Commit Graph

973 Commits

Author SHA1 Message Date
ad 9abeea588a Replace some uses of lockmgr() / simplelocks. 2007-02-15 15:40:50 +00:00
ad f8fe10ea6a Need to acquire procp->p_mutex for procfs_dir(). 2007-02-15 15:35:45 +00:00
ad c18c0d2eaa Eliminate a couple of reference count and mutex leaks. 2007-02-11 17:16:08 +00:00
ad b07ec3fc38 Merge newlock2 to head. 2007-02-09 21:55:00 +00:00
hannken 4d607243ba Change fstrans enum types to upper case.
No functional change.

From Antti Kantee <pooka@netbsd.org>
2007-01-29 15:42:50 +00:00
hannken 1b9c6382e3 New file system suspension API to replace vn_start_write and vn_finished_write.
The suspension helpers are now put into file system specific operations.
This means every file system not supporting these helpers cannot be suspended
and therefore snapshots are no longer possible.

Implemented for file systems of type ffs.

The new API is enabled on a kernel option NEWVNGATE.  This option is
not enabled by default in any kernel config.

Presented and discussed on tech-kern with much input from
Bill Studenmund <wrstuden@netbsd.org> and YAMAMOTO Takashi <yamt@netbsd.org>.

Welcome to 4.99.9 (new vfs op vfs_suspendctl).
2007-01-19 14:49:08 +00:00
elad b2eb9a5389 Consistent usage of KAUTH_GENERIC_ISSUSER. 2007-01-04 19:07:03 +00:00
elad 5d2c44c76f PR/32877: Geoff C. Wing: mount_procfs(8) doesn't null-terminate cmdline
output

Patch applied, thanks!
2006-12-28 09:17:52 +00:00
elad 8e5a82bb94 Revert bogus NULL check introduced in revision 1.96 that generated false
Coverity "bugs".
2006-12-28 09:12:38 +00:00
alc 8f1ebe33c9 revert previous, after inspection `kfs->kfs_kt' could really not be NULL here.
reported/requested by elad@
2006-12-28 05:51:56 +00:00
alc 94d1925ccb fix comment (forgotten in rev 1.19):
- pfsnode -> kernfs_node
 - procfs -> kernfs
2006-12-28 05:49:05 +00:00
yamt ccfd2c0df0 remove nqnfs. 2006-12-27 12:10:09 +00:00
alc 8ffa4fbf16 CID-3855: check if 'kfs->kfs_kt != NULL' before dereferencing it 2006-12-26 00:01:48 +00:00
elad f02f51a039 PR/35226: Johann Franz: Problems with permissions in
/usr/pkg/emul/linux/proc .

Okay mlelstv@
2006-12-25 12:13:54 +00:00
christos b5fb56163d fix permissions on /proc/<pid> node. From elad. 2006-12-24 17:37:35 +00:00
elad a687717695 Add two comments. No functional change. 2006-12-24 16:45:23 +00:00
elad f1a69ab3ea Some changes to get rid of another KAUTH_GENERIC_ISSUSER usage:
- Make procfs_control() in procfs_ctl.c static,
  - Add an argument to the above, 'pfs', for the pfsnode,
  - Add another request type to KAUTH_PROCESS_CANPROCFS named
    KAUTH_REQ_PROCESS_CANPROCFS_CTL (and update documentation),
  - Use the above combination in a call to kauth_authorize_process().
2006-12-19 09:58:34 +00:00
yamt fc88d88996 put ->K loaned pages on the page queue, so that page loaning doesn't
disturb pagedaemon/pdpolicy.
2006-12-15 13:51:30 +00:00
pooka 4013808f45 Teach deadfs about vm object locking for getpages. This avoids
errors resulting from situations where we take a page fault for a
vnode which has been converted a deadfs vnode.

wrstuden ok
2006-12-10 23:57:33 +00:00
chs c398ae9734 a smorgasbord of improvements to vnode locking and path lookup:
- LOCKPARENT is no longer relevant for lookup(), relookup() or VOP_LOOKUP().
   these now always return the parent vnode locked.  namei() works as before.
   lookup() and various other paths no longer acquire vnode locks in the
   wrong order via vrele().  fixes PR 32535.
   as a nice side effect, path lookup is also up to 25% faster.
 - the above allows us to get rid of PDIRUNLOCK.
 - also get rid of WANTPARENT (just use LOCKPARENT and unlock it).
 - remove an assumption in layer_node_find() that all file systems implement
   a recursive VOP_LOCK() (unionfs doesn't).
 - require that all file systems supply vfs_vptofh and vfs_fhtovp routines.
   fill in eopnotsupp() for file systems that don't support being exported
   and remove the checks for NULL.  (layerfs calls these without checking.)
 - in union_lookup1(), don't change refcounts in the ISDOTDOT case, just
   adjust which vnode is locked.  fixes PR 33374.
 - apply fixes for ufs_rename() from ufs_vnops.c rev. 1.61 to ext2fs_rename().
2006-12-09 16:11:50 +00:00
christos 33b30b1ee3 From Nicolas Joly: restore previous behavior in procfs_validfile_linux, since
readdir passes a NULL lwp.
2006-12-04 18:27:52 +00:00
elad 8a806df7dc Move kauth(9) call to where it belongs. Noticed by Nicolas Joly, thanks! 2006-12-03 13:24:10 +00:00
pooka 5f132bf76c * update comments before putpages(): the vm object is always returned
unlocked instead of locked.  chuq agrees
* use slock set to &uobj->vmobjlock also for the last simple lock
  operation to be consistent with the rest of the function
2006-11-30 06:11:03 +00:00
elad 8bb202af97 Move ktrace, ptrace, systrace, and procfs to use kauth(9).
First, remove process_checkioperm() calls from MD code. Similar checks
using kauth(9) routines (on the process scope, using appropriate action)
are done in the callers.

