Commit Graph

155 Commits

Author SHA1 Message Date
Don Lewis
a961520c13 Rename the wiredlen member of struct sysctl_req to validlen and always
set it to avoid the need for a bunch of code that tests whether or
not the lock member is set to REQ_WIRED in order to determine which
length member should be used.

Fix another bug in the oldlen return value code.

Fix a potential wired memory leak if a sysctl handler uses
sysctl_wire_old_buffer() and returns an EAGAIN error to trigger
a retry.
2004-03-16 06:53:03 +00:00
Don Lewis
8ac3e8e940 Don't bother calling vslock() and vsunlock() if oldlen is zero.
If vslock() returns ENOMEM, sysctl_wire_old_buffer() should set
wiredlen to zero and return zero (success) so that the handler will
operate according to sysctl(3):
     The size of the buffer is given by the location specified by
     oldlenp before the call, and that location gives the amount
     of data copied after a successful call and after a call that
     returns with the error code ENOMEM.
The handler will return an ENOMEM error because the zero length
buffer will overflow.
2004-03-16 01:28:45 +00:00
Don Lewis
ce8660e395 Revert to the original vslock() and vsunlock() API with the following
exceptions:
	Retain the recently added vslock() error return.

	The type of the len argument should be size_t, not u_int.

Suggested by:	bde
2004-03-15 06:42:40 +00:00
Don Lewis
169299398a Undo the merger of mlock()/vslock and munlock()/vsunlock() and the
introduction of kern_mlock() and kern_munlock() in
        src/sys/kern/kern_sysctl.c      1.150
        src/sys/vm/vm_extern.h          1.69
        src/sys/vm/vm_glue.c            1.190
        src/sys/vm/vm_mmap.c            1.179
because different resource limits are appropriate for transient and
"permanent" page wiring requests.

Retain the kern_mlock() and kern_munlock() API in the revived
vslock() and vsunlock() functions.

Combine the best parts of each of the original sets of implementations
with further code cleanup.  Make the mclock() and vslock()
implementations as similar as possible.

Retain the RLIMIT_MEMLOCK check in mlock().  Move the most strigent
test, which can return EAGAIN, last so that requests that have no
hope of ever being satisfied will not be retried unnecessarily.

Disable the test that can return EAGAIN in the vslock() implementation
because it will cause the sysctl code to wedge.

Tested by:	Cy Schubert <Cy.Schubert AT komquats.com>
2004-03-05 22:03:11 +00:00
Dag-Erling Smørgrav
21885af505 Add sysctl_move_oid() which reparents an existing OID. 2004-02-27 17:13:23 +00:00
Don Lewis
47934cef8f Split the mlock() kernel code into two parts, mlock(), which unpacks
the syscall arguments and does the suser() permission check, and
kern_mlock(), which does the resource limit checking and calls
vm_map_wire().  Split munlock() in a similar way.

Enable the RLIMIT_MEMLOCK checking code in kern_mlock().

Replace calls to vslock() and vsunlock() in the sysctl code with
calls to kern_mlock() and kern_munlock() so that the sysctl code
will obey the wired memory limits.

Nuke the vslock() and vsunlock() implementations, which are no
longer used.

Add a member to struct sysctl_req to track the amount of memory
that is wired to handle the request.

Modify sysctl_wire_old_buffer() to return an error if its call to
kern_mlock() fails.  Only wire the minimum of the length specified
in the sysctl request and the length specified in its argument list.
It is recommended that sysctl handlers that use sysctl_wire_old_buffer()
should specify reasonable estimates for the amount of data they
want to return so that only the minimum amount of memory is wired
no matter what length has been specified by the request.

Modify the callers of sysctl_wire_old_buffer() to look for the
error return.

Modify sysctl_old_user to obey the wired buffer length and clean up
its implementation.

Reviewed by:	bms
2004-02-26 00:27:04 +00:00
Pawel Jakub Dawidek
63dba32b76 Reimplement sysctls handling by MAC framework.
Now I believe it is done in the right way.

