on all label parsing occuring in userland, and knowledge of the loaded
policies in the user libraries. This revision of the API pushes that
parsing into the kernel, avoiding the need for shared library support
of policies in userland, permitting statically linked binaries (such
as ls, ps, and ifconfig) to use MAC labels. In these API revisions,
high level parsing of the MAC label is done in the MAC Framework,
and interpretation of label elements is delegated to the MAC policy
modules. This permits modules to export zero or more label elements
to user space if desired, and support them in the manner they want
and with the semantics they want. This is believed to be the final
revision of this interface: from the perspective of user applications,
the API has actually not changed, although the ABI has.
Approved by: re
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
__mac_set_link, based on __mac_get_proc() except with a pid,
and __mac_get_file(), __mac_set_file() except that they do
not follow symlinks. First in a series of commits to flesh
out the user API.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
the ffs_copyonwrite routine to avoid a deadlock between the syncer
daemon trying to sync out a snapshot vnode and the bufdaemon
trying to write out a buffer containing the snapshot inode.
With any luck this will be the last snapshot race condition.
Sponsored by: DARPA & NAI Labs.
a full filesystem. Previously, if the allocation failed, we had to
fsync the file before rolling back any partial allocation of indirect
blocks. Most block allocation requests only need to allocate a single
data block and if that allocation fails, there is nothing to unroll.
So, before doing the fsync, we check to see if any rollback will
really be necessary. If none is necessary, then we simply return.
This update eliminates the flurry of disk activity that got triggered
whenever a filesystem would run out of space.
Sponsored by: DARPA & NAI Labs.
locks the mount point directory while waiting for vfs_busy to clear.
Meanwhile the unmount which holds the vfs_busy lock tried to lock
the mount point vnode. The fix is to observe that it is safe for the
unmount to remove the vnode from the mount point without locking it.
The lookup will wait for the unmount to complete, then recheck the
mount point when the vfs_busy lock clears.
Sponsored by: DARPA & NAI Labs.
that works in the new threaded kernel. It was commented out of
the disksort routine earlier this year for the reasons given in
kern/subr_disklabel.c (which is where this code used to reside
before it moved to kern/subr_disk.c):
----------------------------
revision 1.65
date: 2002/04/22 06:53:20; author: phk; state: Exp; lines: +5 -0
Comment out Kirks io-request priority hack until we can do this in a
civilized way which doesn't cause grief.
The problem is that it is not generally safe to cast a "struct bio
*" to a "struct buf *". Things like ccd, vinum, ata-raid and GEOM
constructs bio's which are not entrails of a struct buf.
Also, curthread may or may not have anything to do with the I/O request
at hand.
The correct solution can either be to tag struct bio's with a
priority derived from the requesting threads nice and have disksort
act on this field, this wouldn't address the "silly-seek syndrome"
where two equal processes bang the diskheads from one edge to the
other of the disk repeatedly.
Alternatively, and probably better: a sleep should be introduced
either at the time the I/O is requested or at the time it is completed
where we can be sure to sleep in the right thread.
The sleep also needs to be in constant timeunits, 1/hz can be practicaly
any sub-second size, at high HZ the current code practically doesn't
do anything.
----------------------------
As suggested in this comment, it is no longer located in the disk sort
routine, but rather now resides in spec_strategy where the disk operations
are being queued by the thread that is associated with the process that
is really requesting the I/O. At that point, the disk queues are not
visible, so the I/O for positively niced processes is always slowed
down whether or not there is other activity on the disk.
On the issue of scaling HZ, I believe that the current scheme is
better than using a fixed quantum of time. As machines and I/O
subsystems get faster, the resolution on the clock also rises.
So, ten years from now we will be slowing things down for shorter
periods of time, but the proportional effect on the system will
be about the same as it is today. So, I view this as a feature
rather than a drawback. Hence this patch sticks with using HZ.
Sponsored by: DARPA & NAI Labs.
Reviewed by: Poul-Henning Kamp <phk@critter.freebsd.dk>
Various cleanups, no functional changes:
- Fix a type in an entry point stub, socket checks accept
sockets, not vnodes.
