Commit Graph

108 Commits

Author SHA1 Message Date
pooka
7e5aba5af0 Move uidinfo to its own module in kern_uidinfo.c and include in rump.
No functional change to uidinfo.
2008-10-11 13:40:57 +00:00
ad
30115e937a Most contention on proc_lock is from getppid(), so cache the parent's PID. 2008-06-02 16:18:09 +00:00
ad
6d70f903e6 Network protocol interrupts can now block on locks, so merge the globals
proclist_mutex and proclist_lock into a single adaptive mutex (proc_lock).
Implications:

- Inspecting process state requires thread context, so signals can no longer
  be sent from a hardware interrupt handler. Signal activity must be
  deferred to a soft interrupt or kthread.

- As the proc state locking is simplified, it's now safe to take exit()
  and wait() out from under kernel_lock.

- The system spends less time at IPL_SCHED, and there is less lock activity.
2008-04-24 15:35:27 +00:00
dsl
7e2790cf6f Convert all the system call entry points from:
int foo(struct lwp *l, void *v, register_t *retval)
to:
    int foo(struct lwp *l, const struct foo_args *uap, register_t *retval)
Fixup compat code to not write into 'uap' and (in some cases) to actually
pass a correctly formatted 'uap' structure with the right name to the
next routine.
A few 'compat' routines that just call standard ones have been deleted.
All the 'compat' code compiles (along with the kernels required to test
build it).
98% done by automated scripts.
2007-12-20 23:02:38 +00:00
dsl
477e862d2a Fix inverted check in sys_setgroups(). 2007-06-30 21:31:41 +00:00
dsl
04c196a642 Add a flags parameter to kauth_cred_get/setgroups() so that sys_set/setgroups
can copy directly to/from userspace.
Avoids exposing the implementation of the group list as an array to code
outside kern_auth.c.
compat code and man page need updating.
2007-06-30 13:32:14 +00:00
dsl
a72d93045f Make sys_getgroups() and sys_setgroups() use the newly added functions
in kern_prot.c in order to simplify the code paths.
NB: the grouplist is not longer sorted - I don't think anything relies
on this (any more) and nfs will use truncated lists where the order of the
entries is important.
Move the external defns for public functios in kern_prot.c into a new
header sys/prot.h (from sys/ucred.h which contains a compat defn that
is exposed to userspace).
2007-06-23 09:08:37 +00:00
ad
c147748d84 - Make the proclist_lock a mutex. The write:read ratio is unfavourable,
and mutexes are cheaper use than RW locks.
- LOCK_ASSERT -> KASSERT in some places.
- Hold proclist_lock/kernel_lock longer in a couple of places.
2007-03-09 14:11:22 +00:00
christos
53524e44ef Kill caddr_t; there will be some MI fallout, but it will be fixed shortly. 2007-03-04 05:59:00 +00:00
thorpej
4f3d5a9cc0 TRUE -> true, FALSE -> false 2007-02-22 06:34:42 +00:00
pavel
934634a18c Change the process/lwp flags seen by userland via sysctl back to the
P_*/L_* naming convention, and rename the in-kernel flags to avoid
conflict. (P_ -> PK_, L_ -> LW_ ). Add back the (now unused) LSDEAD
constant.

Restores source compatibility with pre-newlock2 tools like ps or top.

Reviewed by Andrew Doran.
2007-02-17 22:31:36 +00:00
ad
b07ec3fc38 Merge newlock2 to head. 2007-02-09 21:55:00 +00:00
yamt
1a7bc55dcc remove some __unused from function parameters. 2006-11-01 10:17:58 +00:00
christos
4d595fd7b1 - sprinkle __unused on function decls.
- fix a couple of unused bugs
- no more -Wno-unused for i386
2006-10-12 01:30:41 +00:00
elad
5f7169ccb1 First take at security model abstraction.
- Add a few scopes to the kernel: system, network, and machdep.

- Add a few more actions/sub-actions (requests), and start using them as
  opposed to the KAUTH_GENERIC_ISSUSER place-holders.

- Introduce a basic set of listeners that implement our "traditional"
  security model, called "bsd44". This is the default (and only) model we
  have at the moment.

- Update all relevant documentation.

