This includes a change of siginfo_r which is technically an ABI break but
this should have no real-world impact since the members involved are
never touched by the kernel.
ok millert@, deraadt@
|
|
memory mappings so they cannot be changed by a later mmap(), mprotect(),
or munmap(), which will error with EPERM instead.
ok kettenis
|
|
to int like other flag parameters, NetBSD uses unsigned int, FreeBSD
and Linux do int.
OK bluhm@
|
|
once. libc, man page, and regress parts to come.
With input from jca@, bluhm@.
OK bluhm@
|
|
once. libc, man page, and regress parts to come.
With input from jca@, guenther@, bluhm@.
OK bluhm@
|
|
to the padded syscalls going away.
|
|
ok guenther
|
|
rights, so that libc/yp could access YP services via a fairly complex 'protocol'
including file access, sockets, etc. This YP protocol is also used by ypldap --
this is our way of bringing 'NIS' services into libc without monster sub-libraries.
I have managed to remove this "inet" right by creating a new ypconnect() system
call, which performs parts of the yp_bind.c dance inside the kernel.. It checks if
domainname is set, looks for a binding file with advisory lock, reads it to
get the IP and udp/tcp port numbers, and then establishes a connected socket
direct to that ypserv. This socket has a SS_YP flag set, and non-required system
calls are prohibited. libc maintains lifetime on this socket so a process
should never see it, but it seems safer to block udp re-connect and other calls
even in non-pledge mode.
Userland changes to use this will follow in a few days.
Lots of help from claudio and jmatthew, also ok miod
|
|
Protect the ps_pledge/ps_execpledge fields with ps_mtx. Shuffle the
code to call unveil_destroy() outside the critical section. Only writes
to those fields are protected. Since we may only remove bits from those
fields, garbage values should do no harm even when a read crosses
a write on 32-bit systems.
Input claudio@ kettenis@ deraadt@, ok deraadt@
|
|
- Rearrange the security check code in sys_kbind() so that we only
need to take the kernel lock once if we need to raise SIGILL.
- Protect process.ps_kbind_addr and process.ps_kbind_cookie with
process.ps_mtx. This is easier to do after the aforementioned
rearrangement. Under normal circumstances this isn't necessary:
the process is single-threaded when we initialize kbind(2).
But in stranger situations this brief mutex ensures that the
first thread to reach sys_kbind() initializes both variables.
- Wrap the binding loop with the kernel lock. We need to carefully
confirm that uvm_unmap_remove(), uvm_map_extract(), and
uvm_unmap_detach() are MP-safe in a subsequent patch before
completely removing the kernel lock from sys_kbind().
- Remove the kernel lock from kbind(2) in syscalls.master.
Prompted by mpi@, dlg@, and deraadt@. Current patch workshopped with
deraadt@. Based on a patch from dlg@.
With input from dlg@, bluhm@, mpi@, kettenis@, deraadt@, and
guenther@.
Thread: https://marc.info/?l=openbsd-tech&m=165274831829349&w=2
ok deraadt@ kettenis@ mpi@
|
|
modification is already protected by `fd_lock' rwlock(9).
ok bluhm@
|
|
'sockaddr' structure with socket's address. For key management and route
domain sockets it just returns error.
ok bluhm@
|
|
which was unlocked with accept(2) unlocking. For key management and
route domain sockets it just copies the read-only data.
ok bluhm@
|
|
Switch libc and ld.so to the generic stubs for these calls.
WARNING: reboot to updated kernel before installing libc or ld.so!
Time for a story...
When gcc (back in 1.x days) first implemented long long, it didn't (always)
pass 64bit arguments in 'aligned' registers/stack slots, with the result that
argument offsets didn't match structure offsets. This affected the nine system
calls that pass off_t arguments:
ftruncate lseek mmap mquery pread preadv pwrite pwritev truncate
To avoid having to do custom ASM wrappers for those, BSD put an explicit pad
argument in so that the off_t argument would always start on an even slot and
thus be naturally aligned. Thus those odd wrappers in lib/libc/sys/ that use
__syscall() and pass an extra '0' argument.
The ABIs for different CPUs eventually settled how things should be passed on
each and gcc 2.x followed them. The only arch now where it helps is landisk,
which needs to skip the last argument register if it would be the first half of
a 64bit argument. So: add new syscalls without the pad argument and on landisk
do that skipping directly in the syscall handler in the kernel. Keep compat
support for the existing syscalls long enough for the transition.
ok deraadt@
|
|
follow the same code path.
