path: root/sys/sys/filedesc.h
Commit message | Author | Age | Files | Lines
* fd: add fget_only_user | Mateusz Guzik | 2021-01-29 | 1 | -0/+12
  This can be used by single-threaded processes which don't share a file descriptor table to access their file objects without having to reference them.
  For example select consumers tend to match the requirement and have several file descriptors to inspect.
* fd: add refcount argument to falloc_noinstall | Mateusz Guzik | 2021-01-13 | 1 | -1/+3
  This lets callers avoid atomic ops by initializing the count to required value from the get go.
  While here add falloc_abort to backpedal from this without having to fdrop.
* fd: add finstall_refed | Mateusz Guzik | 2021-01-13 | 1 | -0/+2
  Can be used to consume an already existing reference and consequently avoid atomic ops.
* fd: provide a dedicated closef variant for unix socket code | Mateusz Guzik | 2021-01-13 | 1 | -0/+1
  This avoids testing for td != NULL.
* fd: inline pwd_get_smr | Mateusz Guzik | 2021-01-01 | 1 | -1/+1
  Tested by: pho
* Split out cwd/root/jail, cmask state from filedesc table | Conrad Meyer | 2020-11-17 | 1 | -26/+43
  No functional change intended.
  Tracking these structures separately for each proc enables future work to correctly emulate clone(2) in linux(4).
  __FreeBSD_version is bumped (to 1300130) for consumption by, e.g., lsof.
  Reviewed by: kib
  Discussed with: markj, mjg
  Differential Revision: https://reviews.freebsd.org/D27037
  Notes: svn path=/head/; revision=367777
* cache: fix pwd use-after-free in setting up fallback | Mateusz Guzik | 2020-10-05 | 1 | -0/+1
  Since the code exits smr section prior to calling pwd_hold, the used pwd can be freed and a new one allocated with the same address, making the comparison erroneously true.
  Note it is very unlikely anyone ran into it.
  Notes: svn path=/head/; revision=366462
* vfs: add the infrastructure for lockless lookup | Mateusz Guzik | 2020-07-25 | 1 | -0/+1
  Reviewed by: kib
  Tested by: pho (in a patchset)
  Differential Revision: https://reviews.freebsd.org/D25577
  Notes: svn path=/head/; revision=363518
* fd: remove fd_lastfile | Mateusz Guzik | 2020-07-15 | 1 | -2/+3
  It keeps getting recalculated way more often than it is needed.
  Provide a routine (fdlastfile) to get it if necessary.
  Consumers may be better off with a bitmap iterator instead.
  Notes: svn path=/head/; revision=363214
* pwd: unbreak repeated calls to set_rootvnode | Mateusz Guzik | 2020-04-27 | 1 | -0/+1
  Prior to the change the once set pointer would never be updated.
  Unbreaks reboot -r.
  Reported by: Ross Gohlke
  Notes: svn path=/head/; revision=360374
* fd: use smr for managing struct pwd | Mateusz Guzik | 2020-03-08 | 1 | -3/+44
  This has a side effect of eliminating filedesc slock/sunlock during path lookup, which in turn removes contention vs concurrent modifications to the fd table.
  Reviewed by: markj, kib
  Differential Revision: https://reviews.freebsd.org/D23889
  Notes: svn path=/head/; revision=358734
* fd: move vnodes out of filedesc into a dedicated structure | Mateusz Guzik | 2020-03-01 | 1 | -3/+19
  The new structure is copy-on-write. With the assumption that path lookups are significantly more frequent than chdirs and chrooting this is a win.
  This provides stable root and jail root vnodes without the need to reference them on lookup, which in turn means less work on globally shared structures.
  Note this also happens to fix a bug where jail vnode was never referenced, meaning subsequent access on lookup could run into use-after-free.
  Reviewed by: kib
  Differential Revision: https://reviews.freebsd.org/D23884
  Notes: svn path=/head/; revision=358503
* fd: streamline fget_unlocked | Mateusz Guzik | 2020-02-03 | 1 | -2/+2
  clang has the unfortunate property of paying little attention to prediction hints when faced with a loop spanning the majority of the routine.
