| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
| |
ACLs, Capabilities, Information Labels, and MAC Labels on the
queried file system.
|
|
|
|
|
|
|
|
| |
sysctl purposes. Also add two fields to struct vnode, v_cachedfs and
v_cachedid, which hold the vnode's device and file id and are filled in
by vn_open_cred() and vn_stat().
Sponsored by: DARPA, NAI Labs
|
|
|
|
|
|
| |
purposes.
Sponsored by: DARPA, NAI Labs
|
| |
|
|
|
|
|
|
|
|
|
|
| |
the number of policy slots to 4.
(Having run a quick errand, time to start on phase 2 of the MAC
integration)
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
access control.
Label socket IPC objects, permitting security features to be maintained
at the granularity of the socket. Two labels are stored for each
socket: the label of the socket itself, and a cached peer label
permitting interogation of the remote endpoint. Since socket locking
is not yet present in the base tree, these objects are not locked,
but are assumed to follow the same semantics as other modifiable
entries in the socket structure.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
kernel access control.
Label pipe IPC objects, permitting security information to be
maintained at the granularity of the pipe object. The label is
shared between the two pipe endpoints in the style of the
pipe mutex, and is maintained using similar conventions. The
label is protected by the pipe mutex.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
access control.
Label process credentials, permitting security information to be
maintained at the granularity of processes and cached credential
objects. cr_label follows the semantics of other entries in struct
ucred: when a credential is exclusively referenced, it may be
modified. Otherwise, it must be treated as immutable. As with
other interesting entries in struct ucred, failing to use the
documented credential management APIs (such as crcopy, crdup, ...)
can result in data corruption or incorrect behavior.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
kernel access control. The MAC framework permits loadable kernel
modules to link to the kernel at compile-time, boot-time, or run-time,
and augment the system security policy. This commit includes the
initial kernel implementation, although the interface with the userland
components of the oeprating system is still under work, and not all
kernel subsystems are supported. Later in this commit sequence,
documentation of which kernel subsystems will not work correctly with
a kernel compiled with MAC support will be added.
Label file system mount points, permitting security information to be
maintained at the granularity of the file system. Two labels are
currently maintained: a security label for the mount itself, and
a default label for objects in the file system (in particular, for
file systems not supporting per-vnode labeling directly).
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
kernel access control. The MAC framework permits loadable kernel
modules to link to the kernel at compile-time, boot-time, or run-time,
and augment the system security policy. This commit includes the
initial kernel implementation, although the interface with the userland
components of the oeprating system is still under work, and not all
kernel subsystems are supported. Later in this commit sequence,
documentation of which kernel subsystems will not work correctly with
a kernel compiled with MAC support will be added.
Label vnodes, permitting security information to maintained at the
granularity of the individual file, directory (et al). This data is
protected by the vnode lock and may be read only when holding a shared
lock, or modified only when holding an exclusive lock. Label
information may be considered either the primary copy, or a cached
copy. Individual file systems or kernel services may use the
VCACHEDLABEL flag for accounting purposes to determine which it is.
New VOPs will be introduced to refresh this label on demand, or to
set the label value.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
kernel access control. The MAC framework permits loadable kernel
modules to link to the kernel at compile-time, boot-time, or run-time,
and augment the system security policy. This commit includes the
initial kernel implementation, although the interface with the userland
components of the oeprating system is still under work, and not all
kernel subsystems are supported. Later in this commit sequence,
documentation of which kernel subsystems will not work correctly with
a kernel compiled with MAC support will be added.
Label mbuf's with packet header data, permitting in-flight datagrams
to be labeled in the TrustedBSD MAC implementation. Add a questionable
recursive #include of sys/mac.h to maintain the current API for
applications and kernel code including mbuf.h to get 'struct mbuf'
definition.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
kernel access control. The MAC framework permits loadable kernel
modules to link to the kernel at compile-time, boot-time, or run-time,
and augment the system security policy. This commit includes the
initial kernel implementation, although the interface with the userland
components of the oeprating system is still under work, and not all
kernel subsystems are supported. Later in this commit sequence,
documentation of which kernel subsystems will not work correctly with
a kernel compiled with MAC support will be added.
Include files to declare MAC userland interface (mac.h), MAC subsystem
entry points (mac.h), and MAC policy entry points (mac_policy.h). These
files define the interface between the kernel and the MAC framework,
and between the MAC framework and each registered policy module. These
APIs and ABIs may not be assumed to be stable until following FreeBSD
5.1-RELEASE.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
|
|
|
|
|
|
|
|
|
|
| |
function. This permits conditionally compiled extensions to the
packet header copying semantic, such as extensions to copy MAC
labels.
