Commit Graph

188 Commits

Author SHA1 Message Date
Robert Watson
91421ba234 o Move per-process jail pointer (p->pr_prison) to inside of the subject
credential structure, ucred (cr->cr_prison).
o Allow jail inheritence to be a function of credential inheritence.
o Abstract prison structure reference counting behind pr_hold() and
  pr_free(), invoked by the similarly named credential reference
  management functions, removing this code from per-ABI fork/exit code.
o Modify various jail() functions to use struct ucred arguments instead
  of struct proc arguments.
o Introduce jailed() function to determine if a credential is jailed,
  rather than directly checking pointers all over the place.
o Convert PRISON_CHECK() macro to prison_check() function.
o Move jail() function prototypes to jail.h.
o Emulate the P_JAILED flag in fill_kinfo_proc() and no longer set the
  flag in the process flags field itself.
o Eliminate that "const" qualifier from suser/p_can/etc to reflect
  mutex use.

Notes:

o Some further cleanup of the linux/jail code is still required.
o It's now possible to consider resolving some of the process vs
  credential based permission checking confusion in the socket code.
o Mutex protection of struct prison is still not present, and is
  required to protect the reference count plus some fields in the
  structure.

Reviewed by:	freebsd-arch
Obtained from:	TrustedBSD Project
2001-02-21 06:39:57 +00:00
Bosko Milekic
9ed346bab0 Change and clean the mutex lock interface.
mtx_enter(lock, type) becomes:

mtx_lock(lock) for sleep locks (MTX_DEF-initialized locks)
mtx_lock_spin(lock) for spin locks (MTX_SPIN-initialized)

similarily, for releasing a lock, we now have:

mtx_unlock(lock) for MTX_DEF and mtx_unlock_spin(lock) for MTX_SPIN.
We change the caller interface for the two different types of locks
because the semantics are entirely different for each case, and this
makes it explicitly clear and, at the same time, it rids us of the
extra `type' argument.

The enter->lock and exit->unlock change has been made with the idea
that we're "locking data" and not "entering locked code" in mind.

Further, remove all additional "flags" previously passed to the
lock acquire/release routines with the exception of two:

MTX_QUIET and MTX_NOSWITCH

The functionality of these flags is preserved and they can be passed
to the lock/unlock routines by calling the corresponding wrappers:

mtx_{lock, unlock}_flags(lock, flag(s)) and
mtx_{lock, unlock}_spin_flags(lock, flag(s)) for MTX_DEF and MTX_SPIN
locks, respectively.

Re-inline some lock acq/rel code; in the sleep lock case, we only
inline the _obtain_lock()s in order to ensure that the inlined code
fits into a cache line. In the spin lock case, we inline recursion and
actually only perform a function call if we need to spin. This change
has been made with the idea that we generally tend to avoid spin locks
and that also the spin locks that we do have and are heavily used
(i.e. sched_lock) do recurse, and therefore in an effort to reduce
function call overhead for some architectures (such as alpha), we
inline recursion for this case.

Create a new malloc type for the witness code and retire from using
the M_DEV type. The new type is called M_WITNESS and is only declared
if WITNESS is enabled.

Begin cleaning up some machdep/mutex.h code - specifically updated the
"optimized" inlined code in alpha/mutex.h and wrote MTX_LOCK_SPIN
and MTX_UNLOCK_SPIN asm macros for the i386/mutex.h as we presently
need those.

Finally, caught up to the interface changes in all sys code.

Contributors: jake, jhb, jasone (in no particular order)
2001-02-09 06:11:45 +00:00
Poul-Henning Kamp
fc2ffbe604 Mechanical change to use <sys/queue.h> macro API instead of
fondling implementation details.

Created with: sed(1)
Reviewed by: md5(1)
2001-02-04 13:13:25 +00:00
John Baldwin
b939335607 - Catch up to proc flag changes. 2001-01-24 11:20:05 +00:00
Poul-Henning Kamp
49851cc706 Use macro API to <sys/queue.h> 2000-12-31 10:24:19 +00:00
Jake Burkholder
98f03f9030 Protect proc.p_pptr and proc.p_children/p_sibling with the
proctree_lock.

linprocfs not locked pending response from informal maintainer.

Reviewed by:	jhb, -smp@
2000-12-23 19:43:10 +00:00
Robert Watson
f6a99e61c5 o Tighten restrictions on use of /proc/pid/ctl and move access checks
in ctl to using centralized p_can() inter-process access control
  interface.

