Commit Graph

152 Commits

Author SHA1 Message Date
elad ae660023a4 PR/41489: Stathis Kamperis: setpriority(2) returns EACCES instead of EPERM
Per discussion on the PR's audit trail, put back original checks for now.
2009-05-26 06:57:38 +00:00
mrg fcc023545e - add new RLIMIT_AS (aka RLIMIT_VMEM) resource that limits the total
address space available to processes.  this limit exists in most other
modern unix variants, and like most of them, our defaults are unlimited.
remove the old mmap / rlimit.datasize hack.

- adds the VMCMD_STACK flag to all the stack-creation vmcmd callers.
it is currently unused, but was added a few years ago.

- add a pair of new process size values to kinfo_proc2{}. one is the
total size of the process memory map, and the other is the total size
adjusted for unused stack space (since most processes have a lot of
this...)

- patch sh, and csh to notice RLIMIT_AS.  (in some cases, the alias
RLIMIT_VMEM was already present and used if available.)

- patch ps, top and systat to notice the new k_vm_vsize member of
kinfo_proc2{}.

- update irix, svr4, svr4_32, linux and osf1 emulations to support
this information.  (freebsd could be done, but that it's best left
as part of the full-update of compat/freebsd.)


this addresses PR 7897.  it also gives correct memory usage values,
which have never been entirely correct (since mmap), and have been
very incorrect since jemalloc() was enabled.

tested on i386 and sparc64, build tested on several other platforms.

thanks to many folks for feedback and testing but most especially
chuq and yamt for critical suggestions that led to this patch not
having a special ugliness i wasn't happy with anyway :-)
2009-03-29 01:02:48 +00:00
rmind db4ca04011 dosetrlimit: remove the checks which are no longer needed since rlim_t
is unsigned again.  Hi <christos>!
2009-02-09 11:13:20 +00:00
drochner 338f42d97e put back a range check in setrlimit() for now
(thanks to Andrew Doran for remembering)
rlim_t _should_ be unsigned, but this needs more work
2009-01-29 22:27:23 +00:00
christos 461a86f9bd merge christos-time_t 2009-01-11 02:45:45 +00:00
pooka 7e5aba5af0 Move uidinfo to its own module in kern_uidinfo.c and include in rump.
No functional change to uidinfo.
2008-10-11 13:40:57 +00:00
pooka dc2ebb63b8 Put ui_lock back and use it to modify the socket buffer size.
Typecasting quad_t * to long * and using atomic_add_long can't
possibly be expected to work!

Another fine error caught by the gcc type-punning warning.  That
really really should be on by default in the kernel.
2008-10-11 13:04:39 +00:00
njoly ab896e4008 Small fix to make setpriority(2) with PRIO_PROCESS return ESRCH when
no valid process can be found.
2008-09-30 17:28:47 +00:00
njoly 6d60715500 Make setpriority(2) return EINVAL for incorrect which values. 2008-09-29 21:30:12 +00:00
rmind 59a180ac8f sysctl_proc_stop: fix a lock-leak when kauth returns an error.
From <kefren>.
2008-06-23 20:04:36 +00:00
ad 2feabc3836 PR kern/38812 race between lwp_exit_switchaway and exit1/coredump
Move the LWP RUNNING and TIMEINTR flags into the thread-private flag word.
2008-05-31 21:26:01 +00:00
ad e071d39c84 - Convert hashinit() to use kmem_alloc(). The hash tables can be large
and it's better to not have them in kmem_map.
- Convert a couple of minor items along the way to kmem_alloc().
- Fix some memory leaks.
2008-05-05 17:11:16 +00:00
ad ddeba2439c Ignore processes with PK_MARKER set. 2008-04-29 15:51:23 +00:00
ad 284c2b9aef Merge proc::p_mutex and proc::p_smutex into a single adaptive mutex, since
we no longer need to guard against access from hardware interrupt handlers.

