tjr [Wed, 23 Oct 2002 04:35:25 +0000 (04:35 +0000)]
Replace this wcsncpy() implementation with one based on strncpy.c to fix
two major bugs:
- off-by-one overflow when the length of the source string exceeds or
equals the destination buffer size.
- old version was not padding the destination buffer with null wide chars
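As an added illustration of the strncpy(3)-style semantics this commit adopts (example code written for this page, not the committed FreeBSD implementation), the C function below copies at most n wide characters, pads the remainder of the destination with null wide characters when the source is shorter, and never writes past dst[n-1]; the check_copy() helper, its canary value and the buffer size are constructed for the example:

```c
#include <stddef.h>
#include <wchar.h>

/*
 * Added example, not the committed FreeBSD implementation: a wcsncpy()
 * with strncpy(3) semantics.  Copies at most n wide characters from src
 * to dst.  If src is shorter than n, the remainder of dst is padded with
 * null wide characters; if src has n or more characters, dst is not
 * terminated.  Nothing beyond dst[n-1] is ever written.
 */
wchar_t *
example_wcsncpy(wchar_t *dst, const wchar_t *src, size_t n)
{
	wchar_t *d = dst;
	const wchar_t *s = src;

	if (n == 0)
		return (dst);
	do {
		if ((*d++ = *s++) == L'\0') {
			/* Pad the remaining n-1 slots with null wide chars. */
			while (--n != 0)
				*d++ = L'\0';
			break;
		}
	} while (--n != 0);
	return (dst);
}

/*
 * Constructed self-check (part of the example): fill a buffer with a
 * canary, copy into its first n slots, then verify that (1) no slot at or
 * beyond index n was touched and (2) every slot after the copied string
 * holds L'\0'.  Returns 1 when both hold, 0 otherwise.
 */
#define EXAMPLE_BUF_LEN 8
#define EXAMPLE_CANARY ((wchar_t)0x4141)

int
check_copy(const wchar_t *src, size_t n)
{
	wchar_t buf[EXAMPLE_BUF_LEN + 1];
	size_t i, len;

	if (n > EXAMPLE_BUF_LEN)
		return (0);
	for (i = 0; i < EXAMPLE_BUF_LEN + 1; i++)
		buf[i] = EXAMPLE_CANARY;
	if (example_wcsncpy(buf, src, n) != buf)
		return (0);
	/* (1) The slots past dst[n-1] still hold the canary. */
	for (i = n; i < EXAMPLE_BUF_LEN + 1; i++)
		if (buf[i] != EXAMPLE_CANARY)
			return (0);
	/* (2) Copied prefix matches src; whatever follows is padding. */
	len = wcslen(src);
	for (i = 0; i < n; i++) {
		if (i < len) {
			if (buf[i] != src[i])
				return (0);
		} else if (buf[i] != L'\0') {
			return (0);
		}
	}
	return (1);
}
```

The case check_copy(L"abc", 3) is the one the old code got wrong: the source length equals the buffer size, so a correct implementation writes exactly three characters and no terminator rather than a fourth, out-of-bounds null.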
rwatson [Wed, 23 Oct 2002 03:40:47 +0000 (03:40 +0000)]
Teach ifconfig(8) how to print and set the MAC labels on network
interfaces using the 'mac' argument. Without MAC support in the
kernel, this does not change the behavior of ifconfig.
marcel [Wed, 23 Oct 2002 03:33:06 +0000 (03:33 +0000)]
Don't complain if we have an inconsistent map that may be the
result of an incomplete migration. An incomplete migration is
one where the MBR is not turned into a PMBR after creating the
GPT. This early in the game it's more convenient to allow the
inconsistency, because that avoids having to destroy the
MBR partitioning for now.
rwatson [Wed, 23 Oct 2002 03:19:34 +0000 (03:19 +0000)]
Add a new '-s' option to su(1): if the flag is present, attempt to
also set the user's MAC label as part of the user credential setup
by setting setusercontext(3)'s SETMAC flag. By default, change only
traditional process properties.
rwatson [Wed, 23 Oct 2002 03:17:22 +0000 (03:17 +0000)]
If LOGIN_SETMAC is set and MAC is enabled in the kernel, then see
if the user has a 'label' entry in their login class. If so, attempt
to set that label on the process as part of the credential setup. If
we're unable to parse the label, or unable to set the label, fail.
In the future, we may also want to warn if a label is set but the
kernel doesn't support MAC.
rwatson [Wed, 23 Oct 2002 03:15:24 +0000 (03:15 +0000)]
Introduce simple command line tools to manage MAC labels on processes and
files. Basically wrappers for mac_{get,set}_{file,link,pid,proc}(3).
Man pages to be updated shortly.
thomas [Tue, 22 Oct 2002 20:18:51 +0000 (20:18 +0000)]
Fill in missing parts of the ATAPI/CAM XPT: implement XPT_RESET_BUS
and XPT_RESET_DEV.
In order to properly handle reset requests whether they originate in the
ATA layer (atacontrol reinit) or from the CAM layer (camcontrol reset)
ata_reinit does not cause the SIM to be deallocated anymore. The SIM
is now unconditionally created for each ATAPI bus.
This change may cause existing bus ids to change on some setups.
jhb [Tue, 22 Oct 2002 18:44:59 +0000 (18:44 +0000)]
Don't dereference the 'x' pointer if it is NULL, instead skip the
assignment. The netsmb code likes to call these functions with a NULL
x argument a lot.
jake [Tue, 22 Oct 2002 18:03:15 +0000 (18:03 +0000)]
- Expand struct trapframe to 256 bytes, make all fields fixed width and the
same size. Add some fields that previously overlapped with something else
or were missing.
- Make struct regs and struct mcontext (minus floating point) the same as
struct trapframe so converting between them is easy (null).
- Add space for saving floating point state to struct mcontext. This requires
that it be 64 byte aligned.
- Add assertions that none of these structures change size, as they are part
of the ABI.
- Remove some dead code in sendsig().
- Save and restore %gsr in struct trapframe. Remember to restore %fsr.
- Add some comments to exception.S.
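An added example (written for this page, not the sparc64 code this commit touches) of the two ideas behind the first and fourth items: a frame built only from fixed-width, equally sized fields, and compile-time assertions that pin its size and alignment as part of the ABI. The struct and field names, the 32-word frame and the 64-byte aligned floating point area are constructed for the example; the negative-array-size assertion is the classic CTASSERT pattern:

```c
#include <stddef.h>
#include <stdint.h>

/*
 * Added example, not the sparc64 structures this commit changed: a
 * register frame made only of fixed-width, equally sized fields, plus a
 * context structure that embeds it alongside a 64-byte aligned floating
 * point save area.  Because every field is a uint64_t, the layout does
 * not depend on the compiler's notion of int or long, so the size can be
 * pinned at compile time.  All names and sizes here are constructed.
 */
#define EXAMPLE_FRAME_WORDS 32            /* 32 * 8 = 256 bytes */

struct example_trapframe {
	uint64_t tf_global[8];
	uint64_t tf_out[8];
	uint64_t tf_tstate;
	uint64_t tf_tpc;
	uint64_t tf_tnpc;
	uint64_t tf_gsr;
	uint64_t tf_fsr;
	uint64_t tf_pad[EXAMPLE_FRAME_WORDS - 21]; /* keep the total at 256 */
};

struct example_fpstate {
	uint64_t fp_regs[32];
	uint64_t fp_fsr;
	uint64_t fp_pad[31];                /* 64 words = 512 bytes */
};

struct example_mcontext {
	struct example_trapframe mc_tf;     /* same layout as the frame */
	_Alignas(64) struct example_fpstate mc_fp; /* 64-byte aligned FP area */
};

/*
 * CTASSERT-style compile-time check: a false condition declares an array
 * of negative size, so a layout change fails the build instead of
 * silently breaking the ABI.
 */
#define EXAMPLE_CTASSERT(name, cond) \
	typedef char example_ctassert_##name[(cond) ? 1 : -1]

EXAMPLE_CTASSERT(tf_size, sizeof(struct example_trapframe) == 256);
EXAMPLE_CTASSERT(fp_size, sizeof(struct example_fpstate) == 512);
EXAMPLE_CTASSERT(mc_size, sizeof(struct example_mcontext) == 768);
EXAMPLE_CTASSERT(fp_off, offsetof(struct example_mcontext, mc_fp) % 64 == 0);
EXAMPLE_CTASSERT(mc_align, _Alignof(struct example_mcontext) == 64);

/* Run-time accessors so the pinned values can be inspected or tested. */
size_t example_trapframe_size(void) { return sizeof(struct example_trapframe); }
size_t example_mcontext_size(void) { return sizeof(struct example_mcontext); }
size_t example_fp_offset(void) { return offsetof(struct example_mcontext, mc_fp); }
size_t example_mcontext_align(void) { return _Alignof(struct example_mcontext); }
```

Because the frame and the head of the context share one layout, converting between them is a plain copy (no field-by-field translation), which is the property the second item above describes.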
rwatson [Tue, 22 Oct 2002 17:19:06 +0000 (17:19 +0000)]
Remove the mac_te policy bits from 'struct oldmac' -- we're not going
to merge mac_te, since the SEBSD port of SELinux/FLASK provides a much
more mature Type Enforcement implementation. This changes the size
of the on-disk 'struct oldmac' EA labels, which may require regeneration.
robert [Tue, 22 Oct 2002 16:06:28 +0000 (16:06 +0000)]
Change the `mutex_prof' structure to use three variables contained
in an anonymous structure as counters, instead of an array with
preprocessor-defined names for indices. Remove the associated XXX-
comment.
rwatson [Tue, 22 Oct 2002 15:56:44 +0000 (15:56 +0000)]
Invoke mac_check_vnode_mmap() during mmap operations on vnodes,
permitting policies to restrict access to memory mapping based on
the credential requesting the mapping, the target vnode, the
requested rights, or other policy considerations.
rwatson [Tue, 22 Oct 2002 15:53:43 +0000 (15:53 +0000)]
Introduce MAC_CHECK_VNODE_SWAPON, which permits MAC policies to
perform authorization checks during swapon() events; policies
might choose to enforce protections based on the credential
requesting the swap configuration, the target of the swap operation,
or other factors such as internal policy state.
rwatson [Tue, 22 Oct 2002 14:38:49 +0000 (14:38 +0000)]
Hook up a sample mac.conf to the install. The sample basically
tells applications to print labels for all of the TrustedBSD-
generated policies, if they are present.
rwatson [Tue, 22 Oct 2002 14:36:11 +0000 (14:36 +0000)]
Reflect MAC kernel/user API changes into the libc MAC implementation.
This removes a lot of complexity, since we basically just reserve
space on a retrieval of a label, and pass around strings. Two new
elements: (1) consumers of the API must now declare what label
elements they are interested in retrieving, or (2) rely on the default
provided in a new configuration file, mac.conf.
rwatson [Tue, 22 Oct 2002 14:31:34 +0000 (14:31 +0000)]
Adapt MAC policies for the new user API changes; teach policies how
to parse their own label elements (some cleanup to occur here in the
future to use the newly added kernel strsep()). Policies now
entirely encapsulate their notion of label in the policy module.
jhb [Tue, 22 Oct 2002 14:31:32 +0000 (14:31 +0000)]
- Check that a process isn't a new process (p_state == PRS_NEW) before
trying to acquire its proc lock since the proc lock may not have been
constructed yet.
- Split up the one big comment at the top of the loop and put the pieces
in the right order above the various checks.
rwatson [Tue, 22 Oct 2002 14:29:47 +0000 (14:29 +0000)]
Support the new MAC user API in kernel: modify existing system calls
to use a modified notion of 'struct mac', and flesh out the new variation
system calls (almost identical to existing ones except that they permit
a pid to be specified for process label retrieval, and don't follow
symlinks). This generalizes the label API so that the framework is
now almost entirely policy-agnostic.
rwatson [Tue, 22 Oct 2002 14:27:44 +0000 (14:27 +0000)]
Revised APIs for user process label management; the existing APIs relied
on all label parsing occurring in userland, and knowledge of the loaded
policies in the user libraries. This revision of the API pushes that
parsing into the kernel, avoiding the need for shared library support
of policies in userland, permitting statically linked binaries (such
as ls, ps, and ifconfig) to use MAC labels. In these API revisions,
high level parsing of the MAC label is done in the MAC Framework,
and interpretation of label elements is delegated to the MAC policy
modules. This permits modules to export zero or more label elements
to user space if desired, and support them in the manner they want
and with the semantics they want. This is believed to be the final
revision of this interface: from the perspective of user applications,
the API has actually not changed, although the ABI has.
rwatson [Tue, 22 Oct 2002 14:22:24 +0000 (14:22 +0000)]
Flesh out prototypes for __mac_get_pid, __mac_get_link, and
__mac_set_link, based on __mac_get_proc() except with a pid,
and __mac_get_file(), __mac_set_file() except that they do
not follow symlinks. First in a series of commits to flesh
out the user API.
phk [Tue, 22 Oct 2002 09:13:02 +0000 (09:13 +0000)]
Swing the weed-whacker around libdisk:
Constify some things.
Staticize some things.
Remove some unused things.
Prototype some things.
Don't install a gazillion man-pages links.
Drop support for ON-TRACK disk-manager.
mckusick [Tue, 22 Oct 2002 01:23:00 +0000 (01:23 +0000)]
This update further fine tunes the locking of snapshot vnodes in
the ffs_copyonwrite routine to avoid a deadlock between the syncer
daemon trying to sync out a snapshot vnode and the bufdaemon
trying to write out a buffer containing the snapshot inode.
With any luck this will be the last snapshot race condition.
mckusick [Tue, 22 Oct 2002 01:14:25 +0000 (01:14 +0000)]
This update is a performance improvement when allocating blocks on
a full filesystem. Previously, if the allocation failed, we had to
fsync the file before rolling back any partial allocation of indirect
blocks. Most block allocation requests only need to allocate a single
data block and if that allocation fails, there is nothing to unroll.
So, before doing the fsync, we check to see if any rollback will
really be necessary. If none is necessary, then we simply return.
This update eliminates the flurry of disk activity that got triggered
whenever a filesystem would run out of space.
mckusick [Tue, 22 Oct 2002 01:06:44 +0000 (01:06 +0000)]
This update removes a race between unmount and lookup. The lookup
locks the mount point directory while waiting for vfs_busy to clear.
Meanwhile the unmount which holds the vfs_busy lock tried to lock
the mount point vnode. The fix is to observe that it is safe for the
unmount to remove the vnode from the mount point without locking it.
The lookup will wait for the unmount to complete, then recheck the
mount point when the vfs_busy lock clears.
mckusick [Tue, 22 Oct 2002 00:59:49 +0000 (00:59 +0000)]
This checkin reimplements the io-request priority hack in a way
that works in the new threaded kernel. It was commented out of
the disksort routine earlier this year for the reasons given in
kern/subr_disklabel.c (which is where this code used to reside
before it moved to kern/subr_disk.c):
----------------------------
revision 1.65
date: 2002/04/22 06:53:20; author: phk; state: Exp; lines: +5 -0
Comment out Kirks io-request priority hack until we can do this in a
civilized way which doesn't cause grief.
The problem is that it is not generally safe to cast a "struct bio
*" to a "struct buf *". Things like ccd, vinum, ata-raid and GEOM
construct bio's which are not entrails of a struct buf.
Also, curthread may or may not have anything to do with the I/O request
at hand.
The correct solution can either be to tag struct bio's with a
priority derived from the requesting thread's nice and have disksort
act on this field, this wouldn't address the "silly-seek syndrome"
where two equal processes bang the diskheads from one edge to the
other of the disk repeatedly.
Alternatively, and probably better: a sleep should be introduced
either at the time the I/O is requested or at the time it is completed
where we can be sure to sleep in the right thread.
The sleep also needs to be in constant timeunits, 1/hz can be practically
any sub-second size, at high HZ the current code practically doesn't
do anything.
----------------------------
As suggested in this comment, it is no longer located in the disk sort
routine, but rather now resides in spec_strategy where the disk operations
are being queued by the thread that is associated with the process that
is really requesting the I/O. At that point, the disk queues are not
visible, so the I/O for positively niced processes is always slowed
down whether or not there is other activity on the disk.
On the issue of scaling HZ, I believe that the current scheme is
better than using a fixed quantum of time. As machines and I/O
subsystems get faster, the resolution on the clock also rises.
So, ten years from now we will be slowing things down for shorter
periods of time, but the proportional effect on the system will
be about the same as it is today. So, I view this as a feature
rather than a drawback. Hence this patch sticks with using HZ.
Sponsored by: DARPA & NAI Labs.
Reviewed by: Poul-Henning Kamp <phk@critter.freebsd.dk>
semenu [Tue, 22 Oct 2002 00:57:51 +0000 (00:57 +0000)]
Remove the OpenBSD compatibility stuff. Many changes to be more style(9)
compliant. Split two pieces of code into separate functions so as not to
exceed line length due to indentation.
rwatson [Mon, 21 Oct 2002 23:51:18 +0000 (23:51 +0000)]
Add mac(9), a man page providing a basic introduction to the concepts
associated with the TrustedBSD MAC Framework, as well as some credits
to developers and contributors.
julian [Mon, 21 Oct 2002 22:27:36 +0000 (22:27 +0000)]
Remove the process state PRS_WAIT.
It is never used. I left it there from pre-KSE days as I didn't know
if I'd need it or not but now I know I don't. Its functionality
is in TDI_IWAIT in the thread.