Removed some XXMAC cases, we now assume 'high' integrity level for all
sysctls, except those with CTLFLAG_ANYBODY flag set. No more magic.

Reviewed by:	rwatson
Approved by:	rwatson, scottl (mentor)
Tested with:	LINT (compilation), mac_biba(4) (functionality)
2004-02-22 12:31:44 +00:00
Bruce M Simpson
f05970242b Bring back sysctl_wire_old_buffer(). Fix a bug in sysctl_handle_opaque()
whereby the pointers would not get reset on a retried SYSCTL_OUT() call.

Noticed by:	bde
2003-10-05 13:31:33 +00:00
Bruce M Simpson
dcf59a59fc Fix a security problem in sysctl() the long way round.
Use pre-emption detection to avoid the need for wiring a userland buffer
when copying opaque data structures.

sysctl_wire_old_buffer() is now a no-op. Other consumers of this
API should use pre-emption detection to notice update collisions.

vslock() and vsunlock() should no longer be called by any code
and should be retired in subsequent commits.

Discussed with:	pete, phk
MFC after:	1 week
2003-10-05 09:37:47 +00:00
Bruce M Simpson
51830edcc5 Fold the vslock() and vsunlock() calls in this file with #if 0's; they will
go away in due course. Involuntary pre-emption means that we can't count
on wiring of pages alone for consistency when performing a SYSCTL_OUT()
bigger than PAGE_SIZE.

Discussed with:	pete, phk
2003-10-05 08:38:22 +00:00
Bruce M Simpson
5be99846fc Remove magic numbers surrounding locking state in the sysctl module, and
replace them with more meaningful defines.
2003-10-05 05:38:30 +00:00
David E. O'Brien
677b542ea2 Use __FBSDID(). 2003-06-11 00:56:59 +00:00
Maxime Henrion
193f2edbf9 When loading a module that contains a sysctl which is already compiled
in the kernel, the sysctl_register() call would fail, as expected.
However, when unloading this module again, the kernel would then panic
in sysctl_unregister().  Print a message error instead.

Submitted by:	Nicolai Petri <nicolai@catpipe.net>
Reviewed by:	imp
Approved by:	re@ (jhb)
2003-05-29 21:19:18 +00:00
John Baldwin
740190593a Use a shorter and less redundant name for the sysctl tree lock. 2003-03-11 20:01:51 +00:00
John Baldwin
263067951a Replace calls to WITNESS_SLEEP() and witness_list() with equivalent calls
to WITNESS_WARN().
2003-03-04 21:03:05 +00:00
Robert Watson
90623e1a9e Don't panic when enumerating SYSCTL_NODE() nodes without any children
nodes.

Submitted by:	green, Hiten Pandya <hiten@unixdaemons.com>
2003-02-22 17:58:06 +00:00
Warner Losh
a163d034fa Back out M_* changes, per decision of the TRB.
Approved by: trb
2003-02-19 05:47:46 +00:00
Alfred Perlstein
44956c9863 Remove M_TRYWAIT/M_WAITOK/M_WAIT. Callers should use 0.
Merge M_NOWAIT/M_DONTWAIT into a single flag M_NOWAIT.
2003-01-21 08:56:16 +00:00
Matthew Dillon
fe41ca530c Introduce the ability to flag a sysctl for operation at secure level 2 or 3
in addition to secure level 1.  The mask supports up to a secure level of 8
but only add defines through CTLFLAG_SECURE3 for now.

As per the missif in the log entry for 1.11 of ip_fw2.c which added the
secure flag to the IPFW sysctl's in the first place, change the secure
level requirement from 1 to 3 now that we have support for it.

