2005-10-14 10:58:59 +02:00
|
|
|
/* The kernel call implemented in this file:
|
2005-07-22 11:20:43 +02:00
|
|
|
* m_type: SYS_PRIVCTL
|
|
|
|
*
|
2005-10-14 10:58:59 +02:00
|
|
|
* The parameters for this kernel call are:
|
'proc number' is process slot, 'endpoint' are generation-aware process
instance numbers, encoded and decoded using macros in <minix/endpoint.h>.
proc number -> endpoint migration
. proc_nr in the interrupt hook is now an endpoint, proc_nr_e.
. m_source for messages and notifies is now an endpoint, instead of
proc number.
. isokendpt() converts an endpoint to a process number, returns
success (but fails if the process number is out of range, the
process slot is not a living process, or the given endpoint
number does not match the endpoint number in the process slot,
indicating an old process).
. okendpt() is the same as isokendpt(), but panic()s if the conversion
fails. This is mainly used for decoding message.m_source endpoints,
and other endpoint numbers in kernel data structures, which should
always be correct.
. if DEBUG_ENABLE_IPC_WARNINGS is enabled, isokendpt() and okendpt()
get passed the __FILE__ and __LINE__ of the calling lines, and
print messages about what is wrong with the endpoint number
(out of range proc, empty proc, or inconsistent endpoint number),
with the caller, making finding where the conversion failed easy
without having to include code for every call to print where things
went wrong. Sometimes this is harmless (wrong arg to a kernel call),
sometimes it's a fatal internal inconsistency (bogus m_source).
. some process table fields have been appended an _e to indicate it's
become and endpoint.
. process endpoint is stored in p_endpoint, without generation number.
it turns out the kernel never needs the generation number, except
when fork()ing, so it's decoded then.
. kernel calls all take endpoints as arguments, not proc numbers.
the one exception is sys_fork(), which needs to know in which slot
to put the child.
2006-03-03 11:00:02 +01:00
|
|
|
* m1_i1: PR_ENDPT (process number of caller)
|
2005-07-22 11:20:43 +02:00
|
|
|
*/
|
|
|
|
|
|
|
|
#include "../system.h"
|
|
|
|
#include "../ipc.h"
|
2005-08-02 17:28:09 +02:00
|
|
|
#include <signal.h>
|
2006-10-30 16:53:38 +01:00
|
|
|
#include <string.h>
|
2005-07-22 11:20:43 +02:00
|
|
|
|
|
|
|
#if USE_PRIVCTL
|
|
|
|
|
2005-08-02 17:28:09 +02:00
|
|
|
#define FILLED_MASK (~0)
|
|
|
|
|
2005-07-22 11:20:43 +02:00
|
|
|
/*===========================================================================*
|
|
|
|
* do_privctl *
|
|
|
|
*===========================================================================*/
|
|
|
|
PUBLIC int do_privctl(m_ptr)
|
|
|
|
message *m_ptr; /* pointer to request message */
|
|
|
|
{
|
|
|
|
/* Handle sys_privctl(). Update a process' privileges. If the process is not
|
|
|
|
* yet a system process, make sure it gets its own privilege structure.
|
|
|
|
*/
|
2005-08-02 17:28:09 +02:00
|
|
|
register struct proc *caller_ptr;
|
2005-07-22 11:20:43 +02:00
|
|
|
register struct proc *rp;
|
|
|
|
register struct priv *sp;
|
|
|
|
int proc_nr;
|
2005-08-02 17:28:09 +02:00
|
|
|
int priv_id;
|
2005-07-26 14:48:34 +02:00
|
|
|
int i;
|
2006-01-27 14:21:12 +01:00
|
|
|
phys_bytes caller_phys, kernel_phys;
|
|
|
|
struct io_range io_range;
|
|
|
|
struct mem_range mem_range;
|
2006-10-20 16:42:48 +02:00
|
|
|
struct priv priv;
|
2005-07-22 11:20:43 +02:00
|
|
|
|
2005-08-02 17:28:09 +02:00
|
|
|
/* Check whether caller is allowed to make this call. Privileged proceses
|
|
|
|
* can only update the privileges of processes that are inhibited from
|
|
|
|
* running by the NO_PRIV flag. This flag is set when a privileged process
|
|
|
|
* forks.
|
|
|
|
*/
|
'proc number' is process slot, 'endpoint' are generation-aware process
instance numbers, encoded and decoded using macros in <minix/endpoint.h>.
proc number -> endpoint migration
. proc_nr in the interrupt hook is now an endpoint, proc_nr_e.
