f504530d9f
real uid, saved uid, real gid, and saved gid to ucred, as well as the
pcred->pc_uidinfo, which was associated with the real uid, only rename
it to cr_ruidinfo so as not to conflict with cr_uidinfo, which
corresponds to the effective uid.
o Remove p_cred from struct proc; add p_ucred to struct proc, replacing
original macro that pointed.
p->p_ucred to p->p_cred->pc_ucred.
o Universally update code so that it makes use of ucred instead of pcred,
p->p_ucred instead of p->p_pcred, cr_ruidinfo instead of p_uidinfo,
cr_{r,sv}{u,g}id instead of p_*, etc.
o Remove pcred0 and its initialization from init_main.c; initialize
cr_ruidinfo there.
o Restruction many credential modification chunks to always crdup while
we figure out locking and optimizations; generally speaking, this
means moving to a structure like this:
newcred = crdup(oldcred);
...
p->p_ucred = newcred;
crfree(oldcred);
It's not race-free, but better than nothing. There are also races
in sys_process.c, all inter-process authorization, fork, exec, and
exit.
o Remove sigio->sio_ruid since sigio->sio_ucred now contains the ruid;
remove comments indicating that the old arrangement was a problem.
o Restructure exec1() a little to use newcred/oldcred arrangement, and
use improved uid management primitives.
o Clean up exit1() so as to do less work in credential cleanup due to
pcred removal.
o Clean up fork1() so as to do less work in credential cleanup and
allocation.
o Clean up ktrcanset() to take into account changes, and move to using
suser_xxx() instead of performing a direct uid==0 comparision.
o Improve commenting in various kern_prot.c credential modification
calls to better document current behavior. In a couple of places,
current behavior is a little questionable and we need to check
POSIX.1 to make sure it's "right". More commenting work still
remains to be done.
o Update credential management calls, such as crfree(), to take into
account new ruidinfo reference.
o Modify or add the following uid and gid helper routines:
change_euid()
change_egid()
change_ruid()
change_rgid()
change_svuid()
change_svgid()
In each case, the call now acts on a credential not a process, and as
such no longer requires more complicated process locking/etc. They
now assume the caller will do any necessary allocation of an
exclusive credential reference. Each is commented to document its
reference requirements.
o CANSIGIO() is simplified to require only credentials, not processes
and pcreds.
o Remove lots of (p_pcred==NULL) checks.
o Add an XXX to authorization code in nfs_lock.c, since it's
questionable, and needs to be considered carefully.
o Simplify posix4 authorization code to require only credentials, not
processes and pcreds. Note that this authorization, as well as
CANSIGIO(), needs to be updated to use the p_cansignal() and
p_cansched() centralized authorization routines, as they currently
do not take into account some desirable restrictions that are handled
by the centralized routines, as well as being inconsistent with other
similar authorization instances.
o Update libkvm to take these changes into account.
Obtained from: TrustedBSD Project
Reviewed by: green, bde, jhb, freebsd-arch, freebsd-audit
151 lines
5.9 KiB
C
151 lines
5.9 KiB
C
/*
|
|
* Copyright (c) 1990, 1993
|
|
* The Regents of the University of California. All rights reserved.
|
|
*
|
|
* Redistribution and use in source and binary forms, with or without
|
|
* modification, are permitted provided that the following conditions
|
|
* are met:
|
|
* 1. Redistributions of source code must retain the above copyright
|
|
* notice, this list of conditions and the following disclaimer.
|
|
* 2. Redistributions in binary form must reproduce the above copyright
|
|
* notice, this list of conditions and the following disclaimer in the
|
|
* documentation and/or other materials provided with the distribution.
|
|
* 3. All advertising materials mentioning features or use of this software
|
|
* must display the following acknowledgement:
|
|
* This product includes software developed by the University of
|
|
* California, Berkeley and its contributors.
|
|
* 4. Neither the name of the University nor the names of its contributors
|
|
* may be used to endorse or promote products derived from this software
|
|
* without specific prior written permission.
|
|
*
|
|
* THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
|
|
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
|
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
|
|
* ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
|
|
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
|
|
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
|
|
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
|
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
|
|
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
|
|
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
|
* SUCH DAMAGE.
|
|
*
|
|
* @(#)filedesc.h 8.1 (Berkeley) 6/2/93
|
|
* $FreeBSD$
|
|
*/
|
|
|
|
#ifndef _SYS_FILEDESC_H_
|
|
#define _SYS_FILEDESC_H_
|
|
|
|
#include <sys/queue.h>
|
|
|
|
/*
|
|
* This structure is used for the management of descriptors. It may be
|
|
* shared by multiple processes.
|
|
*
|
|
* A process is initially started out with NDFILE descriptors stored within
|
|
* this structure, selected to be enough for typical applications based on
|
|
* the historical limit of 20 open files (and the usage of descriptors by
|
|
* shells). If these descriptors are exhausted, a larger descriptor table
|
|
* may be allocated, up to a process' resource limit; the internal arrays
|
|
* are then unused. The initial expansion is set to NDEXTENT; each time
|
|
* it runs out, it is doubled until the resource limit is reached. NDEXTENT
|
|
* should be selected to be the biggest multiple of OFILESIZE (see below)
|
|
* that will fit in a power-of-two sized piece of memory.
