| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This new system call allows to set all necessary credentials of
a process in one go: Effective, real and saved UIDs, effective, real and
saved GIDs, supplementary groups and the MAC label. Its advantage over
standard credential-setting system calls (such as setuid(), seteuid(),
etc.) is that it enables MAC modules, such as MAC/do, to restrict the
set of credentials some process may gain in a fine-grained manner.
Traditionally, credential changes rely on setuid binaries that call
multiple credential system calls and in a specific order (setuid() must
be last, so as to remain root for all other credential-setting calls,
which would otherwise fail with insufficient privileges). This
piecewise approach causes the process to transiently hold credentials
that are neither the original nor the final ones. For the kernel to
enforce that only certain transitions of credentials are allowed, either
these possibly non-compliant transient states have to disappear (by
setting all relevant attributes in one go), or the kernel must delay
setting or checking the new credentials. Delaying setting credentials
could be done, e.g., by having some mode where the standard system calls
contribute to building new credentials but without committing them. It
could be started and ended by a special system call. Delaying checking
could mean that, e.g., the kernel only verifies the credentials
transition at the next non-credential-setting system call (we just
mention this possibility for completeness, but are certainly not
endorsing it).
We chose the simpler approach of a new system call, as we don't expect
the set of credentials one can set to change often. It has the
advantages that the traditional system calls' code doesn't have to be
changed and that we can establish a special MAC protocol for it, by
having some cleanup function called just before returning (this is
a requirement for MAC/do), without disturbing the existing ones.
The mac_cred_check_setcred() hook is passed the flags received by
setcred() (including the version) and both the old and new kernel's
'struct ucred' instead of 'struct setcred' as this should simplify
evolving existing hooks as the 'struct setcred' structure evolves. The
mac_cred_setcred_enter() and mac_cred_setcred_exit() hooks are always
called by pairs around potential calls to mac_cred_check_setcred().
They allow MAC modules to allocate/free data they may need in their
mac_cred_check_setcred() hook, as the latter is called under the current
process' lock, rendering sleepable allocations impossible. MAC/do is
going to leverage these in a subsequent commit. A scheme where
mac_cred_check_setcred() could return ERESTART was considered but is
incompatible with proper composition of MAC modules.
While here, add missing includes and declarations for standalone
inclusion of <sys/ucred.h> both from kernel and userspace (for the
latter, it has been working thanks to <bsm/audit.h> already including
<sys/types.h>).
Reviewed by: brooks
Approved by: markj (mentor)
Relnotes: yes
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D47618
|
| |
|
|
|
|
|
|
|
| |
In sysproto.h, stop including sys/acl.h as syscall defintions now use
__acl* types from sys/_types.h. Add sys/types.h to provide types
previously provided by sys/param.h (via sys/acl.h).
Reviewed by: kib
Differential Revision: https://reviews.freebsd.org/D44467
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
| |
Move the timerfd impelemntation from linux compat code to sys/kern. Use
it to implement the new system calls for timerfd. Add a hook to kern_tc
to allow timerfd to know when the system time has stepped. Add kqueue
support to timerfd. Adjust a few names to be less Linux centric.
RelNotes: YES
Reviewed by: markj (on irc), imp, kib (with reservations), jhb (slack)
Differential Revision: https://reviews.freebsd.org/D38459
|
| |
|
|
| |
Sponsored by: Netflix
|
| | |
|
| |
|
|
|
|
|
|
| |
Missed issues in truss on at least armv7 and powerpcspe need to be
resolved before recommit.
This reverts commit 3889fb8af0b611e3126dc250ebffb01805152104.
This reverts commit 1544e0f5d1f1e3b8c10a64cb899a936976ca7ea4.
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
| |
There there are two changes here. First, ofreebsd32_sigreturn
is declared to take a struct osigcontext rather than a struct
ia32_sigcontext3. This type is incorrect, but harmlessly so.
Second, the name of the unimplemented ogetkerninfo changes in
freebsd32_syscallnames.
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
fspacectl(2) does not require special handling on freebsd32. The
presence of off_t in a struct does not cause it's size to change
between the native ABI and the 32-bit ABI supported by freebsd32
because off_t is always int64_t on BSD systems. Further, byte
order only requires handling for paired argument or return registers.
(32-byte alignment of 64-bit objects on i386 can require special
handling, but that situtation does not apply here.)
Reviewed by: kib, khng, emaste, delphij
Differential Revision: https://reviews.freebsd.org/D32994
|
| |
|
|
| |
Reviewed by: kevans
|
| |
|
|
|
|
| |
semid_t is historically an intptr_t so it should be an int32_t.
Reviewed by: kevans
|
| |
|
|
|
|
|
|
|
|
| |
Some 32-bit architectures pass 64-bit values in aligned
register pairs (a0,a1), (a2,a3) etc. In freebsd32 we add these pads
explicitly from compat code. We also sometimes add pads in the default
ABI. Differentiate the two by making the freebsd32 ones int _pad.
In a future commit the 32-bit ones will be automatically generated.
Reviewed by: kevans
|
| |
|
|
|
|
|
| |
This matches the default ABI and we work around issues with
union sigval by extracting the bottom 32-bits in a manual handler.
Reviewed by: kevans
|
| |
|
|
|
|
|
|
| |
Add freebsd32 versions of getfsstat and freebsd11_getfsstat so that
bufsize is properly sign-extended if a negative value is passed.