Add secmodel back-end to handle each subsystem.
2006-11-28 17:27:09 +00:00
elad 21bc112176 Implement Veriexec's raw disk policy on-top of kauth(9)'s device scope,
using both the rawio_spec and passthru actions to detect raw disk
activity. Same for kernel memory policy.

Update documentation (no longer need to expose veriexec_rawchk()) and
remove all Veriexec-related bits from specfs.
2006-11-26 20:27:27 +00:00
elad 98f4b1ff55 Part of PR/33280: Christian Ehrhardt: If LK_INTERLOCK is set
vp->v_interlock may be unlocked twice: Once explicitly and a second time
implicilty by lockmgr. LK_INTERLOCK is cleared from the variable flags but
not from ap->a_flags which is used with lockmgr. This is not so much of a
problem because there seems to be no call site that actually uses
LK_INTERLOCK with layer_unlock or VOP_UNLOCK.

okay martin@
2006-11-25 22:36:24 +00:00
elad 895827f391 Part of PR/33280: Christian Ehrhardt: In the error path (which probably
can't happen) lmp->layerm_hashlock is not unlocked.
2006-11-25 22:14:38 +00:00
christos 52411aad22 instead of const int, use a #define which most of the time will evaluate
in a compile-time constant.
2006-11-25 21:15:01 +00:00
skrll 45ea587c94 Expose the 'exe' symlink to the process realpath in NetBSD as well. An
example user is gdb.

OK'd by christos.
2006-11-25 09:39:34 +00:00
wiz 09cb1d6f1c s/existance/existence/, from Zafer. 2006-11-24 22:52:16 +00:00
elad 72438de6ef Remove redundant securelevel check; this is already done in procfs_rw()
and we can't get here (procfs_control()) without being there first.

Pointed out by yamt@.
2006-11-22 15:48:11 +00:00
christos 168cd830d2 __unused removal on arguments; approved by core. 2006-11-16 01:32:37 +00:00
reinoud dc6975451a Add missing space in comment 2006-11-10 22:31:19 +00:00
jmmv 9d877d347c Use size_t in a couple of places as it makes more sense WRT the places
where the variables are later used.  From PR kern/25277 by Jeff Ito.
2006-11-04 20:51:32 +00:00
elad fe9e2303fd Change KAUTH_SYSTEM_RAWIO to KAUTH_DEVICE_RAWIO_SPEC (moving the raw i/o
requests to the device scope) and add KAUTH_DEVICE_RAWIO_PASSTHRU.

Expose iskmemdev() through sys/conf.h.

okay yamt@
2006-11-04 09:30:00 +00:00
elad 7e8b842ffa Redo Veriexec raw disk/memory access policies so they hold only if the
request is for write access.
2006-11-02 12:48:35 +00:00
elad 45f88cbee1 Only use blkdev/bvp for the Veriexec case. While here, fix up IPS mode
restrictions on kernel memory.

okay yamt@
2006-11-01 09:37:28 +00:00
elad ea927d2c6a oops, remove debug printf slipped in. good catch from yamt@, thanks! 2006-10-30 12:19:23 +00:00
christos 3f792e2267 add an "emul" file node. 2006-10-29 22:35:35 +00:00
christos 26bb1685bd don't allocate large buffers on the stack. 2006-10-27 16:49:01 +00:00
christos e8926fa3f7 1. fix procfs_validfile{,_linux} to test for NULL pointers properly.
2. make "exe" entry be a symlink to the executable, instead of pointing
   directly to the vnode of the executable.
3. factor out commonly used code.
2006-10-25 18:59:52 +00:00
elad 59e67acd85 kauth_cred_geteuid() is okay for the purposes of these checks. Revert
conversion to kauth_authorize_generic() done some time ago.
2006-10-25 11:59:34 +00:00
elad af94ee3081 PR/34888: Nicolas Joly: kernel panic while trying to access
/emul/linux/proc/0/stat

Patch applied, thanks for the report!
2006-10-23 18:19:14 +00:00
reinoud 0ce809091d Replace the LIST structure mp->mnt_vnodelist to a TAILQ structure since all
vnodes were synced and processed backwards. This meant that the last
accessed node was processed first and the earlierst last.

An extra benefit is the removal of the ugly hack from the Berkly days on
LFS.

In the proces, i've also replaced the various variations hand written loops
by the TAILQ_FOREACH() macro's.
2006-10-20 18:58:12 +00:00
yamt 37c68a65cf add wrapper functions of lockmgr on g_glock. 2006-10-14 09:16:28 +00:00
yamt eee3695a7f genfs_getpages: use kmem_zalloc. 2006-10-14 09:15:52 +00:00
yamt c2ae921270 genfs_do_io: iodone handler should be called at splbio. 2006-10-14 08:31:14 +00:00
yamt 35048d7491 genfs_putpages: don't try to deactivate loaned pages.
reported and tested by Nicolas Joly on current-users@.
2006-10-12 10:10:48 +00:00
thorpej 867f8cb239 genfs_lease_check(): Consume the arguments even if NFSSERVER is not defined. 2006-10-12 04:25:43 +00:00
christos 4d595fd7b1 - sprinkle __unused on function decls.
- fix a couple of unused bugs
- no more -Wno-unused for i386
2006-10-12 01:30:41 +00:00
dogcow 62ce183fe4 fix build error in mount_sysvbfs. 2006-10-06 02:17:25 +00:00
chs 33c1fd1917 add support for O_DIRECT (I/O directly to application memory,
bypassing any kernel caching for file data).
2006-10-05 14:48:32 +00:00
jld 0ebf778b9d The poll routine needs to return POLLERR on error, not an errno. Sorry
about that.  Pointed out by Juergen Hannken-Illjes in mail.
2006-09-30 21:00:13 +00:00
jld 754d606748 Protect spec_poll from racing against revocation and thus dereferencing a
NULL v_specinfo.  Mostly copied (with understanding) from rev 1.83's fix
to spec_ioctl, and needed for the same reason (kern/vfs_subr.c r1.231).
2006-09-21 09:28:37 +00:00
manu a540ef296e Emulate Linux's /proc/devices 2006-09-20 08:09:05 +00:00
elad 3964702f3a For the VBLK case, we always check vfs_mountedon() and it has nothing
to do with the security model used. Move back the call to spec_open(),
which can now return the real return value from vfs_mountedon() (EBUSY)
and not EPERM, changing semantics.
2006-09-19 16:41:57 +00:00
yamt 9d3e3eab23 merge yamt-pdpolicy branch.
- separate page replacement policy from the rest of kernel
	- implement an alternative replacement policy
2006-09-15 15:51:12 +00:00
elad bada0c776a Don't use KAUTH_RESULT_* where it's not applicable.
Prompted by yamt@.
2006-09-13 10:07:42 +00:00
elad 5f7169ccb1 First take at security model abstraction.
- Add a few scopes to the kernel: system, network, and machdep.

