path: root/sys/kern/kern_exec.c
Commit log (each entry: [date, author, files changed, lines removed/added] subject, followed by the rest of the commit message)
...
* [2015-12-05, tedu, 1 file, -2/+1] remove stale lint annotations
* [2015-11-02, semarie, 1 file, -2/+2] move the pledgenote annotation from `struct proc' to `struct nameidata'
  pledgenote is used to annotate the policy for a namei context. So make it track the nameidata. It is expected for the caller to explicitly define the policy. It is a kernel bug to not do so. ok deraadt@
* [2015-10-28, deraadt, 1 file, -2/+2] move p_pledgenote setting next to NDINIT()
* [2015-10-25, deraadt, 1 file, -2/+2] Fold "malloc" into "stdio" and -- recognizing that no program so far has
  used less than "stdio" -- include all the "self" operations. Instead of different defines, use regular PLEDGE_* in the "p_pledgenote" variable (which indicates the operation subtype a system call is performing). Many checks before easier to understand. p_pledgenote can often be passed directly to ktrace, so that kdump says:
    15565 test CALL pledge(0xa9a3f804c51,0)
    15565 test STRU pledge request="stdio"
    15565 test RET pledge 0
    15565 test CALL open(0xa9a3f804c57,0x2<O_RDWR>)
    15565 test NAMI "/tmp/testfile"
    15565 test PLDG open, "wpath", errno 1 Operation not permitted
  with help from semarie, ok guenther
* [2015-10-10, deraadt, 1 file, -1/+2] I forgot execve would go through the namei codepath, so a program marked
  "stdio rpath" would fail to execve. pre-indicate exec actions to the namei checker to allow them through. ok semarie
* [2015-10-09, deraadt, 1 file, -4/+4] Rename tame() to pledge(). This fairly interface has evolved to be more
  strict than anticipated. It allows a programmer to pledge/promise/covenant that their program will operate within an easily defined subset of the Unix environment, or it pays the price.
* [2015-10-07, deraadt, 1 file, -1/+5] Add the tame "exec" request. This allows processes which request
  "exec" to call execve(2), potentially fork(2) beforehand if they asked for "proc". Calling execve is what "shells" (ksh, tmux, etc) have as their primary purpose. But meantime, if such a shell has a nasty bug, we want to mitigate the process from opening a socket or calling 100+ other system calls. Unfortunately silver bullets are in short supply, so if our goal is to stay in a POSIX-y environment, we have to let shells call execve(). POSIX ate the world, so choices do we all have? Warning for many: silver bullets are even more rare in other OS ecosystems, so please accept this as a narrow lowering of the bar in a very raised environment. Committed from a machine running tame "proc exec" ksh, make, etc.
* [2015-10-02, deraadt, 1 file, -2/+2] missing ) in COMPAT_LINUX block
* [2015-10-02, guenther, 1 file, -5/+26] Add ktracing of argv and envp to execve(2), with envp not traced by default
  ok tedu@ deraadt@
* [2015-09-28, deraadt, 1 file, -6/+6] Track size of an opaque allocation to pass to free() later
  ok guenther tedu
* [2015-07-22, deraadt, 1 file, -3/+3] memory leak in execve with systrace, plus some unreachable code
  spotted by Maxime Villard. ok guenther millert
* [2015-07-20, guenther, 1 file, -1/+3] Add kbind, a syscall for ld.so to use to securely and efficiently update
  memory for lazy binding. ok deraadt@
* [2015-03-14, jsg, 1 file, -3/+1] Remove some includes include-what-you-use claims don't
  have any direct symbols used. Tested for indirect use by compiling amd64/i386/sparc64 kernels. ok tedu@ deraadt@
* [2015-02-09, miod, 1 file, -3/+9] Change the way stackgap_random is applied. Instead of applying it within the
  fixed stack area of the exec'd image, and risking hitting process limits, should we want to increase stackgap_random, the randomness is applied to the stack region in the process' vmspace.
* [2015-02-09, miod, 1 file, -5/+5] Stop using USRSTACK as the edge of the stack, but rather use the vmspace
  vm_minsaddr or vm_maxsaddr, depending upon the direction the stack goes in. This should have no effect on the existing behaviour. ok kettenis@ deraadt@
* [2015-02-07, tedu, 1 file, -1/+7] forbid execve() with argc == 0. prompted by a millert email.
  ok deraadt miod
* [2015-01-26, kettenis, 1 file, -6/+17] Move the "stackgap" from the stack into its own page at a random address.
