path: root/sys/kern/kern_sig.c

Commit log (newest first). Each entry: commit message, then [author, date, files changed, lines -removed/+added].
* When killing a process, the signal is handled by any thread that
  does not block the signal. If all threads block the signal, we delivered it to the main thread. This does not conform to POSIX. If any thread unblocks the signal, it should be delivered immediately to this thread. Mark such signals pending at the process instead of a single thread. Then any thread can handle it later. OK kettenis@ guenther@
  [bluhm, 2019-05-13, 1 file, -22/+32]
* add a KERNEL_ASSERT_LOCKED() to ptsignal
  it obviously needs to be called with the kernel lock held, so it makes sense to check that so we can unlock more code without introducing bugs that shoot us in the face in the indeterminate future. csignal is basically a wrapper around ptsignal, so calls to that without the kernel lock should be caught by this too. discussed with mpi@ on bugs@
  [dlg, 2019-05-01, 1 file, -1/+3]
* open the coredump file non-blocking. cheloha found it blocks with a fifo.
  ok cheloha deraadt
  [tedu, 2019-02-19, 1 file, -2/+3]
* Sprinkle a pinch of timerisvalid/timespecisvalid over the rest of sys/kern
  [cheloha, 2019-01-23, 1 file, -2/+2]
* Remove unused function gsignal().
  OK deraadt@ anton@
  [visa, 2018-12-17, 1 file, -13/+1]
* Add a mechanism for managing asynchronous IO signal registrations.
  It centralizes IO signal privilege checking and makes it possible to revoke a registration when the target process or process group is deleted. Adapted from FreeBSD. OK kettenis@ mpi@ guenther@
  [visa, 2018-11-12, 1 file, -1/+271]
* wrap long lines
  [deraadt, 2018-08-03, 1 file, -3/+6]
* Revert the change that delivers process signals to any threads. As
  a side effect, pending signals specifically sent to the main thread were handled by other threads. This made gcj in textproc/pdftk port build stall. Noticed and tested by espie@.
  [bluhm, 2018-07-18, 1 file, -7/+4]
* If no thread can immediately handle a signal, which has been sent
  to the process, it is made pending at the main thread. There it could hang forever. So also check the main thread for signal delivery. This workaround fixes hung tests in posixtestsuite. The proper solution would be to split pending signals for process and threads. input visa@; OK guenther@
  [bluhm, 2018-07-11, 1 file, -4/+7]
* Move from sendsig() to its callers the initsiginfo() calls and
  instead of passing sendsig() the code+type+val, pass a siginfo_t* to copy from. Eliminate the indirection through struct emul for sendsig(); we no longer have a SunOS4-compat version of sendsig(). ok deraadt@
  [guenther, 2018-07-10, 1 file, -11/+7]
* Clean up the parameters of VOP_LOCK() and VOP_UNLOCK(). It is always
  curproc that does the locking or unlocking, so the proc parameter is pointless and can be dropped. OK mpi@, deraadt@
  [visa, 2018-04-28, 1 file, -4/+4]
* Implement MAP_STACK option for mmap(). Synchronous faults (pagefault and
  syscall) confirm the stack register points at MAP_STACK memory, otherwise SIGSEGV is delivered. sigaltstack() and pthread_attr_setstack() are modified to create a MAP_STACK sub-region which satisfies alignment requirements. Observe that MAP_STACK can only be set/cleared by mmap(), which zeroes the contents of the region -- there is no mprotect() equivalent operation, so there is no MAP_STACK-adding gadget. This opportunistic software-emulation of a stack protection bit makes stack-pivot operations during ROPchain fragile (kind of like removing a tool from the toolbox). original discussion with tedu, uvm work by stefan, testing by mortimer ok kettenis
  [deraadt, 2018-04-12, 1 file, -1/+6]