- Add a few more actions/sub-actions (requests), and start using them as
  opposed to the KAUTH_GENERIC_ISSUSER place-holders.

- Introduce a basic set of listeners that implement our "traditional"
  security model, called "bsd44". This is the default (and only) model we
  have at the moment.

- Update all relevant documentation.

- Add some code and docs to help folks who want to actually use this stuff:

  * There's a sample overlay model, sitting on-top of "bsd44", for
    fast experimenting with tweaking just a subset of an existing model.

    This is pretty cool because it's *really* straightforward to do stuff
    you had to use ugly hacks for until now...

  * And of course, documentation describing how to do the above for quick
    reference, including code samples.

All of these changes were tested for regressions using a Python-based
testsuite that will be (I hope) available soon via pkgsrc. Information
about the tests, and how to write new ones, can be found on:

	http://kauth.linbsd.org/kauthwiki

NOTE FOR DEVELOPERS: *PLEASE* don't add any code that does any of the
following:

  - Uses a KAUTH_GENERIC_ISSUSER kauth(9) request,
  - Checks 'securelevel' directly,
  - Checks a uid/gid directly.

(or if you feel you have to, contact me first)

This is still work in progress; It's far from being done, but now it'll
be a lot easier.

Relevant mailing list threads:

http://mail-index.netbsd.org/tech-security/2006/01/25/0011.html
http://mail-index.netbsd.org/tech-security/2006/03/24/0001.html
http://mail-index.netbsd.org/tech-security/2006/04/18/0000.html
http://mail-index.netbsd.org/tech-security/2006/05/15/0000.html
http://mail-index.netbsd.org/tech-security/2006/08/01/0000.html
http://mail-index.netbsd.org/tech-security/2006/08/25/0000.html

Many thanks to YAMAMOTO Takashi, Matt Thomas, and Christos Zoulas for help
stablizing kauth(9).

Full credit for the regression tests, making sure these changes didn't break
anything, goes to Matt Fleming and Jaime Fournier.

Happy birthday Randi! :)
2006-09-08 20:58:56 +00:00
christos 4e6ffbfcf0 add missing initializers 2006-09-03 22:28:53 +00:00
christos df1dfef2bc add missing initializers 2006-09-03 21:01:12 +00:00
christos 309d51fb22 add missing initializers 2006-09-03 04:56:33 +00:00
christos e89033a3e5 add missing initializers 2006-09-03 04:54:24 +00:00
christos 3c95928caf add missing initializers. 2006-09-02 06:37:41 +00:00
cube bd859bd3de Restore dependency on PTRACE for PROCFS.
Bump required config(1) version.
2006-08-30 13:49:27 +00:00
jnemeth 944592a2ee revert previous as it breaks the build due to invalid syntax 2006-08-30 07:46:37 +00:00
christos 676e77765a fix missing initializers 2006-08-30 01:28:53 +00:00
matt 9e0ec4816e Make PTRACE and COREDUMP optional. Make the default (status quo) by putting
them in conf/std.
2006-08-29 23:34:48 +00:00
christos ce0ef6cfc4 Pretending to be Elad's keyboard:
fileassoc.diff adds a fileassoc_table_run() routine that allows you to
pass a callback to be called with every entry on a given mount.

veriexec.diff adds some raw device access policies: if raw disk is
opened at strict level 1, all fingerprints on this disk will be
invalidated as a safety measure. level 2 will not allow opening disk
for raw writing if we monitor it, and prevent raw writes to memory.
level 3 will not allow opening any disk for raw writing.

both update all relevant documentation.

veriexec concept is okay blymn@.
2006-08-11 19:17:47 +00:00
ad f474dceb13 Use the LWP cached credentials where sane. 2006-07-23 22:06:03 +00:00
yamt 54a9d2b0f7 - genfs_getpages: in the case of PGO_LOCKED, check if we can acquire
g_glock as suggested by Chuck Silvers on tech-kern@.
- genfs_rel_pages: handle PGO_DONTCARE so that it can be used for the above.
2006-07-22 08:49:13 +00:00
yamt f9458a6ba1 - in genfs_getpages, take g_glock earlier so that it can't be
intervened by truncation.
  it also fixes a deadlock.  (g_glock vs pages locking order)
- uvm_vnp_setsize: modify v_size while holding v_interlock.

reviewed by Chuck Silvers.
2006-07-22 08:47:56 +00:00
martin a3b5baed42 Fix alignement problems for fhandle_t, exposed by gcc4.1.
While touching all vptofh/fhtovp functions, get rid of VFS_MAXFIDSIZ,
version the getfh(2) syscall and explicitly pass the size available in
the filehandle from userland.