- Add some code and docs to help folks who want to actually use this stuff:

  * There's a sample overlay model, sitting on-top of "bsd44", for
    fast experimenting with tweaking just a subset of an existing model.

    This is pretty cool because it's *really* straightforward to do stuff
    you had to use ugly hacks for until now...

  * And of course, documentation describing how to do the above for quick
    reference, including code samples.

All of these changes were tested for regressions using a Python-based
testsuite that will be (I hope) available soon via pkgsrc. Information
about the tests, and how to write new ones, can be found on:

	http://kauth.linbsd.org/kauthwiki

NOTE FOR DEVELOPERS: *PLEASE* don't add any code that does any of the
following:

  - Uses a KAUTH_GENERIC_ISSUSER kauth(9) request,
  - Checks 'securelevel' directly,
  - Checks a uid/gid directly.

(or if you feel you have to, contact me first)

This is still work in progress; It's far from being done, but now it'll
be a lot easier.

Relevant mailing list threads:

http://mail-index.netbsd.org/tech-security/2006/01/25/0011.html
http://mail-index.netbsd.org/tech-security/2006/03/24/0001.html
http://mail-index.netbsd.org/tech-security/2006/04/18/0000.html
http://mail-index.netbsd.org/tech-security/2006/05/15/0000.html
http://mail-index.netbsd.org/tech-security/2006/08/01/0000.html
http://mail-index.netbsd.org/tech-security/2006/08/25/0000.html

Many thanks to YAMAMOTO Takashi, Matt Thomas, and Christos Zoulas for help
stablizing kauth(9).

Full credit for the regression tests, making sure these changes didn't break
anything, goes to Matt Fleming and Jaime Fournier.

Happy birthday Randi! :)
2006-09-08 20:58:56 +00:00
ad
a0c8510a86 Single-thread updates to the process credential. 2006-07-30 21:58:11 +00:00
ad
2b79369c7e - Hold a reference to the process credentials in each struct lwp.
- Update the reference on syscall and user trap if p_cred has changed.
- Collect accounting flags in the LWP, and collate on LWP exit.
2006-07-19 21:11:37 +00:00
ad
e7447d9340 - Always make p->p_cred a private copy before modifying.
- Share credentials among processes when forking.
2006-07-17 15:29:06 +00:00
yamt
73f44d02f7 do_setresuid, do_setresgid: use the suser privilege only when necessary. 2006-07-15 06:31:34 +00:00
elad
215bd95ba4 integrate kauth. 2006-05-14 21:15:11 +00:00
christos
95e1ffb156 merge ktrace-lwp. 2005-12-11 12:16:03 +00:00
rillig
aede7f6775 Made the code of the grsortu function smaller and simpler. Ok'ed by
christos.
2005-09-02 20:51:53 +00:00
christos
62ea392e41 in setgroups(), sort -u the gid_t array to make sure that comparisons are
consistent.
2005-08-23 07:58:58 +00:00
rillig
20f0c3a484 Bugfix: In crcmp, compare n group IDs instead of only n bytes.
Added a big FIXME because two group lists containing the same entries,
but ordered differently, still compare as unequal. The same holds if one
group list contains an entry twice while the other does not. ok'ed by
christos.
2005-08-22 15:10:50 +00:00
pk
3ec3f724be crcopy: no need to lock if we're only reading the structure's reference count. 2004-05-04 21:27:28 +00:00
pk
7d0afa7f41 Add mutex to protect the ucred reference counter. 2004-05-02 12:36:55 +00:00
simonb
b5d0e6bf06 Initialise (most) pools from a link set instead of explicit calls
to pool_init.  Untouched pools are ones that either in arch-specific
code, or aren't initialiased during initial system startup.