|
|
*/
|
|
#define NDFILE 20
|
|
#define NDEXTENT 50 /* 250 bytes in 256-byte alloc. */
|
|
|
|
struct filedesc {
|
|
struct file **fd_ofiles; /* file structures for open files */
|
|
char *fd_ofileflags; /* per-process open file flags */
|
|
struct vnode *fd_cdir; /* current directory */
|
|
struct vnode *fd_rdir; /* root directory */
|
|
struct vnode *fd_jdir; /* jail root directory */
|
|
int fd_nfiles; /* number of open files allocated */
|
|
u_short fd_lastfile; /* high-water mark of fd_ofiles */
|
|
u_short fd_freefile; /* approx. next free file */
|
|
u_short fd_cmask; /* mask for file creation */
|
|
u_short fd_refcnt; /* reference count */
|
|
|
|
int fd_knlistsize; /* size of knlist */
|
|
struct klist *fd_knlist; /* list of attached knotes */
|
|
u_long fd_knhashmask; /* size of knhash */
|
|
struct klist *fd_knhash; /* hash table for attached knotes */
|
|
};
|
|
|
|
/*
|
|
* Basic allocation of descriptors:
|
|
* one of the above, plus arrays for NDFILE descriptors.
|
|
*/
|
|
struct filedesc0 {
|
|
struct filedesc fd_fd;
|
|
/*
|
|
* These arrays are used when the number of open files is
|
|
* <= NDFILE, and are then pointed to by the pointers above.
|
|
*/
|
|
struct file *fd_dfiles[NDFILE];
|
|
char fd_dfileflags[NDFILE];
|
|
};
|
|
|
|
/*
|
|
* Per-process open flags.
|
|
*/
|
|
#define UF_EXCLOSE 0x01 /* auto-close on exec */
|
|
#if 0
|
|
#define UF_MAPPED 0x02 /* mapped from device */
|
|
#endif
|
|
|
|
/*
|
|
* Storage required per open file descriptor.
|
|
*/
|
|
#define OFILESIZE (sizeof(struct file *) + sizeof(char))
|
|
|
|
/*
|
|
* This structure holds the information needed to send a SIGIO or
|
|
* a SIGURG signal to a process or process group when new data arrives
|
|
* on a device or socket. The structure is placed on an SLIST belonging
|
|
* to the proc or pgrp so that the entire list may be revoked when the
|
|
* process exits or the process group disappears.
|
|
*/
|
|
struct sigio {
|
|
union {
|
|
struct proc *siu_proc; /* process to receive SIGIO/SIGURG */
|
|
struct pgrp *siu_pgrp; /* process group to receive ... */
|
|
} sio_u;
|
|
SLIST_ENTRY(sigio) sio_pgsigio; /* sigio's for process or group */
|
|
struct sigio **sio_myref; /* location of the pointer that holds
|
|
* the reference to this structure */
|
|
struct ucred *sio_ucred; /* current credentials */
|
|
pid_t sio_pgid; /* pgid for signals */
|
|
};
|
|
#define sio_proc sio_u.siu_proc
|
|
#define sio_pgrp sio_u.siu_pgrp
|
|
|
|
SLIST_HEAD(sigiolst, sigio);
|
|
|
|
#ifdef _KERNEL
|
|
int closef __P((struct file *fp, struct proc *p));
|
|
int dupfdopen __P((struct proc *p, struct filedesc *fdp, int indx, int dfd, int mode,
|
|
int error));
|
|
int falloc __P((struct proc *p, struct file **resultfp, int *resultfd));
|
|
int fdalloc __P((struct proc *p, int want, int *result));
|
|
int fdavail __P((struct proc *p, int n));
|
|
void fdcloseexec __P((struct proc *p));
|
|
struct filedesc *fdcopy __P((struct proc *p));
|
|
void fdfree __P((struct proc *p));
|
|
struct filedesc *fdinit __P((struct proc *p));
|
|
struct filedesc *fdshare __P((struct proc *p));
|
|
void ffree __P((struct file *fp));
|
|
pid_t fgetown __P((struct sigio *sigio));
|
|
int fsetown __P((pid_t pgid, struct sigio **sigiop));
|
|
void funsetown __P((struct sigio *sigio));
|
|
void funsetownlst __P((struct sigiolst *sigiolst));
|
|
struct file *holdfp __P((struct filedesc *fdp, int fd, int flag));
|
|
int getvnode __P((struct filedesc *fdp, int fd, struct file **fpp));
|
|
void setugidsafety __P((struct proc *p));
|
|
|
|
#endif /* _KERNEL */
|
|
|
|
#endif /* !_SYS_FILEDESC_H_ */
|