" callouts; these
still need to use the techniques mentioned in timeout(9) to avoid
race conditions.
man page after Orla, so the mistakes are probably mine. Leave a
note on the door welcoming the mdoc police.
Submitted by: Orla McGann <orly@cnri.dit.ie>
Of particular interest here is the ieee80211_radiotap(9) man page.
TODO: Flesh out ieee80211_node.9, ieee80211_proto.9.
Submitted by: bms (with help from Darron Broad)
- Sort MAN and MLINKS in "dictionary" order ignoring case.
- For multi-value MAN and multi-pair MLINKS, put each value/pair
on its own line, for easier sorting and so that further diffs
are easier to see.
The manual page contains enough information to get someone started
with ALQ.
MLINKS have been added appropriately.
Approved by: jeff, des
Reviewed by: des, jeff, sam, brooks, rwatson, mtm
APIs permit disk device drivers to register and deregister storage devices
for use by storage device consumers. No doubt this API will change
more as time flies by, but this should be helpful to the creators of
new storage device drivers.
Reviewed by: phk
large to huge amounts of small or medium sized receive buffers. The problem
with these situations is that they eat up the available DMA address space
very quickly when using mbufs or even mbuf clusters. Additionally this
facility provides a direct mapping between 32-bit integers and these buffers.
This is needed for devices originally designed for 32-bit systems. Ususally
the virtual address of the buffer is used as a handle to find the buffer as
soon as it is returned by the card. This does not work for 64-bit machines
and hence this mapping is needed.
It currently supports the PMC Sierra Lite, Ultra and 622 chips and
the IDT 77105. The driver handles media options and state in a consistent
manner for ATM drivers. The next commit to the midway driver will make
it use utopia.
separate man page. Document new device_is_attached there and remove that
new man page too.
Connect device_get_name to build, and install a link for
device_get_nameunit.
strangely nobody noticed this yet...
o Biba: A data integrity policy
o BSD Extended: Support for the firewall-like access controls (ugidfw(8))
o MLS: Multi-level security, a confidentiality policy
(These files originally lived in src/share/man/man9)
Approved by: re (blanket)
Sponsored by: DARPA, Network Associates Labs
Obtained from: TrustedBSD Project
associated with the TrustedBSD MAC Framework, as well as some credits
to developers and contributors.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
MAKEDEV: Add MAKEDEV glue for the ti(4) device nodes.
ti.4: Update the ti(4) man page to include information on the
TI_JUMBO_HDRSPLIT and TI_PRIVATE_JUMBOS kernel options,
and also include information about the new character
device interface and the associated ioctls.
man9/Makefile: Add jumbo.9 and zero_copy.9 man pages and associated
links.
jumbo.9: New man page describing the jumbo buffer allocator
interface and operation.
zero_copy.9: New man page describing the general characteristics of
the zero copy send and receive code, and what an
application author should do to take advantage of the
zero copy functionality.
NOTES: Add entries for ZERO_COPY_SOCKETS, TI_PRIVATE_JUMBOS,
TI_JUMBO_HDRSPLIT, MSIZE, and MCLSHIFT.
conf/files: Add uipc_jumbo.c and uipc_cow.c.
conf/options: Add the 5 options mentioned above.
kern_subr.c: Receive side zero copy implementation. This takes
"disposable" pages attached to an mbuf, gives them to
a user process, and then recycles the user's page.
This is only active when ZERO_COPY_SOCKETS is turned on
and the kern.ipc.zero_copy.receive sysctl variable is
set to 1.
uipc_cow.c: Send side zero copy functions. Takes a page written
by the user and maps it copy on write and assigns it
kernel virtual address space. Removes copy on write
mapping once the buffer has been freed by the network
stack.
uipc_jumbo.c: Jumbo disposable page allocator code. This allocates
(optionally) disposable pages for network drivers that
want to give the user the option of doing zero copy
receive.
uipc_socket.c: Add kern.ipc.zero_copy.{send,receive} sysctls that are
enabled if ZERO_COPY_SOCKETS is turned on.
