| Commit message (Collapse) | Author | Age | Files | Lines |
| |
strict than anticipated. It allows a programmer to pledge/promise/covenant
that their program will operate within an easily defined subset of the
Unix environment, or it pays the price.
| |
{Free,Net}BSD
- when a socket is closed with fds in its input, defer closing them to
a task to avoid recursing. This eliminates the complicated extra
reference taking which had a 37 line(!) comment explanation
- move flags, counts, and links only needed for this from struct file to
struct unpcb
- document the flow of the mark/sweep collector
much help from claudio@ who made me explain the GC to him until we trusted it
ok claudio@ mpi@ deraadt@
| |
The pathlist is a whitelist of dirs and files; anything else returns ENOENT.
Recommendation is to use a narrowly defined list. Also add TAME_FATTR, which
permits explicit change operations against "struct stat" fields. Some
other TAME_ flags are refined slightly.
Not cranking libc now, since nothing committed in base uses this and the
timing is uncomfortable for others. Discussed with many; thanks for a
few bug fixes from semarie, doug, guenther.
ok guenther
| |
tests reported an EMSGSIZE error although the sent message was not
too large. The way backpressure was implemented for unix domain
sockets confused the check in sosend().
Unix domain sockets append data only to the recv buffer. To report
the amount of content to the sender, the high watermark of the send
buffer was reduced. This happened for SOCK_STREAM and SOCK_SEQPACKET.
Sosend checks whether atomic chunks could ever fit into the send
buffer which is limited by the high watermark. This happens for
SOCK_DGRAM and SOCK_SEQPACKET. For SOCK_SEQPACKET the combination
of these mechanisms resulted in an EMSGSIZE error when the buffer
got filled. This also happened when space could be created by
reading from the other end in contradiction to the semantics of
EMSGSIZE.
Do not emulate a send buffer that has no space. It is better to
fill the buffer with fake data than to reduce its size. Thus the
high watermark always contains the real value. When disconnecting,
reset the counters. Otherwise the socket layer would try to flush
non existing data in the send buffer.
Tested by jeremy@ with a C program and the ruby tests.
OK markus@ jeremy@
| |
and a count instead of calling the callback on each one, while also renders
the 'dispose' argument superfluous.
Move unp_*() prototypes from <sys/un.h> to <sys/unpcb.h>
ok claudio@ mpi@
| |
compatibility with 4.3BSD in September 1989.
*Pick your own definition for "temporary".
ok bluhm@, claudio@, dlg@
| |
a SLIST.
OK mpi@ benno@
| |
ok doug tedu
| |
when creating them: pipe2(), dup3(), accept4(), MSG_CMSG_CLOEXEC,
SOCK_CLOEXEC. Includes SOCK_NONBLOCK support.
ok matthew@
| |
after discussions with beck deraadt kettenis.
| |
pr->ps_mainproc->p_pid to get the PID.
ok matthew@
| |
leaking values in the padding bytes on LP64. Also, vn_stat() was lacking
the zero-fill to clean its padding.
ok kettenis@ deraadt@ phessler@
| |
leaving us with a free type function that isn't atomic. deal with this
by erasing any reachable pointers to the vnode first, then free it.
ok deraadt guenther
| |
get{sock,peer}name() behave like accept() when the involved UNIX-domain
socket isn't bound to an address, returning an AF_UNIX sockaddr
with zero-length sun_path. Based on diff from robert@ and mikeb@
ok robert@ deraadt@
| |
pointer array; we can access it directly.
ok guenther
| |
shared between processes.
ok djm@
| |
- Require sun_family to be set to AF_UNIX (also in unp_connect())
- Ensure internal sockaddr_un's always have their length set to
sizeof(struct sockaddr_un) regardless of the user specified length,
implicitly extending with NUL characters as necessary.
- Normalize sun_path to never contain a non-NUL character after a
NUL character.
Lack of NUL termination on truncated sockaddrs issue pointed out by
Michael Kerrisk on the Austin Group mailing list.
ok millert
| |
ok deraadt, miod, guenther
| |
that leaks all the file pointers. Instead make sure that the exit path via
restart: -> out: does not free the uninitialized pointer.
OK deraadt@ guenther@
| |
ok deraadt@
| |
valid after that. Copy the data into a temp buffer and then copy it back
into the shiny new cluster. Problem found by deraadt@. Ok deraadt@
| |
losing them.
ok claudio
| |
during CMSG_DATA SCM_RIGHTS fd transfers. If this is exceeded,
return EMFILE.
ok claudio guenther gilles
| |
ok claudio@
| |
that *some* char in sun_path is NUL, not necessarily the last.
ok claudio@ tedu@
| |
and that it is nul terminated. This means the longest path is now 103
chars long. With and OK guenther@
| |
move those flags to f_iflags; This makes room in the
flag member of struct file for some goodies matthew@
as planned.
ok matthew@, deraadt@.
| |
they're tightly bound to struct filedesc, leading to NULL derefs
during exit1().
ok henning@, millert@, kettenis@
| |
can go away
ok guenther
| |
so that we remember to remove it all at the same time in two years.
ok deraadt@
| |
thread. Discussion with guenther.
| |
getpeereid(2), but also supplies the remote pid. This is supplied in
a 'struct sockpeercred' (unlike Linux -- they showed how little they
know about real unix by calling theirs 'struct ucred').
ok guenther ajacoutot
| |
the receiving side when passing fd's. ok deraadt@ kettenis@
| |
POSIX 1003.1-2008, with compatibility macros for the names used in
previous version of OpenBSD. Update all the references in the
kernel to use the new, standard member names.
ok'ed by miod@, otto@; ports build test by naddy@
| |
get hung in nfs_reconnect() because they do not have the proper
privileges to bind to a socket, by adding a struct proc * argument
to sobind() (and the *_usrreq() routines, and finally in{6}_pcbbind)
and do the sobind() with proc0 in nfs_connect.
OK markus@, blambert@.
"go ahead" deraadt@.
Fixes an issue reported by bernd@ (Tested by bernd@).
Fixes PR5135 too.
| |
and with exactly the right amount of padding.
diff actually typed in by deraadt@
| |
dir-outside-chroot-directory into a chroot jail
ok markus
| |
msg_controllen should be CMSG_LEN() instead of CMSG_SPACE() because
the kernel fd passing code was erroring out when
"cm->cmsg_len != control->m_len"
instead of
"CMSG_ALIGN(cm->cmsg_len) != control->m_len".
On machines with 16-byte alignment, when one thinks about how the ALIGN
padding happens, it is clear that msg_controllen has to be CMSG_SPACE()
or the kernel cannot hope to bounds check the messages correctly.
For now, change the check to cm->cmsg_len > control->m_len to permit the
old ABI to continue working. Later perhaps when all the old binaries
are gone we can stop permitting their use.
lots of discussion with kettenis