Commit Graph

1093 Commits

Author SHA1 Message Date
rwatson
3246fbf45f In continuation of early fileop credential changes, modify fo_ioctl() to
accept an 'active_cred' argument reflecting the credential of the thread
initiating the ioctl operation.

- Change fo_ioctl() to accept active_cred; change consumers of the
  fo_ioctl() interface to generally pass active_cred from td->td_ucred.
- In fifofs, initialize filetmp.f_cred to ap->a_cred so that the
  invocations of soo_ioctl() are provided access to the calling f_cred.
  Pass ap->a_td->td_ucred as the active_cred, but note that this is
  required because we don't yet distinguish file_cred and active_cred
  in invoking VOP's.
- Update kqueue_ioctl() for its new argument.
- Update pipe_ioctl() for its new argument, pass active_cred rather
  than td_ucred to MAC for authorization.
- Update soo_ioctl() for its new argument.
- Update vn_ioctl() for its new argument, use active_cred rather than
  td->td_ucred to authorize VOP_IOCTL() and the associated VOP_GETATTR().

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, NAI Labs
2002-08-17 02:36:16 +00:00
rwatson
2b82cd24f1 Make similar changes to fo_stat() and fo_poll() as made earlier to
fo_read() and fo_write(): explicitly use the cred argument to fo_poll()
as "active_cred" using the passed file descriptor's f_cred reference
to provide access to the file credential.  Add an active_cred
argument to fo_stat() so that implementers have access to the active
credential as well as the file credential.  Generally modify callers
of fo_stat() to pass in td->td_ucred rather than fp->f_cred, which
was redundantly provided via the fp argument.  This set of modifications
also permits threads to perform these operations on behalf of another
thread without modifying their credential.

Trickle this change down into fo_stat/poll() implementations:

- badfo_poll(), badfo_stat(): modify/add arguments.
- kqueue_poll(), kqueue_stat(): modify arguments.
- pipe_poll(), pipe_stat(): modify/add arguments, pass active_cred to
  MAC checks rather than td->td_ucred.
- soo_poll(), soo_stat(): modify/add arguments, pass fp->f_cred rather
  than cred to pru_sopoll() to maintain current semantics.
- sopoll(): moidfy arguments.
- vn_poll(), vn_statfile(): modify/add arguments, pass new arguments
  to vn_stat().  Pass active_cred to MAC and fp->f_cred to VOP_POLL()
  to maintian current semantics.
- vn_close(): rename cred to file_cred to reflect reality while I'm here.
- vn_stat(): Add active_cred and file_cred arguments to vn_stat()
  and consumers so that this distinction is maintained at the VFS
  as well as 'struct file' layer.  Pass active_cred instead of
  td->td_ucred to MAC and to VOP_GETATTR() to maintain current semantics.

- fifofs: modify the creation of a "filetemp" so that the file
  credential is properly initialized and can be used in the socket
  code if desired.  Pass ap->a_td->td_ucred as the active
  credential to soo_poll().  If we teach the vnop interface about
  the distinction between file and active credentials, we would use
  the active credential here.

Note that current inconsistent passing of active_cred vs. file_cred to
VOP's is maintained.  It's not clear why GETATTR would be authorized
using active_cred while POLL would be authorized using file_cred at
the file system level.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, NAI Labs
2002-08-16 12:52:03 +00:00
trhodes
abb7e5b790 When a cluster entry for ``.'' is set to 0, msdosfs fails to handle it
correctly.

PR:		24393
Submitted by:	semenu
Approved by:	rwatson (mentor)
MFC after:	1 week
2002-08-16 05:13:42 +00:00
jake
3d029bfb13 Fixed 64bit big endian bugs relating to abuse of ioctl argument passing.
This makes truss work on sparc64.
2002-08-15 06:16:10 +00:00
scottl
849f861756 Clean up comments that are no longer relevant. 2002-08-15 03:50:06 +00:00
scottl
826866dc00 Factor out some ugle code that's shared by udf_readdir and udf_lookup.
Significantly de-obfuscate udf_lookup

Inspired By: tes@sgi.com
2002-08-15 00:43:43 +00:00
phk
e4f487f25e Introduce typedefs for the member functions of struct vfsops and employ
these in the main filesystems.  This does not change the resulting code
but makes the source a little bit more grepable.