Discussed on tech-kern, with lots of help from yamt (thanks!).
2006-07-13 12:00:24 +00:00
christos f36aa0cd37 PR/33815: Nicolas Joly: /emul/linux/proc/#/stat always report current
process status
2006-06-24 16:34:02 +00:00
christos 7173cfeec6 remove useless genop 2006-06-23 20:54:21 +00:00
bouyer 14349e5550 For internal types call kernfs_default_xread() directly, as no entry in
the splay tree has been added for these types. Fix kern/33797 by
Geoff C. Wing.
While here also fix writes the same way (probably broken for 2 years),
and properly implement KERNFS_XREAD.
The IPsec code could probably be moved out now, and use kernfs_alloctype().
2006-06-23 20:30:11 +00:00
bouyer 82722a8d91 Backout previous: of course the change
"Allow optional /kern regular files to have custom read methods..."
works, it's used by Xen.
2006-06-23 16:26:59 +00:00
christos c8ee2595ab PR/33797: Geoff C. Wing: kernfs files are not supplying information
Roll back the change:
    'Allow optional /kern regular files to have custom read methods...'
which does not work.
2006-06-23 14:59:40 +00:00
yamt f7c7538921 use KAUTH_PROCESS_CANSEE rather than CURTAIN where appropriate. 2006-06-13 13:57:33 +00:00
yamt f755e9e9b8 remove unnecessary arguments from kauth_authorize_process.
ie. make it similar to the one found in apple TN.
2006-06-13 13:56:50 +00:00
kardel de4337ab21 merge FreeBSD timecounters from branch simonb-timecounters
- struct timeval time is gone
  time.tv_sec -> time_second
- struct timeval mono_time is gone
  mono_time.tv_sec -> time_uptime
- access to time via
	{get,}{micro,nano,bin}time()
	get* versions are fast but less precise
- support NTP nanokernel implementation (NTP API 4)
- further reading:
  Timecounter Paper: http://phk.freebsd.dk/pubs/timecounter.pdf
  NTP Nanokernel: http://www.eecis.udel.edu/~mills/ntp/html/kern.html
2006-06-07 22:33:33 +00:00
rpaulo 9f668d8be9 Call to kauth_cred_getgroups() should use kauth_cred_ngroups() result,
not the size of the array.
2006-06-05 13:25:28 +00:00
rpaulo abd28afaa8 pcr_ngroups should be uint16_t. 2006-06-05 13:24:22 +00:00
elad fc9422c9d9 integrate kauth. 2006-05-14 21:31:52 +00:00
christos 9ae6310d36 Coverity CID 2851: Check for NULL before freeing. 2006-04-12 01:09:43 +00:00
yamt 4ddfb52ac9 genfs_getpages:
- use "overwrite" variable consistently.
- remove a set-only variable.
no functional changes.
2006-04-11 09:34:58 +00:00
christos afa610222b Coverity CID 1002: Yes, this could really be NULL, so check against it. 2006-04-04 14:24:15 +00:00
christos b33df30820 Coverity CID 1087: Clarify NULL test. 2006-04-04 14:21:55 +00:00
christos e2b3af9d2c Coverity CID 1140: NULL dereference cannot happen, but protect against it. 2006-04-04 14:18:35 +00:00
christos 41a4245aa5 Coverity CID 2413: NULL deref cannot happen, but nevertheless protect against
it.
2006-04-04 14:16:46 +00:00
yamt c5fcdd1719 some cleanups after the introduction of GOP_SIZE_MEM flag.
- remove GOP_SIZE_READ/GOP_SIZE_WRITE flags.
  they have not been used since the change.
- ufs_balloc_range: remove code which has been no-op since the change.
  thanks Konrad Schroder for explaining the original intention of the code.
- ffs_gop_size: don't extend past eof, in the case of GOP_SIZE_MEM.
  otherwise genfs_getpages end up to allocate pages past eof unnecessarily.
2006-03-30 12:40:06 +00:00
bouyer 59b64d6167 Allow optionnal /kern regular files to have custom read methods, the same
way writes are handled: Add KERNFS_XREAD and KERNFS_FILEOP_WRITE files
operations definitions to kfsfileop, a xread function pointer to
kernfs_fileop, rename kernfs_read to kernfs_default_xread and add a
kernfs_read calling kernfs_try_fileop(KERNFS_FILEOP_READ).

Proposed on tech-kern on Feb 18 2006.
2006-03-14 20:47:52 +00:00
christos 1b2709754a cleanup more SET/CLR/ISSET lossage 2006-03-05 17:33:33 +00:00
yamt ec5a93183a merge yamt-uio_vmspace branch.
- use vmspace rather than proc or lwp where appropriate.
  the latter is more natural to specify an address space.
  (and less likely to be abused for random purposes.)
- fix a swdmover race.
2006-03-01 12:38:10 +00:00
christos 671d9ecff9 PR/32692: Matthew Mondor: linux compatibility in /proc/self should point
directly to the directory containing the pid instead of pointing to
/proc/curproc, because some programs rely on calling readlink on /proc/self
to get the pid.
2006-02-02 00:29:24 +00:00
reinoud a024cb9151 Add genfs support for directories and softlinks next to regular files and
block devices.

