Commit Graph

109 Commits

Author SHA1 Message Date
Don Lewis
47934cef8f Split the mlock() kernel code into two parts, mlock(), which unpacks
the syscall arguments and does the suser() permission check, and
kern_mlock(), which does the resource limit checking and calls
vm_map_wire().  Split munlock() in a similar way.

Enable the RLIMIT_MEMLOCK checking code in kern_mlock().

Replace calls to vslock() and vsunlock() in the sysctl code with
calls to kern_mlock() and kern_munlock() so that the sysctl code
will obey the wired memory limits.

Nuke the vslock() and vsunlock() implementations, which are no
longer used.

Add a member to struct sysctl_req to track the amount of memory
that is wired to handle the request.

Modify sysctl_wire_old_buffer() to return an error if its call to
kern_mlock() fails.  Only wire the minimum of the length specified
in the sysctl request and the length specified in its argument list.
It is recommended that sysctl handlers that use sysctl_wire_old_buffer()
should specify reasonable estimates for the amount of data they
want to return so that only the minimum amount of memory is wired
no matter what length has been specified by the request.

Modify the callers of sysctl_wire_old_buffer() to look for the
error return.

Modify sysctl_old_user to obey the wired buffer length and clean up
its implementation.

Reviewed by:	bms
2004-02-26 00:27:04 +00:00
Max Khon
b15572e3fc Avoid NULL pointer dereferencing in modlist_lookup2().
PR:		56570
Submitted by:	Thomas Wintergerst <Thomas.Wintergerst@nord-com.net>
2003-09-23 14:42:38 +00:00
Poul-Henning Kamp
7c89f162bc Add fdidx argument to vn_open() and vn_open_cred() and pass -1 throughout. 2003-07-27 17:04:56 +00:00
David E. O'Brien
677b542ea2 Use __FBSDID(). 2003-06-11 00:56:59 +00:00
Ruslan Ermilov
6de61153e8 FreeBSD 5.0 has stopped shipping /modules 2.5 years ago. Catch
up with this further by excluding /modules from the (default)
kern.module_path.
2003-03-03 22:53:35 +00:00
Warner Losh
a163d034fa Back out M_* changes, per decision of the TRB.
Approved by: trb
2003-02-19 05:47:46 +00:00
Alfred Perlstein
44956c9863 Remove M_TRYWAIT/M_WAITOK/M_WAIT. Callers should use 0.
Merge M_NOWAIT/M_DONTWAIT into a single flag M_NOWAIT.
2003-01-21 08:56:16 +00:00
Jake Burkholder
7251b4bf93 Resolve relative relocations in klds before trying to parse the module's
metadata.  This fixes module dependency resolution by the kernel linker on
sparc64, where the relocations for the metadata are different than on other
architectures; the relative offset is in the addend of an Elf_Rela record
instead of the original value of the location being patched.
Also fix printf formats in debug code.

Submitted by:	Hartmut Brandt <brandt@fokus.gmd.de>
PR:		46732
Tested on:	alpha (obrien), i386, sparc64
2003-01-21 02:42:44 +00:00
Alfred Perlstein
f97182acf8 unwrap lines made short enough by SCARGS removal 2002-12-14 08:18:06 +00:00
Alfred Perlstein
d1e405c5ce SCARGS removal take II. 2002-12-14 01:56:26 +00:00
Alfred Perlstein
bc9e75d7ca Backout removal SCARGS, the code freeze is only "selectively" over. 2002-12-13 22:41:47 +00:00
Alfred Perlstein
0bbe7292e1 Remove SCARGS.
Reviewed by: md5
2002-12-13 22:27:25 +00:00
Robert Watson
a3df768b04 Merge kld access control checks from the MAC tree: these access control
checks permit policy modules to augment the system policy for permitting
kld operations.  This permits policies to limit access to kld operations
based on credential (and other) properties, as well as to perform checks
on the kld being loaded (integrity, etc).

Approved by:	re
Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2002-11-19 22:12:42 +00:00
Sam Leffler
3b132a615f fix kldload error return when a module is rejected because it's statically
linked in the kernel.  When this condition is detected deep in the linker
internals the EEXIST error code that's returned is stomped on and instead
an ENOEXEC code is returned.  This makes apps like sysinstall bitch.
2002-10-17 17:28:57 +00:00
Poul-Henning Kamp
7c61d7858c Plug a memory-leak.
"I think you're right" by:	jake
2002-10-15 18:58:38 +00:00
Robert Watson
9ca435893b In order to better support flexible and extensible access control,
make a series of modifications to the credential arguments relating
to file read and write operations to cliarfy which credential is
used for what:

- Change fo_read() and fo_write() to accept "active_cred" instead of
  "cred", and change the semantics of consumers of fo_read() and
  fo_write() to pass the active credential of the thread requesting
  an operation rather than the cached file cred.  The cached file
  cred is still available in fo_read() and fo_write() consumers
  via fp->f_cred.  These changes largely in sys_generic.c.