Sponsored by:	DARPA and NAI Labs.
2002-08-13 10:05:50 +00:00
pb
bfe148fa25 Fix typo in vnode flags causing deadlock in msdosfs_fsync().
Reviewed by:	jeff
2002-08-05 21:07:30 +00:00
mike
fb6cd3904f Fix typo in the last revision.
Noticed by:	i386 tinderbox
2002-08-04 19:34:38 +00:00
scottl
e0f60db94f Simplify the handling of a fragmented file_id descriptor. Also
de-obfuscate the file_char flags.
2002-08-04 16:42:20 +00:00
jeff
02517b6731 - Replace v_flag with v_iflag and v_vflag
- v_vflag is protected by the vnode lock and is used when synchronization
   with VOP calls is needed.
 - v_iflag is protected by interlock and is used for dealing with vnode
   management issues.  These flags include X/O LOCK, FREE, DOOMED, etc.
 - All accesses to v_iflag and v_vflag have either been locked or marked with
   mp_fixme's.
 - Many ASSERT_VOP_LOCKED calls have been added where the locking was not
   clear.
 - Many functions in vfs_subr.c were restructured to provide for stronger
   locking.

Idea stolen from:	BSD/OS
2002-08-04 10:29:36 +00:00
scottl
0e245756af Calculate the correct physical block number for files that are
embedded into their file_entry descriptor.  This is more for
correctness, since these files cannot be bmap'ed/mmap'ed anyways.
Enforce this restriction.

Submitted by:	tes@sgi.com
2002-08-02 06:22:20 +00:00
scottl
f27f293d96 Check for deleted files in udf_lookup(), not just udf_readdir().
Submitted by:	tes@sgi.com
2002-08-02 06:19:43 +00:00
alc
69425db61b o Lock page queue accesses in nwfs and smbfs.
o Assert that the page queues lock is held in vm_page_deactivate().
2002-08-02 05:23:58 +00:00
rwatson
1fa5d0d927 Introduce support for Mandatory Access Control and extensible
kernel access control.

Teach devfs how to respond to pathconf() _POSIX_MAC_PRESENT queries,
allowing it to indicate to user processes that individual vnode labels
are available.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, NAI Labs
2002-08-02 03:12:40 +00:00
rwatson
6c6053d961 Hook up devfs_pathconf() for specfs devfs nodes, not just regular
devfs nodes.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, NAI Labs
2002-08-01 22:27:57 +00:00
rwatson
a98ab91552 Introduce support for Mandatory Access Control and extensible
kernel access control.

Modify procfs so that (when mounted multilabel) it exports process MAC
labels as the vnode labels of procfs vnodes associated with processes.

Approved by:	des
Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, NAI Labs
2002-08-01 02:03:21 +00:00
rwatson
3ce5d5484c Introduce support for Mandatory Access Control and extensible
kernel access control.

Modify pseudofs so that it can support synthetic file systems with
the multilabel flag set.  In particular, implement vop_refreshlabel()
as pn_refreshlabel().  Implement pfs_refreshlabel() to invoke this,
and have it fall back to the mount label if the file system does
not implement pn_refreshlabel() for the node.  Otherwise, permit
the file system to determine how the service is provided.

Approved by:	des
Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, NAI Labs
2002-08-01 01:33:12 +00:00
rwatson
751f2d0c51 Introduce support for Mandatory Access Control and extensible
kernel access control.

Instrument devfs to support per-dirent MAC labels.  In particular,
invoke MAC framework when devfs directory entries are instantiated
due to make_dev() and related calls, and invoke the MAC framework
when vnodes are instantiated from these directory entries.  Implement
vop_setlabel() for devfs, which pushes the label update into the
devfs directory entry for semi-persistant store.  This permits the MAC
framework to assign labels to devices and directories as they are
instantiated, and export access control information via devfs vnodes.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, NAI Labs
2002-07-31 15:45:16 +00:00
semenu
cbee25e47b Fix a problem with sendfile() syscall by always doing I/O via bread() in
ntfs_read(). This guarantee that requested cache pages will be valid if
UIO_NOCOPY specifed.

PR:		bin/34072, bin/36189
MFC after:	1 week
2002-07-31 00:42:57 +00:00
rwatson
25ab0054a1 Introduce support for Mandatory Access Control and extensible
kernel access control.