Discussed on tech-kern and ok'd by Chuck
2006-01-16 19:45:00 +00:00
yamt 58d3c6b6cd use nestiobuf api for genfs. 2006-01-11 00:46:54 +00:00
yamt 690d424f28 - add simple functions to allocate/free a buffer for i/o.
- make bufpool static.
2006-01-04 10:13:05 +00:00
perry 0f0296d88a Remove leading __ from __(const|inline|signed|volatile) -- it is obsolete. 2005-12-24 20:45:08 +00:00
yamt 238236815c fix lock/unlock mismatch in rev.1.115.
reported by Chris Tribo on current-users@.
2005-12-15 02:23:38 +00:00
christos 95e1ffb156 merge ktrace-lwp. 2005-12-11 12:16:03 +00:00
yamt 059ae4967d genfs_compat_getpages: add minimum support of async get. ie. ignore them.
should fix a crash reported by Jukka Salmi on current-users@.
2005-12-03 17:23:25 +00:00
yamt e66191b30c genfs_gop_write: use devvp directly as genfs_getpages does. 2005-12-02 00:47:54 +00:00
yamt 8afb2e8ad0 genfs_putpages: initialize marker pages only when needed. 2005-12-02 00:43:51 +00:00
yamt 51a339dd4b revert rev.1.111 as it isn't necessary or correct.
- currently no one in tree has a problem with zero b_lblkno, afaik.
- this buf is used for "devvp", so it doesn't make sense to
  use lbn in the "vp".
2005-11-30 03:45:16 +00:00
reinoud b91433e0fb Learn genfs that (struct buf *)->b_lblkno allways need to point to the
logical block number of the file instead of allways zero.
2005-11-30 01:46:06 +00:00
yamt 221616873d merge yamt-readahead branch. 2005-11-29 22:52:02 +00:00
christos dcc61c764f Fix 64 bit truncation problem reported by http://www.securitylab.net 2005-11-23 22:00:32 +00:00
yamt 89bc307830 genfs_getpages:
- add an assertion.
- call VOP_STRATEGY of underlying vnode directly, rather than
  through the filesystem vnode.
- no need to set b_dev here because VOP_STRATEGY will take care of it.
2005-11-12 22:29:53 +00:00
yamt a748ea88dd merge yamt-vop branch. remove following VOPs.
VOP_BLKATOFF
	VOP_VALLOC
	VOP_BALLOC
	VOP_REALLOCBLKS
	VOP_VFREE
	VOP_TRUNCATE
	VOP_UPDATE
2005-11-02 12:38:58 +00:00
elad a61a2074a3 Remove Veriexec bits from genfs, don't #if 0 them. 2005-10-07 18:19:14 +00:00
elad 2de72bfe34 Various fixes from blymn@ and myself.
Also, put genfs changes under #if 0, and don't do per-page fingerprints
until this is properly discussed, as requested by yamt@.
2005-10-07 18:07:46 +00:00
elad 8fc0d7a9c3 Introduce per-page fingerprints in Veriexec.
This closes a hole pointed out by Thor Lancelot Simon on tech-kern ~3
years ago.

The problem was with running binaries from remote storage, where our
kernel (and Veriexec) has no control over any changes to files.

An attacker could, after the fingerprint has been verified and
program loaded to memory, inject malicious code into the backing
store on the remote storage, followed by a forced flush, causing
a page-in of the malicious data from backing store, bypassing
integrity checks.

Initial implementation by Brett Lymn.
2005-10-05 13:48:48 +00:00
atatat fca6393ad4 Add "cwd" and "root" symlinks to each process's directory. The cwd
link points to the process's current working directory, and the root
link points to the process's root directory.  What else would you
expect?

For directories that are out of reach (caller is in a chroot, target
process is in a different chroot, etc), the links point to "/"
instead.
2005-10-01 03:17:37 +00:00
jmmv 9ba32cead7 Follow compat naming tradition: rename compat_export_args to export_args30. 2005-09-25 21:17:05 +00:00
jmmv 2a3e5eeb7c Apply the NFS exports list rototill patch:
- Remove all NFS related stuff from file system specific code.
- Drop the vfs_checkexp hook and generalize it in the new nfs_check_export
  function, thus removing redundancy from all file systems.
- Move all NFS export-related stuff from kern/vfs_subr.c to the new
  file sys/nfs/nfs_export.c.  The former was becoming large and its code
  is always compiled, regardless of the build options.  Using the latter,
  the code is only compiled in when NFSSERVER is enabled.  While doing this,
  also make some functions in nfs_subs.c conditional to NFSSERVER.
- Add a new command in nfssvc(2), called NFSSVC_SETEXPORTSLIST, that takes a
  path and a set of export entries.  At the moment it can only clear the
  exports list or append entries, one by one, but it is done in a way that
  allows setting the whole set of entries atomically in the future (see the
  comment in mountd_set_exports_list or in doc/TODO).
- Change mountd(8) to use the nfssvc(2) system call instead of mount(2) so
  that it becomes file system agnostic.  In fact, all this whole thing was
  done to remove a 'XXX' block from this utility!
- Change the mount*, newfs and fsck* userland utilities to not deal with NFS
  exports initialization; done internally by the kernel when initializing
  the NFS support for each file system.
- Implement an interface for VFS (called VFS hooks) so that several kernel
  subsystems can run arbitrary code upon receipt of specific VFS events.
  At the moment, this only provides support for unmount and is used to
  destroy NFS exports lists from the file systems being unmounted, though it
  has room for extension.

Thanks go to yamt@, chs@, thorpej@, wrstuden@ and others for their comments
and advice in the development of this patch.
2005-09-23 12:10:31 +00:00
christos eefcfba9b0 When readdir() is called from vfs_getcwd, uio->uio_procp is NULL. Deal with
that. Fixes 'cd /dev/fd && pwd'
2005-09-14 14:53:47 +00:00
elad a894866511 Implement curtain for procfs. 2005-09-11 20:15:53 +00:00
xtraeme 0cbb812de5 Add sysctl options for the syncer:
vfs.sync.delay: max time to delay syncing data
vfs.sync.filedelay: time to delay syncing files
vfs.sync.dirdelay: time to delay syncing directories
vfs.sync.metadelay: time to delay syncing metadata

Note that using a value of 0 is allowed, but it's not
recommended.
2005-09-11 17:55:56 +00:00
chs 0840b7949f in spec_ioctl(), don't dereference v_specinfo if it's NULL.
this is needed due to rev. 1.231 of kern/vfs_subr.c, which now sets
v_specinfo to NULL before changing the vnode's ops vector.
2005-09-11 14:18:54 +00:00
christos 7791a8f18b Also protect the ipsec ioctls from negative offsets to prevent panics
in m_copydata(). Pointed out by Karl Janmar. Move the negative offset
check from kernfs_xread() to kernfs_read().
2005-09-01 06:25:26 +00:00
christos 218f69d99f Don't allow negative offsets when reading the message buffer, because it
can allow reading arbitrary kernel memory.
2005-08-31 09:54:54 +00:00
xtraeme af97f2e875 Remove __P() 2005-08-30 20:08:01 +00:00
christos 50f8955b6e 64 bit inode changes. 2005-08-19 02:04:03 +00:00
yamt 79ff185ac4 don't write-protect wired pages. pointed by Chuck Silvers.
for now, leave a vnode on the syncer's queue, as suggested by him.
2005-07-26 08:06:29 +00:00
erh fbd6fe6c7f Provide a sysctl (vfs.layerfs.debug) to control verbose output when
LAYERFS_DIAGNOSTIC is turned on.
2005-07-24 17:33:24 +00:00
yamt b7bfe82866 update file timestamps for nfsd loaned-read and mmap.
PR/25279.  discussed on tech-kern@.
2005-07-23 12:18:41 +00:00
yamt 01f4919e33 genfs_putpages: don't bother to clean the vnode unless VONWORKLST. 2005-07-17 16:07:19 +00:00
yamt 8af42d8d3c ensure that vnodes with dirty pages are always on syncer's queue.
- genfs_putpages: wait for i/o completion of PG_RELEASED/PG_PAGEOUT pages by
  setting "wasclean" false when encountering them.
  suggested by Stephan Uphoff in PR/24596 (1).