. m_source for messages and notifies is now an endpoint, instead of
proc number.
. isokendpt() converts an endpoint to a process number, returns
success (but fails if the process number is out of range, the
process slot is not a living process, or the given endpoint
number does not match the endpoint number in the process slot,
indicating an old process).
. okendpt() is the same as isokendpt(), but panic()s if the conversion
fails. This is mainly used for decoding message.m_source endpoints,
and other endpoint numbers in kernel data structures, which should
always be correct.
. if DEBUG_ENABLE_IPC_WARNINGS is enabled, isokendpt() and okendpt()
get passed the __FILE__ and __LINE__ of the calling lines, and
print messages about what is wrong with the endpoint number
(out of range proc, empty proc, or inconsistent endpoint number),
with the caller, making finding where the conversion failed easy
without having to include code for every call to print where things
went wrong. Sometimes this is harmless (wrong arg to a kernel call),
sometimes it's a fatal internal inconsistency (bogus m_source).
. some process table fields have been appended an _e to indicate it's
become and endpoint.
. process endpoint is stored in p_endpoint, without generation number.
it turns out the kernel never needs the generation number, except
when fork()ing, so it's decoded then.
. kernel calls all take endpoints as arguments, not proc numbers.
the one exception is sys_fork(), which needs to know in which slot
to put the child.
2006-03-03 11:00:02 +01:00
|
|
|
caller_ptr = proc_addr(who_p);
|
2005-08-02 17:28:09 +02:00
|
|
|
if (! (priv(caller_ptr)->s_flags & SYS_PROC)) return(EPERM);
|
2006-06-20 12:03:10 +02:00
|
|
|
if(m_ptr->PR_ENDPT == SELF) proc_nr = who_p;
|
|
|
|
else if(!isokendpt(m_ptr->PR_ENDPT, &proc_nr)) return(EINVAL);
|
2005-07-22 11:20:43 +02:00
|
|
|
rp = proc_addr(proc_nr);
|
|
|
|
|
2006-01-27 14:21:12 +01:00
|
|
|
switch(m_ptr->CTL_REQUEST)
|
|
|
|
{
|
|
|
|
case SYS_PRIV_INIT:
|
Mostly bugfixes of bugs triggered by the test set.
bugfixes:
SYSTEM:
. removed
rc->p_priv->s_flags = 0;
for the priv struct shared by all user processes in get_priv(). this
should only be done once. doing a SYS_PRIV_USER in sys_privctl()
caused the flags of all user processes to be reset, so they were no
longer PREEMPTIBLE. this happened when RS executed a policy script.
(this broke test1 in the test set)
VFS/MFS:
. chown can change the mode of a file, and chmod arguments are only
part of the full file mode so the full filemode is slightly magic.
changed these calls so that the final modes are returned to VFS, so
that the vnode can be kept up-to-date.
(this broke test11 in the test set)
MFS:
. lookup() checked for sizeof(string) instead of sizeof(user_path),
truncating long path names
(caught by test 23)
. truncate functions neglected to update ctime
(this broke test16)
VFS:
. corner case of an empty filename lookup caused fields of a request
not to be filled in in the lookup functions, not making it clear
that the lookup had failed, causing messages to garbage processes,
causing strange failures.
(caught by test 30)
. trust v_size in vnode when doing reads or writes on non-special
files, truncating i/o where necessary; this is necessary for pipes,
as MFS can't tell when a pipe has been truncated without it being
told explicitly each time.
when the last reader/writer on a pipe closes, tell FS about
the new size using truncate_vn().
(this broke test 25, among others)
. permission check for chdir() had disappeared; added a
forbidden() call
(caught by test 23)
new code, shouldn't change anything:
. introduced RTS_SET, RTS_UNSET, and RTS_ISSET macro's, and their
LOCK variants. These macros set and clear the p_rts_flags field,
causing a lot of duplicated logic like
old_flags = rp->p_rts_flags; /* save value of the flags */
rp->p_rts_flags &= ~NO_PRIV;
if (old_flags != 0 && rp->p_rts_flags == 0) lock_enqueue(rp);
to change into the simpler
RTS_LOCK_UNSET(rp, NO_PRIV);
so the macros take care of calling dequeue() and enqueue() (or lock_*()),
as the case may be). This makes the code a bit more readable and a
bit less fragile.