Reviewed by: bmilekic
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
|
| |
|
|
|
|
| |
macros.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
swapped in, we do not have to ask for the scheduler thread to do
that.
- Assert that a process is not swapped out in runq functions and
swapout().
- Introduce thread_safetoswapout() for readability.
- In swapout_procs(), perform a test that may block (check of a
thread working on its vm map) first. This lets us call swapout()
with the sched_lock held, providing a better atomicity.
|
|
|
|
|
| |
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
|
|
|
|
|
|
|
|
|
|
|
| |
except for the fact tha they are presently swapped out. Also add a process
flag to indicate that the process has started the struggle to swap
back in. This will be needed for the case where multiple threads
start the swapin action top a collision. Also add code to stop
a process fropm being swapped out if one of the threads in this
process is actually off running on another CPU.. that might hurt...
Submitted by: Seigo Tanimura <tanimura@r.dl.itc.u-tokyo.ac.jp>
|
|
|
|
|
|
|
|
|
| |
<stdint.h>. Previously, parts were defined in <machine/ansi.h> and
<machine/limits.h>. This resulted in two problems:
(1) Defining macros in <machine/ansi.h> gets in the way of that
header only defining types.
(2) Defining C99 limits in <machine/limits.h> adds pollution to
<limits.h>.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
implementation. This flag will indicate that the security label
in the vnode is currently valid, and therefore doesn't need to
be refreshed before an access control decision can be made. Most
file systems (or stdvops) will set this flag after they load the
MAC label from disk the first time to prevent redundant disk I/O;
some file synthetic file systems (procfs, for example) may not.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
|
|
|
|
|
|
|
| |
ages ago. The prototype was missed.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
|
|
|
|
|
|
|
|
| |
since it breaks mtx_owned() on spin mutexes when used outside of
mtx_assert(). Unfortunately we currently use it in the i386 MD code
and in the sio(4) driver.
Reported by: bde
|
| |
|
|
|
|
|
|
| |
Cleanup a define
Correct locking notes (a bit)
Add a definition and a field for future work on thread suspension.
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
non-default but reasonable values of hz this member overflowed,
breaking NFS over UDP.
Also, as long as I'm plowing up struct sockbuf ... Change certain
members from u_long/long to u_int/int in order to reduce wasted
space on 64-bit machines. This change was requested by Andrew
Gallatin.
Netstat and systat need to be rebuilt. I am incrementing
__FreeBSD_version in case any ports need to change.
|
|
|
|
|
| |
they grab a lock so that they don't block in SYSCTL_OUT() with the lock
being held.
|
|
|
|
|
|
|
| |
bits for vnodes passed to vaccess() and friends.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
|
|
|
|
|
|
|
| |
Add flags VSTAT, VAPPEND required for TrustedBSD.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
handler in the kernel at the same time. Also, allow for the
exec_new_vmspace() code to build a different sized vmspace depending on
the executable environment. This is a big help for execing i386 binaries
on ia64. The ELF exec code grows the ability to map partial pages when
there is a page size difference, eg: emulating 4K pages on 8K or 16K
hardware pages.
Flesh out the i386 emulation support for ia64. At this point, the only
binary that I know of that fails is cvsup, because the cvsup runtime
tries to execute code in pages not marked executable.
Obtained from: dfr (mostly, many tweaks from me).
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
As this code is not actually used by any of the existing
interfaces, it seems unlikely to break anything (famous
last words).
The internal kernel interface to manipulate these attributes
is invoked using two new IO_ flags: IO_NORMAL and IO_EXT.
These flags may be specified in the ioflags word of VOP_READ,
VOP_WRITE, and VOP_TRUNCATE. Specifying IO_NORMAL means that
you want to do I/O to the normal data part of the file and
IO_EXT means that you want to do I/O to the extended attributes
part of the file. IO_NORMAL and IO_EXT are mutually exclusive
for VOP_READ and VOP_WRITE, but may be specified individually
or together in the case of VOP_TRUNCATE. For example, when
removing a file, VOP_TRUNCATE is called with both IO_NORMAL
and IO_EXT set. For backward compatibility, if neither IO_NORMAL
nor IO_EXT is set, then IO_NORMAL is assumed.
Note that the BA_ and IO_ flags have been `merged' so that they
may both be used in the same flags word. This merger is possible
by assigning the IO_ flags to the low sixteen bits and the BA_
flags the high sixteen bits. This works because the high sixteen
bits of the IO_ word is reserved for read-ahead and help with
write clustering so will never be used for flags. This merge
lets us get away from code of the form:
if (ioflags & IO_SYNC)
flags |= BA_SYNC;
For the future, I have considered adding a new field to the
vattr structure, va_extsize. This addition could then be
exported through the stat structure to allow applications to
find out the size of the extended attribute storage and also
would provide a more standard interface for truncating them
(via VOP_SETATTR rather than VOP_TRUNCATE).