- Trailing whitespace
- Entry point sort order
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
It is never used. I left it there from pre-KSE days as I didn't know
if I'd need it or not but now I know I don't.. It's functionality
is in TDI_IWAIT in the thread.
copy elements of one Biba or MLS label to another based on the flags
on the source label element. Use this instead of
mac_{biba,mls}_{single,range}() to simplify the existing code, as
well as support partial label updates (we don't update if none is
requested).
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
a server process bound to a wildcard UDP socket to select the IP
address from which outgoing packets are sent on a per-datagram
basis. When combined with IP_RECVDSTADDR, such a server process can
guarantee to reply to an incoming request using the same source IP
address as the destination IP address of the request, without having
to open one socket per server IP address.
Discussed on: -net
Approved by: re
to send datagrams from an unconnected socket, we used to first block
input, then connect the socket to the sendmsg/sendto destination,
send the datagram, and finally disconnect the socket and unblock
input.
We now use in_pcbconnect_setup() to check if a connect() would have
succeeded, but we never record the connection in the PCB (local
anonymous port allocation is still recorded, though). The result
from in_pcbconnect_setup() authorises the sending of the datagram
and selects the local address and port to use, so we just construct
the header and call ip_output().
Discussed on: -net
Approved by: re
revert to checking the name to determine if our root device is a ramdisk,
md(4) specifically to determine if we should attempt the root-mount RW
Sponsored by: DARPA & NAI Labs.
policies remains the same: subjects and objects are labeled for
integrity or sensitivity, and a dominance operator determines whether
or not subject/object accesses are permitted to limit inappropriate
information flow. Compartments are a non-hierarchal component to
the label, so add a bitfield to the label element for each, and a
set check as part of the dominance operator. This permits the
implementation of "need to know" elements of MLS.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
range on them, leaving process credentials as the only kernel
objects with label ranges in the Biba and MLS policies. We
weren't using the range in any access control decisions, so this
lets us garbage collect effectively unused code.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
collapse the two cases more cleanly: rather than wrapping an access
check around open, simply provide the open implementation for the
access vector entry. No functional change.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
we just break out some of the tests better. Minor change in that
we now better support incremental update of labels.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
in_pcbconnect() called in_pcbconnect_setup(). This version performs
all of the functions of in_pcbconnect() except for the final
committing of changes to the PCB. In the case of an EADDRINUSE error
it can also provide to the caller the PCB of the duplicate connection,
avoiding an extra in_pcblookup_hash() lookup in tcp_connect().
This change will allow the "temporary connect" hack in udp_output()
to be removed and is part of the preparation for adding the
IP_SENDSRCADDR control message.
Discussed on: -net
Approved by: re
and save/restore during a context switch.
The USER_SR could be overwritten when the current thread was switched
out with a faulting copyin/copyout.
Approved by: Benno
instead of the default biba/high, mls/low, making it easier to use
ptys with these policies. This isn't the final solution, but does
help.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
pointer to a dumperinfo instead of di. A brainfart, surely. This
bug went unnoticed for all this time because the pointer is only
used by buf_write() when it can write a completely filled buffer
to the dump device. This depends on the number of memory chunks
that needs to be dumped. This has apparently been low enough that
it has never happened up until this point.
contents. The code was subtracting two unsigned ints, stored the
result in a log and expected it to be the same as of a signed
subtraction; this does only work on platforms where int and long
have the same size (due to overflows).
Instead, cast to long before the subtraction; the numbers are
guaranteed to be small enough so that there will be no overflows
because of that.
Remove the never completed _IP_VHL version, it has not caught on
anywhere and it would make us incompatible with other BSD netstacks
to retain this version.
Add a CTASSERT protecting sizeof(struct ip) == 20.
Don't let the size of struct ipq depend on the IPDIVERT option.
This is a functional no-op commit.
Approved by: re
creation by GCC-2.6.3. Casting pointers to unsigned char
to volatile pointers to unsigned char seemed to produce
better results on the ia32 architecture with old versions
of GCC.
The current FreeBSD system compiler GCC-3.2.1 emits
better sign extension code for non-volatile variables:
volatile char c;
int i = c;
is compiled to:
...
movb -1(%ebp), %al
movbsl %al, %eax
movl %eax, -8(%ebp)
...
char c;
int i = c;
is compiled to:
...
movbsl -1(%ebp), %eax
movl %eax, -8(%ebp)
...