Reviewed by:	sef
2000-12-13 04:28:24 +00:00
Jake Burkholder
c0c2557090 - Change the allproc_lock to use a macro, ALLPROC_LOCK(how), instead
of explicit calls to lockmgr.  Also provides macros for the flags
  pased to specify shared, exclusive or release which map to the
  lockmgr flags.  This is so that the use of lockmgr can be easily
  replaced with optimized reader-writer locks.
- Add some locking that I missed the first time.
2000-12-13 00:17:05 +00:00
Dag-Erling Smørgrav
668891c57b Add a module version (so that linprocfs can properly depend on procfs) 2000-12-09 13:17:51 +00:00
John Baldwin
c3f52eedeb Protect p_stat with the sched_lock.
Reviewed by:	jake
2000-12-02 01:58:15 +00:00
Eivind Eklund
b8c8516a7f More paranoia against overflows 2000-11-08 21:53:05 +00:00
Eivind Eklund
ab3240e198 Fix overflow from jail hostname.
Bug found by:	Esa Etelavuori <eetelavu@cc.hut.fi>
2000-11-01 19:38:08 +00:00
Alfred Perlstein
e5b7b6b78e return correct type for process directory entries, DT_DIR not DT_REG 2000-10-05 23:19:51 +00:00
Dag-Erling Smørgrav
18203af447 Remove a comment that has been not only obsolete but patently wrong for the
last 31 revisions (almost three years).
2000-09-04 18:18:17 +00:00
Robert Watson
84a5637620 o Simplify if/then clause equating ESRCH with ENOENT when hiding a process
Submitted by:	des
2000-09-01 18:41:32 +00:00
Robert Watson
ca94dd37a3 o Make procfs use vaccess() for procfs_access() DAC and super-user checks,
rather than implementing its own {uid,gid,other} checks against vnode
  mode.  Similar change to linprocfs currently under review.

Obtained from:	TrustedBSD Project
2000-09-01 13:41:41 +00:00
Robert Watson
387d2c036b o Centralize inter-process access control, introducing:
int p_can(p1, p2, operation, privused)

  which allows specification of subject process, object process,
  inter-process operation, and an optional call-by-reference privused
  flag, allowing the caller to determine if privilege was required
  for the call to succeed.  This allows jail, kern.ps_showallprocs and
  regular credential-based interaction checks to occur in one block of
  code.  Possible operations are P_CAN_SEE, P_CAN_SCHED, P_CAN_KILL,
  and P_CAN_DEBUG.  p_can currently breaks out as a wrapper to a
  series of static function checks in kern_prot, which should not
  be invoked directly.

o Commented out capabilities entries are included for some checks.

o Update most inter-process authorization to make use of p_can() instead
  of manual checks, PRISON_CHECK(), P_TRESPASS(), and
  kern.ps_showallprocs.

o Modify suser{,_xxx} to use const arguments, as it no longer modifies
  process flags due to the disabling of ASU.

o Modify some checks/errors in procfs so that ENOENT is returned instead
  of ESRCH, further improving concealment of processes that should not
  be visible to other processes.  Also introduce new access checks to
  improve hiding of processes for procfs_lookup(), procfs_getattr(),
  procfs_readdir().  Correct a bug reported by bp concerning not
  handling the CREATE case in procfs_lookup().  Remove volatile flag in
  procfs that caused apparently spurious qualifier warnigns (approved by
  bde).

o Add comment noting that ktrace() has not been updated, as its access
  control checks are different from ptrace(), whereas they should
  probably be the same.  Further discussion should happen on this topic.

Reviewed by:	bde, green, phk, freebsd-security, others
Approved by:	bde
Obtained from:	TrustedBSD Project
2000-08-30 04:49:09 +00:00
Poul-Henning Kamp
39f70682ae Introduce vop_stdinactive() and make it the default if no vop_inactive
is declared.

Sort and prune a few vop_op[].
2000-08-18 10:01:02 +00:00
Poul-Henning Kamp
eb95c536ad Remove unneeded #include <sys/kernel.h> 2000-04-29 15:36:14 +00:00
Brian Feldman
b7db19017b Move procfs_fullpath() to vfs_cache.c, with a rename to textvp_fullpath().
There's no excuse to have code in synthetic filestores that allows direct
references to the textvp anymore.

