Commit Graph

500 Commits

Author SHA1 Message Date
Matthew Dillon
cac4515267 Implement data, text, and vmem limit checking in the elf loader and svr4
compat code.  Clean up accounting for multiple segments.  Part 1/2.

Submitted by:	Andrey Alekseyev <uitm@zenon.net> (with some modifications)
MFC after:	3 days
2002-08-30 18:09:46 +00:00
Archie Cobbs
4a6a94d8d8 Replace (ab)uses of "NULL" where "0" is really meant. 2002-08-22 21:24:01 +00:00
Maxim Sobolev
62f7648682 Increase size of ifnet.if_flags from 16 bits (short) to 32 bits (int). To avoid
breaking application ABI use unused ifreq.ifru_flags[1] for upper 16 bits in
SIOCSIFFLAGS and SIOCGIFFLAGS ioctl's.

Reviewed by:	-hackers, -net
2002-08-18 07:05:00 +00:00
Robert Watson
d49fa1ca6e In continuation of early fileop credential changes, modify fo_ioctl() to
accept an 'active_cred' argument reflecting the credential of the thread
initiating the ioctl operation.

- Change fo_ioctl() to accept active_cred; change consumers of the
  fo_ioctl() interface to generally pass active_cred from td->td_ucred.
- In fifofs, initialize filetmp.f_cred to ap->a_cred so that the
  invocations of soo_ioctl() are provided access to the calling f_cred.
  Pass ap->a_td->td_ucred as the active_cred, but note that this is
  required because we don't yet distinguish file_cred and active_cred
  in invoking VOP's.
- Update kqueue_ioctl() for its new argument.
- Update pipe_ioctl() for its new argument, pass active_cred rather
  than td_ucred to MAC for authorization.
- Update soo_ioctl() for its new argument.
- Update vn_ioctl() for its new argument, use active_cred rather than
  td->td_ucred to authorize VOP_IOCTL() and the associated VOP_GETATTR().

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, NAI Labs
2002-08-17 02:36:16 +00:00
Robert Watson
ea6027a8e1 Make similar changes to fo_stat() and fo_poll() as made earlier to
fo_read() and fo_write(): explicitly use the cred argument to fo_poll()
as "active_cred" using the passed file descriptor's f_cred reference
to provide access to the file credential.  Add an active_cred
argument to fo_stat() so that implementers have access to the active
credential as well as the file credential.  Generally modify callers
of fo_stat() to pass in td->td_ucred rather than fp->f_cred, which
was redundantly provided via the fp argument.  This set of modifications
also permits threads to perform these operations on behalf of another
thread without modifying their credential.

Trickle this change down into fo_stat/poll() implementations:

- badfo_poll(), badfo_stat(): modify/add arguments.
- kqueue_poll(), kqueue_stat(): modify arguments.
- pipe_poll(), pipe_stat(): modify/add arguments, pass active_cred to
  MAC checks rather than td->td_ucred.
- soo_poll(), soo_stat(): modify/add arguments, pass fp->f_cred rather
  than cred to pru_sopoll() to maintain current semantics.
- sopoll(): moidfy arguments.
- vn_poll(), vn_statfile(): modify/add arguments, pass new arguments
  to vn_stat().  Pass active_cred to MAC and fp->f_cred to VOP_POLL()
  to maintian current semantics.
- vn_close(): rename cred to file_cred to reflect reality while I'm here.
- vn_stat(): Add active_cred and file_cred arguments to vn_stat()
  and consumers so that this distinction is maintained at the VFS
  as well as 'struct file' layer.  Pass active_cred instead of
  td->td_ucred to MAC and to VOP_GETATTR() to maintain current semantics.

- fifofs: modify the creation of a "filetemp" so that the file
  credential is properly initialized and can be used in the socket
  code if desired.  Pass ap->a_td->td_ucred as the active
  credential to soo_poll().  If we teach the vnop interface about
  the distinction between file and active credentials, we would use
  the active credential here.

Note that current inconsistent passing of active_cred vs. file_cred to
VOP's is maintained.  It's not clear why GETATTR would be authorized
using active_cred while POLL would be authorized using file_cred at
the file system level.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, NAI Labs
2002-08-16 12:52:03 +00:00
Robert Watson
9ca435893b In order to better support flexible and extensible access control,
make a series of modifications to the credential arguments relating
to file read and write operations to cliarfy which credential is
used for what:

- Change fo_read() and fo_write() to accept "active_cred" instead of
  "cred", and change the semantics of consumers of fo_read() and
  fo_write() to pass the active credential of the thread requesting
  an operation rather than the cached file cred.  The cached file
  cred is still available in fo_read() and fo_write() consumers
  via fp->f_cred.  These changes largely in sys_generic.c.