The same holds for zero-extension of dereferenced pointers
to volatile unsigned char.
When compiled on alpha or sparc64, the code produced for the
two examples above does not differ.
labeling checks and operations as with other network interfaces.
Eventually, if it proves desirable, we might want to offer special
casing of this or other tunnel interfaces where we have an existing
label of interest, rather than treating it as though it's an
entirely fresh mbuf in the incoming/outgoing encapsulation directions.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
transmission checks; when it is received, label the packet appropriately.
Although we don't have a local FDDI setup to test this with, the
labeling and checks are identical to other interface classes.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
appropriate interface transmission checks and delivery labeling. While
we don't have a local ATM configuration, this code is almost identical
to all other interface classes.
Approved by: re
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
_POSIX_MAC_PRESENT based on available mount flags, if the services are
available.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
called in_pcbbind_setup() that does everything except commit the
changes to the PCB. There should be no functional change here, but
in_pcbbind_setup() will be used by the soon-to-appear IP_SENDSRCADDR
control message implementation to check or allocate the source
address and port.
Discussed on: -net
Approved by: re
mutex-friendly vm_page_sleep_if_busy().
- Introduce page queue locking in pmap_page_lookup() and
pmap_release_free_page().
- Simplify the invalidation of the pmap's ptphint in
pmap_release_free_page(). (MFi386 pmap.c revision 1.362.)
don't take the detour over the I/O path to discover them using getattr(),
we can just pick them out directly.
Do note though, that for now they are only valid after the first open
of the underlying disk device due compatibility with the old disk_create()
API. This will change in the future so they will always be valid.
Sponsored by: DARPA & NAI Labs.
as sparc64/sparc64/dump_machdep.c a while back).
Other than ia64 (which uses ELF), sparc64 uses a homegrown format for
the dumps (headers are required because the physical address and size of
the tsb must be noted, and because physical memory may be discontiguous);
ELF would not offer any advantages here.
Reviewed by: jake
for defining vectors. As a result, each vector will be a global
function with unwind directives to notify the unwinder that we're
in an interrupt handler. In the debugger this will show up something
like:
Debugger(0xe000000000a211d8, 0xe000000000748960) at Debugger+0x31
panic(0xe000000000a36858, 0xe0000000021d32d0, 0xe000000000ae42e8, ...
trap(0x14, 0x100000, 0xe0000000021d32d0, 0x0, 0xa0000000002095f0, ...
ivt_Data_TLB(0x14, 0x100000, 0xe0000000021d32d0) at ivt_Data_TLB+0x1f0
compile fail. MAC_MAX_POLICIES should always be defined, or we have
bigger problems at hand.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
This is for the not-quite-ready signal/fpu abi stuff. It may not see
the light of day, but I'm certainly not going to be able to validate it
when getting shot in the foot due to syscall number conflicts.
caller to indicate that MAC checks are not required for the lookup.
Similar to IO_NOMACCHECK for vn_rdwr(), this indicates that the caller
has already performed all required protections and that this is an
internally generated operation. This will be used by the NFS server
code, as we don't currently enforce MAC protections against requests
delivered via NFS.
While here, add NOCROSSMOUNT to PARAMASK; apparently this was used at
one point for name lookup flag checking, but isn't any longer or it
would have triggered from the NFS server code passing it to indicate
that mountpoints shouldn't be crossed in lookups.
Approved by: re
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
execve_secure() system call, which permits a process to pass in a label
for a label change during exec. This permits SELinux to change the
label for the resulting exec without a race following a manual label
change on the process. Because this interface uses our general purpose
MAC label abstraction, we call it execve_mac(), and wrap our port of
SELinux's execve_secure() around it with appropriate sid mappings.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
unregister. Under some obscure (perhaps demented) circumstances,
this can result in a panic if a policy is unregistered, and then someone
foolishly unregisters it again.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
creation, deletion, and rename. There are one or two other stray
cases I'll catch in follow-up commits (such as unix domain socket
creation); this permits MAC policy modules to limit the ability to
perform these operations based on existing UNIX credential / vnode
attributes, extended attributes, and security labels. In the rename
case using MAC, we now have to lock the from directory and file
vnodes for the MAC check, but this is done only in the MAC case,
and the locks are immediately released so that the remainder of the
rename implementation remains the same. Because the create check
takes a vattr to know object type information, we now initialize
additional fields in the VATTR passed to VOP_SYMLINK() in the MAC
case.