 Convert struct session, ucred and lockf to pools.
2004-04-25 16:42:40 +00:00
christos
f13a3d0852 PR/9347: Eric E. Fair: socket buffer pool exhaustion leads to system deadlock
and unkillable processes.
1. Introduce new SBSIZE resource limit from FreeBSD to limit socket buffer
   size resource.
2. make sokvareserve interruptible, so processes ltsleeping on it can be
   killed.
2004-04-17 15:15:29 +00:00
agc
aad01611e7 Move UCB-licensed code from 4-clause to 3-clause licence.
Patches provided by Joel Baker in PR 22364, verified by myself.
2003-08-07 16:26:28 +00:00
christos
ade6fba604 add a crcmp() function. 2003-05-16 13:55:18 +00:00
jdolecek
479a3334a4 sys_setreuid(): parenthesize the ruid check in ?: condition, so that
it would be more difficult to mistake == for = when reading it
2003-03-27 17:47:45 +00:00
dsl
9be8ac5294 Alternative pid/proc allocater, removes all searches associated with pid
lookup and allocation, and any dependency on NPROC or MAXUSERS.
NO_PID changed to -1 (and renamed NO_PGID) to remove artificial limit
on PID_MAX.
As discussed on tech-kern.
2003-03-19 11:36:32 +00:00
dsl
a5de203f9f Add do_setresuid() and do_setresgid() and implement sys_setuid, sys_seteuid,
sys_setreuid (and gid equivs) in terms of them.
2003-03-05 18:42:19 +00:00
enami
5bb41745ed Cosmetic changes. 2003-02-28 23:24:40 +00:00
wiz
9ceb9b4b15 Add newline character to logname change warning.
Noted missing by Sean Davis on tech-kern.
2003-02-18 19:26:23 +00:00
dsl
b80a5f24c5 KNF kern_prot.c 2003-02-18 08:37:41 +00:00
dsl
aed442201d Fix support of 15 and 16 character lognames.
Warn if the logname is changed within a session - usually a missing setsid.
(approved by christos)
2003-02-15 18:10:15 +00:00
thorpej
b193480908 Add extensible malloc types, adapted from FreeBSD. This turns
malloc types into a structure, a pointer to which is passed around,
instead of an int constant.  Allow the limit to be adjusted when the
malloc type is defined, or with a function call, as suggested by
Jonathan Stone.
2003-02-01 06:23:35 +00:00
thorpej
e0d8d366df Merge the nathanw_sa branch. 2003-01-18 10:06:22 +00:00
thorpej
7055457a98 Fix some signed/unsigned comparison warnings from GCC 3.3. 2002-08-25 21:30:40 +00:00
christos
d343ff07bf remove diagnostic test checking for cr_ref = 0. It will never be, because
free() will stick 0xdeadbeef into it.
2001-12-06 23:11:59 +00:00
christos
2a73d40eab introduce crcvt() that converts from struct uucred to struct ucred. 2001-11-29 21:21:13 +00:00
jdolecek
577b809930 crfree(): add DIAGNOSTIC sanity check of cr_ref; unfortunately, if the memory
is freed prematurely the check won't be triggered immediatelly, probably
since the memory is likely to be reused fast; but it _would_ be triggered
eventually
2001-11-27 07:30:03 +00:00
lukem
adc783d537 add RCSIDs 2001-11-12 15:25:01 +00:00
thorpej
4cb159296b Remove an splimp() that really has no purpose in life. 2001-04-12 03:08:42 +00:00
mycroft
acbeba20e1 Fix compile glitch. 2000-12-09 07:17:32 +00:00
mycroft
02d8d5f9bf Define 3 new functions:
* sys_getpid_with_ppid()
* sys_getuid_with_euid()
* sys_getgid_with_egid()
that do the retval[1] hack.  Use them when COMPAT_43 is defined.
2000-12-09 07:04:47 +00:00
jdolecek
fc181f91c6 use EMUL_GETPID_PASS_PPID or EMUL_GETID_PASS_EID to find out if one should
pass parent pid for getpid() or effective id for get[ug]id(), instead
of compile-time dependency
2000-12-01 20:34:17 +00:00
christos
0628f0a87e knf [from charles] 2000-10-17 23:38:55 +00:00
christos
23c15f1578 Don't set P_SUGID if the calls to set{e,}{u,g}id(), setreuid(),
setgroups() did not result in actual changes. This has the nice
side effect that we don't needlesly allocate new credential and
resource limit data structures.

This is so that non setuid programs that call seteuid(getuid()),
don't end up setting P_SUGID, resulting in broken behavior [i.e.
non setuid ssh, doesn't read ~/.hostaliases...].

This is a good candidate for a pullup, if someone reviews it.
2000-10-17 20:53:45 +00:00