  This allows us to unmap the initial part of the stack, such that it can't be used as a staging area for ROP (or other) attacks. ok guenther@, tedu@
* [2015-01-20, kettenis, 1 file, -2/+7] Move ps_strings "after" the random stackgap. This makes its location a
  per-process value, and therefore turns the VM_PSSTRINGS sysctl into a per-process one as well. This gets rid of a pointer to the bottom of the stack at a fixed location. Also clears the road for unmapping the stackgap. ok deraadt@
* [2015-01-15, kettenis, 1 file, -2/+2] Map the sigcode page with MAP_INHERIT_COPY to make sure it isn't shared after
  a fork. ok deraadt@
* [2015-01-15, kettenis, 1 file, -2/+3] Map the sigcode page copy-on-write. This allows userland to put breakpoints
  in the signal trampoline. Solves some long-standing issues with debugging signal handlers in GDB. ok deraadt@
* [2014-12-17, guenther, 1 file, -3/+3] Prefer MADV_* over POSIX_MADV_* in kernel for consistency: the latter
  doesn't have all the values and therefore can't be used everywhere. ok deraadt@ kettenis@
* [2014-12-16, tedu, 1 file, -1/+3] primary change: move uvm_vnode out of vnode, keeping only a pointer.
  objective: vnode.h doesn't include uvm_extern.h anymore. followup changes: include uvm_extern.h or lock.h where necessary. ok and help from deraadt
* [2014-12-15, guenther, 1 file, -3/+3] Use MAP_INHERIT_* for the 'inh' argument to the UVM_MAPFLAG() macro,
  eliminating the must-be-kept-in-sync UVM_INH_* macros. ok deraadt@ tedu@
* [2014-12-10, tedu, 1 file, -2/+2] convert bcopy to memcpy. ok millert
* [2014-11-18, tedu, 1 file, -3/+1] move arc4random prototype to systm.h. more appropriate for most code
  to include that than rndvar.h. ok deraadt dlg
* [2014-11-16, deraadt, 1 file, -5/+5] Replace a plethora of historical protection options with just
  PROT_NONE, PROT_READ, PROT_WRITE, and PROT_EXEC from mman.h. PROT_MASK is introduced as the one true way of extracting those bits. Remove UVM_ADV_* wrapper, using the standard names. ok doug guenther kettenis
* [2014-10-18, kettenis, 1 file, -5/+7] Don't assume that ep_taddr and ep_daddr are page-aligned. It is possible to
  construct ELF executables for which ep_daddr ends up not being properly aligned. Sanitize the addresses before setting up the address space for the new executable. Should fix the panic discovered by Alejandro Hernandez. ok miod@
* [2014-09-28, kettenis, 1 file, -5/+10] Replace uvm_km_alloc(9) and uvm_km_free(9) with the equivalent km_alloc(9)
  and km_free(9) calls. ok tedu@, mlarkin@
* [2014-09-08, guenther, 1 file, -13/+2] Delete procfs; it's always had races and is now unused: no one noticed for
  months that I broke it before the 5.5 release. confirmed as not being required by ports by sthen@, ajacoutot@, dcoppa@
* [2014-07-12, tedu, 1 file, -8/+8] add a size argument to free. will be used soon, but for now default to 0.
  after discussions with beck deraadt kettenis.
* [2014-07-08, deraadt, 1 file, -3/+1] decouple struct uvmexp into a new file, so that uvm_extern.h and sysctl.h
  don't need to be married. ok guenther miod beck jsing kettenis
* [2014-05-15, guenther, 1 file, -10/+9] Move from struct proc to process the reference-count-holding pointers
  to the process's vmspace and filedescs. struct proc continues to keep copies of the pointers, copying them on fork, clearing them on exit, and (for vmspace) refreshing on exec. Also, make uvm_swapout_threads() thread aware, eliminating p_swtime in kernel. particular testing by ajacoutot@ and sebastia@
* [2014-04-18, guenther, 1 file, -2/+14] Have each thread keep its own (counted!) reference to the process's ucreds
  to avoid possible use-after-free references when swapping ids in threaded processes. "Do I have the right creds?" checks are always made with the thread's creds. Inspired by FreeBSD and NetBSD. "right time" deraadt@
* [2014-03-30, guenther, 1 file, -11/+18] Eliminates struct pcred by moving the real and saved ugids into
  struct ucred; struct process then directly links to the ucred. Based on a discussion at c2k10 or so before noting that FreeBSD and NetBSD did this too. ok matthew@
* [2014-03-26, guenther, 1 file, -9/+9] Move p_emul and p_sigcode from proc to process.
