Commit Graph

559 Commits

Author SHA1 Message Date
Robert Watson
387d2c036b o Centralize inter-process access control, introducing:
int p_can(p1, p2, operation, privused)

  which allows specification of subject process, object process,
  inter-process operation, and an optional call-by-reference privused
  flag, allowing the caller to determine if privilege was required
  for the call to succeed.  This allows jail, kern.ps_showallprocs and
  regular credential-based interaction checks to occur in one block of
  code.  Possible operations are P_CAN_SEE, P_CAN_SCHED, P_CAN_KILL,
  and P_CAN_DEBUG.  p_can currently breaks out as a wrapper to a
  series of static function checks in kern_prot, which should not
  be invoked directly.

o Commented out capabilities entries are included for some checks.

o Update most inter-process authorization to make use of p_can() instead
  of manual checks, PRISON_CHECK(), P_TRESPASS(), and
  kern.ps_showallprocs.

o Modify suser{,_xxx} to use const arguments, as it no longer modifies
  process flags due to the disabling of ASU.

o Modify some checks/errors in procfs so that ENOENT is returned instead
  of ESRCH, further improving concealment of processes that should not
  be visible to other processes.  Also introduce new access checks to
  improve hiding of processes for procfs_lookup(), procfs_getattr(),
  procfs_readdir().  Correct a bug reported by bp concerning not
  handling the CREATE case in procfs_lookup().  Remove volatile flag in
  procfs that caused apparently spurious qualifier warnigns (approved by
  bde).

o Add comment noting that ktrace() has not been updated, as its access
  control checks are different from ptrace(), whereas they should
  probably be the same.  Further discussion should happen on this topic.

Reviewed by:	bde, green, phk, freebsd-security, others
Approved by:	bde
Obtained from:	TrustedBSD Project
2000-08-30 04:49:09 +00:00
Robert Watson
012c643d3e o Restructure vaccess() so as to check for DAC permission to modify the
object before falling back on privilege.  Make vaccess() accept an
  additional optional argument, privused, to determine whether
  privilege was required for vaccess() to return 0.  Add commented
  out capability checks for reference.  Rename some variables to make
  it more clear which modes/uids/etc are associated with the object,
  and which with the access mode.
o Update file system use of vaccess() to pass NULL as the optional
  privused argument.  Once additional patches are applied, suser()
  will no longer set ASU, so privused will permit passing of
  privilege information up the stack to the caller.

Reviewed by:	bde, green, phk, -security, others
Obtained from:	TrustedBSD Project
2000-08-29 14:45:49 +00:00
Poul-Henning Kamp
a481b90b82 Fix panic when removing open device (found by bp@)
Implement subdirs.
 Build the full "devicename" for cloning functions.
 Fix panic when deleted device goes away.
 Collaps devfs_dir and devfs_dirent structures.
 Add proper cloning to the /dev/fd* "device-"driver.
 Fix a bug in make_dev_alias() handling which made aliases appear
  multiple times.
 Use devfs_clone to implement getdiskbyname()
 Make specfs maintain the stat(2) timestamps per dev_t
2000-08-24 15:36:55 +00:00
Poul-Henning Kamp
3f54a085a6 Remove all traces of Julians DEVFS (incl from kern/subr_diskslice.c)
Remove old DEVFS support fields from dev_t.

  Make uid, gid & mode members of dev_t and set them in make_dev().

  Use correct uid, gid & mode in make_dev in disk minilayer.

  Add support for registering alias names for a dev_t using the
  new function make_dev_alias().  These will show up as symlinks
  in DEVFS.

  Use makedev() rather than make_dev() for MFSs magic devices to prevent
  DEVFS from noticing this abuse.

  Add a field for DEVFS inode number in dev_t.

  Add new DEVFS in fs/devfs.

  Add devfs cloning to:
        disk minilayer (ie: ad(4), sd(4), cd(4) etc etc)
        md(4), tun(4), bpf(4), fd(4)

  If DEVFS add -d flag to /sbin/inits args to make it mount devfs.

  Add commented out DEVFS to GENERIC
2000-08-20 21:34:39 +00:00
Poul-Henning Kamp
e39c53eda5 Centralize the canonical vop_access user/group/other check in vaccess().
Discussed with: bde
2000-08-20 08:36:26 +00:00
Poul-Henning Kamp
39f70682ae Introduce vop_stdinactive() and make it the default if no vop_inactive
is declared.

Sort and prune a few vop_op[].
2000-08-18 10:01:02 +00:00
Sheldon Hearn
1b2fbe6ff9 Rename the loadable nullfs kernel module: null -> nullfs 2000-07-28 11:54:09 +00:00
Poul-Henning Kamp
f4bac0e6c6 Remove stale, unused and bogus root device hunting code. 2000-07-27 18:18:47 +00:00
Kirk McKusick
9b97113391 This patch corrects the first round of panics and hangs reported
with the new snapshot code.