Reject negative values before passing to kern_getfsstat as a size_t.
Reviewed by: kevans
|
| |
|
|
|
|
|
|
| |
Syscalls that take signed longs need to treat the 32-bit versions as
signed int so that sign extension happens correctly. Improve
decleration quality and add a few minimal syscall implementations.
Reviewed by: kevans
|
| |
|
|
| |
Reviewed by: kevans
|
| |
|
|
|
|
|
|
|
| |
The upcoming change to generate freebsd32 generated files from
sys/kern/syscalls.master doesn't have a way to handle disabling
this one without disabling the non-COMPAT counterpart so just add
a stub for now.
Reviewed by: kevans
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Previously, the code would copy twice as many pointers as specified
and print pairs of them a single 64-bit pointer.
abort2 doesn't return so make the return type void
freebsd32_abort2 is in it's own file with a 2-clause BSD license
based on a discussion with Wojciech many years ago.
Reviewed by: kevans
|
| |
|
|
|
|
|
|
|
| |
These are required when supporting i386 because time_t is 32-bit which
reduces struct bintime to 12-bytes when combined with the fact that 64-bit
integers only requiring 32-bit alignment on i386. Reusing the default
ABI version resulted in 4-byte overreads or overwrites to userspace.
Reviewed by: kevans
|
| |
|
|
|
|
| |
It's exactly the same as freebsd11_getdents.
Reviewed by: kevans
|
| |
|
|
|
|
|
|
|
| |
ofreebsd32_sigprocmask, ofreebsd32_sigblock, ofreebsd32_sigsetmask,
and ofreebsd32_sigsuspend were all duplicates of the default ABI
versions and there are no type concerns as all arguments are the
same.
Reviewed by: kevans
|
| |
|
|
|
|
|
|
| |
The freebsd32_recvfrom() serves no purpose as no arguments require
translation. The prototype was mis-declared and the implementation
contained (relatively harmless) errors.
Reviewed by: kevans
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
pipe requires no special handling.
ofreebsd32_sigpending did differ from osigpending in that it acted
on the siglist rather than the sigqueue, but this appears to be an
oversight in 3fbdb3c21524d9d95278ada1d61b4d1e6bee654b.
ogetpagesize could theoretically have ABI-dependent results, but in
practice does not. If it does it would be easy handle in the central
implementation and be the least of the problems in changing the value of
PAGE_SIZE.
Reviewed by: kevans
|
| |
|
|
| |
Reviewed by: kevans
|
| |
|
|
|
|
| |
This matches struct __wrusage
Reviewed by: kevans
|
| |
|
|
|
|
|
| |
This mirrors sys/kern/syscall.master and will simplify generation
of freebsd32 files.
Reviewed by: kevans
|
| |
|
|
| |
Reviewed by: kevans
|
| |
|
|
| |
Reviewed by: kevans
|
| |
|
|
|
|
| |
Move the 32 from ...32_old to ..._old32 to aid automatic generation.
Reviewed by: kevans
|
| |
|
|
|
|
|
|
| |
Follow common convention and put the `32` on the end of the struct
name. This is a step toward generating freebsd32 syscall files
from sys/kern/syscalls.master.
Reviewed by: kevans
|
| |
|
|
|
|
|
|
| |
Use this for COMPAT7 support. In practice it's the same as
union semun32 since the pointers become uint32_t's the it's more
symetric and is the logical thing to generate from semun_old.
Reviewed by: kevans
|
| |
|
|
|
|
|
|
| |
Make pointers to arrays of pointers `uint32_t *` so the sizes of the
array elements are correct. In an ideal world we'd use something
like __ptr32 annotations instead.
Reviewed by: kevans
|
| |
|
|
|
|
|
|
|
| |
Rename struct statfs32 to struct ostatfs32 to mirror struct ostatfs.
These structs are use for COMPAT4 support. Stop using struct statfs32
for modern implementations as struct statfs uses fixed-width types
and it the same on all architectures.
Reviewed by: kevans
|
| |
|
|
| |
Reviewed by: kevans
|
| |
|
|
| |
Reviewed by: kevans
|
| |
|
|
|
|
|
| |
While the caller will never pass a larger value, we can use size_t
due to it being unsigned.
Reviewed by: kevans
|
| |
|
|
|
|
|
| |
The command is a u_long and unsigned integers do not require special
handling. The data argument isn't a special structure, just use char *.
Reviewed by: kevans
|
| |
|
|
| |
Reviewed by: kevans
|
| |
|
|
|
|
|
|
|
|
|
| |
A number of syscalls have missing consts on their arguments relative to
the default syscalls.master.
Also, use timespec32 and timeval32 where appropriate.
No functional change.
Reviewed by: kevans
|
| |
|
|
|
|
| |
This matches the default ABI's struct __ucontext.
Reviewed by: kevans
|
| |
|
|
|
|
|
|
|
|
|
| |
Rename struct freebsd4_freebsd32_ucontext to struct freebsd4_ucontext32
allowing conversion from the default ABI's struct freebsd4_ucontext
by appending "32". This has no practical effect as this type does not
actually exist.
Give freebsd4_freebsd32_sigreturn an ANSI C prototype.
Reviewed by: kevans
|
| |
|
|
|
|
|
| |
This allows freebsd32 to use struct siginfo32 with an automatable
conversion.
Reviewed by: kevans
|
