undocumented) and change logic in kauth_authorize_action() to only
allow an action if it wasn't explicitly allowed/denied and there are no
secmodels loaded.
Okay yamt@.
tail instead of an explicit check to add to the head for an empty
queue. Apparently TAILQ_INSERT_HEAD happens to work for a
non-initialized head and does implicit initialization so that
TAILQ_INSERT_TAIL works after that.
variation suggested by yamt on tech-kern.
XXX: The exception is that this doesn't any longer prevent caching
of RENAME, which was implied in a weird weird way previously. But
that's handled by the callers currently.
on comparisons < 0, since they can never be true. All register_t's should
be made signed, and this commit should be reverted. For now cast to int,
since the syscall code is a small number and guaranteed to fit.
Make sure we always FILE_UNUSE the file. To make it easier, exit
via a new "out:" exit path that does so, setting error beforehand.
Fix suggested by Elad, hand-typed by me.
- don't hold the parent directory vnode locked while traversing mount points.
the fs that's mounted might be an NFS served by a userland process
like the automounter, which might need to traverse the parent directory
in order to complete the lookup.
- in the ENAMETOOLONG case fixed in rev. 1.75, set ni_dvp to dp
since we've logically moved on to using "dp" as the parent.
the caller will then handle vput()ing it as normal.
this fixes PR 35279.
decisions, then have a kauth(9) call for security policy enforcement,
and only then proceed to processing each request.
Add a KAUTH_PROCESS_CANSEE call right after pfind(). This should really
be done differently, so mark it with XXX.
requests and centralizing them all. The result is that some of these
are not used on some architectures, but the documentation was updated
to reflect that.
mount_getargs(), and mount_domount() to handle three main things it can
do.
This makes the code more readable and removes the horrible goto mess
that was lurking there since forever... it also makes it easier to
implement a security policy for that code.
Introduce the (intentionally undocumented) pathname_get(), pathname_path(),
and pathname_put(), to deal with allocating and copying of pathnames from
either kernel- or user-space.
- finish implementing splraiseipl (and makeiplcookie).
http://mail-index.NetBSD.org/tech-kern/2006/07/01/0000.html
- complete workqueue(9) and fix its ipl problem, which is reported
to cause audio skipping.
- fix netbt (at least compilation problems) for some ports.
- fix PR/33218.
- makes sysctl_proc_find() just lookup the process,
- use KAUTH_PROCESS_CANSEE requests to determine if the caller is
allowed to view the target process' corename, stop flags, and
rlimits,
- use explicit kauth(9) calls with KAUTH_PROCESS_CORENAME,
KAUTH_REQ_PROCESS_RESOURCE_NICE, KAUTH_REQ_PROCESS_RESOURCE_RLIMIT,
and KAUTH_PROCESS_STOPFLAG when modifying the aforementioned.
- sync man-page and example skeleton secmodel with reality.
okay yamt@
this is a pullup candidate.
because the latter is always available during the lifetime of the former,
there is little point to use another global list to keep track of them.
it also allows to remove an #ifdef FILEASSOC.
- avoid some operations (memory allocation and VOP) in fileassoc_file_lookup,
when fileassoc table is not used.
ok'ed by elad.
- make fileassoc_t a pointer and remove FILEASSOC_INVAL.
- clean up kern_fileassoc.c. unify duplicated code.
- unexport fileassoc_init using RUN_ONCE(9).
- plug memory leaks in fileassoc_file_delete and fileassoc_table_delete.
- always call callbacks, regardless of the value of the associated data.
ok'ed by elad.
- LOCKPARENT is no longer relevant for lookup(), relookup() or VOP_LOOKUP().
these now always return the parent vnode locked. namei() works as before.
lookup() and various other paths no longer acquire vnode locks in the
wrong order via vrele(). fixes PR 32535.
as a nice side effect, path lookup is also up to 25% faster.
- the above allows us to get rid of PDIRUNLOCK.
- also get rid of WANTPARENT (just use LOCKPARENT and unlock it).