Update addaliasu to correctly implement the semantics of the old
checkalias function. When a device vnode first comes into existence,
check to see if an anonymous vnode for the same device was created
at boot time by bdevvp(). If so, adopt the bdevvp vnode rather than
creating a new vnode for the device. This corrects a problem which
caused the kernel to panic when taking a snapshot of the root
filesystem.

Change the calling convention of vn_write_suspend_wait() to be the
same as vn_start_write().

Split out softdep_flushworklist() from softdep_flushfiles() so that
it can be used to clear the work queue when suspending filesystem
operations.

Access to buffers becomes recursive so that snapshots can recursively
traverse their indirect blocks using ffs_copyonwrite() when checking
for the need for copy on write when flushing one of their own indirect
blocks. This eliminates a deadlock between the syncer daemon and a
process taking a snapshot.

Ensure that softdep_process_worklist() can never block because of a
snapshot being taken. This eliminates a problem with buffer starvation.

Cleanup change in ffs_sync() which did not synchronously wait when
MNT_WAIT was specified. The result was an unclean filesystem panic
when doing forcible unmount with heavy filesystem I/O in progress.

Return a zero'ed block when reading a block that was not in use at
the time that a snapshot was taken. Normally, these blocks should
never be read. However, the readahead code will occationally read
them which can cause unexpected behavior.

Clean up the debugging code that ensures that no blocks be written
on a filesystem while it is suspended. Snapshots must explicitly
label the blocks that they are writing during the suspension so that
they do not cause a `write on suspended filesystem' panic.

Reorganize ffs_copyonwrite() to eliminate a deadlock and also to
prevent a race condition that would permit the same block to be
copied twice. This change eliminates an unexpected soft updates
inconsistency in fsck caused by the double allocation.

Use bqrelse rather than brelse for buffers that will be needed
soon again by the snapshot code. This improves snapshot performance.
2000-07-24 05:28:33 +00:00
Kirk McKusick
f2a2857bb3 Add snapshots to the fast filesystem. Most of the changes support
the gating of system calls that cause modifications to the underlying
filesystem. The gating can be enabled by any filesystem that needs
to consistently suspend operations by adding the vop_stdgetwritemount
to their set of vnops. Once gating is enabled, the function
vfs_write_suspend stops all new write operations to a filesystem,
allows any filesystem modifying system calls already in progress
to complete, then sync's the filesystem to disk and returns. The
function vfs_write_resume allows the suspended write operations to
begin again. Gating is not added by default for all filesystems as
for SMP systems it adds two extra locks to such critical kernel
paths as the write system call. Thus, gating should only be added
as needed.

Details on the use and current status of snapshots in FFS can be
found in /sys/ufs/ffs/README.snapshot so for brevity and timelyness
is not included here. Unless and until you create a snapshot file,
these changes should have no effect on your system (famous last words).
2000-07-11 22:07:57 +00:00
Poul-Henning Kamp
b7ffb34243 Pull the rug under block mode devices. they return ENXIO on open(2) now. 2000-07-03 13:48:37 +00:00
Chris Costello
726bd7bebf fdesc_getattr:
Don't fake any file types, just set vap->va_type to IFTOVT(stb.st_mode).
  If something does not report its mode, vap->va_type is set to VNON
  accordingly.
2000-06-28 19:18:25 +00:00
Alfred Perlstein
974c7068d7 by changing the logic here we can support dynamic additions of new
filetypes.

Reviewed by: green
2000-06-27 22:46:35 +00:00
Alfred Perlstein
70cb8de9ba if there are leading zeros fail the lookup
Pointed out by: Alexander Viro <viro@math.psu.edu>
2000-06-27 21:37:17 +00:00
Chris Costello
04e58856a6 Rename the VRXEC' macro used to clear read and exec bits to FDRX' so
as not to impede upon VFS namespace.
2000-06-20 20:34:11 +00:00
Poul-Henning Kamp
a2e7a027a7 Virtualizes & untangles the bioops operations vector.
Ref: Message-ID: <18317.961014572@critter.freebsd.dk> To: current@
2000-06-16 08:48:51 +00:00
Chris Costello
0b1574bd33 Remove unused include <sys/socketvar.h>. 2000-06-15 20:13:51 +00:00
Chris Costello
3b5ec07347 Replace vattr_null() with VATTR_NULL() and do not explicity set vattr
fields to VNOVAL afterwards.
2000-06-15 17:19:22 +00:00
Jonathan M. Bresler
caea99a368 before this commit, specfs reported disk partitions
using decimal major and minor numbers.  "ls -l" reports
	disk partitions using decimal major numbers and hex
	minor numbers.

	make specfs use decimal major numbers and hex minor numbers,
	just like "ls -l"
2000-06-12 10:20:18 +00:00
Chris Costello
f574046378 Instead of completely disallowing VOP_SETATTR, just do it where there is
an underlying vnode.