  In particular fget_unlocked has an unlikely corner case where it starts almost from scratch. Faced with this clang generates a maze of taken jumps, whereas gcc produces jump-free code (in the expected case).
  Work around the problem by providing a variant which only tries once and resorts to calling the original code if anything goes wrong.
  While here note that the 'seq' parameter is almost never passed, thus the seldom users are redirected to call it directly.
  Notes: svn path=/head/; revision=357471
* fd: remove the seq argument from fget_unlocked | Mateusz Guzik | 2020-02-03 | 1 | -1/+3
  It is almost always NULL.
  Notes: svn path=/head/; revision=357470
* Rename seq to seqc to avoid namespace clashes with Linux | Mateusz Guzik | 2019-02-27 | 1 | -7/+7
  Linux generates the content of procfs files using a mechanism prefixed with seq_*. This in particular came up with recent gcov import.
  Sponsored by: The FreeBSD Foundation
  Notes: svn path=/head/; revision=344648
* vfs: mostly depessimize NDINIT_ALL | Mateusz Guzik | 2018-12-14 | 1 | -1/+7
  1) filecaps_init was unnecessarily a function call
  2) an assignment at the end was preventing tail calling of cap_rights_init
  Sponsored by: The FreeBSD Foundation
  Notes: svn path=/head/; revision=342058
* fd: unify fd range check across the routines | Mateusz Guzik | 2018-11-29 | 1 | -3/+3
  While here annotate out of range as unlikely.
  Sponsored by: The FreeBSD Foundation
  Notes: svn path=/head/; revision=341219
* Properly do a deep copy of the ioctls capability array for fget_cap(). | John Baldwin | 2018-04-17 | 1 | -1/+1
  fget_cap() tries to do a cheaper snapshot of a file descriptor without holding the file descriptor lock. This snapshot does not do a deep copy of the ioctls capability array, but instead uses a different return value to inform the caller to retry the copy with the lock held. However, filecaps_copy() was returning 1 to indicate that a retry was required, and fget_cap() was checking for 0 (actually '!filecaps_copy()'). As a result, fget_cap() did not do a deep copy of the ioctls array and just reused the original pointer. This caused multiple file descriptor entries to think they owned the same pointer and eventually resulted in duplicate frees.
  The only code path that I'm aware of that triggers this is to create a listen socket that has a restricted list of ioctls and then call accept() which calls fget_cap() with a valid filecaps structure from getsock_cap().
  To fix, change the return value of filecaps_copy() to return true if it succeeds in copying the caps and false if it fails because the lock is required. I find this more intuitive than fixing the caller in this case. While here, change the return type from 'int' to 'bool'.
  Finally, make filecaps_copy() more robust in the failure case by not copying any of the source filecaps structure over. This avoids the possibility of leaking a pointer into a structure if a similar future caller doesn't properly handle the return value from filecaps_copy() at the expense of one more branch.
  I also added a test case that panics before this change and now passes.
  Reviewed by: kib
  Discussed with: mjg (not a fan of the extra branch)
  MFC after: 1 week
  Differential Revision: https://reviews.freebsd.org/D15047
  Notes: svn path=/head/; revision=332657
* sys: further adoption of SPDX licensing ID tags. | Pedro F. Giffuni | 2017-11-20 | 1 | -0/+2
  Mainly focus on files that use BSD 3-Clause license.
  The Software Package Data Exchange (SPDX) group provides a specification to make it easier for automated tools to detect and summarize well known opensource licenses. We are gradually adopting the specification, noting that the tags are considered only advisory and do not, in any way, supersede or replace the license texts.
  Special thanks to Wind River for providing access to "The Duke of Highlander" tool: an older (2014) run over FreeBSD tree was useful as a starting point.
  Notes: svn path=/head/; revision=326023
* Renumber copyright clause 4 | Warner Losh | 2017-02-28 | 1 | -1/+1
  Renumber clause 4 to 3, per what everybody else did when BSD granted them permission to remove clause 3. My insistence on keeping the same numbering for legal reasons is too pedantic, so give up on that point.
