| Commit message | Author | Age | Files | Lines |
| |
This can be used by single-threaded processes which don't share a file
descriptor table to access their file objects without having to
reference them.
For example, select consumers tend to match the requirement and have
several file descriptors to inspect.
| |
This lets callers avoid atomic ops by initializing the count to required
value from the get go.
While here add falloc_abort to backpedal from this without having to
fdrop.
| |
Can be used to consume an already existing reference and consequently
avoid atomic ops.
| |
This avoids testing for td != NULL.
| |
Tested by: pho
| |
No functional change intended.
Tracking these structures separately for each proc enables future work to
correctly emulate clone(2) in linux(4).
__FreeBSD_version is bumped (to 1300130) for consumption by, e.g., lsof.
Reviewed by: kib
Discussed with: markj, mjg
Differential Revision: https://reviews.freebsd.org/D27037
Notes:
svn path=/head/; revision=367777
| |
Since the code exits the smr section prior to calling pwd_hold, the used
pwd can be freed and a new one allocated at the same address, making
the comparison erroneously true.
Note it is very unlikely anyone ran into it.
Notes:
svn path=/head/; revision=366462
| |
Reviewed by: kib
Tested by: pho (in a patchset)
Differential Revision: https://reviews.freebsd.org/D25577
Notes:
svn path=/head/; revision=363518
| |
It keeps getting recalculated way more often than it is needed.
Provide a routine (fdlastfile) to get it if necessary.
Consumers may be better off with a bitmap iterator instead.
Notes:
svn path=/head/; revision=363214
| |
Prior to the change the once-set pointer would never be updated.
Unbreaks reboot -r.
Reported by: Ross Gohlke
Notes:
svn path=/head/; revision=360374
| |
This has a side effect of eliminating filedesc slock/sunlock during path
lookup, which in turn removes contention vs concurrent modifications to the fd
table.
Reviewed by: markj, kib
Differential Revision: https://reviews.freebsd.org/D23889
Notes:
svn path=/head/; revision=358734
| |
The new structure is copy-on-write. With the assumption that path lookups are
significantly more frequent than chdirs and chrooting this is a win.
This provides stable root and jail root vnodes without the need to reference
them on lookup, which in turn means less work on globally shared structures.
Note this also happens to fix a bug where the jail vnode was never referenced,
meaning subsequent access on lookup could run into a use-after-free.
Reviewed by: kib
Differential Revision: https://reviews.freebsd.org/D23884
Notes:
svn path=/head/; revision=358503
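The copy-on-write pwd described above, together with the smr ordering point from the r366462 entry earlier on this page, as an added example. It is not FreeBSD's code: struct pwd, pwd_hold/pwd_drop, pwd_get and pwd_chdir are cut-down stand-ins, the smr_enter/smr_exit calls appear only as comments, and the vnodes, names and counters are constructed for the scenario.

```c
#include <stdatomic.h>
#include <stdlib.h>

/* Constructed stand-ins: a vnode is just a use count and a label. */
struct vnode { int v_usecount; const char *v_name; };
static void vref(struct vnode *vp) { vp->v_usecount++; }
static void vrele(struct vnode *vp) { vp->v_usecount--; }

/* Immutable once published: chdir/chroot replace the whole struct instead of editing it. */
struct pwd {
	_Atomic int	 pwd_refcount;
	struct vnode	*pwd_cdir, *pwd_rdir, *pwd_jdir;
};
struct filedesc { _Atomic(struct pwd *) fd_pwd; };

static int pwds_freed;	/* demo bookkeeping */

static struct pwd *pwd_alloc(void)
{
	struct pwd *pwd = calloc(1, sizeof(*pwd));
	atomic_init(&pwd->pwd_refcount, 1);
	return (pwd);
}

static struct pwd *pwd_hold(struct pwd *pwd)
{
	atomic_fetch_add_explicit(&pwd->pwd_refcount, 1, memory_order_relaxed);
	return (pwd);
}

static void pwd_drop(struct pwd *pwd)
{
	if (atomic_fetch_sub_explicit(&pwd->pwd_refcount, 1, memory_order_acq_rel) != 1)
		return;
	if (pwd->pwd_cdir) vrele(pwd->pwd_cdir);
	if (pwd->pwd_rdir) vrele(pwd->pwd_rdir);
	if (pwd->pwd_jdir) vrele(pwd->pwd_jdir);	/* the jail root is held like the others */
	free(pwd);
	pwds_freed++;
}

/*
 * Lookup side.  The load and the hold must both happen inside the SMR
 * section; leaving it before pwd_hold lets the pwd be freed and its address
 * reused in between, which is what the r366462 entry fixes.
 */
static struct pwd *pwd_get(struct filedesc *fdp)
{
	struct pwd *pwd;
	/* smr_enter() would go here */
	pwd = atomic_load_explicit(&fdp->fd_pwd, memory_order_acquire);
	pwd_hold(pwd);
	/* smr_exit() would go here */
	return (pwd);
}

/* chdir: build a fresh pwd that shares the root pointers, publish it, drop the old one. */
static void pwd_chdir(struct filedesc *fdp, struct vnode *vp)
{
	struct pwd *oldpwd = atomic_load_explicit(&fdp->fd_pwd, memory_order_relaxed);
	struct pwd *newpwd = pwd_alloc();

	vref(vp); newpwd->pwd_cdir = vp;
	if (oldpwd->pwd_rdir) { vref(oldpwd->pwd_rdir); newpwd->pwd_rdir = oldpwd->pwd_rdir; }
	if (oldpwd->pwd_jdir) { vref(oldpwd->pwd_jdir); newpwd->pwd_jdir = oldpwd->pwd_jdir; }
	atomic_store_explicit(&fdp->fd_pwd, newpwd, memory_order_release);
	pwd_drop(oldpwd);	/* readers that already hold it keep it alive */
}

/*
 * Returns 1 when a reader that took the pwd before chdir still sees the old
 * cwd, the old pwd is freed only after that reader drops it, and every vnode
 * (jail root included) is referenced exactly once per pwd that names it.
 */
int demo_pwd_cow(void)
{
	struct vnode root = { 0, "/" }, jail = { 0, "/jail" }, dir_a = { 0, "/jail/a" };
	struct filedesc fdp;
	struct pwd *initial = pwd_alloc(), *held;
	int ok;

	pwds_freed = 0;
	vref(&root); initial->pwd_cdir = &root;
	vref(&root); initial->pwd_rdir = &root;
	vref(&jail); initial->pwd_jdir = &jail;
	atomic_init(&fdp.fd_pwd, initial);

	held = pwd_get(&fdp);			/* a path lookup in flight */
	pwd_chdir(&fdp, &dir_a);
	ok = held->pwd_cdir == &root && pwds_freed == 0;
	ok = ok && atomic_load(&fdp.fd_pwd)->pwd_cdir == &dir_a && jail.v_usecount == 2;
	pwd_drop(held);				/* lookup done: old pwd goes away now */
	ok = ok && pwds_freed == 1 && jail.v_usecount == 1 &&
	    root.v_usecount == 1 && dir_a.v_usecount == 1;
	pwd_drop(atomic_load(&fdp.fd_pwd));
	return (ok && pwds_freed == 2 && jail.v_usecount == 0 && root.v_usecount == 0);
}
```

The writer never mutates a published pwd, so a lookup holding one sees a consistent cdir/rdir/jdir triple without touching any global lock; the cost moves to chdir, which the commit argues is the rare operation.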
| |
clang has the unfortunate property of paying little attention to prediction
hints when faced with a loop spanning the majority of the routine.
In particular fget_unlocked has an unlikely corner case where it starts almost
from scratch. Faced with this clang generates a maze of taken jumps, whereas
gcc produces jump-free code (in the expected case).
Work around the problem by providing a variant which only tries once and
resorts to calling the original code if anything goes wrong.
While here note that the 'seq' parameter is almost never passed, so the few
users that need it are redirected to call it directly.
Notes:
svn path=/head/; revision=357471
| |
It is almost always NULL.
Notes:
svn path=/head/; revision=357470
| |
Linux generates the content of procfs files using a mechanism prefixed with
seq_*. This in particular came up with recent gcov import.
Sponsored by: The FreeBSD Foundation
Notes:
svn path=/head/; revision=344648
| |
1) filecaps_init was unnecessarily a function call
2) an assignment at the end was preventing tail calling of cap_rights_init
Sponsored by: The FreeBSD Foundation
Notes:
svn path=/head/; revision=342058
| |
While here annotate out of range as unlikely.
Sponsored by: The FreeBSD Foundation
Notes:
svn path=/head/; revision=341219
| |
fget_cap() tries to do a cheaper snapshot of a file descriptor without
holding the file descriptor lock. This snapshot does not do a deep
copy of the ioctls capability array, but instead uses a different
return value to inform the caller to retry the copy with the lock
held. However, filecaps_copy() was returning 1 to indicate that a
retry was required, and fget_cap() was checking for 0 (actually
'!filecaps_copy()'). As a result, fget_cap() did not do a deep copy
of the ioctls array and just reused the original pointer. This caused
multiple file descriptor entries to think they owned the same pointer
and eventually resulted in duplicate frees.
The only code path that I'm aware of that triggers this is to create a
listen socket that has a restricted list of ioctls and then call
accept() which calls fget_cap() with a valid filecaps structure from
getsock_cap().
To fix, change the return value of filecaps_copy() to return true if
it succeeds in copying the caps and false if it fails because the lock
is required. I find this more intuitive than fixing the caller in
this case. While here, change the return type from 'int' to 'bool'.
Finally, make filecaps_copy() more robust in the failure case by not
copying any of the source filecaps structure over. This avoids the
possibility of leaking a pointer into a structure if a similar future
caller doesn't properly handle the return value from filecaps_copy()
at the expense of one more branch.
I also added a test case that panics before this change and now passes.
Reviewed by: kib
Discussed with: mjg (not a fan of the extra branch)
MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D15047
Notes:
svn path=/head/; revision=332657
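The return-value inversion and the hardened copy, as an added example that is not the project's code. struct filecaps is a simplified stand-in, filecaps_copy_old and filecaps_copy_new mirror the pre- and post-fix shapes as the message describes them, the snapshot_* callers mirror the fget_cap() pattern of a lockless attempt followed by a retry under the lock, and the ioctl numbers are made up.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for the kernel's struct filecaps; layout simplified. */
typedef uint64_t cap_rights_t;
struct filecaps {
	cap_rights_t	 fc_rights;
	unsigned long	*fc_ioctls;	/* per-descriptor ioctl whitelist, owned by this struct */
	int16_t		 fc_nioctls;	/* -1 unrestricted, 0 none, >0 length of fc_ioctls */
	uint32_t	 fc_fcntls;
};

#define NIOCTLS_BYTES(fc)	((size_t)(fc)->fc_nioctls * sizeof(unsigned long))
#define HAS_IOCTLS(fc)		((fc)->fc_ioctls != NULL && (fc)->fc_nioctls > 0)

/*
 * Pre-fix shape: the whole struct is copied first, then 1 ("retry with the
 * lock") is returned if an ioctls array exists and the lock is not held.
 * The caller tested !filecaps_copy(), so it never retried and dst kept the
 * shared fc_ioctls pointer.
 */
static int filecaps_copy_old(const struct filecaps *src, struct filecaps *dst, bool locked)
{
	*dst = *src;
	if (HAS_IOCTLS(src)) {
		if (!locked)
			return (1);
		dst->fc_ioctls = malloc(NIOCTLS_BYTES(src));
		memcpy(dst->fc_ioctls, src->fc_ioctls, NIOCTLS_BYTES(src));
	}
	return (0);
}

/*
 * Post-fix shape: true on success, false when the lock is required.  On
 * false nothing in dst is written, so a caller that ignores the result
 * cannot inherit a pointer it does not own.
 */
static bool filecaps_copy_new(const struct filecaps *src, struct filecaps *dst, bool locked)
{
	unsigned long *ioctls = NULL;

	if (HAS_IOCTLS(src)) {
		if (!locked)
			return (false);
		ioctls = malloc(NIOCTLS_BYTES(src));
		memcpy(ioctls, src->fc_ioctls, NIOCTLS_BYTES(src));
	}
	*dst = *src;
	dst->fc_ioctls = ioctls;	/* NULL when src has no array */
	return (true);
}

/* Callers shaped like fget_cap(): lockless attempt first, retry "under the lock". */
static void snapshot_old(const struct filecaps *src, struct filecaps *dst)
{
	if (!filecaps_copy_old(src, dst, false))	/* the inverted check */
		filecaps_copy_old(src, dst, true);
}

static void snapshot_new(const struct filecaps *src, struct filecaps *dst)
{
	if (!filecaps_copy_new(src, dst, false))	/* false: take the lock and retry */
		filecaps_copy_new(src, dst, true);
}

/* Constructed sample: a descriptor restricted to two made-up ioctl numbers. */
static void make_src(struct filecaps *src)
{
	memset(src, 0, sizeof(*src));
	src->fc_rights = 0x3;
	src->fc_nioctls = 2;
	src->fc_ioctls = malloc(2 * sizeof(unsigned long));
	src->fc_ioctls[0] = 0x20004601UL;
	src->fc_ioctls[1] = 0x20004602UL;
}

/* Returns 1 if the old path leaves src and dst owning the same array. */
int demo_old_aliases(void)
{
	struct filecaps src, dst;
	int aliased;

	make_src(&src);
	memset(&dst, 0, sizeof(dst));
	snapshot_old(&src, &dst);
	aliased = (dst.fc_ioctls == src.fc_ioctls);
	free(src.fc_ioctls);	/* freeing dst.fc_ioctls as well would be the double free */
	return (aliased);
}

/* Returns 1 if the new path leaves dst untouched on false and deep-copies on true. */
int demo_new_deep_copies(void)
{
	struct filecaps src, probe, dst;
	int ok;

	make_src(&src);
	memset(&probe, 0, sizeof(probe));
	ok = !filecaps_copy_new(&src, &probe, false) &&
	    probe.fc_ioctls == NULL && probe.fc_nioctls == 0;
	snapshot_new(&src, &dst);
	ok = ok && dst.fc_ioctls != src.fc_ioctls &&
	    dst.fc_nioctls == src.fc_nioctls &&
	    memcmp(dst.fc_ioctls, src.fc_ioctls, NIOCTLS_BYTES(&src)) == 0;
	free(src.fc_ioctls);
	free(dst.fc_ioctls);	/* separate allocation, so this is safe */
	return (ok);
}
```

The extra branch the message mentions is the early return in filecaps_copy_new before any field of dst is written; it is what makes the false case safe for a caller that forgets to retry.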
| |
Mainly focus on files that use BSD 3-Clause license.
The Software Package Data Exchange (SPDX) group provides a specification
to make it easier for automated tools to detect and summarize well known
opensource licenses. We are gradually adopting the specification, noting
that the tags are considered only advisory and do not, in any way,
supersede or replace the license texts.
Special thanks to Wind River for providing access to "The Duke of
Highlander" tool: an older (2014) run over FreeBSD tree was useful as a
starting point.
Notes:
svn path=/head/; revision=326023
| |
Renumber clause 4 to 3, per what everybody else did when BSD granted
them permission to remove clause 3. My insistence on keeping the same
numbering for legal reasons is too pedantic, so give up on that point.
Submitted by: Jan Schaumann <jschauma@stevens.edu>
Pull Request: https://github.com/freebsd/freebsd/pull/96
Notes:
svn path=/head/; revision=314436
| |
It has no use without it and is now less error prone.
Notes:
svn path=/head/; revision=306272
| |
They can be used to obtain capabilities along with a referenced fp.
Reviewed by: mjg@
Notes:
svn path=/head/; revision=305756
| |
It was supposed to return NULL if a fp is not installed.
Facepalm-by: mjg
Notes:
svn path=/head/; revision=305383
| |
Turns out fd_lastfile can survive being -1 for some processes, giving
incorrect results with the cast.
Noted by: cem
Notes:
svn path=/head/; revision=305124
| |
Notes:
svn path=/head/; revision=305093
| |
Notes:
svn path=/head/; revision=305091
| |
The filedesc lock is only needed if ioctls caps are present, which is a
rare situation. This is a step towards reducing the scope of the filedesc
lock.
Notes:
svn path=/head/; revision=287539
| |
falloc_noinstall() followed by finstall() allows you to create and
install file descriptors with custom capabilities. Add falloc_caps()
that can do both of these actions in one go.
This will be used by CloudABI to create pipes with custom capabilities.
Reviewed by: mjg
Notes:
svn path=/head/; revision=286020
| |
Summary:
In a runtime that is purely based on capability-based security, there is
a strong emphasis on how programs start their execution. We need to make
sure that we execute a new program with an exact set of file
descriptors, ensuring that credentials are not leaked into the process
accidentally.
Providing the right file descriptors is just half the problem. There
also needs to be a framework in place that gives meaning to these file
descriptors. How does a CloudABI mail server know which of the file
descriptors corresponds to the socket that receives incoming emails?
Furthermore, how will this mail server acquire its configuration
parameters, as it cannot open a configuration file from a global path on
disk?
CloudABI solves this problem by replacing traditional string command
line arguments by a tree-like data structure consisting of scalars,
sequences and mappings (similar to YAML/JSON). In this structure, file
descriptors are treated as a first-class citizen. When calling exec(),
file descriptors are passed on to the new executable if and only if they
are referenced from this tree structure. See the cloudabi-run(1) man
page for more details and examples (sysutils/cloudabi-utils).
Fortunately, the kernel does not need to care about this tree structure
at all. The C library is responsible for serializing and deserializing,
but also for extracting the list of referenced file descriptors. The
system call only receives a copy of the serialized data and a layout of
what the new file descriptor table should look like:
int proc_exec(int execfd, const void *data, size_t datalen, const int *fds,
size_t fdslen);
This change introduces a set of fd*_remapped() functions:
- fdcopy_remapped() pulls a copy of a file descriptor table, remapping
all of the file descriptors according to the provided mapping table.
- fdinstall_remapped() replaces the file descriptor table of the process
by the copy created by fdcopy_remapped().
- fdescfree_remapped() frees the table in case we aborted before
fdinstall_remapped().
We then add a function exec_copyin_data_fds() that builds on top of these
functions. It copies in the data and constructs a new remapped file
descriptor. This is used by cloudabi_sys_proc_exec().
Test Plan:
cloudabi-run(1) is capable of spawning processes successfully, providing
it data and file descriptors. procstat -f seems to confirm all is good.
Regular FreeBSD processes also work properly.
Reviewers: kib, mjg
Reviewed By: mjg
Subscribers: imp
Differential Revision: https://reviews.freebsd.org/D3079
Notes:
svn path=/head/; revision=285622
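The remapping step described above, as an added example that is not CloudABI's or FreeBSD's code: a tiny fixed-size table replaces the kernel's growable one, the file and filedesc structs are stand-ins with a plain reference count, and the sample tables and mappings are constructed. The mapping semantics follow the message: new fd i refers to old fd fds[i], and anything not named in the mapping does not reach the new program.

```c
#include <stdlib.h>
#include <string.h>

#define NFDS 8	/* constructed: a tiny fixed-size table instead of the kernel's growable one */

struct file { int f_count; char f_name; };
struct filedesc { struct file *fd_ofiles[NFDS]; };

static int files_freed;	/* demo bookkeeping */

static void fhold(struct file *fp) { fp->f_count++; }
static void fdrop(struct file *fp) { if (--fp->f_count == 0) { free(fp); files_freed++; } }

static struct file *falloc_demo(char name)
{
	struct file *fp = calloc(1, sizeof(*fp));
	fp->f_count = 1;
	fp->f_name = name;
	return (fp);
}

/*
 * Build a table where new fd i refers to old fd fds[i] (-1 leaves the slot empty).
 * Every referenced file gains a reference.  If any fds[i] is not open in the old
 * table, return NULL without taking any references (the caller reports EBADF).
 */
static struct filedesc *fdcopy_remapped(const struct filedesc *oldfdp, const int *fds, size_t fdslen)
{
	struct filedesc *newfdp;
	size_t i;

	if (fdslen > NFDS)
		return (NULL);
	for (i = 0; i < fdslen; i++) {
		if (fds[i] == -1)
			continue;
		if (fds[i] < 0 || fds[i] >= NFDS || oldfdp->fd_ofiles[fds[i]] == NULL)
			return (NULL);		/* validate everything before touching counts */
	}
	newfdp = calloc(1, sizeof(*newfdp));
	for (i = 0; i < fdslen; i++) {
		if (fds[i] == -1)
			continue;
		fhold(oldfdp->fd_ofiles[fds[i]]);
		newfdp->fd_ofiles[i] = oldfdp->fd_ofiles[fds[i]];
	}
	return (newfdp);
}

/* Drop every reference the copy took; used when exec aborts before install. */
static void fdescfree_remapped(struct filedesc *fdp)
{
	for (int i = 0; i < NFDS; i++)
		if (fdp->fd_ofiles[i] != NULL)
			fdrop(fdp->fd_ofiles[i]);
	free(fdp);
}

/* Swap the process's table for the copy; files the mapping did not name go away. */
static void fdinstall_remapped(struct filedesc **curp, struct filedesc *newfdp)
{
	struct filedesc *oldfdp = *curp;
	*curp = newfdp;
	fdescfree_remapped(oldfdp);
}

/*
 * Scenario: old table has A at 0, B at 3, C at 5.  The mapping {5, 5, 3} gives
 * the new program C at 0 and 1, B at 2, and never passes A.  Returns 1 when the
 * resulting table and the reference counts match that.
 */
int demo_remap(void)
{
	struct filedesc *fdp = calloc(1, sizeof(*fdp)), *newfdp;
	int fds[3] = { 5, 5, 3 };
	int ok;

	files_freed = 0;
	fdp->fd_ofiles[0] = falloc_demo('A');
	fdp->fd_ofiles[3] = falloc_demo('B');
	fdp->fd_ofiles[5] = falloc_demo('C');
	newfdp = fdcopy_remapped(fdp, fds, 3);
	if (newfdp == NULL)
		return (0);
	fdinstall_remapped(&fdp, newfdp);
	ok = fdp->fd_ofiles[0]->f_name == 'C' && fdp->fd_ofiles[1]->f_name == 'C' &&
	    fdp->fd_ofiles[2]->f_name == 'B' && fdp->fd_ofiles[3] == NULL &&
	    fdp->fd_ofiles[0]->f_count == 2 && fdp->fd_ofiles[2]->f_count == 1 &&
	    files_freed == 1;	/* A was dropped with the old table */
	fdescfree_remapped(fdp);
	return (ok && files_freed == 3);
}

/* A mapping that names a closed fd must fail before any reference is taken. */
int demo_remap_badfd(void)
{
	struct filedesc *fdp = calloc(1, sizeof(*fdp));
	int fds[2] = { 0, 7 };
	int ok;

	fdp->fd_ofiles[0] = falloc_demo('A');
	ok = fdcopy_remapped(fdp, fds, 2) == NULL && fdp->fd_ofiles[0]->f_count == 1;
	fdescfree_remapped(fdp);
	return (ok);
}
```

Validating the whole mapping before taking any reference is what lets the abort path stay simple: on a bad fd there is nothing to undo, and on success fdescfree_remapped undoes exactly the references fdcopy_remapped took.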
| |
Previously several places were doing it on its own, partially
incorrectly (e.g. without the filedesc locked) or even actively harmful
by populating jdir or assigning rootvnode without vrefing it.
Reviewed by: kib
Notes:
svn path=/head/; revision=285391
| |
Prefix exported functions with pwd_.
Deduplicate some code by adding a helper for setting fd_cdir.
Reviewed by: kib
Notes:
svn path=/head/; revision=285390
| |
- make mode enum start from 0 so that the assertion covers all cases [1]
- rename prefix _CLOEXEC flag with _FLAG
- postpone fhold on the old file descriptor, which eliminates the need to fdrop
in error cases.
- fixup FDDUP_FCNTL check missed in the previous commit
This removes 'fp == oldfde->fde_file' assertion which had little value. kern_dup
only calls fd-related functions which cannot drop the lock or a whole lot of
races would be introduced.
Noted by: kib [1]
Notes:
svn path=/head/; revision=285357
| |
Tidy up the code inside to switch on the mode.
Notes:
svn path=/head/; revision=285356
| |
All of the CloudABI system calls that operate on file descriptors of an
arbitrary type are prefixed with fd_. This change adds wrappers for
most of these system calls around their FreeBSD equivalents.
The dup2() system call present on CloudABI deviates from POSIX, in the
sense that it can only be used to replace an existing file descriptor. It
cannot be used to create new ones. The reason for this is that this is
inherently thread-unsafe. Furthermore, there is no need on CloudABI to
use fixed file descriptor numbers. File descriptors 0, 1 and 2 have no
special meaning.
This change exposes the kern_dup() through <sys/syscallsubr.h> and puts
the FDDUP_* flags in <sys/filedesc.h>. It then adds a new flag,
FDDUP_MUSTREPLACE to force that file descriptors are replaced -- not
allocated.
Differential Revision: https://reviews.freebsd.org/D3035
Reviewed by: mjg
Notes:
svn path=/head/; revision=285323
| |
This is a step towards removal of spurious arguments.
Notes:
svn path=/head/; revision=284446
| |
Use it in fd passing functions as the first step towards fd code cleanup.
Notes:
svn path=/head/; revision=284380
| |
This gets rid of fdesc_mtx.
Notes:
svn path=/head/; revision=284211
| |
Just accept a thread instead. This makes it consistent with fdalloc.
No functional changes.
Notes:
svn path=/head/; revision=281436
| |
Introduce fget_fcntl which performs appropriate checks when needed.
This removes a branch from fget_unlocked.
Introduce fget_mmap dealing with cap_rights_to_vmprot conversion.
This removes a branch from _fget.
Modify fget_unlocked to pass sequence counter to interested callers so
that they can perform their own checks and make sure the result was
obtained from stable & current state.
Reviewed by: silence on -hackers
Notes:
svn path=/head/; revision=278930
| |
Notes:
svn path=/head/; revision=274485
| |
A read barrier was necessary because fd table pointer and table size were
updated separately, opening a window where fget_unlocked could read new size
and old pointer.
This patch puts both these fields into one dedicated structure, a pointer to which
is later atomically updated. As such, fget_unlocked only needs a data dependency
barrier, which is a noop on all supported architectures.
Reviewed by: kib (previous version)
MFC after: 2 weeks
Notes:
svn path=/head/; revision=273842
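The single-pointer publish described above, as an added example that is not the kernel's code. fdescenttbl, filedesc, fget_unlocked_demo and fdgrowtable_demo are simplified stand-ins, C11 atomics replace the kernel's barrier macros (acquire is used where the kernel needs only a data-dependency barrier), and the files and table sizes are constructed.

```c
#include <stdatomic.h>
#include <stdlib.h>
#include <string.h>

struct file { int f_id; };

/*
 * Size and array live in one allocation.  A reader loads fd_files once and
 * indexes inside that snapshot, so it can never pair a new size with an old
 * array the way separate fd_nfiles/fd_ofiles fields allowed.
 */
struct fdescenttbl {
	int		 fdt_nfiles;
	struct file	*fdt_ofiles[];
};

struct filedesc {
	_Atomic(struct fdescenttbl *) fd_files;
};

static struct fdescenttbl *fdtable_alloc(int nfiles)
{
	struct fdescenttbl *fdt;

	fdt = calloc(1, sizeof(*fdt) + (size_t)nfiles * sizeof(struct file *));
	fdt->fdt_nfiles = nfiles;
	return (fdt);
}

/* Lockless lookup in the shape of fget_unlocked(): one pointer load, then the bounds check. */
static struct file *fget_unlocked_demo(struct filedesc *fdp, int fd)
{
	/* Kernel: data-dependency barrier only; acquire is the portable C11 stand-in. */
	struct fdescenttbl *fdt = atomic_load_explicit(&fdp->fd_files, memory_order_acquire);

	if (fd < 0 || fd >= fdt->fdt_nfiles)
		return (NULL);
	return (fdt->fdt_ofiles[fd]);
}

/* Writer side (would run under the filedesc lock): copy into a bigger table, publish with one store. */
static void fdgrowtable_demo(struct filedesc *fdp, int nfiles)
{
	struct fdescenttbl *otable = atomic_load_explicit(&fdp->fd_files, memory_order_relaxed);
	struct fdescenttbl *ntable;

	if (nfiles <= otable->fdt_nfiles)
		return;
	ntable = fdtable_alloc(nfiles);
	memcpy(ntable->fdt_ofiles, otable->fdt_ofiles,
	    (size_t)otable->fdt_nfiles * sizeof(struct file *));
	atomic_store_explicit(&fdp->fd_files, ntable, memory_order_release);
	/*
	 * The kernel must defer freeing otable until no lockless reader can
	 * still hold it; this single-threaded demo has no such reader.
	 */
	free(otable);
}

static void finstall_demo(struct filedesc *fdp, int fd, struct file *fp)
{
	struct fdescenttbl *fdt = atomic_load_explicit(&fdp->fd_files, memory_order_relaxed);

	fdt->fdt_ofiles[fd] = fp;	/* callers grow the table first */
}

/* Returns 1 when lookups stay consistent across a table grow. */
int demo_grow(void)
{
	struct filedesc fdp;
	struct file f7 = { 7 }, f9 = { 9 };
	int ok;

	atomic_init(&fdp.fd_files, fdtable_alloc(4));
	finstall_demo(&fdp, 2, &f7);
	ok = fget_unlocked_demo(&fdp, 2) == &f7 && fget_unlocked_demo(&fdp, 6) == NULL;
	fdgrowtable_demo(&fdp, 8);
	ok = ok && fget_unlocked_demo(&fdp, 2) == &f7 && fget_unlocked_demo(&fdp, 6) == NULL &&
	    fget_unlocked_demo(&fdp, -1) == NULL && fget_unlocked_demo(&fdp, 8) == NULL;
	finstall_demo(&fdp, 6, &f9);
	ok = ok && fget_unlocked_demo(&fdp, 6) == &f9;
	free(atomic_load(&fdp.fd_files));
	return (ok);
}
```

The bounds check in fget_unlocked_demo reads fdt_nfiles from the same snapshot it indexes, which is the whole point: the old code's read barrier existed only to keep a separately loaded size from running ahead of the array pointer.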
| |
Rename it to fdsetugidsafety for consistency with other functions.
There is no need to take filedesc lock if not closing any files.
The loop has to verify each file and we are guaranteed fdtable has space
for at least 20 fds. As such there is no need to check fd_lastfile.
While here tidy up is_unsafe.
Notes:
svn path=/head/; revision=273441
| |
Notes:
svn path=/head/; revision=272569
| |
Include sequence counter support unconditionally [1]. This fixes reported build
problems with e.g. nvidia driver due to missing opt_capsicum.h.
Replace fishy looking sizeof with offsetof. Make fde_seq the last member in
order to simplify calculations.
Suggested by: kib [1]
X-MFC: with 272505
Notes:
svn path=/head/; revision=272567
| |
hopefully allow the build to finish after r272505.
Notes:
svn path=/head/; revision=272523
| |
fp and appropriate capability lookups were not atomic, which could result in
improper capabilities being checked.
This could result either in protection bypass or in a spurious ENOTCAPABLE.
Make fp + capability check atomic with the help of sequence counters.
Reviewed by: kib
MFC after: 3 weeks
Notes:
svn path=/head/; revision=272505
| |
No functional changes.
Notes:
svn path=/head/; revision=272185
| |
Proc had to match the thread anyway and 2 parameters were inconsistent
with the rest.
MFC after: 1 week
Notes:
svn path=/head/; revision=268001
| |
fd_lastfile is guaranteed to be the biggest open fd, so when the intent
is to iterate over active fds or lookup one, there is no point in looking
beyond that limit.
Few places are left unpatched for now.
MFC after: 1 week
Notes:
svn path=/head/; revision=267710
| |
It rarely returns an error and fdallocn handles the failure of fdalloc
just fine.
Notes:
svn path=/head/; revision=264104