Approved by: re
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
by using the linker hooks. Since these hooks are called for the
kernel as well, we don't need to deal with that with a special
SYSINIT. The initialization implicitly performed on the first
update of the unwind information is made explicit with a SYSINIT.
We now don't need the _ia64_unwind_{start|end} symbols.
The primary reason for this is to allow MD code to process machine
specific attributes, segments or sections in the ELF file and
update machine specific state accordingly. An immediate use of this
is in the ia64 port where unwind information is updated to allow
debugging and tracing in/across modules. Note that this commit
does not add the functionality to the ia64 port. See revision 1.9
of ia64/ia64/elf_machdep.c.
Validated on: alpha, i386, ia64
link_elf_init(), link_elf_link_preload_finish() and
link_elf_load_file() to link_elf_link_common_finish().
Since link_elf_init() did initializations as a side-effect
of doing the common actions, keep the initialization in
that function. Consequently, link_elf_add_gdb() is now also
called to insert the very first link_map() (ie the kernel).
Move link_elf_add_gdb(), link_elf_delete_gdb() and link_elf_error()
near the top of the file. The *_gdb() functions are moved inside
the #ifdef DDB already present there.
on-write (COW) mechanism. (This mechanism is used by the zero-copy
TCP/IP implementation.)
- Extend the scope of the page queues lock in vm_fault()
to cover vm_page_cowfault().
- Modify vm_page_cowfault() to release the page queues lock
if it sleeps.
This is an encryption module designed for to secure denial of access
to the contents of "cold disks" with or without destruction activation.
Major features:
* Based on AES, MD5 and ARC4 algorithms.
* Four cryptographic barriers:
1) Pass-phrase encrypts the master key.
2) Pass-phrase + Lock data locates master key.
3) 128 bit key derived from 2048 bit master key protects sector key.
3) 128 bit random single-use sector keys protect data payload.
* Up to four different changeable pass-phrases.
* Blackening feature for provable destruction of master key material.
* Isotropic disk contents offers no information about sector contents.
* Configurable destination sector range allows steganographic deployment.
This commit adds the kernel part, separate commits will follow for the
userland utility and documentation.
This software was developed for the FreeBSD Project by Poul-Henning Kamp and
NAI Labs, the Security Research Division of Network Associates, Inc. under
DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the DARPA CHATS
research program.
Many thanks to Robert Watson, CBOSS Principal Investigator for making this
possible.
Sponsored by: DARPA & NAI Labs.
ACL configuration changes, this shouldn't result in different code paths
for file systems not explicitly configured for ACLs by the system
administrator. For UFS1, administrators must still recompile their
kernel to add support for extended attributes; for UFS2, it's sufficient
to enable ACLs using tunefs or at mount-time (tunefs preferred for
reliability reasons). UFS2, for a variety of reasons, including
performance and reliability, is the preferred file system for use with
ACLs.
Approved by: re
without -Werror, we do "make WERROR=", which doesn't need this
variable.
- Use ${.IMPSRC} instead of $< in ${NORMAL_M} for consistency with
the rest of the file.
- Add ${WERROR} for the ${NORMAL_M} case.
Tested on: i386, sparc64
cannot allocate ef->object, we freed ef before bailing out with
an error. This is wrong because ef=lf and when we have an error
and lf is non-NULL (which holds if we try to alloc ef->object),
we free lf and thus ef as part of the bailing-out.
of a file in chunks that are less then the filesystem block size, if the
data is not already cached the system will perform a read-before-write.
The problem is that it does this on a block-by-block basis, breaking up the
I/Os and making clustering impossible for the writes. Programs such
as INN using cyclic file buffers suffer greatly. This problem is only going
to get worse as we use larger and larger filesystem block sizes.
The solution is to extend the sequential heuristic so UFS[2] can perform
a far larger read and readahead when dealing with this case.