  Submitted by: Jan Schaumann <jschauma@stevens.edu>
  Pull Request: https://github.com/freebsd/freebsd/pull/96
  Notes: svn path=/head/; revision=314436
* fd: hide fd_modified under CAPABILITIES | Mateusz Guzik | 2016-09-23 | 1 | -0/+2
  It has no use without it and is now less error prone.
  Notes: svn path=/head/; revision=306272
* fd: add fget_cap and fget_cap_locked primitives | Mariusz Zaborski | 2016-09-12 | 1 | -0/+5
  They can be used to obtain capabilities along with a referenced fp.
  Reviewed by: mjg@
  Notes: svn path=/head/; revision=305756
* fd: fix up fdeget_file | Mateusz Guzik | 2016-09-04 | 1 | -1/+6
  It was supposed to return NULL if a fp is not installed.
  Facepalm-by: mjg
  Notes: svn path=/head/; revision=305383
* fd: effectively revert r305091 | Mateusz Guzik | 2016-08-31 | 1 | -2/+2
  Turns out fd_lastfile can survive being -1 for some processes, giving incorrect results with the cast.
  Noted by: cem
  Notes: svn path=/head/; revision=305124
* fd: add fdeget_locked and use in kern_descrip | Mateusz Guzik | 2016-08-30 | 1 | -0/+12
  Notes: svn path=/head/; revision=305093
* fd: simplify fd testing in fget_locked by casting to u_int | Mateusz Guzik | 2016-08-30 | 1 | -1/+1
  Notes: svn path=/head/; revision=305091
* fd: make the common case in filecaps_copy work lockless | Mateusz Guzik | 2015-09-07 | 1 | -1/+2
  The filedesc lock is only needed if ioctls caps are present, which is a rare situation. This is a step towards reducing the scope of the filedesc lock.
  Notes: svn path=/head/; revision=287539
* Introduce falloc_caps() to create descriptors with capabilities in place. | Ed Schouten | 2015-07-29 | 1 | -2/+6
  falloc_noinstall() followed by finstall() allows you to create and install file descriptors with custom capabilities. Add falloc_caps() that can do both of these actions in one go.
  This will be used by CloudABI to create pipes with custom capabilities.
  Reviewed by: mjg
  Notes: svn path=/head/; revision=286020
* Implement CloudABI's exec() call. | Ed Schouten | 2015-07-16 | 1 | -0/+4
  Summary:
  In a runtime that is purely based on capability-based security, there is a strong emphasis on how programs start their execution. We need to make sure that we execute a new program with an exact set of file descriptors, ensuring that credentials are not leaked into the process accidentally.
  Providing the right file descriptors is just half the problem. There also needs to be a framework in place that gives meaning to these file descriptors. How does a CloudABI mail server know which of the file descriptors corresponds to the socket that receives incoming emails? Furthermore, how will this mail server acquire its configuration parameters, as it cannot open a configuration file from a global path on disk?
  CloudABI solves this problem by replacing traditional string command line arguments by a tree-like data structure consisting of scalars, sequences and mappings (similar to YAML/JSON). In this structure, file descriptors are treated as a first-class citizen. When calling exec(), file descriptors are passed on to the new executable if and only if they are referenced from this tree structure. See the cloudabi-run(1) man page for more details and examples (sysutils/cloudabi-utils).
  Fortunately, the kernel does not need to care about this tree structure at all. The C library is responsible for serializing and deserializing, but also for extracting the list of referenced file descriptors. The system call only receives a copy of the serialized data and a layout of what the new file descriptor table should look like:
      int proc_exec(int execfd, const void *data, size_t datalen, const int *fds, size_t fdslen);
  This change introduces a set of fd*_remapped() functions:
  - fdcopy_remapped() pulls a copy of a file descriptor table, remapping all of the file descriptors according to the provided mapping table.
  - fdinstall_remapped() replaces the file descriptor table of the process by the copy created by fdcopy_remapped().
  - fdescfree_remapped() frees the table in case we aborted before fdinstall_remapped().