For each implementation of fo_read() and fo_write(), update cred
usage to reflect this change and maintain current semantics:

- badfo_readwrite() unchanged
- kqueue_read/write() unchanged
  pipe_read/write() now authorize MAC using active_cred rather
  than td->td_ucred
- soo_read/write() unchanged
- vn_read/write() now authorize MAC using active_cred but
  VOP_READ/WRITE() with fp->f_cred

Modify vn_rdwr() to accept two credential arguments instead of a
single credential: active_cred and file_cred.  Use active_cred
for MAC authorization, and select a credential for use in
VOP_READ/WRITE() based on whether file_cred is NULL or not.  If
file_cred is provided, authorize the VOP using that cred,
otherwise the active credential, matching current semantics.

Modify current vn_rdwr() consumers to pass a file_cred if used
in the context of a struct file, and to always pass active_cred.
When vn_rdwr() is used without a file_cred, pass NOCRED.

These changes should maintain current semantics for read/write,
but avoid a redundant passing of fp->f_cred, as well as making
it more clear what the origin of each credential is in file
descriptor read/write operations.

Follow-up commits will make similar changes to other file descriptor
operations, and modify the MAC framework to pass both credentials
to MAC policy modules so they can implement either semantic for
revocation.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, NAI Labs
2002-08-15 20:55:08 +00:00
Maxime Henrion
f2b17113cf Make the consumers of the linker_load_file() function use
linker_load_module() instead.

This fixes a bug where the kernel was unable to properly locate and
load a kernel module in vfs_mount() (and probably in the netgraph
code as well since it was using the same function).  This is because
the linker_load_file() does not properly search the module path.

Problem found by:	peter
Reviewed by:		peter
Thanks to:		peter
2002-08-02 20:56:07 +00:00
Don Lewis
dcbe050b29 Pre-wire the output buffer so that sysctl_kern_function_list() doesn't
block in SYSCTL_OUT() while holding a lock.
2002-07-22 08:28:09 +00:00
Jeff Roberson
31965a72c9 - Delay unlocking a vnode in linker_hints_lookup until we're actually done
with it.
 - Remove a now stale comment about improper vnode locking.
2002-07-07 22:35:47 +00:00
Andrew R. Reiter
2eb7b21b00 - Remove the lock(9) protecting the kernel linker system.
- Added a mutex, kld_mtx, to protect the kernel_linker system.  Note that
  while ``classes'' is global (to that file), it is only read only after
  SI_SUB_KLD, SI_ORDER_ANY.
- Add a SYSINIT to flip a flag that disallows class registration after
  SI_SUB_KLD, SI_ORDER_ANY.

Idea for ``classes'' read only by:	jake
Reviewed by:	jake
2002-06-19 21:25:59 +00:00
Brian Somers
b94c4e9a93 Test if rootvnode is NULL rather than if rootdev is NODEV when determining
if there's a filesystem present.

rootdev can be NODEV in the NFS-mounted root scenario.

Discussed with: Harti Brandt <brandt@fokus.gmd.de>, iedowse
2002-04-26 09:52:54 +00:00
Brian Somers
f1e4a6e941 In linker_load_module(), check that rootdev != NODEV before calling
linker_search_module().

Without this, modules loaded from loader.conf that then try to load
in additional modules (such as digi.ko loading a card's BIOS) die
badly in the vn_open() called from linker_search_module().

It may be worth checking (KASSERTing?) that rootdev != NODEV in
vn_open() too.
2002-04-10 01:14:45 +00:00
Brian Somers
96987c74d6 Change linker_reference_module() so that it's passed a struct
mod_depend * (which may be NULL).  The only consumer of this
function at the moment is digi_loadmoduledata(), and that passes
a NULL mod_depend *.

In linker_reference_module(), check to see if we've already got
the required module loaded.  If we have, bump the reference count
and return that, otherwise continue the module search as normal.
2002-04-10 01:13:57 +00:00
John Baldwin
44731cab3b Change the suser() API to take advantage of td_ucred as well as do a
general cleanup of the API.  The entire API now consists of two functions
similar to the pre-KSE API.  The suser() function takes a thread pointer
as its only argument.  The td_ucred member of this thread must be valid
so the only valid thread pointers are curthread and a few kernel threads
such as thread0.  The suser_cred() function takes a pointer to a struct
ucred as its first argument and an integer flag as its second argument.
The flag is currently only used for the PRISON_ROOT flag.