Add zero copy send support to sosend() -- pages get
mapped into the kernel instead of getting copied if
they meet size and alignment restrictions.
uipc_syscalls.c:Un-staticize some of the sf* functions so that they
can be used elsewhere. (uipc_cow.c)
if_media.c: In the SIOCGIFMEDIA ioctl in ifmedia_ioctl(), avoid
calling malloc() with M_WAITOK. Return an error if
the M_NOWAIT malloc fails.
The ti(4) driver and the wi(4) driver, at least, call
this with a mutex held. This causes witness warnings
for 'ifconfig -a' with a wi(4) or ti(4) board in the
system. (I've only verified for ti(4)).
ip_output.c: Fragment large datagrams so that each segment contains
a multiple of PAGE_SIZE amount of data plus headers.
This allows the receiver to potentially do page
flipping on receives.
if_ti.c: Add zero copy receive support to the ti(4) driver. If
TI_PRIVATE_JUMBOS is not defined, it now uses the
jumbo(9) buffer allocator for jumbo receive buffers.
Add a new character device interface for the ti(4)
driver for the new debugging interface. This allows
(a patched version of) gdb to talk to the Tigon board
and debug the firmware. There are also a few additional
debugging ioctls available through this interface.
Add header splitting support to the ti(4) driver.
Tweak some of the default interrupt coalescing
parameters to more useful defaults.
Add hooks for supporting transmit flow control, but
leave it turned off with a comment describing why it
is turned off.
if_tireg.h: Change the firmware rev to 12.4.11, since we're really
at 12.4.11 plus fixes from 12.4.13.
Add defines needed for debugging.
Remove the ti_stats structure, it is now defined in
sys/tiio.h.
ti_fw.h: 12.4.11 firmware.
ti_fw2.h: 12.4.11 firmware, plus selected fixes from 12.4.13,
and my header splitting patches. Revision 12.4.13
doesn't handle 10/100 negotiation properly. (This
firmware is the same as what was in the tree previously,
with the addition of header splitting support.)
sys/jumbo.h: Jumbo buffer allocator interface.
sys/mbuf.h: Add a new external mbuf type, EXT_DISPOSABLE, to
indicate that the payload buffer can be thrown away /
flipped to a userland process.
socketvar.h: Add prototype for socow_setup.
tiio.h: ioctl interface to the character portion of the ti(4)
driver, plus associated structure/type definitions.
uio.h: Change prototype for uiomoveco() so that we'll know
whether the source page is disposable.
ufs_readwrite.c:Update for new prototype of uiomoveco().
vm_fault.c: In vm_fault(), check to see whether we need to do a page
based copy on write fault.
vm_object.c: Add a new function, vm_object_allocate_wait(). This
does the same thing that vm_object allocate does, except
that it gives the caller the opportunity to specify whether
it should wait on the uma_zalloc() of the object structre.
This allows vm objects to be allocated while holding a
mutex. (Without generating WITNESS warnings.)
vm_object_allocate() is implemented as a call to
vm_object_allocate_wait() with the malloc flag set to
M_WAITOK.
vm_object.h: Add prototype for vm_object_allocate_wait().
vm_page.c: Add page-based copy on write setup, clear and fault
routines.
vm_page.h: Add page based COW function prototypes and variable in
the vm_page structure.
Many thanks to Drew Gallatin, who wrote the zero copy send and receive
code, and to all the other folks who have tested and reviewed this code
over the years.
some content and layout changes were made.
lock.9 had existed before but was never added to Makefile, so it was
never installed. That is why the duplicate files were created in the
first place.
Reviewed by: ru, alfred
Specifically, document the crshared() function and
fix the prototype and description of the crcopy()
function.
PR: docs/32275
Submitted by: Chad David <davidc@acns.ab.ca>
Reviewed by: jhb
- bus_generic_map_intr.9. This has been undead for more than 3 years
following the changes in rev.1.4 of sys/bus.h.
- CONDSPLASSERT.9, SPLASSERT.9. These have been undead since SMPng.
They were even less useful than most section 9 man pages -- the
interfaces described in them have never been used in the FreeBSD
source tree.