- genfs_putpages: write protect pages when cleaning out, if
  we're going to take the vnode off the syncer's queue.
  uvm_fault: don't write-map pages unless its vnode is already on
  the syncer's queue.

  fix PR/24596 (3) but in the different way from the suggested fix.
  (to keep our current behaviour, ie. not to require explicit msync.
  discussed on tech-kern@.)

- genfs_putpages: don't mistakenly take a vnode off the queue
  by introducing a generation number in genfs_node.
  genfs_getpages: increment the generation number.
  suggested by Stephan Uphoff in PR/24596 (2).

- add some assertions.
2005-07-17 12:27:47 +00:00
yamt 2a6dc9d02d - introduce PGO_NOBLOCKALLOC and use it for ubc mapping
to prevent unnecessary block allocations in the case that
  page size > block size.

- ufs_balloc_range: use VM_PROT_WRITE+PGO_NOBLOCKALLOC rather than
  VM_PROT_READ.
2005-07-17 09:13:35 +00:00
yamt e9e22b28eb genfs_getpages: don't forget to put the vnode onto the syncer's work queue
even in the case of PGO_LOCKED.
2005-07-16 03:54:08 +00:00
yamt 44d128fa8e - constify genfs_ops.
- use member designators.
2005-06-28 09:30:37 +00:00
ws 9d78e0cf36 PR-30566: Poll must not return <sys/errno.h> values.
Start with those places I can easily test.
2005-06-21 14:01:11 +00:00
christos 1979e6e175 rename delay. 2005-05-30 22:13:50 +00:00
christos c107ef9edc - sprinkle const
- avoid shadowed variables.
2005-05-29 21:55:33 +00:00
chs 448875a34c kernfs does not support mmap(), remove code that pretends that it does. 2005-05-20 13:16:54 +00:00
christos 8f3566ce61 PR/29782: Martin Husemann: procfs can not unmount when some process has its
current directory in curproc. Fix from Pedro Martelletto:
We cannot call vgone() from procfs_inactive() if we are coming from
vclean(). that's what's probably causing the deadlock.
2005-04-02 06:15:09 +00:00
thorpej e633e8b61b - Define a VFS_ATTACH() macro that places a reference to a vfsops structure
into the "vfsops" link set.
- Use VFS_ATTACH() where vfsops are declared for individual file systems.
- In vfsinit(), traverse the "vfsops" link set, rather than vfs_list_initial[].
2005-03-29 02:41:05 +00:00
christos bb48399e9b Remove bogus len setting noted by J. Chapman Flack. 2005-03-01 04:39:59 +00:00
christos 1a63592a9b Give more space for cpu info and allocate it dynamically. 2005-02-27 22:29:50 +00:00
perry 477853c351 nuke trailing whitespace 2005-02-26 22:58:54 +00:00
chs d67b9b2ff2 undo the part of rev. 1.93 that turned the past-EOF check into an assertion.
read() can't request pages past EOF, but mmap() can.  apparently I had
disengaged the brain when I said that was ok.
2005-02-16 15:25:33 +00:00
wrstuden e384a44e9d Extend fsync_range(2) to support the FDISKSYNC flag, which requests
that the sync be propogated out through the disk drive caches.
2005-01-25 23:55:20 +00:00
drochner 7d0567768c -in the read-ahead code, avoid to issue read requests at/past EOF
-because noone should request reads past EOF, or writes past EOF which
 are not explicitely marked as file-extending (PGO_PASTEOF), turn
 a boundary check into a KASSERT
approved by Chuck Silvers
2005-01-25 09:50:31 +00:00
thorpej 1c95472d01 Add the system call and VFS infrastructure for file system extended
attributes.

From FreeBSD.
2005-01-02 16:08:28 +00:00
dbj 8962229d27 check for _KERNEL_OPT around opt include 2004-12-22 23:29:51 +00:00
christos 31c81b28f5 Cloning cleanup:
1. make fileops const
2. add 2 new negative errno's to `officially' support the cloning hack:
    - EDUPFD (used to overload ENODEV)
    - EMOVEFD (used to overload ENXIO)
3. Created an fdclone() function to encapsulate the operations needed for
   EMOVEFD, and made all cloners use it.
4. Centralize the local noop/badop fileops functions to:
   fnullop_fcntl, fnullop_poll, fnullop_kqfilter, fbadop_stat
2004-11-30 04:25:43 +00:00
atatat e23f0e2a34 Pass the caller's proc* to soreceive() via auio.uio_procp so that
unp_externalize() is called properly.