Discussed on:	smp@
2002-04-01 21:31:13 +00:00
Andrew R. Reiter
517f30c2c1 - Recommit the securelevel_gt() calls removed by commits rev. 1.84 of
kern_linker.c and rev. 1.237 of vfs_syscalls.c since these are not the
  source of the recent panics occuring around kldloading file system
  support modules.

Requested by: rwatson
2002-03-25 18:26:34 +00:00
Andrew R. Reiter
fe3240e9aa - Back out the commit to make the linker_load_file() securelevel check
made aware in jail environments.  Supposedly something is broken, so
  this should be backed out until further investigation proves otherwise,
  or a proper fix can be provided.
2002-03-22 04:56:09 +00:00
Andrew R. Reiter
e85b9ae9ac - Fix a logic error in checking the securelevel that was introduced in the
previous commit.

Pointy hats to: arr, rwatson
2002-03-21 15:27:39 +00:00
Andrew R. Reiter
c457a4403a - Change a check of securelevel to securelevel_gt() call in order to help
against users within a jail attempting to load kernel modules.
- Add a check of securelevel_gt() to vfs_mount() in order to chop some
  low hanging fruit for the repair of securelevel checking of linking and
  unlinking files from within jails.  There is more to be done here.

Reviewed by: rwatson
2002-03-20 16:03:42 +00:00
Andrew R. Reiter
08a54da785 - Change a malloc / bzero pair to make use of the M_ZERO malloc(9) flag. 2002-03-19 15:41:21 +00:00
Andrew R. Reiter
9b3851e9e3 - Lock down the ``module'' structure by adding an SX lock that is used by
all the global bits of ``module'' data.  This commit adds a few generic
  macros, MOD_SLOCK, MOD_XLOCK, etc., that are meant to be used as ways
  of accessing the SX lock.  It is also the first step in helping to lock
  down the kernel linker and module systems.

Reviewed by: jhb, jake, smp@
2002-03-18 07:45:30 +00:00
David Malone
6c75a65a00 Don't assign strcmp to a variable called err and then compare it
with zero, just compare strcmp with zero. This fixes the same bug
which Maxim just fixed and fixes some odd style too.

PR:		35712
Reviewed by:	arr
2002-03-10 23:12:43 +00:00
Maxim Sobolev
832af2d5ed Fix a breakage introduced in rev.1.75 (supposedly style cleanup), which results
in "missing dependencies" error when loading some kld modules. It is sad to
see how often these days style cleanus break doesn't broken things. Perhaps
people should recall good old principle: "don't fix it if it isn't broken".
2002-03-10 19:20:01 +00:00
John Baldwin
a854ed9893 Simple p_ucred -> td_ucred changes to start using the per-thread ucred
reference.
2002-02-27 18:32:23 +00:00
Andrew R. Reiter
e68baa7073 - Whitespace fixes leftover from previous commit.
Submitted by:	bde
2002-02-22 13:43:56 +00:00
Andrew R. Reiter
8e92b63c6f - Massive style fixup.
Reviewed by: mike
Approved by: dfr
2002-02-22 04:14:49 +00:00
Robert Watson
894c9fe04e Add a comment indicating that the vnode locking in this section of the
kernel linker code may be wrong: it fails to hold a lock across the
call to VOP_GETATTR(), and vn_rdwr() with IO_NODELOCKED.
2002-02-10 21:29:02 +00:00
Andrew R. Reiter
b489b4075c - Ensure that linker file id's are unique, rather than blindly
incrementing the value.

Reviewed by: dfr, peter
2001-11-18 18:19:35 +00:00
Ian Dowse
7b9716bad2 Fix a number of misspellings of "dependency" and "dependencies" in
comments and function names.

PR:		kern/8589
Submitted by:	Rajesh Vaidheeswarran <rv@fore.com>
2001-11-16 21:08:40 +00:00
Robert Watson
fc5d29ef7d o Move suser() calls in kern/ to using suser_xxx() with an explicit
credential selection, rather than reference via a thread or process
  pointer.  This is part of a gradual migration to suser() accepting
  a struct ucred instead of a struct proc, simplifying the reference
  and locking semantics of suser().

Obtained from:	TrustedBSD Project
2001-11-01 20:56:57 +00:00
Brian Feldman
bb9fe9dd9e Add the sysctl "kern.function_list", which currently exports all
function symbols in the kernel in a list of C strings, with an extra
nul-termination at the end.