Label devfs directory entries, permitting labels to be maintained
on device nodes in devfs instances persistently despite vnode
recycling.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, NAI Labs
2002-07-30 23:12:37 +00:00
julian
6216c4b163 Create a new thread state to describe threads that would be ready to run
except for the fact tha they are presently swapped out. Also add a process
flag to indicate that the process has started the struggle to swap
back in. This will be  needed for the case where multiple threads
start the swapin action top a collision. Also add code to stop
a process fropm being swapped out if one of the threads in this
process is actually off running on another CPU.. that might hurt...

Submitted by:	Seigo Tanimura <tanimura@r.dl.itc.u-tokyo.ac.jp>
2002-07-29 18:33:32 +00:00
dd
cca47ca03d Correct misindentation of DRA_UID. 2002-07-28 06:57:57 +00:00
dd
a22e9df072 Unimplement panic(8) by making sure that we don't recurse into a
ruleset.  If we do, that means there's a ruleset loop (10 includes 20
include 30 includes 10), which will quickly cause a double fault due
to stack overflow (since "include" is implemented by recursion).
(Previously, we only checked that X didn't include X.)
2002-07-28 03:52:44 +00:00
jeff
282b74d90b - Explicitly state that specfs does not support locking by using
vop_no{lock,unlock,islocked}.  This should be the only vnode opv that does
   so.
2002-07-27 05:14:59 +00:00
alc
066f58464f o Lock page queue accesses by vm_page_activate() and vm_page_deactivate(). 2002-07-27 05:08:49 +00:00
dd
9498a983a9 Introduce the DEVFS "rule" subsystem. DEVFS rules permit the
administrator to define certain properties of new devfs nodes before
they become visible to the userland.  Both static (e.g., /dev/speaker)
and dynamic (e.g., /dev/bpf*, some removable devices) nodes are
supported.  Each DEVFS mount may have a different ruleset assigned to
it, permitting different policies to be implemented for things like
jails.

Approved by:	phk
2002-07-17 01:46:48 +00:00
markm
a2b56dc6ce Unbreak LINT; sort the includes so that functions are explicitly
declared. Remove duplicate includes.
2002-07-16 09:33:33 +00:00
jeff
0552450eef - Change all LK_SHARE locks to LK_EXCLUSIVE. Shared locks aren't quite safe
yet
 - Use vop_std{lock,unlock,islocked}.
2002-07-09 19:43:39 +00:00
jeff
ce302369fb Lock down pseudofs:
- Initialize lock structure in vncache_alloc
 - Return locked vnodes from vncache_alloc
 - Setup vnode op vectors to use default lock, unlock, and islocked
 - Implement simple locking scheme required for lookup
2002-07-08 01:50:14 +00:00
julian
aa2dc0a5d9 Part 1 of KSE-III
The ability to schedule multiple threads per process
(one one cpu) by making ALL system calls optionally asynchronous.
to come: ia64 and power-pc patches, patches for gdb, test program (in tools)

Reviewed by:	Almost everyone who counts
	(at various times, peter, jhb, matt, alfred, mini, bernd,
	and a cast of thousands)

	NOTE: this is still Beta code, and contains lots of debugging stuff.
	expect slight instability in signals..
2002-06-29 17:26:22 +00:00
mux
62289e8461 nmount'ify unionfs further by using separate options instead
of passing a flags mount options.  This removes the include of
sys/fs/unionfs/union.h in mount_unionfs as it should be.

Reviewed by:	phk
2002-06-15 22:48:14 +00:00
mux
a9b7ee8dc7 Convert UDF to nmount.
Reviewed by:	scottl
2002-06-15 22:40:13 +00:00
semenu
50d99cdfec Fix a race during null node creation between relookuping the hash and
adding vnode to hash. The fix is to use atomic hash-lookup-and-add-if-
not-found operation. The odd thing is that this race can't happen
actually because the lowervp vnode is locked exclusively now during the
whole process of null node creation. This must be thought as a step
toward shared lookups.

Also remove vp->v_mount checks when looking for a match in the hash,
as this is the vestige.

Also add comments and cosmetic changes.
2002-06-13 21:49:09 +00:00
semenu
b350b26afc Change null_hashlock into null_hashmtx, because there is no need for
lockmgr and this helps to vget() vnode from hash without a race.

Reviewed by:	bp
MFC after:	2 weeks
2002-06-13 20:18:50 +00:00
semenu
7e3005a305 Fix the "error" path (when dropping not fully initialized vnode).
Also move hash operations out of null_vnops.c and explicitly initialize
v_lock in null_node_alloc (to set wmesg).