(note: maximum disk write bandwidth is 27MB/sec thru filesystem)
(note: filesystem blocksize in test is 8K (1K frag))
dd if=/dev/zero of=test.dat bs=1k count=2m conv=notrunc
Before: (note half of these are reads)
tty da0 da1 acd0 cpu
tin tout KB/t tps MB/s KB/t tps MB/s KB/t tps MB/s us ni sy in id
0 76 14.21 598 8.30 0.00 0 0.00 0.00 0 0.00 0 0 7 1 92
0 76 14.09 813 11.19 0.00 0 0.00 0.00 0 0.00 0 0 9 5 86
0 76 14.28 821 11.45 0.00 0 0.00 0.00 0 0.00 0 0 8 1 91
After: (note half of these are reads)
tty da0 da1 acd0 cpu
tin tout KB/t tps MB/s KB/t tps MB/s KB/t tps MB/s us ni sy in id
0 76 63.62 434 26.99 0.00 0 0.00 0.00 0 0.00 0 0 18 1 80
0 76 63.58 424 26.30 0.00 0 0.00 0.00 0 0.00 0 0 17 2 82
0 76 63.82 438 27.32 0.00 0 0.00 0.00 0 0.00 1 0 19 2 79
Reviewed by: mckusick
Approved by: re
X-MFC after: immediately (was heavily tested in -stable for 4 months)
* Change atapi-cd ioctls to use the same units.
* Change burncd, cdcontrol to convert CDROM speed to KB/sec before
calling the ioctl. Add a "max" speed option for their command lines.
This change does not break ABI but does change the units passed through
the ioctl so 3rd party software that uses cdrio.h will have to convert
(most likely by multiplying CDROM speed by 177 to get KB/s).
PR: kern/36845
Submitted by: Philipp Mergenthaler <p@i609a.hadiko.de> (CAM ioctls)
Reviewed by: sos, ken
MFC after: 1 month
In the 'found' case for ext2_lookup() the underlying bp's data was
being accessed after the bp had been releaed. A simple move of the
brelse() solves the problem.
The PR reports that this caused panics running the GDB testsuite unless
NO_GEOM is configured.
PR: 44060
Reported by: Mark Kettenis <kettenis@chello.nl>
MFC after: 3 days
changes for "LSILogic"
(2) enabled non-disk support through CAM interface
(3) HA_INQ (a) enabled tagged queuing (b) disable reset during
driver loading (b) renamed BSDi string to LSI
(4) disabled detecting disk devices during SCSI INQUIRY
(5) changed dcdb single element sglist to send one entire buffer chunk
(6) nsgelem not set in sglist
(7) ap_data_transfer_length not set for dcdb
(8) changed "struct thread" to "d_thread_t" for compatibliity { xxx_open,
xxx_close, xxx_ioctl }
(9) miscellaneous compatiblity fixes
(10) bug fix for 0x0409/0x1000 card
(11) added compiling amr_cam.c in sys/conf/files
(12) added compiling amr_cam.c in sys/modules/amr/Makefile
Reviewed by:ps
MFC after:1 week
1 week
is required to use EAs with UFS2, and that UFS2 is recommend for EA use
for a variety of reasons.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
note that UFS2 doesn't require explicit extended attribute configuration,
and is recommends for this and other reasons if you plan to use ACLs.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
be no major change in performance from this change at this time but this
will allow other work to progress: Giant lock removal around VM system
in favor of per-object mutexes, ranged fsyncs, more optimal COMMIT rpc's for
NFS, partial filesystem syncs by the syncer, more optimal object flushing,
etc. Note that the buffer cache is already using a similar splay tree
mechanism.
Note that a good chunk of the old hash table code is still in the tree.
Alan or I will remove it prior to the release if the new code does not
introduce unsolvable bugs, else we can revert more easily.
Submitted by: alc (this is Alan's code)
Approved by: re
Requested by: Most developers
Apologies to: Most developers, with special note to <ken@kdm.org>
Collabroation in the future with: Kenneth D. Merry <ken@kdm.org>
into memory. This brings us in line with the other architectures and
more easily allows us to do machine dependent processing on the ELF
file (such as scanning for unwind information).
to help clean up. After selecting a potential buffer to write, this
patch has it acquire a lock on the vnode that owns the buffer before
trying to write it. The vnode lock is necessary to avoid a race with
some other process holding the vnode locked and trying to flush its
dirty buffers. In particular, if the vnode in question is a snapshot
file, then the race can lead to a deadlock. To avoid slowing down the
buf_daemon, it does a non-blocking lock request when trying to lock
the vnode. If it fails to get the lock it skips over the buffer and
continues down its queue looking for buffers to flush.