This sysctl requires addition of a new linker operation.  Now,
linker_file_t's need to respond to "each_function_name" to export
their function symbols.

Note that the sysctl doesn't currently allow distinguishing multiple
symbols with the same name from different modules, but could quite
easily without a change to the linker operation.  This will be a nicety
to have when it can be used.

Obtained from:	NAI Labs CBOSS project
Funded by:	DARPA
2001-10-30 15:21:45 +00:00
Julian Elischer
b40ce4165d KSE Milestone 2
Note ALL MODULES MUST BE RECOMPILED
make the kernel aware that there are smaller units of scheduling than the
process. (but only allow one thread per process at this time).
This is functionally equivalent to teh previousl -current except
that there is a thread associated with each process.

Sorry john! (your next MFC will be a doosie!)

Reviewed by: peter@freebsd.org, dillon@freebsd.org

X-MFC after:    ha ha ha ha
2001-09-12 08:38:13 +00:00
Peter Wemm
8ee6d9e90f Fix the kern.module_path issue that required the trailing '/' character
on each module path component.  Fix a one-byte buffer overflow at the
same time that got highlighted in the process.
2001-09-12 00:50:23 +00:00
Peter Wemm
505222d35f Implement the long-awaited module->file cache database. A userland
tool (kldxref(8)) keeps a cache of what modules and versions are inside
what .ko files.  I have tested this on both Alpha and i386.

Submitted by:	bp
2001-09-11 01:09:24 +00:00
Matthew Dillon
835a82ee2d Giant Pushdown. Saved the worst P4 tree breakage for last.
reboot() getpriority() setpriority() rtprio() osetrlimit() ogetrlimit()
    setrlimit() getrlimit() getrusage() getpid() getppid() getpgrp()
    getpgid() getsid() getgid() getegid() getgroups() setsid() setpgid()
    setuid() seteuid() setgid() setegid() setgroups() setreuid() setregid()
    setresuid() setresgid() getresuid() getresgid () __setugid() getlogin()
    setlogin() modnext() modfnext() modstat() modfind() kldload() kldunload()
    kldfind() kldnext() kldstat() kldfirstmod() kldsym() getdtablesize()
    dup2() dup() fcntl() close() ofstat() fstat() nfsstat() fpathconf()
    flock()
2001-09-01 19:04:37 +00:00
Dima Dorfman
fcd7e67061 Sync the default module search path with the one in
sys/boot/common/module.c.

PR:		21405
Submitted by:	Makoto MATSUSHITA <matusita@jp.FreeBSD.org>
2001-08-20 01:12:28 +00:00
Jake Burkholder
98b0e9d587 Don't try to print a field that doesn't exist; in usually commented
out debugging code.
2001-07-31 03:51:07 +00:00
Dag-Erling Smørgrav
0e79fe6f0e Constify (silence warnings introduced by last commit to sys/module.h) 2001-06-20 16:08:45 +00:00
Brian Somers
09dbb40410 Add linker_reference_module().
This function loads a module if required, otherwise bumps the reference
count -- the opposite of linker_file_unload().
2001-06-18 15:09:33 +00:00
Peter Wemm
f41325db5f With this commit, I hereby pronounce gensetdefs past its use-by date.
Replace the a.out emulation of 'struct linker_set' with something
a little more flexible.  <sys/linker_set.h> now provides macros for
accessing elements and completely hides the implementation.

The linker_set.h macros have been on the back burner in various
forms since 1998 and has ideas and code from Mike Smith (SET_FOREACH()),
John Polstra (ELF clue) and myself (cleaned up API and the conversion
of the rest of the kernel to use it).

The macros declare a strongly typed set.  They return elements with the
type that you declare the set with, rather than a generic void *.

For ELF, we use the magic ld symbols (__start_<setname> and
__stop_<setname>).  Thanks to Richard Henderson <rth@redhat.com> for the
trick about how to force ld to provide them for kld's.

For a.out, we use the old linker_set struct.

NOTE: the item lists are no longer null terminated.  This is why
the code impact is high in certain areas.

The runtime linker has a new method to find the linker set
boundaries depending on which backend format is in use.

linker sets are still module/kld unfriendly and should never be used
for anything that may be modular one day.

Reviewed by:	eivind
2001-06-13 10:58:39 +00:00
Peter Wemm
81930014ef Make the TUNABLE_*() macros look and behave more consistantly like the
SYSCTL_*() macros.  TUNABLE_INT_DECL() was an odd name because it didn't
actually declare the int, which is what the name suggests it would do.
2001-06-06 22:17:08 +00:00