  We then add a function exec_copyin_data_fds() that builds on top of these functions. It copies in the data and constructs a new remapped file descriptor. This is used by cloudabi_sys_proc_exec().
  Test Plan:
  cloudabi-run(1) is capable of spawning processes successfully, providing it data and file descriptors. procstat -f seems to confirm all is good. Regular FreeBSD processes also work properly.
  Reviewers: kib, mjg
  Reviewed By: mjg
  Subscribers: imp
  Differential Revision: https://reviews.freebsd.org/D3079
  Notes: svn path=/head/; revision=285622
* Create a dedicated function for ensuring that cdir and rdir are populated. | Mateusz Guzik | 2015-07-11 | 1 | -0/+1
  Previously several places were doing it on their own, partially incorrectly (e.g. without the filedesc locked) or even actively harmful by populating jdir or assigning rootvnode without vrefing it.
  Reviewed by: kib
  Notes: svn path=/head/; revision=285391
* Move chdir/chroot-related fdp manipulation to kern_descrip.c | Mateusz Guzik | 2015-07-11 | 1 | -0/+4
  Prefix exported functions with pwd_. Deduplicate some code by adding a helper for setting fd_cdir.
  Reviewed by: kib
  Notes: svn path=/head/; revision=285390
* fd: further cleanup of kern_dup | Mateusz Guzik | 2015-07-10 | 1 | -2/+2
  - make mode enum start from 0 so that the assertion covers all cases [1]
  - rename prefix _CLOEXEC flag with _FLAG
  - postpone fhold on the old file descriptor, which eliminates the need to fdrop in error cases.
  - fixup FDDUP_FCNTL check missed in the previous commit
  This removes 'fp == oldfde->fde_file' assertion which had little value. kern_dup only calls fd-related functions which cannot drop the lock or a whole lot of races would be introduced.
  Noted by: kib [1]
  Notes: svn path=/head/; revision=285357
* fd: split kern_dup flags argument into actual flags and a mode | Mateusz Guzik | 2015-07-10 | 1 | -4/+10
  Tidy up the code inside to switch on the mode.
  Notes: svn path=/head/; revision=285356
* Add implementations for some of the CloudABI file descriptor system calls. | Ed Schouten | 2015-07-09 | 1 | -0/+6
  All of the CloudABI system calls that operate on file descriptors of an arbitrary type are prefixed with fd_. This change adds wrappers for most of these system calls around their FreeBSD equivalents.
  The dup2() system call present on CloudABI deviates from POSIX, in the sense that it can only be used to replace an existing file descriptor. It cannot be used to create new ones. The reason for this is that this is inherently thread-unsafe. Furthermore, there is no need on CloudABI to use fixed file descriptor numbers. File descriptors 0, 1 and 2 have no special meaning.
  This change exposes the kern_dup() through <sys/syscallsubr.h> and puts the FDDUP_* flags in <sys/filedesc.h>. It then adds a new flag, FDDUP_MUSTREPLACE to force that file descriptors are replaced -- not allocated.
  Differential Revision: https://reviews.freebsd.org/D3035
  Reviewed by: mjg
  Notes: svn path=/head/; revision=285323
* Replace struct filedesc argument in getvnode with struct thread | Mateusz Guzik | 2015-06-16 | 1 | -1/+1
  This is a step towards removal of spurious arguments.
  Notes: svn path=/head/; revision=284446
* fd: move out actual fp installation to _finstall | Mateusz Guzik | 2015-06-14 | 1 | -1/+3
  Use it in fd passing functions as the first step towards fd code cleanup.
  Notes: svn path=/head/; revision=284380
* fd: use atomics to manage fd_refcnt and fd_holcnt | Mateusz Guzik | 2015-06-10 | 1 | -2/+2
  This gets rid of fdesc_mtx.
  Notes: svn path=/head/; revision=284211
* fd: remove filedesc argument from fdclose | Mateusz Guzik | 2015-04-11 | 1 | -1/+1
  Just accept a thread instead. This makes it consistent with fdalloc.
  No functional changes.