Reviewed by:	imp
With Design Suggestions by:	imp
2003-01-14 19:35:33 +00:00
Maxime Henrion
5d9155dfee Fix kernel build.
Pointy hats to:	dillon, Hiten Pandya <hiten@unixdaemons.com>
2003-01-11 12:39:45 +00:00
Robert Watson
d3fc69ee6a Implement mac_check_system_sysctl(), a MAC Framework entry point to
permit MAC policies to augment the security protections on sysctl()
operations.  This is not really a wonderful entry point, as we
only have access to the MIB of the target sysctl entry, rather than
the more useful entry name, but this is sufficient for policies
like Biba that wish to use their notions of privilege or integrity
to prevent inappropriate sysctl modification.  Affects MAC kernels
only.  Since SYSCTL_LOCK isn't in sysctl.h, just kern_sysctl.c,
we can't assert the SYSCTL subsystem lockin the MAC Framework.

Approved by:	re
Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2002-10-27 07:12:34 +00:00
Maxime Henrion
5b8ee62bc2 Fix a style nit. 2002-10-26 18:19:46 +00:00
Robert Drehmel
e80fb43467 Use strlcpy() instead of strncpy() to copy NUL terminated strings
for safety and consistency.
2002-10-17 20:03:38 +00:00
Poul-Henning Kamp
37c841831f Be consistent about "static" functions: if the function is marked
static in its prototype, mark it static at the definition too.

Inspired by:    FlexeLint warning #512
2002-09-28 17:15:38 +00:00
Maxime Henrion
306e6b8393 Introduce a new sysctl flag, CTLFLAG_SKIP, which will cause
sysctl_sysctl_next() to skip this sysctl.  The sysctl is
still available, but doesn't appear in a "sysctl -a".

This is especially useful when you want to deprecate a sysctl,
and add a warning into it to warn users that they are using
an old interface.  Without this flag, the warning would get
echoed when running "sysctl -a" (which happens at boot).
2002-08-10 19:56:45 +00:00
Don Lewis
b74f2c1878 Don't automagically call vslock() from SYSCTL_OUT(). Instead, complain
about calls to SYSCTL_OUT() made with locks held if the buffer has not
been pre-wired.  SYSCTL_OUT() should not be called while holding locks,
but if this is not possible, the buffer should be wired by calling
sysctl_wire_old_buffer() before grabbing any locks.
2002-08-06 11:28:09 +00:00
Don Lewis
9e74cba35a Make a temporary copy of the output data in the generic sysctl handlers
so that the data is less likely to be inconsistent if SYSCTL_OUT() blocks.
If the data is large, wire the output buffer instead.

This is somewhat less than optimal, since the handler could skip the copy
if it knew that the data was static.

If the data is dynamic, we are still not guaranteed to get a consistent
copy since another processor could change the data while the copy is in
progress because the data is not locked.  This problem could be solved if
the generic handlers had the ability to grab the proper lock before the
copy and release it afterwards.

This may duplicate work done in other sysctl handlers in the kernel which
also copy the data, possibly while a lock is held, before calling they call
a generic handler to output the data.  These handlers should probably call
SYSCTL_OUT() directly.
2002-07-28 21:06:14 +00:00
Don Lewis
0600730d73 Provide a way for sysctl handlers to pre-wire their output buffer before
they grab a lock so that they don't block in SYSCTL_OUT() with the lock
being held.
2002-07-22 08:25:37 +00:00
Mark Murray
f0d2d03884 Fix a bazillion lint and WARNS warnings. One major fix is the removal of
semicolons from the end of macros:

#define FOO() bar(a,b,c);

becomes

#define FOO() bar(a,b,c)

Thus requiring the semicolon in the invocation of FOO. This is much
cleaner syntax and more consistent with expectations when writing
function-like things in source.

With both peril-sensitive sunglasses and flame-proof undies on, tighten
up some types, and work around some warnings generated by this. There
are some _horrible_ const/non-const issues in this code.
2002-07-15 17:28:34 +00:00
Alfred Perlstein
016091145e more caddr_t removal. 2002-06-29 02:00:02 +00:00
Robert Watson
3bd1da2958 Update comment regarding the locking of the sysctl tree.
Rename memlock to sysctllock, and MEMLOCK()/MEMUNLOCK() to SYSCTL_LOCK()/
SYSCTL_UNLOCK() and related changes to make the lock names make more
sense.