* Exclude SIGKILL from ptrace(2) interception.
  This can lead to a deadlock where the parent waits infinitely for the traced process. Original problem reported by tb@ and worked around by visa@ for release by not calling CURSIG() twice in userret(). ok tb@, visa@
  [mpi, 2018-03-27, 1 file, -6/+8]
* Avoid calling issignal() twice on signal delivery in order not
  to generate more than one ptrace(2) event. Do that by checking pending signals first without altering any state. If there is an unmasked signal ready for delivery, acquire the kernel lock and redo the checks in issignal(). This prevents gdb from blocking on exit when it attempts to kill an attached process, issue reported by tb@. OK mpi@, deraadt@
  [visa, 2018-03-24, 1 file, -2/+2]
* Fix a TOCTOU race that causes signals to be delivered more than once.
  The race is only triggerable if one of the threads of a multi-threaded program is in the middle of a NOLOCK syscall when a signal is received. The problem is that `ps_sigact' is shared between threads so its access should be serialized. In the case of SA_RESETHAND, the handler is reset when a signal is delivered, so delivering the signal twice would put the process in an "impossible" state where some threads were stopped and some were waiting for the others to die. Serialize signal checking & processing with the KERNEL_LOCK() for now, and introduce postsig_done() gypped from FreeBSD, to make sure the lock is held when resetting the handler. Bug report from espie@, ok visa@
  [mpi, 2018-02-26, 1 file, -34/+41]
* Remove almost unused `flags' argument of suser().
  The account flag `ASU' will no longer be set but that makes suser() mpsafe since it no longer messes with a per-process field. No objection from millert@, ok tedu@, bluhm@
  [mpi, 2018-02-19, 1 file, -2/+2]
* Don't pull in <sys/file.h> just to get fcntl.h
  ok deraadt@ krw@
  [guenther, 2017-12-30, 1 file, -2/+2]
* Fix comment typo
  [guenther, 2017-11-27, 1 file, -2/+2]
* ASLR, W^X, and guard pages trigger processor traps that result in
  SIGILL, SIGBUS, SIGSEGV signals. Make such memory violations visible in lastcomm(1). This also works if a program tries to hide them with a signal handler. Manual kill -SEGV does not generate false positives. OK deraadt@
  [bluhm, 2017-06-08, 1 file, -1/+9]
* Add a port of witness(4) lock validation tool from FreeBSD.
  Go-ahead from kettenis@, guenther@, deraadt@
  [visa, 2017-04-20, 1 file, -1/+4]
* Avoid some false positives with cppcheck. No binary change.
  OK jsg@
  [bluhm, 2017-04-14, 1 file, -3/+3]
* Provide mips64 with kernel-facing TCB_{GET,SET} macros that store it
  in struct mdproc. With that, all archs have those and the __HAVE_MD_TCB macro can be unifdef'ed as always defined. ok kettenis@ visa@ jsing@
  [guenther, 2017-04-13, 1 file, -5/+2]
* Rename pfind(9) into tfind(9) to reflect that it deals with threads.
  While here document prfind(9). with and ok guenther@
  [mpi, 2017-01-24, 1 file, -2/+2]
* p_comm is the process's command and isn't per thread, so move it from
  struct proc to struct process. ok deraadt@ kettenis@
  [guenther, 2017-01-21, 1 file, -6/+7]
* Display/test/use the process PID, not the thread's TID, in a few places.
  ok mpi@ mikeb@
  [guenther, 2016-10-05, 1 file, -8/+8]
* all pools have their ipl set via pool_setipl, so fold it into pool_init.
  the ioff argument to pool_init() is unused and has been for many years, so this replaces it with an ipl argument. because the ipl will be set on init we no longer need pool_setipl. most of these changes have been done with coccinelle using the spatch below. cocci sucks at formatting code though, so i fixed that by hand. the manpage and subr_pool.c bits i did myself. ok tedu@ jmatthew@