Additionally, if cloning a process with CLONE_SIGHAND, arrange to have the
child process share the parent's lock so that signal state may be kept in
sync. Partially addresses PR kern/37437.
2008-04-24 18:39:20 +00:00
ad 6d70f903e6 Network protocol interrupts can now block on locks, so merge the globals
proclist_mutex and proclist_lock into a single adaptive mutex (proc_lock).
Implications:

- Inspecting process state requires thread context, so signals can no longer
  be sent from a hardware interrupt handler. Signal activity must be
  deferred to a soft interrupt or kthread.

- As the proc state locking is simplified, it's now safe to take exit()
  and wait() out from under kernel_lock.

- The system spends less time at IPL_SCHED, and there is less lock activity.
2008-04-24 15:35:27 +00:00
ad be04ac4896 Make rusage collection per-LWP and collate in the appropriate places.
cloned threads need a little bit more work but the locking needs to
be fixed first.
2008-03-27 19:06:51 +00:00
ad 1b558d1305 uid_find:
- Issue membar_producer() before inserting the new uidinfo.
- Optimize slightly and fix a couple of KNF nits.
- Need sys/atomic.h.
2008-03-18 02:35:29 +00:00
rmind 33928e0f83 - Replace uihashtbl_lock and struct uidinfo::ui_lock with atomic operations.
This makes uid_find(), chgproccnt(), chgsbsize() and lf_alloc(), lf_free()
  functions lock-less.
- Increase the size of uihashtbl in case of MP system, as suggested by <ad>.
- Add HASH_SLIST type for hashinit().

Reviewed by <ad>.
2008-03-17 21:16:03 +00:00
rmind 05595560a2 - Initialize uihashtbl in resource_init();
- Make some variables static, remove the externs from header;
- Wrap few long lines, misc;

No functional changes are intended.
2008-03-17 00:18:24 +00:00
christos d90e9f98a8 Don't return 0 if the count is not changed in chgproccnt()! 2008-02-24 21:44:51 +00:00
yamt c73d250f0f uid_find: use kmem_alloc rather than malloc. 2008-01-29 12:41:59 +00:00
elad c27d5f30b6 Tons of process scope changes.
- Add a KAUTH_PROCESS_SCHEDULER action, to handle scheduler related
    requests, and add specific requests for set/get scheduler policy and
    set/get scheduler parameters.

  - Add a KAUTH_PROCESS_KEVENT_FILTER action, to handle kevent(2) related
    requests.

  - Add a KAUTH_DEVICE_TTY_STI action to handle requests to TIOCSTI.

  - Add requests for the KAUTH_PROCESS_CANSEE action, indicating what
    process information is being looked at (entry itself, args, env,
    open files).

  - Add requests for the KAUTH_PROCESS_RLIMIT action indicating set/get.

  - Add requests for the KAUTH_PROCESS_CORENAME action indicating set/get.

  - Make bsd44 secmodel code handle the newly added requests appropriately.

All of the above make it possible to issue finer-grained kauth(9) calls in
many places, removing some KAUTH_GENERIC_ISSUSER requests.

  - Remove the "CAN" from KAUTH_PROCESS_CAN{KTRACE,PROCFS,PTRACE,SIGNAL}.

Discussed with christos@ and yamt@.
2008-01-23 15:04:38 +00:00
ad ea3f10f7e0 Merge more changes from vmlocking2, mainly:
- Locking improvements.
- Use pool_cache for more items.
2007-12-26 16:01:34 +00:00
yamt 949e16d902 use binuptime for l_stime/l_rtime. 2007-12-22 01:14:53 +00:00
dsl 7e2790cf6f Convert all the system call entry points from:
int foo(struct lwp *l, void *v, register_t *retval)
to:
    int foo(struct lwp *l, const struct foo_args *uap, register_t *retval)
Fixup compat code to not write into 'uap' and (in some cases) to actually
pass a correctly formatted 'uap' structure with the right name to the
next routine.
A few 'compat' routines that just call standard ones have been deleted.
All the 'compat' code compiles (along with the kernels required to test
build it).
98% done by automated scripts.
2007-12-20 23:02:38 +00:00
ad 598ab03ad0 Match the docs: MUTEX_DRIVER/SPIN are now only for porting code written
for Solaris.
2007-12-05 07:06:50 +00:00
ad 4acbed1e86 Fix DIAGNOSTIC build. 2007-11-29 18:33:29 +00:00
ad e7e13da4c3 Use atomics to adjust lim->pl_refcnt. 2007-11-29 18:21:03 +00:00
ad d831186d55 Merge scheduler changes from the vmlocking branch. All discussed on
tech-kern:

- Invert priority space so that zero is the lowest priority. Rearrange
  number and type of priority levels into bands. Add new bands like
  'kernel real time'.
- Ignore the priority level passed to tsleep. Compute priority for
  sleep dynamically.
- For SCHED_4BSD, make priority adjustment per-LWP, not per-process.
2007-11-06 00:42:39 +00:00
ad 36a1712707 Merge run time accounting changes from the vmlocking branch. These make
the LWP "start time" per-thread instead of per-CPU.
2007-10-08 20:06:17 +00:00
dsl 2e20a70dbf Change the way p->p_limit (and hence p->p_rlimit) is locked.
Should fix PR/36939 and make the rlimit code MP safe.
Posted for comment to tech-kern (none received!)

The p_limit field (for a process) is only changed once (on the first
  write), and a reference to the old structure is kept (for code paths
  that have cached the pointer).
Only p->p_limit is now locked by p->p_mutex, and since the referenced memory
  will not go away, is only needed if the pointer is to be changed.
The contents of 'struct plimit' are all locked by pl_mutex, except that the
  code doesn't bother to acquire it for reads (which are basically atomic).
Add FORK_SHARELIMIT that causes fork1() to share the limits between parent
  and child, use it for the IRIX_PR_SULIMIT.
Fix borked test for both IRIX_PR_SUMASK and IRIX_PR_SDIR being set.
2007-09-29 12:22:30 +00:00
dsl 4bacff8183 Rename members of 'struct plimit' so that the fields are 'pl_xxx' and
no longer have the same names as members of 'struct proc'.
2007-09-21 19:19:20 +00:00
rmind 7b2bfeb941 uid_find: Destroy mutex before free.
From CID: 4555
2007-09-06 02:03:06 +00:00
ad 41368c8e7e Grab locks in getrusage/getrlimit. 2007-08-08 14:07:11 +00:00
ad 88ab7da936 Merge some of the less invasive changes from the vmlocking branch:
- kthread, callout, devsw API changes
- select()/poll() improvements
- miscellaneous MT safety improvements
2007-07-09 20:51:58 +00:00
yamt f03010953f merge yamt-idlelwp branch. asked by core@. some ports still need work.
from doc/BRANCHES:

	idle lwp, and some changes depending on it.

	1. separate context switching and thread scheduling.
	   (cf. gmcgarry_ctxsw)
	2. implement idle lwp.
	3. clean up related MD/MI interfaces.
	4. make scheduler(s) modular.
2007-05-17 14:51:11 +00:00
ad c147748d84 - Make the proclist_lock a mutex. The write:read ratio is unfavourable,
and mutexes are cheaper to use than RW locks.
- LOCK_ASSERT -> KASSERT in some places.
- Hold proclist_lock/kernel_lock longer in a couple of places.
2007-03-09 14:11:22 +00:00
christos 53524e44ef Kill caddr_t; there will be some MI fallout, but it will be fixed shortly. 2007-03-04 05:59:00 +00:00
thorpej 4f3d5a9cc0 TRUE -> true, FALSE -> false 2007-02-22 06:34:42 +00:00
ad b07ec3fc38 Merge newlock2 to head. 2007-02-09 21:55:00 +00:00
elad a78693aa19 Kill KAUTH_PROCESS_RESOURCE and just replace it with two actions for
nice and rlimit.
2007-01-20 16:47:38 +00:00
elad 238ad51d2d - moves 'nice' access semantics to secmodel code,
- makes sysctl_proc_find() just lookup the process,
- use KAUTH_PROCESS_CANSEE requests to determine if the caller is
  allowed to view the target process' corename, stop flags, and
  rlimits,
- use explicit kauth(9) calls with KAUTH_PROCESS_CORENAME,
  KAUTH_REQ_PROCESS_RESOURCE_NICE, KAUTH_REQ_PROCESS_RESOURCE_RLIMIT,
  and KAUTH_PROCESS_STOPFLAG when modifying the aforementioned.
- sync man-page and example skeleton secmodel with reality.