Sponsored by: DARPA & NAI Labs.
(sizeof(destination_buffer) - 1) bytes into the destination buffer.
This was not harmful because they currently both provide space for
(MAXCOMLEN + 1) bytes.
bits that might be set in the firmware tte data field, and set the soft
flag TD_EXEC to mark the page executable. Failing to do the latter would
cause fatal instruction faults in the prom in certain situations.
Reviewed by: jake
linked in the kernel. When this condition is detected deep in the linker
internals the EEXIST error code that's returned is stomped on and instead
an ENOEXEC code is returned. This makes apps like sysinstall bitch.
the path including the terminating NUL character from
`struct sockaddr_un' rather than SOCK_MAXADDRLEN bytes.
- Use strlcpy() instead of strncpy() to copy strings.
2. Update a comment. We now restore much more than RTC updates and
interrupts.
3. Order change. Stop interrupts by writing to RTC_STATUSB,
restore rate bits for the interrupts by writing to RTC_STATUSA,
then enable interrupts again.
This seems to be done perfectly backwards in startrtclock().
Otherwise, the idea for this change was obtained from
startrtclock().
4. Don't stop the clock (RTCB_HALT). We only program some control bits
and don't want to stop the clock.
5. (Not really related.) Add caveats to the comment about timer_restore().
The update is non-atomic since locking is not done.
On locking:
6. rtcin() and writertc() are locked() adequately by splhigh() in RELENG_4,
but this locking is null in -current.
7. Doing things in the correct order in (3) combined with (6) is probably
enough locking for rtcrestore() in RELENG_4. In -current, the
writertc()'s race with rtcintr() unless the BIOS disables RTC interrupts.
Submitted by: bde (including commit message)
MFC after: 1 week
needed to be quoted (to get a C string literal), not the value itself.
Fixed the value of SC_CUT_SEPCHARS. Setting this value would have had no
effect even if it were used, since the value was the same as the default.
The above bugs had no effect except to set bad examples, since test
coverage of SC_CUT_SEPCHARS is broken by enabling a negative option.
Removed (unquoted) double quotes for all options. They were all bogus
since they had no effect except to make non-strings look like strings.
Most of the non-strings were expressions. The value of INIT_PATH is
a non-string since it is stringified later (unlike SC_CUT_SEPCHARS).
Fixed parenthesization errors inside bogus quotes (parenthesize values
if they have more than one token in them but don't parenthesize single
tokens).
contiguous space was being allocated from the clust_map
instead of the mbuf_map as the comments indicated. This resulted in
some address space wastage in mbuf_map.
Submitted by: Rohit Jalan <rohjal@yahoo.co.in>
- set IFF_UP on SIOCSIFADDR. be consistent with others.
- set if_addrlen explicitly (just in case)
- multi destination mode is long gone.
- missing break statement
- add gif_set_tunnel(), so that we can set tunnel address from within the
kernel at ease.
- encap_attach/detach dynamically on ioctls
- move encap_attach() to dedicated function in in*_gif.c
Obtained from: KAME
MFC after: 3 weeks
recognized compat properties. This should make the psycho driver attach
properly on SPARCengine Ultra AX machines.
Switch to a table-driven logic to recognize the ID's, since their number
is now large enough to justify this.
These changes are analogous to those made in NetBSD r.1.35, but
implemented a bit differently.
In that case use proc0's pid to return the thread ID.
- For 4-stable, use the generic swi taskqueue for ACPI events rather than
implementing our own.
Sponsored by: The Weather Channel
supposed to be checked by the firewall rules twice. However, because the
various ipsec handlers never call ip_input(), this never happens anyway.
This fixes the situation where a gif tunnel is encrypted with IPsec. In
such a case, after IPsec processing, the unencrypted contents from the
GIF tunnel are fed back to the ipintrq and subsequently handeld by
ip_input(). Yet, since there still is IPSec history attached, the
packets coming out from the gif device are never fed into the filtering
code.