ok bluhm@
|
|
Tested by mpi@ and tb@
OK mpi@
|
|
ok mpi@
|
|
consistent.
ok mpi@
|
|
At least one of them causes a deadlock involving `unplock' and mbuf allocations
('mbufpl') as reported by millert@.
|
|
ok mpi@
|
|
ok mpi@
|
|
ok mpi@
|
|
ok mpi@
|
|
In August 2019 I tried to unlock lseek which failed since the vnode lock
could not be acquired without holding the kernel lock back then.
claudio@ recently made it possible to acquire a vnode lock without
holding the kernel lock. The kernel lock is still required around
VOP_GETATTR() as the underlying file system implementations are not
MP-safe.
ok claudio@
|
|
With the changes in kern_time.c v1.150, neither getitimer(2) nor
setitimer(2) need the kernel lock anymore.
ok anton@, mpi@
|
|
held but this path is only followed while `syslogf' socket is not set.
New `syslogf_rwlock' used to protect `syslogf' access.
ok bluhm@
|
|
ok mpi@
|
|
ok mpi@ visa@
|
|
ok visa@
|
|
ok kettenis@ mpi@ visa@
|
|
Tested by krw@, anton@
OK mpi@, anton@
|
|
intended for shm/fd passing, but for programs that may otherwise like
filesystem access.
ok beck deraadt kettenis
|
|
Threads in __thrsleep(2) are tracked using queues, one queue per
process for synchronization between threads of a process, and one
system-wide queue for the special ident -1 handling. Each of these
queues has an associated rwlock that serializes access.
The queue lock is released when calling copyin() and copyout() in
thrsleep(). This preserves the existing behaviour where a blocked copy
operation does not prevent other threads from making progress.
Tested by anton@, claudio@
OK anton@, claudio@, tedu@, mpi@
|
|
Tested by and OK anton@
OK mpi@, kettenis@
|
|
serialization at this point since everything is protected by the
pipe_lock.
Thanks to tb@ and visa@ for testing; ok mpi@ visa@
|
|
OK cheloha@, anton@, mpi@
|
|
be used by kernel and ld.so in the near future. Adding the system call
earlier will reduce the number of people who try to build through and
encounter agony.
ok kettenis guenther
|
|
which is not allowed without holding the kernel lock. Otherwise, wakeups
could be lost.
Reported-by: syzbot+57588681ca9e3e9ba926@syzkaller.appspotmail.com
|
|
VOP_GETATTR() must still be serialized using the kernel lock since the
underlying file system implementation is not MP-safe.
no objection from deraadt@ and ok mpi@ visa@
|
|
assert "cpipe->pipe_buffer.cnt == 0" occurred whereas it shouldn't.
Reported-by: syzbot+b559fa9d3292c3cb0343@syzkaller.appspotmail.com
|
|
initial work from mpi@
ok visa@ mpi@
|
|
OK semarie@ mpi@ deraadt@ anton@
|
|
unlocks read(2) and write(2) syscalls families, and push the KERNEL_LOCK
deeper in the code path. KERNEL_LOCK is managed per file type in fileops
handlers (fo_read, fo_write, and fo_close). read(2) and write(2) on
socket are KERNEL_LOCK-free.
initial work from mpi@ and ians@
ok mpi@ kettenis@ visa@ ians@
|
|
We want this so that we can stop allowing readlink() on traversed
vnodes in unveil().
This includes all the kernel side and the system call.
This is not yet used in libc for realpath, so nothing calls this yet.
The libc wrapper will be committed later.
Testing by many, and ports build by naddy@
ok deraadt@
|
|
clock_settime(2)/settimeofday(2) still need KERNEL_LOCK for a moment
when resetting the RTC, as that's done periodically from a task under
KERNEL_LOCK. Not quite sure how to approach that one yet.
ok visa@ mpi@, "good stuff" tedu@,
"please wait until after [tree] unlock" deraadt@
|
|
about shared resources which no program should see. only a few pieces of
software use it, generally poorly thought out. they are being fixed, so
mincore() can be deleted.
ok guenther tedu jca sthen, others
|
|
ok kettenis@, sthen@, deraadt@, visa@, krw@
|
|
man page change will follow
|
|
This brings unveil into the tree, disabled by default - Currently
this will return EPERM on all attempts to use it until we are
fully certain it is ready for people to start using, but this
now allows for others to do more tweaking and experimentation.
Still needs to send the unveil's across forks and execs before
fully enabling.
Many thanks to robert@ and deraadt@ for extensive testing.
ok deraadt@
|
|
malloc(9) is apparently not mpsafe as found the hard way by sthen@.
|