Addresses PR kern/28194.
2004-11-12 04:15:29 +00:00
jdolecek d5e68a44ca ptyfs moved from sys/miscfs/ to sys/fs/ 2004-11-11 18:57:21 +00:00
christos 0ecbe2ed07 Cosmetic; cleanup unused junk and fix comments. 2004-11-11 05:46:10 +00:00
christos 7fc8278a34 Add ptyfs. This is experimental. 2004-11-11 01:40:32 +00:00
skrll 89ce37fcdb Backout previous. 2004-10-27 06:55:53 +00:00
skrll 13d6d39771 Don't pass &proc0 in the UIO_SYSSPACE case it is not needed. 2004-10-27 06:51:06 +00:00
yamt 364ea008bb procfs_readdir:
- return correct cookie when buffer size is small.
- simplify logic.
2004-10-04 08:40:18 +00:00
yamt ef763f0a42 procfs_readdir: remove a redundant assignment. 2004-10-04 08:37:06 +00:00
enami d3482ced60 Backout previous; seeing many busy page on the pageq is normal. 2004-10-04 00:28:30 +00:00
enami b6d06fab27 So that not to leave pages busy unnecessarily, bound to specified region
when building cluster if we aren't pagedaemon and clean entire cluster
if we are pagedaemon.
2004-10-03 08:14:25 +00:00
enami a55995c148 Count obj pages freed by pagedaemon. 2004-10-03 07:59:02 +00:00
yamt d79c3679ea procfs_getattr: correct size of /proc/self. 2004-10-02 04:28:57 +00:00
yamt 269a1761b2 procfs_readdir:
- fix a locking problem, using proclist_foreach_call.  PR/27098.
- correct snprintf size argument.
2004-10-01 16:32:16 +00:00
yamt 3cca1d9e20 procfs_readdir: fix an offset handling bug after addition of /proc/self. 2004-10-01 14:09:55 +00:00
yamt f8f70a5eb4 procfs_readdir: use a list macro. 2004-10-01 14:09:14 +00:00
jdolecek 845beacce3 add 'mounts' file for -o linux, which lists all currently mounted
filesystems; Linux glibc statvfs() uses this to get some of mount flags,
and this file is also useful as /emul/linux/etc/mtab (via symlink)
2004-09-20 17:53:08 +00:00
skrll f7155e40f6 There's no need to pass a proc value when using UIO_SYSSPACE with
vn_rdwr(9) and uiomove(9).

OK'd by Jason Thorpe
2004-09-17 14:11:20 +00:00
jdolecek 2993272a0c set mp->mnt_stat.f_namemax on filesystem mount, for use by statvfs 2004-09-13 19:19:44 +00:00
skrll 685703c354 Do previous slightly differently - just pass a struct lwp * and derive the
struct proc *.

OK'd by Jaromir.
2004-08-27 07:02:45 +00:00
jdolecek b1126ead62 fix process used for /proc/<pid>/stat contents - it should be process
<pid>, not the current process looking at the information
2004-08-21 15:59:32 +00:00
mycroft 98a431ae8a Clean up reader/writer counts for the revoke case in fifo_close(). 2004-07-17 20:53:01 +00:00
hannken f59f039ea5 Keep a pointer to the leaf mount. Needed for write gating where a
file system gets suspended and has layered mounts above it.

Welcome to 2.0G

Reviewed by: Bill Studenmund <wrstuden@netbsd.org>
2004-07-01 10:03:29 +00:00
hannken 7ca8e916c9 Do LAYERFS_REMOVED for vop_rmdir.
Reviewed by: Bill Studenmund <wrstuden@netbsd.org>
2004-06-30 17:42:55 +00:00
yamt 9ba27abaf6 layer_islocked: check a status of the lower vnode as well. 2004-06-19 06:17:15 +00:00
wrstuden fc40e52454 Change fifo_{un,}lock and fifo_islocked to use the "real" lock
ops, not the nolock variants. Should have no real impact as according
to mkid, we only use fifo_vnodeop_entries, via fifo_vnodeop_p,
for selective operations on fifos. All the fifo users use the native
file system's locking routines.

Removes one use of genfs_nolock and friends.
2004-06-16 19:22:26 +00:00
wrstuden 9cbb082fac Make sure we actually locked the parent vnode before we clear
PDIRUNLOCK. The whole reason we have the flag is to note (rare)
cases where we are supposed to have the parent directory locked
but don't. Permits error handling code to know what to do with
the parrent vnode (vrele() vs vput()).
2004-06-16 17:59:53 +00:00
yamt 0061167644 - eliminate gratuitous differences between umap_bypass() and layer_bypass().
- fix a typo in a comment.
no functional changes are intended.
2004-06-16 12:39:07 +00:00
yamt 2fa619c249 missing error recover from layer_node_create failure. 2004-06-16 12:37:01 +00:00
yamt c9817d1a97 umap_lookup/layer_lookup: NULL out *ap->a_vpp after calling
underlying filesystem because some caller including lookup()
assume that *vpp is NULL on error.
2004-06-11 12:34:13 +00:00
yamt 656e74e298 do a LAYERFS_REMOVED hack for vop_rename as well. 2004-06-07 17:36:38 +00:00
wrstuden 67a15e9a78 Add layerfs_snapshot() as a handler routine for VFS_SNAPSHOT() calls
through a layered file system.

Note: we don't actually support snapshots through a layered file system,
and this routine returns an error. However we: 1) have clearly documented
what needs fixing (which isn't trivial to fix) and 2) if we do fix
this, all layered file systems can take advantage of it at once.
2004-05-29 23:48:08 +00:00
tron 1db853aa0f Don't leak memory in VFS_MOUNT() if set_statvfs_info() fails. 2004-05-29 14:28:41 +00:00
wrstuden 6753c74560 Since VOP_UPCALL() has been a long time in coming, add this partial
fix for layered-file-removal. It will work for the case of accessing
and deleting a file through the layered file system. Accessing via
the layer and deleting on the underlying still won't work, nor will
accessing via complicated structures (like two umap layers over a
given file systems).

We still need VOP_UPCALL(), but this is better than things were before.