  Tweak the handling of ktrace EMUL when changing ktracing: only generate one per process (not one per thread) and pass the correct proc pointer down to the VFS layer. Permit generating of NAMI and CSW records inside ktrace(2) itself. ok deraadt@ millert@
* [2014-03-19, deraadt, 1 file, -11/+10] Properly align the stack using _STACKALIGNBYTES, rather than the ALIGN()
  macro which is unaware that stacks may need larger alignment. This may mean that some workarounds in crt0 can go away (here's looking at you mips64..) Tested on about half the architectures (the most special cases), so let's see what happens. with tobiasu
* [2014-01-21, tedu, 1 file, -2/+2] bzero -> memset
* [2014-01-20, guenther, 1 file, -3/+3] Move p_textvp from struct proc to struct process so that the exit code
  can be further simplified. ok kettenis@
* [2013-06-17, guenther, 1 file, -1/+5] Add support for the _POSIX_CPUTIME and _POSIX_THREAD_CPUTIME options,
  including CLOCK_{PROCESS,THREAD}_CPUTIME_ID constants and {clock,pthread}_getcpuclockid() functions. Worked out at t2k13 with help from tedu@ and matthew@ and testing by aja@. ok matthew@
* [2013-03-30, tedu, 1 file, -3/+5] vrele() is a tricky beast. it can sleep if the refcount hits zero,
  leaving us with a free type function that isn't atomic. deal with this by erasing any reachable pointers to the vnode first, then free it. ok deraadt guenther
* [2013-03-28, deraadt, 1 file, -2/+1] do not include machine/cpu.h from a .c file; it is the responsibility of
  .h files to pull it in, if needed. ok tedu
* [2012-08-02, guenther, 1 file, -2/+2] Apply profiling to all threads instead of just the thread that called
  profil() by moving P_PROFIL from proc->p_flag to process->ps_flags with matching adjustment in fork1() and exit1(). ok matthew@
* [2012-05-01, guenther, 1 file, -2/+2] Correct the error path in execve when there's a race to single thread
  the process. noted and ok markus@
* [2012-04-22, guenther, 1 file, -2/+2] Add struct proc * argument to FRELE() and FILE_SET_MATURE() in
  anticipation of further changes to closef(). No binary change. ok krw@ miod@ deraadt@
* [2012-04-13, kettenis, 1 file, -3/+3] First stab at making ptrace(2) usable for debugging multi-threaded programs.
  It implements a full-stop model where all threads are stopped before handing over control to the debugger. Events are reported as before through wait(2); you will have to call ptrace(PT_GET_PROCESS_STATE, ...) to find out which thread hit the event. Since this changes the size of struct ptrace_state, you will have to recompile gdb. ok guenther@
* [2012-04-12, mikeb, 1 file, -2/+2] move accounting flags to struct process; idea and ok guenther
* [2012-03-26, deraadt, 1 file, -2/+2] clear junk in p_comm before copying shorter names into it
  ok jsing guenther miod
* [2012-03-23, guenther, 1 file, -8/+5] Make rusage totals, itimers, and profile settings per-process instead
  of per-rthread. Handling of per-thread tick and runtime counters inspired by how FreeBSD does it. ok kettenis@
* [2012-03-09, ariane, 1 file, -4/+2] New vmmap implementation.
  no oks (it is really a pain to review properly)
  extensively tested, I'm confident it'll be stable
  'now is the time' from several icb inhabitants
  Diff provides:
  - ability to specify different allocators for different regions/maps
  - a simpler implementation of the current allocator
  - currently in compatibility mode: it will generate similar addresses as the old allocator
* [2012-02-20, guenther, 1 file, -6/+6] First steps for making ptrace work with rthreads:
  - move the P_TRACED and P_INEXEC flags, and p_oppid, p_ptmask, and p_ptstat member from struct proc to struct process
  - sort the PT_* requests into those that take a PID vs those that can also take a TID
  - stub in PT_GET_THREAD_FIRST and PT_GET_THREAD_NEXT
  ok kettenis@