Reviewed by:	bp
MFC after:	2 weeks
2002-06-13 18:25:06 +00:00
semenu
7baa028f37 Fix wrong locking in null_inactive and null_reclaim. This makes nullfs
relatively working back.

Reviewed by:	mckusick, bp
2002-06-13 17:30:40 +00:00
des
69c9b29c29 Gratuitous whitespace cleanup. 2002-06-06 16:59:24 +00:00
semenu
c7fb877f7f Make devfs to give honour to PDIRUNLOCK flag.
Reviewed by:	jeff
MFC after:	1 week
2002-06-01 09:17:43 +00:00
tanimura
e6fa9b9e92 Back out my lats commit of locking down a socket, it conflicts with hsu's work.
Requested by:	hsu
2002-05-31 11:52:35 +00:00
mux
5c06c9fc88 Convert unionfs to nmount. 2002-05-24 00:44:44 +00:00
mux
52bc2e2b22 Fix comments. 2002-05-24 00:16:13 +00:00
mux
ae75686d45 Convert nullfs to nmount. 2002-05-23 23:07:27 +00:00
bde
8310ab84a1 Quick fix for non-unique inode numbers for hard links. We use the
byte offset of the directory entry for the inode number for all types
of files except directories, although this breaks hard links for
non-directories even if it doesn't cause overflow.  Just ignore this
broken inode number for stat() and readdir() and return a less broken
one (the block offset of the file), so that applications normally can't
see the brokenness.

This leaves at least the following brokenness:
- extra inodes, vnodes and caching for hard links.
- various overflow bugs.  cd9660 supports 64-bit block numbers, but we
  silently ignore the top 32 bits in isonum_733() and then drop another
  10 bits for our broken inode numbers.  We may also have sign extension
  bugs from storing 32-bit extents in ints and longs even if ints are
  32-bits.  These bugs affect DVDs.  mkisofs apparently limits them
  by writing directory entries first.

Inode numbers were broken mainly in 4.4BSD-Lite2.  FreeBSD-1.1.5 seems
to have a correct implementation modulo the overflow bugs.  We need
to look up directory entries from inodes for symlinks only.  FreeBSD-1.1.5
use separate fields (iso_parent_extent, iso_parent) to point to the
directory entry.  4.4BSD-Lite doesn't have these, and abuses i_ino to
point to the directory entry.  Correct pointers are impossible for
hard links, but symlinks can't be hard links.
2002-05-22 08:50:18 +00:00
semenu
df03dac700 Fix null_lock() not unlocking vp->v_interlock if LK_THISLAYER.
Reviewed by:	bp@FreeBSD.org
MFC after:	1 week
2002-05-21 18:07:33 +00:00
tanimura
6ecf0c65a7 Lock the writer socket across sorwakeup(fip->fi_writesock).
Spotted by:	peter
2002-05-21 02:37:56 +00:00
tanimura
92d8381dd5 Lock down a socket, milestone 1.
o Add a mutex (sb_mtx) to struct sockbuf. This protects the data in a
  socket buffer. The mutex in the receive buffer also protects the data
  in struct socket.

o Determine the lock strategy for each members in struct socket.

o Lock down the following members:

  - so_count
  - so_options
  - so_linger
  - so_state

o Remove *_locked() socket APIs.  Make the following socket APIs
  touching the members above now require a locked socket:

 - sodisconnect()
 - soisconnected()
 - soisconnecting()
 - soisdisconnected()
 - soisdisconnecting()
 - sofree()
 - soref()
 - sorele()
 - sorwakeup()
 - sotryfree()
 - sowakeup()
 - sowwakeup()

Reviewed by:	alfred
2002-05-20 05:41:09 +00:00
jhb
b6d6774e76 Change p_can{debug,see,sched,signal}()'s first argument to be a thread
pointer instead of a proc pointer and require the process pointed to
by the second argument to be locked.  We now use the thread ucred reference
for the credential checks in p_can*() as a result.  p_canfoo() should now
no longer need Giant.
2002-05-19 00:14:50 +00:00
phk
a1998ff821 Remove a check of blocknumbers/offsets which will be pointless with
64 bit daddr_t.

Sponsored by: DARPA & NAI Labs.
2002-05-18 09:32:56 +00:00
trhodes
28d42899b7 More s/file system/filesystem/g 2002-05-16 21:28:32 +00:00