This patch has been discussed off & on for a while. This incarnation
was tested by hannken at netbsd dot org.
2004-05-28 18:55:20 +00:00
yamt ffa2240d3b - remove a comment which is no longer true.
- add "XXX vn_lock" comments where we can call VOP_READ/WRITE
  without vnode lock held. (genfs_compat_*)
2004-05-27 12:53:25 +00:00
hannken 8c21bc6224 Add ffs internal snapshots. Written by Marshall Kirk McKusick for FreeBSD.
- Not enabled by default. Needs kernel option FFS_SNAPSHOT.
- Change parameters of ffs_blkfree.
- Let the copy-on-write functions return an error so spec_strategy
    may fail if the copy-on-write fails.
- Change genfs_*lock*() to use vp->v_vnlock instead of &vp->v_lock.
- Add flag B_METAONLY to VOP_BALLOC to return indirect block buffer.
- Add a function ffs_checkfreefile needed for snapshot creation.
- Add special handling of snapshot files:
    Snapshots may not be opened for writing and the attributes are read-only.
    Use the mtime as the time this snapshot was taken.
    Deny mtime updates for snapshot files.
- Add function transferlockers to transfer any waiting processes from
  one lock to another.
- Add vfsop VFS_SNAPSHOT to take a snapshot and make it accessible through
  a vnode.
- Add snapshot support to ls, fsck_ffs and dump.

Welcome to 2.0F.

Approved by: Jason R. Thorpe <thorpej@netbsd.org>
2004-05-25 14:54:55 +00:00
atatat 53c625655c Sysctl descriptions under vfs subtree 2004-05-25 04:44:43 +00:00
christos 42a255dd25 Unfortunately, we need to allocate space here. Pointed out by Juan RP. 2004-05-22 23:17:04 +00:00
jonathan 230fb9b8ab Eliminate several uses of `curproc' from the socket-layer code and from NFS.
Add a new explicit `struct proc *p' argument to socreate(), sosend().
Use that argument instead of curproc. Follow-on changes to pass that
argument to socreate(), sosend(), and (*so->so_send)() calls.
These changes reviewed and independently recoded  by Matt Thomas.

Changes to soreceive() and (*dom->dom_exernalize() from Matt Thomas:
pass soreceive()'s struct uio* uio->uio_procp to unp_externalize().
Eliminate curproc from unp_externalize.   Also, now soreceive() uses
its uio->uio_procp value, pass that same value downward to
((pr->pru_usrreq)() calls for consistency, instead of (struct proc * )0.

Similar changes in sys/nfs to eliminate (most) uses of curproc,
either via the req-> r_procp field of a struct nfsreq *req argument,
or by passing down new explicit struct proc * arguments.

Reviewed by: Matt Thomas, posted to tech-kern.
NB: The (*pr->pru_usrreq)() change should be tested on more (all!) protocols.
2004-05-22 22:52:13 +00:00
christos a441628d4c we are copying all the infomation from statvfs here; we don't need an
intermediate copy on the stack.
2004-05-22 20:28:38 +00:00
atatat 10a7ba9ef6 Tweak sysctl setup functions (the macros, actually) for use in lkms,
and tweak lkminit_*.c (where applicable) to call them, and to call
sysctl_teardown() when being unloaded.

This consists of (1) making setup functions not be static when being
compiled as lkms (change to sys/sysctl.h), (2) making prototypes
visible for the various setup functions in header files (changes to
various header files), and (3) making simple "load" and "unload"
functions in the actual lkminit stuff.

linux_sysctl.c also needs its root exposed (ie, made not static) for
this (when built as an lkm).
2004-05-20 06:34:24 +00:00
christos 999e9cef64 Simplify the code by:
1. Checking for a negative uio_offset at the beginning. This really does
   not affect us in most cases because we check that later too.
2. Checking for attempts to write to init sooner and in all cases.
2004-05-14 16:35:24 +00:00
cl 719c5983ec Workaround for gcc 2.95.3 failing to initialize structures
and/or unions inside structures using nested designators.
Should be reverted when gcc >=3.3.3 is ready for vax.
2004-05-13 15:44:04 +00:00
jrf 5f626331c1 caddr_t -> void * and removal of some more casts. 2004-05-12 02:07:37 +00:00
cl 65569a4d16 Allow additional entries (files, subdirs) in kernfs. Also allow
defining additional kfstypes and provide hooks to run arbitrary code
for any vnodeop on the additional types.
2004-05-07 15:33:17 +00:00
cl a2a2784bfd remove code no longer needed since the type/permission information
is available in the entry's struct kern_target and every entry has a
(possibly shared) struct kern_target now.
2004-05-07 15:20:29 +00:00
cl 81d3c2061c Make lookup and readdir return the same inode number. kernfs_readdir
now uses kernfs_allocvp to map from kernfs entry to inode number,
kernfs_allocvp is now the only place where entries are mapped to inode
numbers.  Also make KERNFS_FILENO not return random results for entries
not in kern_targets.
2004-05-07 15:06:15 +00:00
cl 5f113f8e16 Find the right entry when doing lookup on dotdot in kern/ipsec subdirs.
Also remove some duplicate code.
2004-05-07 14:56:48 +00:00
jrf bafcaa70cd Removed remaining caddr_t casts we do not need in miscfs. Recompiled
kernel and ran for a day or so. There are still some caddr_t types in
the arguments of some calls, I will do those separately (later) as
they touch a lot more of the system.
Approved by christos@NetBSD.org.
2004-04-29 16:10:54 +00:00
jrf fc97fd571a First pass for some caddr_t removal and changes to get rid of it where we
no longer use and/or need it

	- removed casts from unionfs, deadfs and fdesc
	  (there are more to hunt down still)
	- changed vfs_quotactl args argumet from caddr_t to void *
	- changed vfs_quotactl structures/callers to reflect the api change

Compiled fine and ran for about a day. Approved/reviewed by
christos@netbsd.org and gimpy@netbsd.org.
2004-04-27 17:37:30 +00:00
itojun 8bcb745d7c sprintf -> snprintf 2004-04-22 00:31:00 +00:00
christos 90345b38a6 add sys/dirent.h 2004-04-21 02:40:42 +00:00
christos 4bdb80839b add sys/dirent.h 2004-04-21 02:38:16 +00:00
christos 6bd1d6d4db Replace the statfs() family of system calls with statvfs().
Retain binary compatibility.
2004-04-21 01:05:31 +00:00