- remove an assumption in layer_node_find() that all file systems implement
a recursive VOP_LOCK() (unionfs doesn't).
- require that all file systems supply vfs_vptofh and vfs_fhtovp routines.
fill in eopnotsupp() for file systems that don't support being exported
and remove the checks for NULL. (layerfs calls these without checking.)
- in union_lookup1(), don't change refcounts in the ISDOTDOT case, just
adjust which vnode is locked. fixes PR 33374.
- apply fixes for ufs_rename() from ufs_vnops.c rev. 1.61 to ext2fs_rename().
processes through sysctl
Fix inverted logic in boolean assignment. This is why these tests should
not be done outside the secmodel code.
Thanks for the report.
handle a single entry and veriexec_table_delete() to handle an entire
table. veriexec_convert() now takes a struct vnode *, and made
veriexec_table_lookup() take struct mount * (that's entirely internal
now).
Tested on amd64, built successfully on amd64, i386, sparc, and sparc64.
for work on some future functionality.
- Veriexec data-structures are no longer exposed.
- Thanks to using proplib for data passing now, the interface
changes further to accommodate that.
Introduce four new functions. First, veriexec_file_add(), to add
a new file to be monitored by Veriexec, to replace both
veriexec_load() and veriexec_hashadd(). veriexec_table_add(), to
replace veriexec_newtable(), will be used to optimize hash table
size (during preload), and finally, veriexec_convert(), to convert
an internal entry to one userland can read.
- Introduce veriexec_unmountchk(), to enforce Veriexec unmount
policy. This cleans up a bit of code in kern/vfs_syscalls.c.
- Rename veriexec_tblfind() with veriexec_table_lookup(), and make
it static. More functions that became static: veriexec_fp_cmp(),
veriexec_fp_calc().
- veriexec_verify() no longer returns the entry as well, but just
sets a boolean indicating whether an entry was found or not.
- veriexec_purge() now takes a struct vnode *.
- veriexec_add_fp_name() was merged into veriexec_add_fp_ops(), that
changed its name to veriexec_fpops_add(). veriexec_find_ops() was
also renamed to veriexec_fpops_lookup().
Also on the fp-ops front, the three function types used to initialize,
update, and finalize a hash context were renamed to
veriexec_fpop_init_t, veriexec_fpop_update_t, and veriexec_fpop_final_t
respectively.
- Introduce a new malloc(9) type, M_VERIEXEC, and use it instead of
M_TEMP, so we can tell exactly how much memory is used by Veriexec.
- And, most importantly, whitespace and indentation nits.
Built successfully for amd64, i386, sparc, and sparc64. Tested on amd64.
Obviously, this breaks the already unstable Veriexec ABI, but that's
it. Some cool additions are planned to be introduced, and this just
makes it so that NetBSD 4.0 users will be able to easily use them as
well.
This also removes the fingerprint type name limit, so relevant code
was adjusted.
Thoroughly tested (even uncovered a bug in proplib! thanks for fixing
that cube@!). Documentation updated.
First, remove process_checkioperm() calls from MD code. Similar checks
using kauth(9) routines (on the process scope, using appropriate action)
are done in the callers.
Add secmodel back-end to handle each subsystem.
using both the rawio_spec and passthru actions to detect raw disk
activity. Same for kernel memory policy.
Update documentation (no longer need to expose veriexec_rawchk()) and
remove all Veriexec-related bits from specfs.
version.
Add disk_blocksize(9) so that disk drivers can record the physical
block size of a disk if it is different to DEV_BSIZE. Right now this
simply initialises dk_blkshift and dk_byteshift according to the
supplied block size. This information is used in the MI version of
bounds_check_with_label().
* XXX: This is bogus. There's an obvious race condition between the time
* XXX: the disk is open for writing, in which an attacker can access a
* XXX: monitored file to get its signature cached again, and when the raw
* XXX: file is overwritten on disk.