. removed return code from do_clocktick in CLOCK as it currently
never replies
. removed some debug code from VFS
. fixed grant debug message in device.c
preemptive checks, tests, changes:
. added return code checks of receive() to SYSTEM and CLOCK
. O_TRUNC should never arrive at MFS (added sanity check and removed
O_TRUNC code)
. user_path declared with PATH_MAX+1 to let it be null-terminated
. checks in MFS to see if strings passed by VFS are null-terminated
IS:
. static irq name table thrown out
2007-02-01 18:50:02 +01:00
|
|
|
if (! RTS_ISSET(rp, NO_PRIV)) return(EPERM);
|
2005-07-26 14:48:34 +02:00
|
|
|
|
2006-01-27 14:21:12 +01:00
|
|
|
/* Make sure this process has its own privileges structure. This may
|
|
|
|
* fail, since there are only a limited number of system processes.
|
|
|
|
* Then copy the privileges from the caller and restore some defaults.
|
|
|
|
*/
|
|
|
|
if ((i=get_priv(rp, SYS_PROC)) != OK) return(i);
|
|
|
|
priv_id = priv(rp)->s_id; /* backup privilege id */
|
|
|
|
*priv(rp) = *priv(caller_ptr); /* copy from caller */
|
|
|
|
priv(rp)->s_id = priv_id; /* restore privilege id */
|
|
|
|
priv(rp)->s_proc_nr = proc_nr; /* reassociate process nr */
|
|
|
|
|
|
|
|
for (i=0; i< BITMAP_CHUNKS(NR_SYS_PROCS); i++) /* remove pending: */
|
|
|
|
priv(rp)->s_notify_pending.chunk[i] = 0; /* - notifications */
|
|
|
|
priv(rp)->s_int_pending = 0; /* - interrupts */
|
|
|
|
sigemptyset(&priv(rp)->s_sig_pending); /* - signals */
|
|
|
|
|
|
|
|
/* Now update the process' privileges as requested. */
|
|
|
|
rp->p_priv->s_trap_mask = FILLED_MASK;
|
|
|
|
for (i=0; i<BITMAP_CHUNKS(NR_SYS_PROCS); i++) {
|
|
|
|
rp->p_priv->s_ipc_to.chunk[i] = FILLED_MASK;
|
|
|
|
}
|
|
|
|
unset_sys_bit(rp->p_priv->s_ipc_to, USER_PRIV_ID);
|
|
|
|
|
|
|
|
/* All process that this process can send to must be able to reply.
|
|
|
|
* Therefore, their send masks should be updated as well.
|
|
|
|
*/
|
|
|
|
for (i=0; i<NR_SYS_PROCS; i++) {
|
|
|
|
if (get_sys_bit(rp->p_priv->s_ipc_to, i)) {
|
|
|
|
set_sys_bit(priv_addr(i)->s_ipc_to, priv_id(rp));
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2007-04-23 15:30:04 +02:00
|
|
|
for (i=0; i<BITMAP_CHUNKS(NR_SYS_PROCS); i++) {
|
|
|
|
rp->p_priv->s_ipc_sendrec.chunk[i] = FILLED_MASK;
|
|
|
|
}
|
|
|
|
unset_sys_bit(rp->p_priv->s_ipc_sendrec, USER_PRIV_ID);
|
|
|
|
|
2006-06-20 12:03:10 +02:00
|
|
|
/* No I/O resources, no memory resources, no IRQs, no grant table */
|
2006-01-27 14:21:12 +01:00
|
|
|
priv(rp)->s_nr_io_range= 0;
|
|
|
|
priv(rp)->s_nr_mem_range= 0;
|
|
|
|
priv(rp)->s_nr_irq= 0;
|
2006-06-20 12:03:10 +02:00
|
|
|
priv(rp)->s_grant_table= 0;
|
|
|
|
priv(rp)->s_grant_entries= 0;
|
2006-01-27 14:21:12 +01:00
|
|
|
|
2006-10-20 16:42:48 +02:00
|
|
|
if (m_ptr->CTL_ARG_PTR)
|
|
|
|
{
|
|
|
|
/* Copy privilege structure from caller */
|
|
|
|
caller_phys = umap_local(caller_ptr, D,
|
|
|
|
(vir_bytes) m_ptr->CTL_ARG_PTR, sizeof(priv));
|
|
|
|
if (caller_phys == 0)
|
|
|
|
return EFAULT;
|
|
|
|
kernel_phys = vir2phys(&priv);
|
|
|
|
phys_copy(caller_phys, kernel_phys, sizeof(priv));
|
|
|
|
|
|
|
|
/* Copy the call mask */
|
|
|
|
for (i= 0; i<CALL_MASK_SIZE; i++)
|
|
|
|
priv(rp)->s_k_call_mask[i]= priv.s_k_call_mask[i];
|
|
|
|
|
|
|
|
/* Copy IRQs */
|
|
|