    @ipl@
    expression pp;
    expression ipl;
    expression s, a, o, f, m, p;
    @@
    -pool_init(pp, s, a, o, f, m, p);
    -pool_setipl(pp, ipl);
    +pool_init(pp, s, a, ipl, f, m, p);

  [dlg, 2016-09-15, 1 file, -4/+3]
* Remove sys_o58_kill since OpenBSD 6.0 has been tagged/released.
  ok deraadt@
  [jsing, 2016-09-04, 1 file, -58/+1]
* pool_setipl
  ok kettenis@
  [dlg, 2016-08-25, 1 file, -1/+2]
* Prevent silly states via knotes on pids > 2^32 and on nonexistent signals.
  ok tedu@
  [guenther, 2016-07-14, 1 file, -1/+4]
* fix several places where calculating ticks could overflow.
  it's not enough to assign to an unsigned type because if the arithmetic overflows the compiler may decide to do anything. so change all the long long casts to uint64_t so that we start with the right type. reported by Tim Newsham of NCC. ok deraadt
  [tedu, 2016-07-06, 1 file, -3/+3]
* Repair kill(2) on zombie processes.
  kill(2) is supposed to find zombie processes, this probably got broken when the process reaper was introduced. As a temporary(tm) workaround, walk the list of zombie processes if we can't find the target pid in the main process list. Problem with zsh initially reported by Geoff Wozniak on misc@, analysis done by naddy@. ok kettenis@ tedu@
  [jca, 2016-06-27, 1 file, -4/+9]
* Restore the sys_o58_kill system call.
  By keeping both the new (sys_kill/sys_thrkill) and old (sys_o58_kill) system calls for the OpenBSD 6.0 release, code that uses either of these mechanisms will work on both of the supported OpenBSD releases. This provides a clean transition for runtimes that make direct system calls (namely the Go programming language). This requires a minimal amount of non-intrusive code and does not block development progress within OpenBSD. ok deraadt@ guenther@
  [jsing, 2016-06-27, 1 file, -1/+58]
* if the timeout rounds to zero, make it one tick, otherwise we sleep
  forever. noticed by Davin McCall. while here, if the timeout actually is zero, return appropriate error. ok guenther.
  [tedu, 2016-06-11, 1 file, -1/+6]
* sys_o58_kill is no longer needed for compat.
  ok guenther sthen
  [deraadt, 2016-05-31, 1 file, -58/+1]
* Use a macro to check if a thread has a sibling.
  Note that without locking a thread cannot claim that it is part of a multi-threaded process using this macro. Suggested by miod@, ok guenther@
  [mpi, 2016-03-29, 1 file, -3/+2]
* add newline on the end of the failure message
  ok deraadt@
  [beck, 2016-03-26, 1 file, -3/+3]
* Remove the unused flags argument from VOP_UNLOCK().
  torture tested on amd64, i386 and macppc. ok beck mpi stefan, "the change looks right" deraadt
  [natano, 2016-03-19, 1 file, -4/+4]
* Correct some comments and definitions, from Michal Mazurek.
  [mpi, 2016-03-09, 1 file, -3/+3]
* drop "abort" promise, and make it the default behaviour.
  The current code has already set it by default since 1.74: any pledge failure tries to make a coredump (default rules for coredump still apply: so setuid binaries don't create them locally). ok deraadt@
  [semarie, 2016-01-09, 1 file, -2/+1]
* remove stale lint annotations
  [tedu, 2015-12-05, 1 file, -5/+1]
* Split the intra-thread functionality from kill(2) into its own syscall
  thrkill(2), rolling the kill(2) syscall number with the ABI change to avoid breaking binaries during the transition. thrkill(2) includes a 'tcb' argument that eliminates the need for locking in pthread_kill() and simplifies pthread_cancel(). Switch __stack_smash_handler() to use thrkill(2) and explicitly unblock SIGABRT. Minor bump to both libc and libpthread: make sure you install a new kernel! ok semarie@
  [guenther, 2015-11-10, 1 file, -5/+82]
* move the pledgenote annotation from `struct proc' to `struct nameidata'
  pledgenote is used to annotate the policy for a namei context. So make it track the nameidata. It is expected for the caller to explicitly define the policy. It is a kernel bug to not do so. ok deraadt@
  [semarie, 2015-11-02, 1 file, -2/+2]
* refactor pledge_*_check and pledge_fail functions
  - rename _check function without suffix: a "pledge" function called from anywhere is a "check" function.
  - makes pledge_fail call the responsibility of the _check function. remove it from caller.
  - make proper use of (potential) returned error of _check() functions.
  - adds pledge_kill() and pledge_protexec()
  with and OK deraadt@
  [semarie, 2015-11-01, 1 file, -10/+4]
* Fold "malloc" into "stdio" and -- recognizing that no program so far has
  used less than "stdio" -- include all the "self" operations. Instead of different defines, use regular PLEDGE_* in the "p_pledgenote" variable (which indicates the operation subtype a system call is performing). Many checks before easier to understand. p_pledgenote can often be passed directly to ktrace, so that kdump says:

    15565 test     CALL  pledge(0xa9a3f804c51,0)
    15565 test     STRU  pledge request="stdio"
    15565 test     RET   pledge 0
    15565 test     CALL  open(0xa9a3f804c57,0x2<O_RDWR>)
    15565 test     NAMI  "/tmp/testfile"
    15565 test     PLDG  open, "wpath", errno 1 Operation not permitted

  with help from semarie, ok guenther
  [deraadt, 2015-10-25, 1 file, -3/+3]
* pid 0 also implies self, so allow that for the pledge case. Found in
  a refactoring being done for the bc/dc relationship with otto.
  [deraadt, 2015-10-10, 1 file, -2/+3]
* Allow kill(self, sig) in pledge SELF also. the stack protector, abort(),
  and readpassphrase() in particular use this. ok millert tedu semarie
  [deraadt, 2015-10-09, 1 file, -1/+10]
* Rename tame() to pledge(). This fairly interface has evolved to be more
  strict than anticipated. It allows a programmer to pledge/promise/covenant that their program will operate within an easily defined subset of the Unix environment, or it pays the price.
  [deraadt, 2015-10-09, 1 file, -2/+2]
* Rather than disabling tame to coredump, leave it enabled but flag that
  a coredump is happening. This improves behaviour while threaded. ok semarie
  [deraadt, 2015-07-27, 1 file, -2/+2]
* Fix annoying console spew when we can't write the core file. use log instead.
  ok krw@ sthen@ comments from deraadt@, miod@
  [beck, 2015-07-20, 1 file, -6/+8]
* tame(2) is a subsystem which restricts programs into a "reduced feature
  operating model". This is the kernel component; various changes should proceed in-tree for a while before userland programs start using it. ok miod, discussions and help from many
  [deraadt, 2015-07-19, 1 file, -1/+2]