Submitted by:	Jonathan Mini <mini@haikugeek.com>
2002-04-02 05:50:07 +00:00
Alfred Perlstein
29a2c0cd09 Use sx locks instead of flags+tsleep locks.
Submitted by: Jonathan Mini <mini@haikugeek.com>
2002-04-02 04:20:38 +00:00
John Baldwin
44731cab3b Change the suser() API to take advantage of td_ucred as well as do a
general cleanup of the API.  The entire API now consists of two functions
similar to the pre-KSE API.  The suser() function takes a thread pointer
as its only argument.  The td_ucred member of this thread must be valid
so the only valid thread pointers are curthread and a few kernel threads
such as thread0.  The suser_cred() function takes a pointer to a struct
ucred as its first argument and an integer flag as its second argument.
The flag is currently only used for the PRISON_ROOT flag.

Discussed on:	smp@
2002-04-01 21:31:13 +00:00
Robert Watson
7906271f25 In sysctl, req->td is believed always to be non-NULL, so there's no need
to test req->td for NULL values and then do somewhat more bizarre things
relating to securelevel special-casing and suser checks.  Remove the
testing and conditional security checks based on req->td!=NULL, and insert
a KASSERT that td != NULL.  Callers to sysctl must always specify the
thread (be it kernel or otherwise) requesting the operation, or a
number of current sysctls will fail due to assumptions that the thread
exists.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, NAI Labs
Discussed with:	bde
2002-03-22 14:58:27 +00:00
John Baldwin
a854ed9893 Simple p_ucred -> td_ucred changes to start using the per-thread ucred
reference.
2002-02-27 18:32:23 +00:00
Luigi Rizzo
6105f81565 Add code to export and print the description associated to sysctl
variables. Use the -d flag in sysctl(8) to see this information.

Possible extensions to sysctl:
 + report variables that do not have a description
 + given a name, report the oid it maps to.

Note to developers: have a look at your code, there are a number of
	variables which do not have a description.

Note to developers: do we want this in 4.5 ? It is a very small change
	and very useful for documentation purposes.

Suggested by: Orion Hodson
2001-12-16 02:55:41 +00:00
Peter Wemm
023a0e6100 Dont print the sysctl node tree unless you're root.
Found by:	jkb (Yahoo OS troublemaker)
2001-11-28 03:11:16 +00:00
Robert Watson
ce17880650 o Replace reference to 'struct proc' with 'struct thread' in 'struct
sysctl_req', which describes in-progress sysctl requests.  This permits
  sysctl handlers to have access to the current thread, permitting work
  on implementing td->td_ucred, migration of suser() to using struct
  thread to derive the appropriate ucred, and allowing struct thread to be
  passed down to other code, such as network code where td is not currently
  available (and curproc is used).

o Note: netncp and netsmb are not updated to reflect this change, as they
  are not currently KSE-adapted.

Reviewed by:		julian
Obtained from:	TrustedBSD Project
2001-11-08 02:13:18 +00:00
Peter Pentchev
88fbb423d4 Remove the panic when trying to register a sysctl with an oid too high.
This stops panics on unloading modules which define their own sysctl sets.

However, this also removes the protection against somebody actually
defining a static sysctl with an oid in the range of the dynamic ones,
which would break badly if there is already a dynamic sysctl with
the requested oid.

Apparently, the algorithm for removing sysctl sets needs a bit more work.
For the present, the panic I introduced only leads to Bad Things (tm).

Submitted by:	many users of -current :(
Pointy hat to:	roam (myself) for not testing rev. 1.112 enough.
2001-10-12 09:16:36 +00:00
Robert Watson
c2f413af19 o Modify sysctl access control check to use securelevel_gt(), and
clarify sysctl access control logic.

Obtained from:	TrustedBSD Project
2001-09-26 19:51:25 +00:00
Julian Elischer
b40ce4165d KSE Milestone 2
Note ALL MODULES MUST BE RECOMPILED
make the kernel aware that there are smaller units of scheduling than the
process. (but only allow one thread per process at this time).
This is functionally equivalent to teh previousl -current except
that there is a thread associated with each process.