For each implementation of fo_read() and fo_write(), update cred
usage to reflect this change and maintain current semantics:

- badfo_readwrite() unchanged
- kqueue_read/write() unchanged
  pipe_read/write() now authorize MAC using active_cred rather
  than td->td_ucred
- soo_read/write() unchanged
- vn_read/write() now authorize MAC using active_cred but
  VOP_READ/WRITE() with fp->f_cred

Modify vn_rdwr() to accept two credential arguments instead of a
single credential: active_cred and file_cred.  Use active_cred
for MAC authorization, and select a credential for use in
VOP_READ/WRITE() based on whether file_cred is NULL or not.  If
file_cred is provided, authorize the VOP using that cred,
otherwise the active credential, matching current semantics.

Modify current vn_rdwr() consumers to pass a file_cred if used
in the context of a struct file, and to always pass active_cred.
When vn_rdwr() is used without a file_cred, pass NOCRED.

These changes should maintain current semantics for read/write,
but avoid a redundant passing of fp->f_cred, as well as making
it more clear what the origin of each credential is in file
descriptor read/write operations.

Follow-up commits will make similar changes to other file descriptor
operations, and modify the MAC framework to pass both credentials
to MAC policy modules so they can implement either semantic for
revocation.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, NAI Labs
2002-08-15 20:55:08 +00:00
Robert Watson
6835e7427c On MAC check failure for readdir, use 'goto out' to use the common exit
handling, rather than returning directly to prevent leaking of vnode
reference/lock.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, NAI Labs
2002-08-15 15:46:10 +00:00
Jeff Roberson
08d2496abf - Add the missing td argument to vn_lock that I missed in my last commit. 2002-08-13 20:34:30 +00:00
Jeff Roberson
619eb6e579 - Hold the vnode lock throughout execve.
- Set VV_TEXT in the top level execve code.
 - Fixup the image activators to deal with the newly locked vnode.
2002-08-13 06:55:28 +00:00
Robert Watson
7d834ce78d Enforce MAC policies for the locally implemented vnode services in
SVR4 emulation relating to readdir() and fd_revoke().  All other
services appear to be implemented by simply wrapping existing
FreeBSD native system call implementations, so don't require local
instrumentation in the emulator module.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, NAI Labs
2002-08-12 01:42:21 +00:00
Robert Watson
9702d65212 Another fix that wasn't pulled in from the MAC branch: the
struct mount is not cached as *mp at this point, so use
vp->v_mount directly, following the check that it's non-NULL.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, NAI Labs
2002-08-12 01:24:26 +00:00
Robert Watson
64844747f0 Fix missing parens in MAC readdir() check. This fix was in the MAC
branch, but apparently didn't get moved over when it was made.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, NAI Labs
2002-08-12 01:18:33 +00:00
Jeff Roberson
e6e370a7fe - Replace v_flag with v_iflag and v_vflag
- v_vflag is protected by the vnode lock and is used when synchronization
   with VOP calls is needed.
 - v_iflag is protected by interlock and is used for dealing with vnode
   management issues.  These flags include X/O LOCK, FREE, DOOMED, etc.
 - All accesses to v_iflag and v_vflag have either been locked or marked with
   mp_fixme's.
 - Many ASSERT_VOP_LOCKED calls have been added where the locking was not
   clear.
 - Many functions in vfs_subr.c were restructured to provide for stronger
   locking.

Idea stolen from:	BSD/OS
2002-08-04 10:29:36 +00:00
Robert Watson
eddc160e00 Introduce support for Mandatory Access Control and extensible
kernel access control.

Invoke appropriate MAC entry points for a number of VFS-related
operations in the Linux ABI module.  In particular, handle uselib
in a manner similar to open() (more work is probably needed here),
as well as handle statfs(), and linux readdir()-like calls.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, NAI Labs
2002-08-01 22:23:02 +00:00
Peter Wemm
db27052e18 Regenerate 2002-07-20 02:56:34 +00:00
Peter Wemm
3ebc124838 Infrastructure tweaks to allow having both an Elf32 and an Elf64 executable
handler in the kernel at the same time.  Also, allow for the
exec_new_vmspace() code to build a different sized vmspace depending on
the executable environment.  This is a big help for execing i386 binaries
on ia64.   The ELF exec code grows the ability to map partial pages when
there is a page size difference, eg: emulating 4K pages on 8K or 16K
hardware pages.

Flesh out the i386 emulation support for ia64.  At this point, the only
binary that I know of that fails is cvsup, because the cvsup runtime
tries to execute code in pages not marked executable.

Obtained from:  dfr (mostly, many tweaks from me).
2002-07-20 02:56:12 +00:00
Robert Drehmel
ad32affe91 Move the switch statement labels for the explicit 64-bit
command arguments into the correct function, linux_fcntl64(),
and thus out of the scope of a compilation for the alpha
platform.

