Age | Commit message | Author |
|
ok mpi@ visa@
|
|
ok visa@
|
|
ok kettenis@ mpi@ visa@
|
|
Tested by krw@, anton@
OK mpi@, anton@
|
|
intended for shm/fd passing, but for programs that may otherwise like
filesystem access.
ok beck deraadt kettenis
|
|
Threads in __thrsleep(2) are tracked using queues, one queue per
process for synchronization between threads of a process, and one
system-wide queue for the special ident -1 handling. Each of these
queues has an associated rwlock that serializes access.
The queue lock is released when calling copyin() and copyout() in
thrsleep(). This preserves the existing behaviour where a blocked copy
operation does not prevent other threads from making progress.
Tested by anton@, claudio@
OK anton@, claudio@, tedu@, mpi@
|
|
Tested by and OK anton@
OK mpi@, kettenis@
|
|
serialization at this point since everything is protected by the
pipe_lock.
Thanks to tb@ and visa@ for testing; ok mpi@ visa@
|
|
OK cheloha@, anton@, mpi@
|
|
be used by kernel and ld.so in the near future. Adding the system call
earlier will reduce the number of people who try to build through and
encounter agony.
ok kettenis guenther
|
|
which is not allowed without holding the kernel lock. Otherwise, wakeups
could be lost.
Reported-by: syzbot+57588681ca9e3e9ba926@syzkaller.appspotmail.com
|
|
VOP_GETATTR() must still be serialized using the kernel lock since the
underlying file system implementation is not MP-safe.
no objection from deraadt@ and ok mpi@ visa@
|
|
assert "cpipe->pipe_buffer.cnt == 0" occurred whereas it shouldn't.
Reported-by: syzbot+b559fa9d3292c3cb0343@syzkaller.appspotmail.com
|
|
initial work from mpi@
ok visa@ mpi@
|
|
OK semarie@ mpi@ deraadt@ anton@
|
|
unlocks read(2) and write(2) syscall families, and pushes the KERNEL_LOCK
deeper in the code path. KERNEL_LOCK is managed per file type in fileops
handlers (fo_read, fo_write, and fo_close). read(2) and write(2) on
socket are KERNEL_LOCK-free.
initial work from mpi@ and ians@
ok mpi@ kettenis@ visa@ ians@
|
|
We want this so that we can stop allowing readlink() on traversed
vnodes in unveil().
This includes all the kernel side and the system call.
This is not yet used in libc for realpath, so nothing calls this yet.
The libc wrapper will be committed later.
Testing by many, and ports build by naddy@
ok deraadt@
|
|
clock_settime(2)/settimeofday(2) still need KERNEL_LOCK for a moment
when resetting the RTC, as that's done periodically from a task under
KERNEL_LOCK. Not quite sure how to approach that one yet.
ok visa@ mpi@, "good stuff" tedu@,
"please wait until after [tree] unlock" deraadt@
|
|
about shared resources which no program should see. only a few pieces of
software use it, generally poorly thought out. they are being fixed, so
mincore() can be deleted.
ok guenther tedu jca sthen, others
|
|
ok kettenis@, sthen@, deraadt@, visa@, krw@
|
|
man page change will follow
|
|
This brings unveil into the tree, disabled by default - Currently
this will return EPERM on all attempts to use it until we are
fully certain it is ready for people to start using, but this
now allows for others to do more tweaking and experimentation.
Still needs to send the unveils across forks and execs before
fully enabling.
Many thanks to robert@ and deraadt@ for extensive testing.
ok deraadt@
|
|
malloc(9) is apparently not mpsafe as found the hard way by sthen@.
|
|
found by visa@.
|
|
This is possible now that the code doing file refcounting is mp-safe.
Tested by many, ok tb@, visa@
|
|
These syscalls can now be executed w/o the KERNEL_LOCK() depending on
the kind of socket.
The current solution uses a single global mutex to serialize access to,
and reference count, 'struct file'.
ok visa@, kettenis@
|
|
and socketpair(2).
Tested by many as part of a larger diff, ok visa@ some time ago.
|
|
pledge for a new execve image immediately upon start. Also introduces
"error" which makes violations return -1 ENOSYS instead of killing the
program ("error" may not be handed to a setuid/setgid program, which
may be missing/ignoring syscall return values and would continue with
inconsistent state)
Discussion with many
florian has used this to improve the strictness of a daemon
|
|
sufficiently and at least one horrific security hole was the result.
ok deraadt@ beck@
|
|
okay bluhm@, deraadt@
|
|
libc and man page parts to come.
ok guenther
|
|
The syscall is marked NOLOCK and only FUTEX_WAIT grabs the KERNEL_LOCK()
because of PCATCH and the signal nightmare.
Serialization of threads is currently done with a global & exclusive
rwlock.
Note that the current implementation still uses copyin(9) which is not
guaranteed to be atomic. Committing now such that remaining issues can
be addressed in-tree.
With inputs from guenther@, kettenis@ and visa@.
ok deraadt@, visa@
|
|
and four libc major versions ago
ok sthen@ jsing@ deraadt@ jca@
|
|
ok deraadt@
|
|
|
|
a flags argument
ok guenther sthen
|
|
ok guenther sthen
|
|
|
|
getlogin_r() API; keep existing syscall as getlogin59 for temporary compat.
ok kettenis@ deraadt@
|
|
behind all other threads in the process by temporarily lowering its priority.
This isn't optimal but it is the easiest way to guarantee that we make
progress when we're waiting on another thread to release a lock. This
results in significant improvements for processes that suffer from lock
contention, most notably firefox. Unfortunately this means that sched_yield(2)
needs to grab the kernel lock again.
All the hard work was done by mpi@, based on observations of the behaviour
of the BFS scheduler diff by Michal Mazurek.
ok deraadt@
|
|
as osendsyslog for a while. The three argument variant is the only
one that will stay.
input kettenis@; OK deraadt@
|
|
passing LOG_CONS
ok millert kettenis beck
|
|
thrkill(2), rolling the kill(2) syscall number with the ABI change to
avoid breaking binaries during the transition. thrkill(2) includes
a 'tcb' argument that eliminates the need for locking in pthread_kill()
and simplifies pthread_cancel(). Switch __stack_smash_handler() to use
thrkill(2) and explicitly unblock SIGABRT.
Minor bump to both libc and libpthread: make sure you install a new kernel!
ok semarie@
|
|
suspect everyone has upgraded through the approx week-long window since
SOCK_DNS became available and the libc resolver started using them.
|
|
SS_DNS tagged socket which has limited functionality (for example, you
cannot accept on them...) The libc resolver will switch to using these,
therefore pledge can identify a DNS transaction better.
ok tedu guenther kettenis beck and others
|
|
strict than anticipated. It allows a programmer to pledge/promise/covenant
that their program will operate within an easily defined subset of the
Unix environment, or it pays the price.
|
|
as Theo is seeing vnode-related panics on several architectures in the
codepath that implements mmap(2).
|
|
|
|
necessary
ok deraadt@ jsing@
|
|
which results in tame() code placements being much more recognizable.
tame() can be moved to unistd.h and does not need cpp symbols to turn the
bits on and off. The resulting API is a bit unexpected, but simplifies the
mapping to enabling bits in the kernel substantially.
vague ok's from various including guenther doug semarie
|