Sorry john! (your next MFC will be a doosie!)

Reviewed by: peter@freebsd.org, dillon@freebsd.org

X-MFC after:    ha ha ha ha
2001-09-12 08:38:13 +00:00
Matthew Dillon
fb99ab8811 Giant Pushdown
clock_gettime() clock_settime() nanosleep() settimeofday()
adjtime() getitimer() setitimer() __sysctl() ogetkerninfo()
sigaction() osigaction() sigpending() osigpending() osigvec()
osigblock() osigsetmask() sigsuspend() osigsuspend() osigstack()
sigaltstack() kill() okillpg() trapsignal() nosys()
2001-09-01 18:19:21 +00:00
Peter Wemm
df55753880 Fix the ogetkerninfo() syscall handling of sizes for
KINFO_BSDI_SYSINFO.  This supposedly fixes Netscape 3.0.4 (bsdi binary)
on -current.  (and is also applicable to RELENG_4)

PR:		25476
Submitted by:	Philipp Mergenthaler <un1i@rz.uni-karlsruhe.de>
2001-08-29 11:47:53 +00:00
Peter Pentchev
7ca4d05f34 Make dynamic sysctl entries start at 0x100, not decimal 100 - there are
static entries with oid's over 100, and defining enough dynamic entries
causes an overlap.

Move the "magic" value 0x100 into <sys/sysctl.h> where it belongs.

PR:		29131
Submitted by:	"Alexander N. Kabaev" <kabaev@mail.ru>
Reviewed by:	-arch, -audit
MFC after:	2 weeks
2001-07-25 17:21:18 +00:00
Peter Pentchev
107e7dc5c3 Style(9): function names on a separate line, max line length 80 chars.
Reviewed by:	-arch, -audit
MFC after:	2 weeks
2001-07-25 17:13:58 +00:00
Matt Jacob
2f7f966cb8 int -> size_t fix 2001-06-22 19:54:38 +00:00
Peter Wemm
f41325db5f With this commit, I hereby pronounce gensetdefs past its use-by date.
Replace the a.out emulation of 'struct linker_set' with something
a little more flexible.  <sys/linker_set.h> now provides macros for
accessing elements and completely hides the implementation.

The linker_set.h macros have been on the back burner in various
forms since 1998 and has ideas and code from Mike Smith (SET_FOREACH()),
John Polstra (ELF clue) and myself (cleaned up API and the conversion
of the rest of the kernel to use it).

The macros declare a strongly typed set.  They return elements with the
type that you declare the set with, rather than a generic void *.

For ELF, we use the magic ld symbols (__start_<setname> and
__stop_<setname>).  Thanks to Richard Henderson <rth@redhat.com> for the
trick about how to force ld to provide them for kld's.

For a.out, we use the old linker_set struct.

NOTE: the item lists are no longer null terminated.  This is why
the code impact is high in certain areas.

The runtime linker has a new method to find the linker set
boundaries depending on which backend format is in use.

linker sets are still module/kld unfriendly and should never be used
for anything that may be modular one day.

Reviewed by:	eivind
2001-06-13 10:58:39 +00:00
Dima Dorfman
b8edb44cc3 When tring to find out if this is a request for a write in
kernel_sysctl and userland_sysctl, check for whether new is NULL, not
whether newlen is 0.  This allows one to set a string sysctl to "".
2001-06-03 04:58:51 +00:00
Jonathan Lemon
1890520a77 Add convenience function kernel_sysctlbyname() for kernel consumers,
so they don't have to roll their own sysctlbyname function.
2001-05-19 05:45:55 +00:00
Thomas Moestl
3a51557243 Make the SYSCTL_OUT handlers sysctl_old_user() and sysctl_old_kernel()
more robust. They would correctly return ENOMEM for the first time when
the buffer was exhausted, but subsequent calls in this case could cause
writes ouside of the buffer bounds.

Approved by:	rwatson
2001-03-08 01:20:43 +00:00