Requested by:	obrien
2002-07-09 19:25:43 +00:00
Robert Drehmel
aaaefc6b56 Enable emulation of the F_GETLK64, F_SETLK64, and F_SETLKW64
lock commands arguments to linux_fcntl64().
2002-07-09 15:57:12 +00:00
Robert Drehmel
6f2df7152b The comment marked with XXX was right: emulate SVR4 for
ELF binaries branded with ELFOSABI_SYSV, this is reported
to work and brandelf(1) puts this type into files if "SVR4"
was specified.
2002-07-09 14:59:27 +00:00
Julian Elischer
e602ba25fd Part 1 of KSE-III
The ability to schedule multiple threads per process
(one one cpu) by making ALL system calls optionally asynchronous.
to come: ia64 and power-pc patches, patches for gdb, test program (in tools)

Reviewed by:	Almost everyone who counts
	(at various times, peter, jhb, matt, alfred, mini, bernd,
	and a cast of thousands)

	NOTE: this is still Beta code, and contains lots of debugging stuff.
	expect slight instability in signals..
2002-06-29 17:26:22 +00:00
Andrew R. Reiter
57d14ec550 - Remove the Giant acquisition from linux_socket_ioctl() as it was really
there to protect fdrop() (which in turn can call vrele()), however,
  fdrop_locked() grabs Giant for us, so we do not have to.

Reviewed by:	jhb
Inspired by:	alc
2002-06-26 15:53:11 +00:00
Robert Watson
fa3b8ffb32 Add a comment about how we should use vn_open() here instead of directly
invoking VOP_OPEN().  This would reduce code redundancy with the rest
of the kernel, and also is required for MAC to work properly.
2002-06-14 07:24:01 +00:00
Alfred Perlstein
85145119ed catch up with ktrace changes, KTRPOINT takes a 'struct thread' not
'struct proc' now.
2002-06-11 21:14:02 +00:00
John Baldwin
60a9bb197d Catch up to changes in ktrace API. 2002-06-07 05:37:18 +00:00
Jens Schweikhardt
21dc7d4f57 Fix typo in the BSD copyright: s/withough/without/
Spotted and suggested by:	des
MFC after:	3 weeks
2002-06-02 20:05:59 +00:00
Seigo Tanimura
4cc20ab1f0 Back out my lats commit of locking down a socket, it conflicts with hsu's work.
Requested by:	hsu
2002-05-31 11:52:35 +00:00
Alfred Perlstein
524683999f correct commented out preprocessor test for i386 to __i386__ 2002-05-30 07:28:43 +00:00
Bruce Evans
5cc5b1d344 Fixed a printf format error. It was old and should have been detected by
gcc-2.9x, but somehow wasn't fixed already.
2002-05-25 10:48:03 +00:00
Seigo Tanimura
243917fe3b Lock down a socket, milestone 1.
o Add a mutex (sb_mtx) to struct sockbuf. This protects the data in a
  socket buffer. The mutex in the receive buffer also protects the data
  in struct socket.

o Determine the lock strategy for each members in struct socket.

o Lock down the following members:

  - so_count
  - so_options
  - so_linger
  - so_state

o Remove *_locked() socket APIs.  Make the following socket APIs
  touching the members above now require a locked socket:

 - sodisconnect()
 - soisconnected()
 - soisconnecting()
 - soisdisconnected()
 - soisdisconnecting()
 - sofree()
 - soref()
 - sorele()
 - sorwakeup()
 - sotryfree()
 - sowakeup()
 - sowwakeup()

Reviewed by:	alfred
2002-05-20 05:41:09 +00:00
John Baldwin
f44d9e24fb Change p_can{debug,see,sched,signal}()'s first argument to be a thread
pointer instead of a proc pointer and require the process pointed to
by the second argument to be locked.  We now use the thread ucred reference
for the credential checks in p_can*() as a result.  p_canfoo() should now
no longer need Giant.
2002-05-19 00:14:50 +00:00
Marcel Moolenaar
b76e6a6f09 In msgrcv(), set msgtyp correctly. Hardwiring 0 as the message type
yields incorrect behaviour. The hardwiring was present in the very
first commit that implemented msgrcv() (revision 1.4) and hasn't been
changed since. The native implementation was complete at that time,
so there doesn't seem to be a reason for the hardwiring from a
technical point of view.