okay yamt@

this is a pullup candidate.
2006-12-14 11:45:08 +00:00
ad ffa6c5cf99 sysctl_proc_corename(): do the second auth check against the correct
process.
2006-12-07 20:04:31 +00:00
elad 97f57b38e7 PR/35021: Brian de Alwis: root cannot get/set rlimit information of user
processes through sysctl

Fix inverted logic in boolean assignment. This is why these tests should
not be done outside the secmodel code.

Thanks for the report.
2006-12-05 21:30:50 +00:00
yamt 1a7bc55dcc remove some __unused from function parameters. 2006-11-01 10:17:58 +00:00
christos 4d595fd7b1 - sprinkle __unused on function decls.
- fix a couple of unused bugs
- no more -Wno-unused for i386
2006-10-12 01:30:41 +00:00
elad 5d97bceb4a Use KAUTH_PROCESS_CORENAME instead of checking securelevel. 2006-10-10 10:02:34 +00:00
elad bada0c776a Don't use KAUTH_RESULT_* where it's not applicable.
Prompted by yamt@.
2006-09-13 10:07:42 +00:00
elad 5f7169ccb1 First take at security model abstraction.
- Add a few scopes to the kernel: system, network, and machdep.

- Add a few more actions/sub-actions (requests), and start using them as
  opposed to the KAUTH_GENERIC_ISSUSER place-holders.

- Introduce a basic set of listeners that implement our "traditional"
  security model, called "bsd44". This is the default (and only) model we
  have at the moment.

- Update all relevant documentation.

- Add some code and docs to help folks who want to actually use this stuff:

  * There's a sample overlay model, sitting on-top of "bsd44", for
    fast experimenting with tweaking just a subset of an existing model.

    This is pretty cool because it's *really* straightforward to do stuff
    you had to use ugly hacks for until now...

  * And of course, documentation describing how to do the above for quick
    reference, including code samples.

All of these changes were tested for regressions using a Python-based
testsuite that will be (I hope) available soon via pkgsrc. Information
about the tests, and how to write new ones, can be found on:

	http://kauth.linbsd.org/kauthwiki

NOTE FOR DEVELOPERS: *PLEASE* don't add any code that does any of the
following:

  - Uses a KAUTH_GENERIC_ISSUSER kauth(9) request,
  - Checks 'securelevel' directly,
  - Checks a uid/gid directly.

(or if you feel you have to, contact me first)

This is still work in progress; It's far from being done, but now it'll
be a lot easier.

Relevant mailing list threads:

http://mail-index.netbsd.org/tech-security/2006/01/25/0011.html
http://mail-index.netbsd.org/tech-security/2006/03/24/0001.html
http://mail-index.netbsd.org/tech-security/2006/04/18/0000.html
http://mail-index.netbsd.org/tech-security/2006/05/15/0000.html
http://mail-index.netbsd.org/tech-security/2006/08/01/0000.html
http://mail-index.netbsd.org/tech-security/2006/08/25/0000.html

Many thanks to YAMAMOTO Takashi, Matt Thomas, and Christos Zoulas for help
stabilizing kauth(9).

Full credit for the regression tests, making sure these changes didn't break
anything, goes to Matt Fleming and Jaime Fournier.

Happy birthday Randi! :)
2006-09-08 20:58:56 +00:00
elad 5446ee0ef6 ugh.. more stuff that's overdue and should not be in 4.0: remove the
sysctl(9) flags CTLFLAG_READONLY[12]. luckily they're not documented
so it's only half regression.

only two knobs used them; proc.curproc.corename (check added in the
existing handler; it's CTLFLAG_ANYWRITE, yay) and net.inet.ip.forwsrcrt,
that got its own handler now too.
2006-07-30 17:38:19 +00:00