path: root/sys/kern/uipc_usrreq.c (follow)
Commit message [Author, Age, Files, Lines]
...
* AF_UNIX connect is a "unix" operation, not "rpath wpath"  [deraadt, 2015-11-03, 1 file, -2/+2]
* move the pledgenote annotation from `struct proc' to `struct nameidata'  [semarie, 2015-11-02, 1 file, -3/+3]
  pledgenote is used to annotate the policy for a namei context. So make it track the nameidata. It is expected for the caller to explicitly define the policy. It is a kernel bug to not do so. ok deraadt@
* refactor pledge_*_check and pledge_fail functions  [semarie, 2015-11-01, 1 file, -3/+3]
  - rename _check function without suffix: a "pledge" function called from anywhere is a "check" function.
  - makes pledge_fail call the responsibility to the _check function. remove it from caller.
  - make proper use of (potential) returned error of _check() functions.
  - adds pledge_kill() and pledge_protexec()
  with and OK deraadt@
* bind() on AF_UNIX should set PLEDGE_UNIX not PLEDGE_CPATH; ok semarie  [deraadt, 2015-11-01, 1 file, -2/+2]
* Fold "malloc" into "stdio" and -- recognizing that no program so far has  [deraadt, 2015-10-25, 1 file, -3/+3]
  used less than "stdio" -- include all the "self" operations. Instead of different defines, use regular PLEDGE_* in the "p_pledgenote" variable (which indicates the operation subtype a system call is performing). Many checks before easier to understand. p_pledgenote can often be passed directly to ktrace, so that kdump says:
      15565 test CALL  pledge(0xa9a3f804c51,0)
      15565 test STRU  pledge request="stdio"
      15565 test RET   pledge 0
      15565 test CALL  open(0xa9a3f804c57,0x2<O_RDWR>)
      15565 test NAMI  "/tmp/testfile"
      15565 test PLDG  open, "wpath", errno 1 Operation not permitted
  with help from semarie, ok guenther
* Instead of fragile CMSG parsing, control pledge "sendfd" and "recvfd"  [deraadt, 2015-10-18, 1 file, -1/+10]
  in unp_internalize and unp_externalize. ok kettenis guenther
* connect() to an AF_UNIX socket is really read/write, so tell pledge this  [deraadt, 2015-10-17, 1 file, -2/+2]
  is a RPATH|WPATH operation. Discussed with doug and millert
* Rename tame() to pledge(). This fairly interface has evolved to be more  [deraadt, 2015-10-09, 1 file, -3/+3]
  strict than anticipated. It allows a programmer to pledge/promise/covenant that their program will operate within an easily defined subset of the Unix environment, or it pays the price.
* sizes for free(); ok guenther  [deraadt, 2015-08-29, 1 file, -4/+4]
* Rework the UNIX domain socket garbage collector, including ideas from  [guenther, 2015-08-28, 1 file, -115/+145]
  {Free,Net}BSD
  - when a socket is closed with fds in its input, defer closing them to a task to avoid recursing. This eliminates the complicated extra reference taking which had a 37 line(!) comment explanation
  - move flags, counts, and links only needed for this from struct file to struct unpcb
  - document the flow of the mark/sweep collector
  much help from claudio@ who made me explain the GC to him until we trusted it
  ok claudio@ mpi@ deraadt@
* Move to tame(int flags, char *paths[]) API/ABI.  [deraadt, 2015-08-22, 1 file, -1/+3]
  The pathlist is a whitelist of dirs and files; anything else returns ENOENT. Recommendation is to use a narrowly defined list. Also add TAME_FATTR, which permits explicit change operations against "struct stat" fields. Some other TAME_ flags are refined slightly. Not cranking libc now, since nothing committed in base uses this and the timing is uncomfortable for others. Discussed with many; thanks for a few bug fixes from semarie, doug, guenther. ok guenther
* For unix domain sequenced packet socket pairs the ruby regression  [bluhm, 2015-07-28, 1 file, -23/+11]
  tests reported an EMSGSIZE error although the sent message was not too large. The way backpressure was implemented for unix domain sockets confused the check in sosend(). Unix domain sockets append data only to the recv buffer. To report the amount of content to the sender, the high watermark of the send buffer was reduced. This happened for SOCK_STREAM and SOCK_SEQPACKET. Sosend checks whether atomic chunks could ever fit into the send buffer which is limited by the high watermark. This happens for SOCK_DGRAM and SOCK_SEQPACKET. For SOCK_SEQPACKET the combination of these mechanisms resulted in an EMSGSIZE error when the buffer got filled. This also happened when space could be created by reading from the other end in contradiction to the semantics of EMSGSIZE. Do not emulate a send buffer that has no space. It is better to fill the buffer with fake data than to reduce its size. Thus the high watermark always contains the real value. When disconnecting, reset the counters. Otherwise the socket layer would try to flush non-existing data in the send buffer. Tested by jeremy@ with a C program and the ruby tests. OK markus@ jeremy@
* Change unp_scan() and its callbacks to pass the array of struct file **  [guenther, 2015-07-18, 1 file, -39/+35]
  and a count instead of calling the callback on each one, which also renders the 'dispose' argument superfluous. Move unp_*() prototypes from <sys/un.h> to <sys/unpcb.h> ok claudio@ mpi@
* Get rid of the undocumented & temporary* m_copy() macro added for  [mpi, 2015-06-30, 1 file, -2/+2]
  compatibility with 4.3BSD in September 1989. *Pick your own definition for "temporary". ok bluhm@, claudio@, dlg@
* Replace the hand-crafted list of datagram unix domain sockets with  [bluhm, 2015-03-28, 1 file, -19/+6]
  a SLIST. OK mpi@ benno@
* convert bcopy to memcpy/memmove. ok krw  [tedu, 2014-12-11, 1 file, -6/+6]
* pass size argument to free()  [deraadt, 2014-11-03, 1 file, -4/+4]
  ok doug tedu
* Add additional kernel interfaces for setting close-on-exec on fds  [guenther, 2014-08-31, 1 file, -2/+5]
  when creating them: pipe2(), dup3(), accept4(), MSG_CMSG_CLOEXEC, SOCK_CLOEXEC. Includes SOCK_NONBLOCK support. ok matthew@
* bzero -> memset. for the speeds.  [tedu, 2014-07-13, 1 file, -2/+2]
* use mallocarray where arguments are multiplied. ok deraadt  [tedu, 2014-07-13, 1 file, -3/+3]
* add a size argument to free. will be used soon, but for now default to 0.  [tedu, 2014-07-12, 1 file, -8/+8]
  after discussions with beck deraadt kettenis.
* In prep for killing ps_mainproc, use pr->ps_pid instead of  [guenther, 2014-03-18, 1 file, -3/+3]
  pr->ps_mainproc->p_pid to get the PID. ok matthew@
* Copy timespecs member by member in fo_stat callback functions, to avoid  [guenther, 2014-01-24, 1 file, -10/+15]
  leaking values in the padding bytes on LP64. Also, vn_stat() was lacking the zero-fill to clean its padding. ok kettenis@ deraadt@ phessler@
* remove some obsolete casts  [tedu, 2013-04-05, 1 file, -4/+4]
* vrele() is a tricky beast. it can sleep if the refcount hits zero,  [tedu, 2013-03-30, 1 file, -2/+4]
  leaving us with a free type function that isn't atomic. deal with this by erasing any reachable pointers to the vnode first, then free it. ok deraadt guenther
* For consistency with other OSes and ease of porting, make  [guenther, 2012-10-12, 1 file, -21/+20]
  get{sock,peer}name() behave like accept() when the involved UNIX-domain socket isn't bound to an address, returning an AF_UNIX sockaddr with zero-length sun_path. Based on diff from robert@ and mikeb@ ok robert@ deraadt@
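What the commit above means for a caller, as an added example that is not part of this log or of the OpenBSD tree: getsockname() on an AF_UNIX socket that was never bound (a socketpair() end, say) returns a sockaddr whose family is AF_UNIX and whose sun_path is empty, so portable code has to derive the path length from the returned length instead of reading sun_path. unbound_unix_pathlen() is a helper name chosen for this page.

```c
/*
 * Added example (not OpenBSD kernel code).  Queries the local name of an
 * unbound AF_UNIX socket and reports how many sun_path bytes the kernel
 * returned: 0 is the behaviour the commit above standardizes on.
 */
#include <stddef.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/un.h>

/*
 * Returns the number of sun_path bytes reported for an unbound socket
 * (0 when the socket has no name), -1 on a syscall failure and -2 if the
 * reported family is not AF_UNIX.
 */
int unbound_unix_pathlen(void)
{
	int sv[2];
	struct sockaddr_un sun;
	socklen_t len = sizeof(sun);
	int ret;

	if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0)
		return -1;
	memset(&sun, 0, sizeof(sun));   /* sun_path stays NUL if nothing is reported */
	ret = getsockname(sv[0], (struct sockaddr *)&sun, &len);
	close(sv[0]);
	close(sv[1]);
	if (ret < 0)
		return -1;
	if (sun.sun_family != AF_UNIX)
		return -2;
	/* The path is whatever the kernel placed past the fixed header. */
	if (len <= offsetof(struct sockaddr_un, sun_path))
		return 0;
	return (int)(len - offsetof(struct sockaddr_un, sun_path));
}
```

The check to carry over into real code is the length comparison: treat `len <= offsetof(struct sockaddr_un, sun_path)` as "no path", and never strlen() sun_path on a sockaddr you did not fill yourself.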
* Do not need bcopy trickery to update the file descriptor  [deraadt, 2012-09-02, 1 file, -4/+2]
  pointer array; we can access it directly. ok guenther
* To protect assumptions inside systrace, don't let systrace fds be  [guenther, 2012-08-23, 1 file, -3/+4]
  shared between processes. ok djm@
* Cleanup unp_bind() a little:  [matthew, 2012-04-26, 1 file, -17/+25]
  - Require sun_family to be set to AF_UNIX (also in unp_connect())
  - Ensure internal sockaddr_un's always have their length set to sizeof(struct sockaddr_un) regardless of the user specified length, implicitly extending with NUL characters as necessary.
  - Normalize sun_path to never contain a non-NUL character after a NUL character.
  Lack of NUL termination on truncated sockaddrs issue pointed out by Michael Kerrisk on the Austin Group mailing list.
  ok millert
* Don't leak mbufs when bind() on a PF_UNIX socket fails.  [matthew, 2012-04-23, 1 file, -8/+15]
  ok deraadt, miod, guenther
* Do not just return in case the provided control buffer is too short since  [claudio, 2012-04-14, 1 file, -5/+8]
  that leaks all the file pointers. Instead make sure that the exit path via restart: -> out: does not free the uninitialized pointer. OK deraadt@ guenther@
* Free tmp buffer in case the cluster allocation failed. Found by David Hill.  [claudio, 2012-04-14, 1 file, -2/+4]
* Revert rev 1.58, as it frees an uninitialized pointer  [guenther, 2012-04-14, 1 file, -5/+3]
  ok deraadt@
* gc unused function  [deraadt, 2012-04-13, 1 file, -8/+1]
* Don't convert an mbuf to a cluster and think the data in the mbuf is still  [claudio, 2012-04-13, 1 file, -3/+9]
  valid after that. Copy the data into a temp buffer and then copy it back into the shiny new cluster. Problem found by deraadt@. Ok deraadt@
* oops, wrong version of diff in previous  [deraadt, 2012-04-13, 1 file, -3/+5]
* Do not clamp the file descriptors to the buffer size; that leads to  [deraadt, 2012-04-13, 1 file, -2/+2]
  losing them. ok claudio
* unnecessary casts to unsigned; ok claudio  [deraadt, 2012-04-13, 1 file, -4/+4]
* In sendmsg() permit at most 10% of maxfiles to be in-flight  [deraadt, 2012-04-11, 1 file, -1/+4]
  during CMSG_DATA SCM_RIGHTS fd transfers. If this is exceeded, return EMFILE. ok claudio guenther gilles
* Implement SOCK_SEQPACKET for UNIX sockets.  [matthew, 2011-07-06, 1 file, -9/+30]
  ok claudio@
* Correct the check for a sun_path that lacks NUL termination to just require  [guenther, 2011-07-06, 1 file, -7/+12]
  that *some* char in sun_path is NUL, not necessarily the last. ok claudio@ tedu@
* Enforce that the path to the unix socket fits into struct sockaddr_un  [claudio, 2011-07-05, 1 file, -10/+20]
  and that it is nul terminated. This means the longest path is now 103 chars long. With and OK guenther@
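The three sun_path commits (2011-07-05, 2011-07-06 and the 2012-04-26 unp_bind() cleanup above) together define one set of rules for a caller-supplied sockaddr_un. The following is an added example, not code from this log or the OpenBSD kernel: a user-space model of those rules that a practitioner can run to see which addresses the kernel would reject and how a truncated or over-long length is neutralised. normalize_sun(), accepts_path() and sun_selftest() are helper names chosen for this page; the BSD sun_len field is deliberately not touched so the model also builds on Linux, whose sun_path is 108 bytes rather than 104.

```c
/*
 * Added example (not OpenBSD kernel code): the sockaddr_un rules that
 * unp_bind()/unp_connect() enforce, modelled in user space.
 */
#include <errno.h>
#include <stddef.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>

#define SUN_PATHOFF offsetof(struct sockaddr_un, sun_path)

/*
 * Copy a caller-supplied address of 'namelen' bytes into a fully sized,
 * NUL-padded sockaddr_un.  Returns 0 or an errno value:
 *   - namelen must cover sun_family and fit the struct     -> EINVAL
 *   - sun_family must be AF_UNIX                           -> EAFNOSUPPORT
 *   - some byte of sun_path must be NUL (not necessarily
 *     the last), so the longest path is sizeof(sun_path)-1 -> EINVAL
 * On success every byte after the first NUL in sun_path is NUL, so a
 * short or oversized user length can never smuggle bytes past the
 * terminator.  (Assumption for portability: sun_len is left alone here;
 * the kernel sets it to sizeof(struct sockaddr_un).)
 */
int normalize_sun(const struct sockaddr *sa, socklen_t namelen,
    struct sockaddr_un *out)
{
	const char *nul;
	size_t plen;

	if (namelen < SUN_PATHOFF || namelen > sizeof(*out))
		return EINVAL;
	memset(out, 0, sizeof(*out));          /* implicit NUL extension */
	memcpy(out, sa, namelen);
	if (out->sun_family != AF_UNIX)
		return EAFNOSUPPORT;
	nul = memchr(out->sun_path, '\0', sizeof(out->sun_path));
	if (nul == NULL)                       /* no NUL anywhere in sun_path */
		return EINVAL;
	plen = (size_t)(nul - out->sun_path);
	/* never a non-NUL character after a NUL character */
	memset(out->sun_path + plen, 0, sizeof(out->sun_path) - plen);
	return 0;
}

/* Build an address from a C string the way a typical caller does (length
 * covers the path plus its NUL, truncated if it does not fit) and run it
 * through normalize_sun().  Returns 0 or an errno value. */
int accepts_path(const char *path)
{
	struct sockaddr_un in, out;
	size_t len = strlen(path) + 1;

	if (len > sizeof(in.sun_path))
		len = sizeof(in.sun_path);     /* truncation drops the NUL */
	memset(&in, 0, sizeof(in));
	in.sun_family = AF_UNIX;
	memcpy(in.sun_path, path, len);
	return normalize_sun((struct sockaddr *)&in,
	    (socklen_t)(SUN_PATHOFF + len), &out);
}

/* Exercise each rule on constructed input; returns how many of the six
 * expected outcomes were observed. */
int sun_selftest(void)
{
	struct sockaddr_un in, out;
	char longpath[sizeof(in.sun_path) + 1];
	int ok = 0;

	/* 1. an ordinary address is accepted */
	if (accepts_path("/tmp/example.sock") == 0)
		ok++;
	/* 2. wrong address family */
	memset(&in, 0, sizeof(in));
	in.sun_family = AF_INET;
	strcpy(in.sun_path, "/tmp/x");
	if (normalize_sun((struct sockaddr *)&in, sizeof(in), &out) == EAFNOSUPPORT)
		ok++;
	/* 3. a length too short to even hold sun_family */
	if (normalize_sun((struct sockaddr *)&in, 1, &out) == EINVAL)
		ok++;
	/* 4. sun_path completely filled with no NUL: one byte too long */
	memset(longpath, 'a', sizeof(longpath) - 1);
	longpath[sizeof(longpath) - 1] = '\0';
	if (accepts_path(longpath) == EINVAL)
		ok++;
	/* 5. the longest accepted path is sizeof(sun_path) - 1 bytes */
	longpath[sizeof(longpath) - 2] = '\0';
	if (accepts_path(longpath) == 0)
		ok++;
	/* 6. bytes after an embedded NUL are wiped, not carried along */
	memset(&in, 0, sizeof(in));
	in.sun_family = AF_UNIX;
	memcpy(in.sun_path, "/tmp/x\0junk", 11);
	if (normalize_sun((struct sockaddr *)&in, sizeof(in), &out) == 0 &&
	    memcmp(out.sun_path, "/tmp/x\0\0\0\0\0", 11) == 0)
		ok++;
	return ok;
}
```

Case 6 is the one worth remembering when auditing code that forwards a sockaddr it received from elsewhere: without the post-NUL wipe, bytes hidden behind the terminator survive a copy and can reappear if a later consumer uses the full structure length instead of strlen().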
* Rename FMARK to FIF_MARK and FDEFER to FIF_DEFER and  [thib, 2011-06-28, 1 file, -13/+11]
  move those flags to f_iflags; This makes room in the flag member of struct file for some goodies matthew@ as planned. ok matthew@, deraadt@.
* Ban passing of kqueue descriptors via UNIX domain sockets. Currently,  [guenther, 2011-05-17, 1 file, -1/+6]
  they're tightly bound to struct filedesc, leading to NULL derefs during exit1(). ok henning@, millert@, kettenis@
* COMPAT_O47 (kernel getpeereid, which was replaced by libc getpeereid)  [deraadt, 2011-04-04, 1 file, -12/+1]
  can go away ok guenther
* PRU_PEEREID is only used by code under COMPAT_O47, so put it there too  [guenther, 2010-10-18, 1 file, -1/+3]
  so that we remember to remove it all at the same time in two years. ok deraadt@
* structure copy the unp_connid to the other socket  [deraadt, 2010-07-02, 1 file, -4/+2]
* SO_PEERCRED should pass out the main pid, not the "pid" of the current  [deraadt, 2010-07-01, 1 file, -3/+3]
  thread. Discussion with guenther.
* Add getsockopt SOL_SOCKET SO_PEERCRED support. This behaves similar to  [deraadt, 2010-06-30, 1 file, -8/+11]
  getpeereid(2), but also supplies the remote pid. This is supplied in a 'struct sockpeercred' (unlike Linux -- they showed how little they know about real unix by calling theirs 'struct ucred'). ok guenther ajacoutot
* fix PR 6082: do not create more fd's than will fit in the message on  [otto, 2009-02-22, 1 file, -2/+9]
  the receiving side when passing fd's. ok deraadt@ kettenis@
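Several entries in this log concern descriptor passing over AF_UNIX sockets: the pledge "sendfd"/"recvfd" hooks in unp_internalize()/unp_externalize() (2015-10-18), MSG_CMSG_CLOEXEC and SOCK_CLOEXEC (2014-08-31), the 10%-of-maxfiles in-flight cap that makes sendmsg() fail with EMFILE (2012-04-11), and PR 6082 above, where the receiver must not create more fds than fit in its control buffer. The following is an added example, not code from this log or from OpenBSD: the user-space side of that exchange, a send/receive pair over a socketpair that uses MSG_CMSG_CLOEXEC so the received descriptor is never inherited across exec, and that treats a truncated control message (MSG_CTRUNC) as a failure instead of silently losing descriptors. send_fd(), recv_fd() and fd_pass_demo() are helper names chosen for this page.

```c
/*
 * Added example (not OpenBSD code): SCM_RIGHTS descriptor passing with
 * the receive-side checks a practitioner wants.
 */
#include <errno.h>
#include <fcntl.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/uio.h>
#include <sys/un.h>

/* Send one descriptor.  The single payload byte keeps the message from
 * being empty.  Returns 0, or -1 with errno set (EMFILE when the kernel's
 * in-flight limit is exceeded). */
int send_fd(int sock, int fd)
{
	char byte = 'F';
	struct iovec iov = { &byte, 1 };
	union { struct cmsghdr hdr; char buf[CMSG_SPACE(sizeof(int))]; } u;
	struct msghdr msg;
	struct cmsghdr *cm;

	memset(&u, 0, sizeof(u));
	memset(&msg, 0, sizeof(msg));
	msg.msg_iov = &iov;
	msg.msg_iovlen = 1;
	msg.msg_control = u.buf;
	msg.msg_controllen = sizeof(u.buf);
	cm = CMSG_FIRSTHDR(&msg);
	cm->cmsg_level = SOL_SOCKET;
	cm->cmsg_type = SCM_RIGHTS;
	cm->cmsg_len = CMSG_LEN(sizeof(int));
	memcpy(CMSG_DATA(cm), &fd, sizeof(int));
	return sendmsg(sock, &msg, 0) == 1 ? 0 : -1;
}

/* Receive one descriptor.  With MSG_CMSG_CLOEXEC in 'flags' the kernel
 * sets FD_CLOEXEC atomically, closing the window between recvmsg() and a
 * separate fcntl(F_SETFD).  A control buffer sized for one fd means the
 * kernel cannot hand us more than one; if the sender passed more, the
 * message is flagged MSG_CTRUNC and we fail rather than lose them quietly.
 * Returns the fd, or -1 with errno set. */
int recv_fd(int sock, int flags)
{
	char byte;
	struct iovec iov = { &byte, 1 };
	union { struct cmsghdr hdr; char buf[CMSG_SPACE(sizeof(int))]; } u;
	struct msghdr msg;
	struct cmsghdr *cm;
	int fd = -1;

	memset(&msg, 0, sizeof(msg));
	msg.msg_iov = &iov;
	msg.msg_iovlen = 1;
	msg.msg_control = u.buf;
	msg.msg_controllen = sizeof(u.buf);
	if (recvmsg(sock, &msg, flags) < 0)
		return -1;
	for (cm = CMSG_FIRSTHDR(&msg); cm != NULL; cm = CMSG_NXTHDR(&msg, cm)) {
		if (cm->cmsg_level == SOL_SOCKET && cm->cmsg_type == SCM_RIGHTS &&
		    cm->cmsg_len == CMSG_LEN(sizeof(int))) {
			memcpy(&fd, CMSG_DATA(cm), sizeof(int));
			break;
		}
	}
	if (msg.msg_flags & MSG_CTRUNC) {   /* descriptors beyond our buffer were dropped */
		if (fd >= 0)
			close(fd);
		errno = EMSGSIZE;
		return -1;
	}
	if (fd < 0)
		errno = EPROTO;                 /* no SCM_RIGHTS in the message */
	return fd;
}

/* Pass the read end of a pipe across a socketpair and read through the
 * received copy.  Returns 0 on success or the number of the failing step. */
int fd_pass_demo(void)
{
	int sv[2], pfd[2], rfd, flags;
	char c = 0;

	if (socketpair(AF_UNIX, SOCK_STREAM | SOCK_CLOEXEC, 0, sv) < 0 || pipe(pfd) < 0)
		return 1;
	if (send_fd(sv[0], pfd[0]) < 0)
		return 2;
	rfd = recv_fd(sv[1], MSG_CMSG_CLOEXEC);
	if (rfd < 0)
		return 3;
	flags = fcntl(rfd, F_GETFD);
	if (flags < 0 || !(flags & FD_CLOEXEC))
		return 4;                       /* close-on-exec was not applied */
	if (write(pfd[1], "x", 1) != 1 || read(rfd, &c, 1) != 1 || c != 'x')
		return 5;                       /* rfd is not a live copy of pfd[0] */
	close(rfd); close(pfd[0]); close(pfd[1]); close(sv[0]); close(sv[1]);
	return 0;
}
```

Under pledge the sender needs "sendfd" and the receiver "recvfd" for the calls above to succeed; sizing the control buffer to exactly the number of descriptors you expect is what turns an unexpected extra descriptor into a visible MSG_CTRUNC rather than a stray open file.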