Suggested by:	bde
2000-06-06 00:35:39 +00:00
Chris Costello
c1e15e06bb Update the comment for fdesc_setattr to reflect that we no longer
actually setattr() on underlying vnodes.
2000-06-02 07:08:18 +00:00
Chris Costello
908a81d424 - Do not allow VOP_SETATTR to modify underlying vnodes at all. This caused
problems when fetch(1) was passed `-o -'.  The rationale of this change
  is that applications attempting to change underlying vnodes for /dev/fd
  nodes are improperly written and the use of this interface should not
  ever have been encouraged.  Proper alternatives are fchmod, fchown and
  others.

  PR:		18952

- Remove stale, unused fdescnode->fd_link structure member.
2000-06-02 07:02:45 +00:00
Jake Burkholder
e39756439c Back out the previous change to the queue(3) interface.
It was not discussed and should probably not happen.

Requested by:		msmith and others
2000-05-26 02:09:24 +00:00
Jake Burkholder
740a1973a6 Change the way that the queue(3) structures are declared; don't assume that
the type argument to *_HEAD and *_ENTRY is a struct.

Suggested by:	phk
Reviewed by:	phk
Approved by:	mdodd
2000-05-23 20:41:01 +00:00
Chris Costello
38edb6a32f Adapt fdesc to be mounted on /dev/fd and remove fd, stdin, stdout and
stderr nodes.  More specific items of this patch:
  o Removed support for symbolic links, and the need for
    fdesc_readlink().
  o Put all the code from fdesc_attr() into fdesc_getattr() and removed
    fdesc_attr().  This also made it easier to properly give all nodes
    unique inode numbers.
  o The removal of all non-fd nodes allowed the removal of the fdesc_read(),
    fdesc_write(), and fdesc_ioctl() nodes, since we no longer have nodes
    that get special handling.
  o Correct the component name validity-checking in fdesc_lookup().  It
    previously detected the end of the string by checking for a terminating
    NUL, now it uses cnp->cn_namelen.
  o Handle kqueue files as FIFOs.  This is probably the closest file type
    to represent this type of file there is, and it is unfortunately not
    very representative of a kqueue.  Creation time is not supported by
    kqueue, so ctime, mtime and atime are all set to the current time when
    getattr() was called.
  o Also set st_[mca]time to the current time since there's no data in
    socket structures that can be used to fill this in (FIFOs).
  o Simplify fdesc_readdir() since it only has to report the numbered
    fd nodes.  Add `.' and `..' directory links as well.
  o Remove read bits from directories as they tend to confuse programs
    like tar(1).

Reviewed by:	phk
Discussed with:	bde (earlier on, not quite review)
2000-05-11 22:10:51 +00:00
Poul-Henning Kamp
192c06ea1b Change the "bdev-whiner" to whine when open is attempted and extend
the deadline a month.
2000-05-09 18:53:57 +00:00
Poul-Henning Kamp
9626b608de Separate the struct bio related stuff out of <sys/buf.h> into
<sys/bio.h>.

<sys/bio.h> is now a prerequisite for <sys/buf.h> but it shall
not be made a nested include according to bdes teachings on the
subject of nested includes.

Diskdrivers and similar stuff below specfs::strategy() should no
longer need to include <sys/buf.> unless they need caching of data.

Still a few bogus uses of struct buf to track down.

Repocopy by:    peter
2000-05-05 09:59:14 +00:00
Peter Wemm
365c5db0a7 Add $FreeBSD$ 2000-05-01 20:32:07 +00:00
Poul-Henning Kamp
2c9b67a8df Remove unneeded #include <vm/vm_zone.h>
Generated by:	src/tools/tools/kerninclude
2000-04-30 18:52:11 +00:00
Poul-Henning Kamp
eb95c536ad Remove unneeded #include <sys/kernel.h> 2000-04-29 15:36:14 +00:00
Brian Feldman
b7db19017b Move procfs_fullpath() to vfs_cache.c, with a rename to textvp_fullpath().
There's no excuse to have code in synthetic filestores that allows direct
references to the textvp anymore.

