Instead, free an LWP's specificdata from lwp_exit() (if it is not the
last LWP) or exit1() (if it is the last LWP). For consistency, free the
proc's specificdata from exit1() as well. Add lwp_finispecific() and
proc_finispecific() functions to make this more convenient.
wrappers around the speicificdata subroutines. Also:
- Call the new lwpinit() function from main() after calling procinit().
- Move some pool initialization out of kern_proc.c and into files that
are directly related to the pools in question (kern_lwp.c and kern_ras.c).
- Convert uipc_sem.c to proc_{get,set}specific(), and eliminate the p_ksems
member from struct proc.
subsystems, based on work by YAMAMOTO Takashi. This is intended to
be used by other subsystems (such as the proc_*() or lwp_*() routines)
rather than directly by consumers.
In 30 minutes from now Jason Thorpe will come up with an implementation
of a proplib dictionary in struct proc, so adding an int doesn't really
make any sense.
recent bugs introduced with the usage of kauth(9) in MD/device code.
While here, change the sanity checks to KASSERT(), because they're really
bugs we should fix if triggered.
Brought up on tech-kern@ some ~2 months ago, didn't seem to be an
objection; brought up again recently and no objection either... this is
not too intrusive and I've been running with this for a while.
It uses an authorization wrapper per device class on the system to
ensure type-safety.
For now, it supports only terminal (TTY) devices, and has two actions
for them: "open terminal" and "privileged set". Sample usage has been
added to i386 and hp300 code for reference.
Update documentation.
kfilter slots are used: no guarantee previously that last
slot had a NULL name.
- Reuse previously deregistered user kfilter slots in
kfilter_register().
For the benefit of linux emulation create a new minor device '2'
which is a ptmx with linux semantics. Linux changes the permissions
of the slave pty upon creation, not when grantpt(3) is called. The
glibc linux grantpt(3) checks that the pty is on ptyfs, and if it is,
it does nothing. To make use of this fix:
mknod /emul/linux/dev/ptmx c 165 2
chmod 666 /emul/linux/dev/ptmx
This is a lot simpler than copying a bunch of code and creating a
ptmx device just for the benefit of linux emulation.
schemas. Disk information and disk geometry are designed to replace
information currently conveyed to user space using struct disklabel.
- Add a dk_info member to struct disk; a reference to a disk information
dictionary. This dictionary is to be allocated and the reference stored
in struct disk by individual drivers.
- disk_detach0() will release dk_info if non-NULL.
- Convert the wd(4) driver to stash geometry and other disk properties
as the "disk-info" property in its properties dictionary. This needs
some cleanup, but will serve as an example of what to do with other
disk drivers.
"execute a command" ioctl that takes a dictionary as an argument
(specifying the command and arguments) and returns a dictionary
with the results (error code, optional error message, optional
result data).
- Define and implement a "get-properties" command for DRVCTLCOMMAND
that returns the properties dictionary of the specified device.
- Add a -p flag to drvctl(8) to fetch and display the properties of
the specified device.
This is a great example of how to use prop_dictionary_sendrecv_ioctl().
the logic in kauth_authorize_action() to use it.
When we try to authorize a request and the flag is FALSE, it means a
kernel was compiled with no listeners (or we're in very early boot stages),
and we always allow the request because it's likely to be coming from the
kernel itself or from loading an LKM with the security model (later on).
Assert that if the "listeners have been loaded" flag is FALSE, there are
really no listeners for the scope we're authorizing on.
When the flag is TRUE (ie., listeners have been loaded) but they were
later removed, creating a scope with no listeners, the request will be
denied further down.
This allows us to have the security model compiled outside the NetBSD
kernel and later loaded as an LKM, without fearing an attack will just
remove listeners we loaded earlier to create a "fail open" situation.
Input from yamt@, thorpej@, gdt@, dan@.
Okay yamt@, thorpej@.
is giving you. Also, while here, bump the threshold for "preposterous"
dates by 20 years. Now any date earlier than late 1994 is considered
preposterous.
assumed that all the strings were stored in a row, separated by NUL chars,
at the address pointed bu argv[0] (or envp[0]).
This was wrong: if the program changed argvs[0], we still read the
first string correctly, but the next strings did contain unexpected data.
The fix: read the whole argv (or envp) array, then copy the string one by
one, using their addresses in argv (or agrp)
- Add a few scopes to the kernel: system, network, and machdep.
- Add a few more actions/sub-actions (requests), and start using them as
opposed to the KAUTH_GENERIC_ISSUSER place-holders.
- Introduce a basic set of listeners that implement our "traditional"
security model, called "bsd44". This is the default (and only) model we
have at the moment.
- Update all relevant documentation.
- Add some code and docs to help folks who want to actually use this stuff:
* There's a sample overlay model, sitting on-top of "bsd44", for
fast experimenting with tweaking just a subset of an existing model.
This is pretty cool because it's *really* straightforward to do stuff
you had to use ugly hacks for until now...
* And of course, documentation describing how to do the above for quick
reference, including code samples.
All of these changes were tested for regressions using a Python-based
testsuite that will be (I hope) available soon via pkgsrc. Information
about the tests, and how to write new ones, can be found on:
http://kauth.linbsd.org/kauthwiki
NOTE FOR DEVELOPERS: *PLEASE* don't add any code that does any of the
following:
- Uses a KAUTH_GENERIC_ISSUSER kauth(9) request,
- Checks 'securelevel' directly,
- Checks a uid/gid directly.
(or if you feel you have to, contact me first)
This is still work in progress; It's far from being done, but now it'll
be a lot easier.
Relevant mailing list threads:
http://mail-index.netbsd.org/tech-security/2006/01/25/0011.htmlhttp://mail-index.netbsd.org/tech-security/2006/03/24/0001.htmlhttp://mail-index.netbsd.org/tech-security/2006/04/18/0000.htmlhttp://mail-index.netbsd.org/tech-security/2006/05/15/0000.htmlhttp://mail-index.netbsd.org/tech-security/2006/08/01/0000.htmlhttp://mail-index.netbsd.org/tech-security/2006/08/25/0000.html
Many thanks to YAMAMOTO Takashi, Matt Thomas, and Christos Zoulas for help
stablizing kauth(9).
Full credit for the regression tests, making sure these changes didn't break
anything, goes to Matt Fleming and Jaime Fournier.
Happy birthday Randi! :)
* Stop fhandle memory leaks and use the correct fhandle dealloc routine
(thanks to Elad for these fixes)
* Remove include of kmem.h, it is not required.
is defined. if this option is present in the Makefile CFLAGS and we are
using GCC4, build kern_synch.c with -fno-reorder-blocks, so that this
actually works.
XXX be nice if KERN_SYNCH_BPENDTSLEEP_LABEL was a normal 'defflag' option
XXX but for now take the easy way out and make it checkable in CFLAGS.
in tc_init() with splclock(). Fixes doubled-up "selected timecounter"
messages on some architectures, including pc532 and cobalt.
Fix suggested by Frank Kardel.
that check. So instead, we test to make sure we have a non-negative second
after the conversion.
While here, we also add a check to round the second counter up when setting
time if we are more than half-way into the second.
todr_settime_ymdhms. This allows drivers to avoid repeated conversions, and
allows us to centralize check for Y2038 overflow. As discussed on
tech-kern.
1) don't set a clock when panicing during early boot
2) if the filesystem time is newer than the rtc time (by at least 2 days) then
revert to the filesystem time.
3) use x86 style messaging.
We still use a threshold of 2 days of gain or loss in time to warn though.
pooka