Submitted by: Reinier Bezuidenhout <rbezuide@yahoo.com>
2002-05-18 07:53:56 +00:00
Dima Dorfman
b90faaf350 sysctl -w -> sysctl 2002-05-11 06:06:11 +00:00
Peter Wemm
4924b9dd80 Zap some stale unused headers, including one machine/psl.h (which is
a stub on alpha).  Compile tested on alpha and x86.
2002-05-01 02:17:33 +00:00
Robert Watson
b099af16dd Add an XXX: linux_uselib() should be using vn_open() rather than invoking
VOP_OPEN() and doing lots of manual checking.  This would further
centralize use of the name functions, and once the MAC code is integrated,
meaning few extraneous MAC checks scattered all over the place.  I don't
have time to fix this now, but want to make sure it doesn't get
forgotten.  Anyone interested in fixing this should feel free.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, NAI Labs
2002-04-20 14:43:34 +00:00
John Baldwin
ea97757a54 - Lock proctree_lock instead of pgrpsess_lock.
- Exclusively lock proctree_lock while calling leavepgrp().
2002-04-16 17:04:21 +00:00
John Baldwin
094a945562 Rework logic of syscalls that modify process credentials as described in
rev 1.152 of sys/kern/kern_prot.c.
2002-04-13 23:11:23 +00:00
John Baldwin
590ae816c2 - p_cansee() needs the target process locked.
- We need the proc lock held for more of procfs_doprocstatus().
2002-04-13 23:09:41 +00:00
John Baldwin
8e4357a4cb Use proc lock to protect p_ucred pointer while we deference it to read a
few values.
2002-04-11 21:00:38 +00:00
John Baldwin
0af24d5151 Use td_ucred in a few spots. 2002-04-11 21:00:05 +00:00
Doug Rabson
5eb29d9b90 Initial support for executing IA-32 binaries. This will not compile
without a few patches for the rest of the kernel to allow the image
activator to override exec_copyout_strings and setregs.

None of the syscall argument translation has been done. Possibly, this
translation layer can be shared with any platform that wants to support
running ILP32 binaries on an LP64 host (e.g. sparc32 binaries?)
2002-04-10 19:34:51 +00:00
John Baldwin
65c9b4303b - Change fill_kinfo_proc() to require that the process is locked when it
is called.
- Change sysctl_out_proc() to require that the process is locked when it
  is called and to drop the lock before it returns.  If this proves too
  complex we can change sysctl_out_proc() to simply acquire the lock at
  the very end and have the calling code drop the lock right after it
  returns.
- Lock the process we are going to export before the p_cansee() in the
  loop in sysctl_kern_proc() and hold the lock until we call
  sysctl_out_proc().
- Don't call p_cansee() on the process about to be exported twice in
  the aforementioned loop.
2002-04-09 20:10:46 +00:00
Bruce Evans
79065dba2a Moved signal handling and rescheduling from userret() to ast() so that
they aren't in the usual path of execution for syscalls and traps.
The main complication for this is that we have to set flags to control
ast() everywhere that changes the signal mask.

Avoid locking in userret() in most of the remaining cases.

Submitted by:	luoqi (first part only, long ago, reorganized by me)
Reminded by:	dillon
2002-04-04 17:49:48 +00:00
John Baldwin
44731cab3b Change the suser() API to take advantage of td_ucred as well as do a
general cleanup of the API.  The entire API now consists of two functions
similar to the pre-KSE API.  The suser() function takes a thread pointer
as its only argument.  The td_ucred member of this thread must be valid
so the only valid thread pointers are curthread and a few kernel threads
such as thread0.  The suser_cred() function takes a pointer to a struct
ucred as its first argument and an integer flag as its second argument.
The flag is currently only used for the PRISON_ROOT flag.

Discussed on:	smp@
2002-04-01 21:31:13 +00:00
Alfred Perlstein
e9b192b758 Protect proc struct (p_args and p_comm) when doing procfs IO that pulls
data from it.

Submitted by: Jonathan Mini <mini@haikugeek.com>
2002-03-29 19:12:40 +00:00
Alfred Perlstein
8899023f66 Make the reference counting of 'struct pargs' SMP safe.
There is still some locations where the PROC lock should be held
in order to prevent inconsistent views from outside (like the
proc->p_fd fix for kern/vfs_syscalls.c:checkdirs()) that can be
fixed later.

Submitted by: Jonathan Mini <mini@haikugeek.com>
2002-03-27 21:36:18 +00:00
Bruce Evans
4292735db9 Fixed some style bugs in the removal of __P(()). Tabs before "__P(("
were not removed.
2002-03-24 04:04:50 +00:00
Jeff Roberson
851031501a Remove references to vm_zone.h and switch over to the new uma API. 2002-03-20 10:35:22 +00:00
Alfred Perlstein
b63dc6ad47 Remove __P. 2002-03-20 05:48:58 +00:00
John Baldwin
a854ed9893 Simple p_ucred -> td_ucred changes to start using the per-thread ucred
reference.
2002-02-27 18:32:23 +00:00
Robert Drehmel
668ae58863 Use the updated getcredhostname() function. 2002-02-27 16:47:27 +00:00