|
if (priv.s_nr_irq < 0 || priv.s_nr_irq > NR_IRQ)
|
|
|
|
return EINVAL;
|
|
|
|
priv(rp)->s_nr_irq= priv.s_nr_irq;
|
|
|
|
for (i= 0; i<priv.s_nr_irq; i++)
|
|
|
|
{
|
|
|
|
priv(rp)->s_irq_tab[i]= priv.s_irq_tab[i];
|
2007-02-16 16:53:10 +01:00
|
|
|
#if 0
|
2007-02-21 18:49:35 +01:00
|
|
|
kprintf("do_privctl: adding IRQ %d for %d\n",
|
|
|
|
priv(rp)->s_irq_tab[i], rp->p_endpoint);
|
2007-02-16 16:53:10 +01:00
|
|
|
#endif
|
2006-10-20 16:42:48 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
priv(rp)->s_flags |= CHECK_IRQ; /* Check requests for IRQs */
|
|
|
|
|
|
|
|
/* Copy I/O ranges */
|
|
|
|
if (priv.s_nr_io_range < 0 || priv.s_nr_io_range > NR_IO_RANGE)
|
|
|
|
return EINVAL;
|
|
|
|
priv(rp)->s_nr_io_range= priv.s_nr_io_range;
|
|
|
|
for (i= 0; i<priv.s_nr_io_range; i++)
|
|
|
|
{
|
|
|
|
priv(rp)->s_io_tab[i]= priv.s_io_tab[i];
|
2007-03-30 17:17:03 +02:00
|
|
|
#if 0
|
2007-02-21 18:49:35 +01:00
|
|
|
kprintf("do_privctl: adding I/O range [%x..%x] for %d\n",
|
2006-10-20 16:42:48 +02:00
|
|
|
priv(rp)->s_io_tab[i].ior_base,
|
2007-02-21 18:49:35 +01:00
|
|
|
priv(rp)->s_io_tab[i].ior_limit,
|
|
|
|
rp->p_endpoint);
|
2007-03-30 17:17:03 +02:00
|
|
|
#endif
|
2006-10-20 16:42:48 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
/* Check requests for IRQs */
|
|
|
|
priv(rp)->s_flags |= CHECK_IO_PORT;
|
|
|
|
|
|
|
|
memcpy(priv(rp)->s_k_call_mask, priv.s_k_call_mask,
|
|
|
|
sizeof(priv(rp)->s_k_call_mask));
|
2007-04-23 15:30:04 +02:00
|
|
|
memcpy(&priv(rp)->s_ipc_to, &priv.s_ipc_to,
|
|
|
|
sizeof(priv(rp)->s_ipc_to));
|
|
|
|
memcpy(&priv(rp)->s_ipc_sendrec, &priv.s_ipc_sendrec,
|
|
|
|
sizeof(priv(rp)->s_ipc_sendrec));
|
2006-10-20 16:42:48 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
/* Done. Privileges have been set. Allow process to run again. */
|
Mostly bugfixes of bugs triggered by the test set.
bugfixes:
SYSTEM:
. removed
rc->p_priv->s_flags = 0;
for the priv struct shared by all user processes in get_priv(). this
should only be done once. doing a SYS_PRIV_USER in sys_privctl()
caused the flags of all user processes to be reset, so they were no
longer PREEMPTIBLE. this happened when RS executed a policy script.
(this broke test1 in the test set)
VFS/MFS:
. chown can change the mode of a file, and chmod arguments are only
part of the full file mode so the full filemode is slightly magic.
changed these calls so that the final modes are returned to VFS, so
that the vnode can be kept up-to-date.
(this broke test11 in the test set)
MFS:
. lookup() checked for sizeof(string) instead of sizeof(user_path),
truncating long path names
(caught by test 23)
. truncate functions neglected to update ctime
(this broke test16)
VFS:
. corner case of an empty filename lookup caused fields of a request
not to be filled in in the lookup functions, not making it clear
that the lookup had failed, causing messages to garbage processes,
causing strange failures.
(caught by test 30)
. trust v_size in vnode when doing reads or writes on non-special
files, truncating i/o where necessary; this is necessary for pipes,
as MFS can't tell when a pipe has been truncated without it being
told explicitly each time.
when the last reader/writer on a pipe closes, tell FS about
the new size using truncate_vn().