I am also contemplating adding a pathconf parameter (for
concreteness, lets call it _PC_MAX_EXTSIZE) which would
let an application determine the maximum size of the extended
atribute storage.
Sponsored by: DARPA & NAI Labs.
|
|
|
|
|
|
|
|
|
|
| |
after a panic which is not an interrupt thread, or the thread which
caused the panic. Also, remove panicstr checks from msleep() and from
cv_wait() in order to allow threads to go to sleep and yeild the cpu
to the panicing thread, or to an interrupt thread which might
be doing the crashdump.
Reviewed by: jhb (and it was mostly his idea too)
|
|
|
|
|
|
|
| |
made to reduce confusion between st_ctime and st_createtime.
Submitted by: Eric Allman <eric@sendmail.org>
Sponsored by: DARPA & NAI Labs.
|
|
|
|
| |
in confstr() processing.
|
|
|
|
|
| |
to allow us to claim compliance.) Define a few other nearby feature tests
in the way required by 1003.1-2001.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
semicolons from the end of macros:
#define FOO() bar(a,b,c);
becomes
#define FOO() bar(a,b,c)
Thus requiring the semicolon in the invocation of FOO. This is much
cleaner syntax and more consistent with expectations when writing
function-like things in source.
With both peril-sensitive sunglasses and flame-proof undies on, tighten
up some types, and work around some warnings generated by this. There
are some _horrible_ const/non-const issues in this code.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This represents the original standardization of the following functions
and headers:
popen()
<regex.h>: regcomp(), regexec(), regerror(), regfree()
<fnmatch.h>: fnmatch()
getopt(), optarg, optind, opterr, optopt
<glob.h>: glob()
<wordexp.h>: wordexp(), wordfree()
confstr()
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
and a cluster in one shot.
o Introduce MBP_PERSIST and MBP_PERSISTENT control bits to mb_alloc();
MBP_PERSIST means "if you can allocate, then keep the cache lock
held on exit," and MBP_PERSISTENT means "a cache lock is alredy held
on entry, so allocate from the specified (already locked) cache."
They may be used in combination.
o m_getcl() uses the MBP_PERSIST/MBP_PERSISTENT interface so that it
doesn't drop the cache lock in between the mbuf and cluster allocations.
o m_getm(), which takes a size and allocates an mbuf + cluster "best fit"
chain, has been moved from uipc_mbuf.c to subr_mbuf.c and shown how to
use MBP_PERSIST/MBP_PERSISTENT to attempt to do a grouped allocation
without dropping the cache lock in between.
Why this is good: much less bus-locked lock acquires/drops when they're
not needed. Also, prototype for m_getcl():
struct mbuf * m_getcl(int how, short type, int flags);
"how" and "type" are self-explanatory. "flags" may be M_PKTHDR, in
which case m_getcl() will make the mbuf a pkthdr-mbuf.
While I'm in subr_mbuf.c:
o Every exported routine now has a nice comment with a description of
the expected arguments. Eventually, mbuf(9) needs to be re-vamped
but there's still more code to write/finalize before I get to that.
o internal macros have been changed a bit.
o consistently use 'short' for "type." This somehow slipped through
before (that 'type' was sometimes declared as int).
Alfred has been pushing for the MBP_PERSIST{,ENT} thing for almost a
year now. Luigi asked for m_getcl(), and will probably MFC that
part of this commit.
TODO [Related]: teach mb_free() about MBP_PERSIST{, ENT}.
|
| |
|
| |
|
| |
|
| |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
formulated. The correct states should be:
IDLE: On the idle KSE list for that KSEG
RUNQ: Linked onto the system run queue.
THREAD: Attached to a thread and slaved to whatever state the thread is in.
This means that most places where we were adjusting kse state can go away
as it is just moving around because the thread is..
The only places we need to adjust the KSE state is in transition to and from
the idle and run queues.
Reviewed by: jhb@freebsd.org
|
| |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
page-zeroing code as well as from the general page-zeroing code and use a
lazy tlb page invalidation scheme based on a callback made at the end
of mi_switch.
A number of people came up with this idea at the same time so credit
belongs to Peter, John, and Jake as well.
Two-way SMP buildworld -j 5 tests (second run, after stabilization)
2282.76 real 2515.17 user 704.22 sys before peter's IPI commit
2266.69 real 2467.50 user 633.77 sys after peter's commit
2232.80 real 2468.99 user 615.89 sys after this commit
Reviewed by: peter, jhb
Approved by: peter
|
| |
|