Feature requested by:	msmith
Feature agreed to by:	warner
Move requested by:	phk
Move agreed to by:	bde
2000-04-26 11:57:45 +00:00
Brian Feldman
28749c79c8 Quiet an unused variable warning by commenting out a variable declaration
that goes with a commented out statement.
2000-04-22 17:58:40 +00:00
Brian Feldman
bb529be712 There's no reason to make "file" 0500 rather than 0555. 2000-04-22 04:01:54 +00:00
Brian Feldman
081d7b00c7 Welcome back our old friend from procfs, "file"! 2000-04-22 03:44:41 +00:00
Peter Wemm
c447342094 Change #ifdef KERNEL to #ifdef _KERNEL in the public headers. "KERNEL"
is an application space macro and the applications are supposed to be free
to use it as they please (but cannot).  This is consistant with the other
BSD's who made this change quite some time ago.  More commits to come.
1999-12-29 05:07:58 +00:00
Peter Wemm
e0f9d2869a Fix typo "," vs ";"
PR:		15696
Submitted by:	Takashi Okumura <taka@cs.pitt.edu>
1999-12-27 16:03:38 +00:00
Eivind Eklund
a6b174a83b Include vm/vm_extern.h to get at prototypes 1999-12-20 18:26:58 +00:00
Robert Watson
91f37dcba1 Second pass commit to introduce new ACL and Extended Attribute system
calls, vnops, vfsops, both in /kern, and to individual file systems that
require a vfsop_ array entry.

Reviewed by:	eivind
1999-12-19 06:08:07 +00:00
Eivind Eklund
762e6b856c Introduce NDFREE (and remove VOP_ABORTOP) 1999-12-15 23:02:35 +00:00
Peter Wemm
99b30c79b0 Don't simulate a pseudo address-space beyond VM_MAXUSER_ADDRESS that
maps onto the upages.  We used to use this extensively, particularly
for ps and gdb.  Both of these have been "fixed".  ps gets the p_stats
via eproc along with all the other stats, and gdb uses the regs, fpregs
etc files.

Once apon a time the UPAGES were mapped here, but that changed back
in January '96.  This essentially kills my revisions 1.16 and 1.17.
The 2-page "hole" above the stack can be reclaimed now.
1999-12-11 10:21:34 +00:00
Poul-Henning Kamp
5ecdb702b0 Remove unused #includes.
Obtained from:	http://bogon.freebsd.dk/include
1999-12-08 08:59:40 +00:00
Poul-Henning Kamp
a8704f8999 Add a sysctl to control if argv is disclosed to the world:
kern.ps_argsopen
It defaults to 1 which means that all users can see all argvs in ps(1).

Reviewed by:	Warner
1999-11-26 08:27:16 +00:00
Poul-Henning Kamp
a9e0361b4a Introduce the new function
p_trespass(struct proc *p1, struct proc *p2)
which returns zero or an errno depending on the legality of p1 trespassing
on p2.

Replace kern_sig.c:CANSIGNAL() with call to p_trespass() and one
extra signal related check.

Replace procfs.h:CHECKIO() macros with calls to p_trespass().

Only show command lines to process which can trespass on the target
process.
1999-11-21 19:03:20 +00:00
Poul-Henning Kamp
da654d9070 s/p_cred->pc_ucred/p_ucred/g 1999-11-21 12:38:21 +00:00
Sean Eric Fagan
13baacebcb A process should be able to examine itself. 1999-11-20 18:22:14 +00:00
Poul-Henning Kamp
6153cb2048 Make proc/*/cmdline use the cached argv if available.
Submitted by:   Paul Saab <paul@mu.org>
Reviewed by:    phk
1999-11-17 21:35:07 +00:00
Poul-Henning Kamp
3cf5d0fd07 The function `procfs_getattr()' in procfs doesn't set the value of
vap->va_fsid, so we cannot get valid information about procfs.

Submitted by:   SAWADA Mizuki miz@pa.aix.or.jp
Reviewed by:    phk
PR:     1654
1999-11-17 21:33:25 +00:00
Alan Cox
b561683329 Passing "0" or "FALSE" as the fourth argument to vm_fault is wrong. It
should be "VM_FAULT_NORMAL".
1999-11-09 01:44:28 +00:00
Sean Eric Fagan
75bd443641 Explain why Warner is right, and I am wrong, in the removing of the
file object.  Also explain some possible directions to re-implement it --
I'm not sure it should be, given the minimal application use.  (Other
than having the debugger automatically access the symbols for a process,
the main use I'd found was with some minor accounting ability, but _that_
depends on it being in the filesystem space; an ioctl access method would
be useless in that case.)

This is a code-less change; only a comment has been added.
1999-11-08 05:13:54 +00:00
Sean Eric Fagan
900e2da760 Make an incredibly stupid change because Warner threatened to do it and
continue doing it despite objections by me (the principal author).

Note that this doesn't fix the real problem -- the real problem is generally
bad setup by ignorant users, and education is the right way to fix it.