This fix was sent to Itojun, and he pointed towartds
http://www.netbsd.org/Documentation/network/ipsec/#ipf-interaction.
This patch actually implements what is stated there (specifically:
Packet came from tunnel devices (gif(4) and ipip(4)) will still
go through ipf(4). You may need to identify these packets by
using interface name directive in ipf.conf(5).
Reviewed by: rwatson
MFC after: 3 weeks
configuration stuff as well as conditional code in the IPv4 and IPv6
areas. Everything is conditional on FAST_IPSEC which is mutually
exclusive with IPSEC (KAME IPsec implmentation).
As noted previously, don't use FAST_IPSEC with INET6 at the moment.
Reviewed by: KAME, rwatson
Approved by: silence
Supported by: Vernier Networks
from the KAME IPsec implementation, but with heavy borrowing and influence
of openbsd. A key feature of this implementation is that it uses the kernel
crypto framework to do all crypto work so when h/w crypto support is present
IPsec operation is automatically accelerated. Otherwise the protocol
implementations are rather differet while the SADB and policy management
code is very similar to KAME (for the moment).
Note that this implementation is enabled with a FAST_IPSEC option. With this
you get all protocols; i.e. there is no FAST_IPSEC_ESP option.
FAST_IPSEC and IPSEC are mutually exclusive; you cannot build both into a
single system.
This software is well tested with IPv4 but should be considered very
experimental (i.e. do not deploy in production environments). This software
does NOT currently support IPv6. In fact do not configure FAST_IPSEC and
INET6 in the same system.
Obtained from: KAME + openbsd
Supported by: Vernier Networks
o instead of a list of mbufs use a list of m_tag structures a la openbsd
o for netgraph et. al. extend the stock openbsd m_tag to include a 32-bit
ABI/module number cookie
o for openbsd compatibility define a well-known cookie MTAG_ABI_COMPAT and
use this in defining openbsd-compatible m_tag_find and m_tag_get routines
o rewrite KAME use of aux mbufs in terms of packet tags
o eliminate the most heavily used aux mbufs by adding an additional struct
inpcb parameter to ip_output and ip6_output to allow the IPsec code to
locate the security policy to apply to outbound packets
o bump __FreeBSD_version so code can be conditionalized
o fixup ipfilter's call to ip_output based on __FreeBSD_version
Reviewed by: julian, luigi (silent), -arch, -net, darren
Approved by: julian, silence from everyone else
Obtained from: openbsd (mostly)
MFC after: 1 month
a common lock. This change avoids a deadlock between snapshots when
separate requests cause them to deadlock checking each other for a
need to copy blocks that are close enough together that they fall
into the same indirect block. Although I had anticipated a slowdown
from contention for the single lock, my filesystem benchmarks show
no measurable change in throughput on a uniprocessor system with
three active snapshots. I conjecture that this result is because
every copy-on-write fault must check all the active snapshots, so
the process was inherently serial already. This change removes the
last of the deadlocks of which I am aware in snapshots.
Sponsored by: DARPA & NAI Labs.
of KBDIO_DEBUG which may be defined in the kernel config (as it is in NOTES).
This kind of bug is a _really_ horribly thing as we end up with one bit
of code thinking a particular structure is 136 bytes and another that it
is only 112 bytes.
Ideally all places would remember to #include the right "opt_foo.h" file,
but I think in practice file containing the variable sized struct should
#include it explicitly as a precaution.
Detected by: FlexeLint
to be administratively disabled as needed on UFS/UFS2 file systems. This
also has the effect of preventing the slightly more expensive ACL code
from running on non-ACL file systems, avoiding storage allocation for
ACLs that may be read from disk. MNT_ACLS may be set at mount-time
using mount -o acls, or implicitly by setting the FS_ACLS flag using
tunefs. On UFS1, you may also have to configure ACL store.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
automatically set MNT_MULTILABEL in the mount flags.
If FS_ACLS is set in a UFS or UFS2 superblock, automatically
set MNT_ACLS in the mount flags.
If either of these flags is set, but the appropriate kernel option
to support the features associated with the flag isn't available,
then print a warning at mount-time.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
Ignoring a NULL dev in device_set_ivars() sounds wrong, KASSERT it to
non-NULL instead.