* XXX:
* XXX: To solve this, we need something like the following:
* XXX: open raw disk:
* XXX: - raise refcount,
* XXX: - invalidate fingerprints,
* XXX: - mark all entries with "no cache" flag
* XXX:
* XXX: veriexec_verify:
* XXX: - if "no cache", don't cache evaluation result
* XXX:
* XXX: close raw disk:
* XXX: - lower refcount,
* XXX: - if refcount == 0, remove "no cache" flag from all entries
implies that _UC_CPU must be set in the context passed. Check for this
and return EINVAL if not; this gives a cheap test for corrupted
ucontexts eg on a signal handler stack which would go unnoticed otherwise.
- Don't check for NULL ucontext pointers explicitly. This is an error,
except in the swapcontext() case where it can be easily caught in
userland.
required to initialize ksyms_hdr. Otherwise LKMs do not work when using
ksyms_init_explicit instead of ksyms_init, as is the case of booting an
i386 kernel using Multiboot.
use it. idea partly from yamt. assert SCHED_ASSERT_UNLOCKED() in
all the places we call ksiginfo_queue() without a ksiginfo.
fixes recent panics detected by LOCKDEBUG.
XXX: We still install rmd160.h and sha2.h in /usr/include/crypto, unlike
the other hash functions which get installed in /usr/include for compatibility.
allowed. It takes three int * arguments indicating domain, type, and
protocol. Replace previous KAUTH_REQ_NETWORK_SOCKET_RAWSOCK with it (but
keep it still).
Places that used to explicitly check for privileged context now don't
need it anymore, so I replaced these with XXX comment indicating it for
future reference.
Documented and updated examples as well.
exact address of the symtab and strtab ELF sections contents beforehand.
This will be used in i386's Multiboot code to add the initial kernel ksyms
without having to prepare a minimal ELF image that matches the format
expected by the regular ksyms_init function.
This part was reviewed by cube@ and successfully passes a full i386 release
build.
for the disk.
- Add a new function, disk_ioctl(), that does generic disk ioctl handling.
DIOCGDISKINFO is handled here now, and others will be added in the future.
- In the wd driver, fill in the dk_info member of struct disk and use the
new disk_ioctl() function.
Make some "#ifdef DIAGNOSTIC" blocks always compiled in; others
convert to KASSERT() where appropriate.
Add some sanity checks and comments while here.
Add _lwp_getspecific_by_lwp() to get lwp specific data from other lwp's.
Protected by #ifdef _LWP_API_PRIVATE.
Approved by: Jason Thorpe <thorpej@netbsd.org>
pool_get(). pre-allocate the ksiginfo_t before taking sched_lock and
use it if necessary, or freeing it if it is unused.
rename ksiginfo_{get,put}() to ksiginfo_{dequeue,queue}() (idea from chuq.)
this fixes PR#32962. thanks to christos, chuq and go for help/ideas.
vnodes were synced and processed backwards. This meant that the last
accessed node was processed first and the earliest last.
An extra benefit is the removal of the ugly hack from the Berkeley days on
LFS.
In the process, I've also replaced the various variations of hand-written loops
by the TAILQ_FOREACH() macros.
Instead, free an LWP's specificdata from lwp_exit() (if it is not the
last LWP) or exit1() (if it is the last LWP). For consistency, free the
proc's specificdata from exit1() as well. Add lwp_finispecific() and
proc_finispecific() functions to make this more convenient.
wrappers around the specificdata subroutines. Also:
- Call the new lwpinit() function from main() after calling procinit().
- Move some pool initialization out of kern_proc.c and into files that
are directly related to the pools in question (kern_lwp.c and kern_ras.c).
- Convert uipc_sem.c to proc_{get,set}specific(), and eliminate the p_ksems
member from struct proc.
subsystems, based on work by YAMAMOTO Takashi. This is intended to
be used by other subsystems (such as the proc_*() or lwp_*() routines)
rather than directly by consumers.
In 30 minutes from now Jason Thorpe will come up with an implementation
of a proplib dictionary in struct proc, so adding an int doesn't really
make any sense.