So while this doesn't actually solve the prolem mentioned in the complaint
(since it's still possible to do it via other methods, although they mostly
involve a bit more complicity), and there are better methods to do this,
nobody was willing or able to provide me with a real world example that
couldn't be worked around using the existing permissions and group
mechanism.  And therefore, security by removing features is the method of
the day.

I only had three applications that used it, in any event.  One of them would
have made debugging easier, but I still haven't finished it, and won't
now, so it doesn't really matter.
1999-11-07 07:52:02 +00:00
Poul-Henning Kamp
923502ff91 useracc() the prequel:
Merge the contents (less some trivial bordering the silly comments)
of <vm/vm_prot.h> and <vm/vm_inherit.h> into <vm/vm.h>.  This puts
the #defines for the vm_inherit_t and vm_prot_t types next to their
typedefs.

This paves the road for the commit to follow shortly: change
useracc() to use VM_PROT_{READ|WRITE} rather than B_{READ|WRITE}
as argument.
1999-10-29 18:09:36 +00:00
Marcel Moolenaar
2c42a14602 sigset_t change (part 2 of 5)
-----------------------------

The core of the signalling code has been rewritten to operate
on the new sigset_t. No methodological changes have been made.
Most references to a sigset_t object are through macros (see
signalvar.h) to create a level of abstraction and to provide
a basis for further improvements.

The NSIG constant has not been changed to reflect the maximum
number of signals possible. The reason is that it breaks
programs (especially shells) which assume that all signals
have a non-null name in sys_signame. See src/bin/sh/trap.c
for an example. Instead _SIG_MAXSIG has been introduced to
hold the maximum signal possible with the new sigset_t.

struct sigprop has been moved from signalvar.h to kern_sig.c
because a) it is only used there, and b) access must be done
though function sigprop(). The latter because the table doesn't
holds properties for all signals, but only for the first NSIG
signals.

signal.h has been reorganized to make reading easier and to
add the new and/or modified structures. The "old" structures
are moved to signalvar.h to prevent namespace polution.

Especially the coda filesystem suffers from the change, because
it contained lines like (p->p_sigmask == SIGIO), which is easy
to do for integral types, but not for compound types.

NOTE: kdump (and port linux_kdump) must be recompiled.

Thanks to Garrett Wollman and Daniel Eischen for pressing the
importance of changing sigreturn as well.
1999-09-29 15:03:48 +00:00
Alfred Perlstein
c24fda81c9 Seperate the export check in VFS_FHTOVP, exports are now checked via
VFS_CHECKEXP.

Add fh(open|stat|stafs) syscalls to allow userland to query filesystems
based on (network) filehandle.

Obtained from:	NetBSD
1999-09-11 00:46:08 +00:00
Alfred Perlstein
5a5fccc8e7 All unimplemented VFS ops now have entries in kern/vfs_default.c that return
reasonable defaults.

This avoids confusing and ugly casting to eopnotsupp or making dummy functions.
Bogus casting of filesystem sysctls to eopnotsupp() have been removed.

This should make *_vfsops.c more readable and reduce bloat.

Reviewed by:	msmith, eivind
Approved by:	phk
Tested by:	Jeroen Ruigrok/Asmodai <asmodai@wxs.nl>
1999-09-07 22:42:38 +00:00
Peter Wemm
c3aac50f28 $Id$ -> $FreeBSD$ 1999-08-28 01:08:13 +00:00
Marcel Moolenaar
63a9927353 Let processes retrieve their argv through procfs. Revert to the original
behaviour in all other cases.

Submitted by: Andrew Gordon <arg@arg1.demon.co.uk>
1999-08-19 19:41:08 +00:00
Bruce Evans
dd26feb90b Fixed printf format errors (%qu -> %llu; the arg was already unsigned long
long to hide problems on alphas).
1999-08-08 13:43:51 +00:00
Poul-Henning Kamp
46dcdb370e Allow jailed proccesses to open non-process vnodes like the root of the fs. 1999-07-09 21:31:44 +00:00
Peter Wemm
ebce412ca2 Use %q rather than rolling a custom routine. 1999-07-09 17:56:59 +00:00
Jonathan Lemon
d6c4f01106 Support for i386 hardware breakpoints.
Submitted by:	Brian Dean <brdean@unx.sas.com>
1999-07-09 04:18:32 +00:00
Jonathan Lemon
ab001a72be Implement support for hardware debug registers on the i386.
Submitted by:	Brian Dean <brdean@unx.sas.com>
1999-07-09 04:16:00 +00:00