  Notes: svn path=/head/; revision=281436
* filedesc: simplify fget_unlocked & friends | Mateusz Guzik | 2015-02-17 | 1 | -1/+8
  Introduce fget_fcntl which performs appropriate checks when needed. This removes a branch from fget_unlocked.
  Introduce fget_mmap dealing with cap_rights_to_vmprot conversion. This removes a branch from _fget.
  Modify fget_unlocked to pass sequence counter to interested callers so that they can perform their own checks and make sure the result was obtained from stable & current state.
  Reviewed by: silence on -hackers
  Notes: svn path=/head/; revision=278930
* filedesc: oops.. commit missing change to filedesc.h | Mateusz Guzik | 2014-11-13 | 1 | -1/+1
  Notes: svn path=/head/; revision=274485
* filedesc: get rid of atomic_load_acq_int from fget_unlocked | Mateusz Guzik | 2014-10-30 | 1 | -3/+9
  A read barrier was necessary because fd table pointer and table size were updated separately, opening a window where fget_unlocked could read new size and old pointer.
  This patch puts both these fields into one dedicated structure, pointer to which is later atomically updated. As such, fget_unlocked only needs a data dependency barrier which is a noop on all supported architectures.
  Reviewed by: kib (previous version)
  MFC after: 2 weeks
  Notes: svn path=/head/; revision=273842
* filedesc: cleanup setugidsafety a little | Mateusz Guzik | 2014-10-22 | 1 | -1/+1
  Rename it to fdsetugidsafety for consistency with other functions.
  There is no need to take filedesc lock if not closing any files.
  The loop has to verify each file and we are guaranteed fdtable has space for at least 20 fds. As such there is no need to check fd_lastfile.
  While here tidy up is_unsafe.
  Notes: svn path=/head/; revision=273441
* Keep struct filedescent comments within 80-char limit. | Mateusz Guzik | 2014-10-05 | 1 | -4/+4
  Notes: svn path=/head/; revision=272569
* filedesc: fix up breakage introduced in 272505 | Mateusz Guzik | 2014-10-05 | 1 | -16/+2
  Include sequence counter support unconditionally [1]. This fixes reported build problems with e.g. nvidia driver due to missing opt_capsicum.h.
  Replace fishy looking sizeof with offsetof. Make fde_seq the last member in order to simplify calculations.
  Suggested by: kib [1]
  X-MFC: with 272505
  Notes: svn path=/head/; revision=272567
* Put an #ifdef _KERNEL around the #include for opt_capsicum.h to | Bjoern A. Zeeb | 2014-10-04 | 1 | -0/+2
  hopefully allow the build to finish after r272505.
  Notes: svn path=/head/; revision=272523
* Plug capability races. | Mateusz Guzik | 2014-10-04 | 1 | -0/+16
  fp and appropriate capability lookups were not atomic, which could result in improper capabilities being checked.
  This could result either in protection bypass or in a spurious ENOTCAPABLE.
  Make fp + capability check atomic with the help of sequence counters.
  Reviewed by: kib
  MFC after: 3 weeks
  Notes: svn path=/head/; revision=272505
* Make do_dup() static and move relevant macros to kern_descrip.c | Mateusz Guzik | 2014-09-26 | 1 | -7/+0
  No functional changes.
  Notes: svn path=/head/; revision=272185
* Make fdunshare accept only td parameter. | Mateusz Guzik | 2014-06-28 | 1 | -1/+1
  Proc had to match the thread anyway and 2 parameters were inconsistent with the rest.
  MFC after: 1 week
  Notes: svn path=/head/; revision=268001
* fd: replace fd_nfiles with fd_lastfile where appropriate | Mateusz Guzik | 2014-06-22 | 1 | -1/+1
  fd_lastfile is guaranteed to be the biggest open fd, so when the intent is to iterate over active fds or lookup one, there is no point in looking beyond that limit.
  Few places are left unpatched for now.
  MFC after: 1 week
  Notes: svn path=/head/; revision=267710
* Garbage collect fdavail. | Mateusz Guzik | 2014-04-04 | 1 | -1/+0
  It rarely returns an error and fdallocn handles the failure of fdalloc just fine.
  Notes: svn path=/head/; revision=264104