Feature requested by:	msmith
Feature agreed to by:	warner
Move requested by:	phk
Move agreed to by:	bde
2000-04-26 11:57:45 +00:00
Brian Feldman
28749c79c8 Quiet an unused variable warning by commenting out a variable declaration
that goes with a commented out statement.
2000-04-22 17:58:40 +00:00
Brian Feldman
bb529be712 There's no reason to make "file" 0500 rather than 0555. 2000-04-22 04:01:54 +00:00
Brian Feldman
081d7b00c7 Welcome back our old friend from procfs, "file"! 2000-04-22 03:44:41 +00:00
Mike Smith
387d034f45 Remove the linprocfs bits from their old location, as they've moved now. 2000-04-20 03:56:10 +00:00
Poul-Henning Kamp
3389ae9350 Remove ~25 unneeded #include <sys/conf.h>
Remove ~60 unneeded #include <sys/malloc.h>
2000-04-19 14:58:28 +00:00
Poul-Henning Kamp
ed6aff7387 Remove unneeded <sys/buf.h> includes.
Due to some interesting cpp tricks in lockmgr, the LINT kernel shrinks
by 924 bytes.
2000-04-18 15:15:39 +00:00
Jonathan Lemon
cb679c385e Introduce kqueue() and kevent(), a kernel event notification facility. 2000-04-16 18:53:38 +00:00
Poul-Henning Kamp
8177437d85 Complete the bio/buf divorce for all code below devfs::strategy
Exceptions:
        Vinum untouched.  This means that it cannot be compiled.
        Greg Lehey is on the case.

        CCD not converted yet, casts to struct buf (still safe)

        atapi-cd casts to struct buf to examine B_PHYS
2000-04-15 05:54:02 +00:00
Poul-Henning Kamp
c244d2de43 Move B_ERROR flag to b_ioflags and call it BIO_ERROR.
(Much of this done by script)

Move B_ORDERED flag to b_ioflags and call it BIO_ORDERED.

Move b_pblkno and b_iodone_chain to struct bio while we transition, they
will be obsoleted once bio structs chain/stack.

Add bio_queue field for struct bio aware disksort.

Address a lot of stylistic issues brought up by bde.
2000-04-02 15:24:56 +00:00
Dag-Erling Smørgrav
c2c0fac9c9 Attempt to provide real values for meminfo. 2000-03-25 19:41:18 +00:00
Dag-Erling Smørgrav
8deca17b79 Linux /proc filesystem.
Submitted by:	pb
2000-03-25 13:23:02 +00:00
Poul-Henning Kamp
b99c307a21 Rename the existing BUF_STRATEGY() to DEV_STRATEGY()
substitute BUF_WRITE(foo) for VOP_BWRITE(foo->b_vp, foo)

substitute BUF_STRATEGY(foo) for VOP_STRATEGY(foo->b_vp, foo)

This patch is machine generated except for the ccd.c and buf.h parts.
2000-03-20 11:29:10 +00:00
Poul-Henning Kamp
21144e3bf1 Remove B_READ, B_WRITE and B_FREEBUF and replace them with a new
field in struct buf: b_iocmd.  The b_iocmd is enforced to have
exactly one bit set.

B_WRITE was bogusly defined as zero giving rise to obvious coding
mistakes.

Also eliminate the redundant struct buf flag B_CALL, it can just
as efficiently be done by comparing b_iodone to NULL.

Should you get a panic or drop into the debugger, complaining about
"b_iocmd", don't continue.  It is likely to write on your disk
where it should have been reading.

This change is a step in the direction towards a stackable BIO capability.

A lot of this patch were machine generated (Thanks to style(9) compliance!)

Vinum users:  Greg has not had time to test this yet, be careful.
2000-03-20 10:44:49 +00:00
Poul-Henning Kamp
db5f635acc Eliminate the undocumented, experimental, non-delivering and highly
dangerous MAX_PERF option.
2000-03-16 08:51:55 +00:00
Robert Watson
8f0738756c Fix bde'isms in acl/extattr syscall interface, renaming syscalls to
prettier (?) names, adding some const's around here, et al.

Reviewed by:	bde
2000-01-19 06:07:34 +00:00
Poul-Henning Kamp
ba4ad1fcea Give vn_isdisk() a second argument where it can return a suitable errno.
Suggested by:	bde
2000-01-10 12:04:27 +00:00
Peter Wemm
c447342094 Change #ifdef KERNEL to #ifdef _KERNEL in the public headers. "KERNEL"
is an application space macro and the applications are supposed to be free
to use it as they please (but cannot).  This is consistant with the other
BSD's who made this change quite some time ago.  More commits to come.
1999-12-29 05:07:58 +00:00
Peter Wemm
e0f9d2869a Fix typo "," vs ";"
PR:		15696
Submitted by:	Takashi Okumura <taka@cs.pitt.edu>
1999-12-27 16:03:38 +00:00
Chris Costello
1b900f573c Fix a typo that was doing something kind of silly, and that is initializing
the creation time for files to the uninitialized value:

	vap->va_ctime = vap->va_ctime;

Changed to what was intended, assigning it to the modification time (thus
making all three values of access time, modification time and creation time
the same thing).

Reviewed by:	grog
1999-12-21 06:29:00 +00:00