Do the same for device_get_ivars() for reasons of symmetry, though
it probably would have yielded a panic anyway, this gives more precise
diagnostics.
Absentmindedly nodded OK to by: jhb
were improperly relocated due to faulty logic in lookup_fdesc()
in elf_machdep.c. The symbol index (symidx) was bogusly used for
load modules other than the one the relocation applied to. This
resulted in bogus bindings and consequently runtime failures.
The fix is to use the symbol index only for the module being
relocated and to use the symbol name for look-ups in the
modules in the dependent list. As such, we need a function to
return the symbol name given the linker file and symbol index.
processes forked with RFTHREAD.
- Use a goto to a label for common code when exiting from fork1() in case
of an error.
- Move the RFTHREAD linkage setup code later in fork since the ppeers_lock
cannot be locked while holding a proc lock. Handle the race of a task
leader exiting and killing its peers while a peer is forking a new child.
In that case, go ahead and let the peer process proceed normally as the
parent is about to kill it. However, the task leader may have already
gone to sleep to wait for the peers to die, so the new child process may
not receive a SIGKILL from the task leader. Rather than try to destruct
the new child process, just go ahead and send it a SIGKILL directly and
add it to the p_peers list. This ensures that the task leader will wait
until both the peer process doing the fork() and the new child process
have received their KILL signals and exited.
Discussed with: truckman (earlier versions)
homerolling our own version.
- Rename the enum for memsize from ISA_IVAR_MSIZE to ISA_IVAR_MEMSIZE
since using 'MSIZE' in the macro invocation of ISA_ACCESSOR() conflicts
with the 'MSIZE' kernel option. The accessor function is still
isa_get_msize().
or fifo in UFS2, the normal ufs_strategy routine needs to be used
rather than the spec_strategy or fifo_strategy routine. Thus the
ffsext_strategy routine is interposed in the ffs_vnops vectors for
special devices and fifo's to pick off this special case. Otherwise
it simply falls through to the usual spec_strategy or fifo_strategy
routine.
Submitted by: Robert Watson <rwatson@FreeBSD.org>
Sponsored by: DARPA & NAI Labs.
It must be removed because it is done without the pipe being locked
via pipelock() and therefore is vulnerable to races with pipespace()
erroneously triggering it by temporarily zero'ing out the structure
backing the pipe.
It looks as if this assertion is not needed because all manipulation
of the data changed by pipespace() _is_ protected by pipelock().
Reported by: kris, mckusick
if failures occur, make sure that we release both the default ACL
and access ACL storage during new object creation.
Spotted by: phk and his pet flexelint
Sponsored by: DARPA, Network Associates Laboratories
be sure to exit the loop with vp == NULL if no candidates are found.
Formerly, this bug would cause the last vnode inspected to be used,
even if it was not available. The result was a panic "vn_finished_write:
neg cnt".
Sponsored by: DARPA & NAI Labs.
vclean() function (e.g., vp->v_vnlock = &vp->v_lock) rather
than requiring filesystems that use alternate locks to do so
in their vop_reclaim functions. This change is a further cleanup
of the vop_stdlock interface.
Submitted by: Poul-Henning Kamp <phk@critter.freebsd.dk>
Sponsored by: DARPA & NAI Labs.
This is most beneficial for vmware client os installs.
Reviewed by: jmallet, iedowse, tlambert2@mindspring.com
MFC After: never, -STABLE does not currently use this instruction
used by UFS to administratively enable support for extended ACLs.
While I'm here, remove MNT_MULTILABEL from the list of file system
flags we permit to be updated after the initial mount.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
FS_ACLS Administrative enable/disable of extended ACL support
FS_MULTILABEL Administrative flag to indicate to the MAC Framework
that objects in the file system are individually
labeled using extended attributes.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
Reviewed by: (in principal) mckusick, phk
constants in scope, C90 does not; so, add namespace visibility
conditionals to SIG*.
2) Define the extended __sighandler_t type only in BSD namespace.
3) Don't forward declare a struct for a prototype in <signal.h>.
4) Move location of SIG_* constants.
5) Move a forward declare into the correct namespace conditional.
Requested by: bde (1)
Submitted by: bde (2 thru 5)