(this broke test 25, among others)
. permission check for chdir() had disappeared; added a
forbidden() call
(caught by test 23)
new code, shouldn't change anything:
. introduced RTS_SET, RTS_UNSET, and RTS_ISSET macro's, and their
LOCK variants. These macros set and clear the p_rts_flags field,
causing a lot of duplicated logic like
old_flags = rp->p_rts_flags; /* save value of the flags */
rp->p_rts_flags &= ~NO_PRIV;
if (old_flags != 0 && rp->p_rts_flags == 0) lock_enqueue(rp);
to change into the simpler
RTS_LOCK_UNSET(rp, NO_PRIV);
so the macros take care of calling dequeue() and enqueue() (or lock_*()),
as the case may be). This makes the code a bit more readable and a
bit less fragile.
. removed return code from do_clocktick in CLOCK as it currently
never replies
. removed some debug code from VFS
. fixed grant debug message in device.c
preemptive checks, tests, changes:
. added return code checks of receive() to SYSTEM and CLOCK
. O_TRUNC should never arrive at MFS (added sanity check and removed
O_TRUNC code)
. user_path declared with PATH_MAX+1 to let it be null-terminated
. checks in MFS to see if strings passed by VFS are null-terminated
IS:
. static irq name table thrown out
2007-02-01 18:50:02 +01:00
|
|
|
RTS_LOCK_UNSET(rp, NO_PRIV);
|
2006-10-20 16:42:48 +02:00
|
|
|
return(OK);
|
|
|
|
case SYS_PRIV_USER:
|
Mostly bugfixes of bugs triggered by the test set.
bugfixes:
SYSTEM:
. removed
rc->p_priv->s_flags = 0;
for the priv struct shared by all user processes in get_priv(). this
should only be done once. doing a SYS_PRIV_USER in sys_privctl()
caused the flags of all user processes to be reset, so they were no
longer PREEMPTIBLE. this happened when RS executed a policy script.
(this broke test1 in the test set)
VFS/MFS:
. chown can change the mode of a file, and chmod arguments are only
part of the full file mode so the full filemode is slightly magic.
changed these calls so that the final modes are returned to VFS, so
that the vnode can be kept up-to-date.
(this broke test11 in the test set)
MFS:
. lookup() checked for sizeof(string) instead of sizeof(user_path),
truncating long path names
(caught by test 23)
. truncate functions neglected to update ctime
(this broke test16)
VFS:
. corner case of an empty filename lookup caused fields of a request
not to be filled in in the lookup functions, not making it clear
that the lookup had failed, causing messages to garbage processes,
causing strange failures.
(caught by test 30)
. trust v_size in vnode when doing reads or writes on non-special
files, truncating i/o where necessary; this is necessary for pipes,
as MFS can't tell when a pipe has been truncated without it being
told explicitly each time.
when the last reader/writer on a pipe closes, tell FS about
the new size using truncate_vn().
(this broke test 25, among others)
. permission check for chdir() had disappeared; added a
forbidden() call
(caught by test 23)
new code, shouldn't change anything:
. introduced RTS_SET, RTS_UNSET, and RTS_ISSET macro's, and their
LOCK variants. These macros set and clear the p_rts_flags field,
causing a lot of duplicated logic like
old_flags = rp->p_rts_flags; /* save value of the flags */
rp->p_rts_flags &= ~NO_PRIV;
if (old_flags != 0 && rp->p_rts_flags == 0) lock_enqueue(rp);
to change into the simpler
RTS_LOCK_UNSET(rp, NO_PRIV);
so the macros take care of calling dequeue() and enqueue() (or lock_*()),
as the case may be). This makes the code a bit more readable and a
bit less fragile.
. removed return code from do_clocktick in CLOCK as it currently
never replies
. removed some debug code from VFS
. fixed grant debug message in device.c
preemptive checks, tests, changes:
. added return code checks of receive() to SYSTEM and CLOCK
. O_TRUNC should never arrive at MFS (added sanity check and removed
O_TRUNC code)
. user_path declared with PATH_MAX+1 to let it be null-terminated
. checks in MFS to see if strings passed by VFS are null-terminated
IS:
. static irq name table thrown out
2007-02-01 18:50:02 +01:00
|
|
|
/* Make this process an ordinary user process. */
|
|
|
|
if (!RTS_ISSET(rp, NO_PRIV)) return(EPERM);
|
2006-10-20 16:42:48 +02:00
|
|
|
if ((i=get_priv(rp, 0)) != OK) return(i);
|
Mostly bugfixes of bugs triggered by the test set.
bugfixes:
SYSTEM:
. removed
rc->p_priv->s_flags = 0;
for the priv struct shared by all user processes in get_priv(). this
should only be done once. doing a SYS_PRIV_USER in sys_privctl()
caused the flags of all user processes to be reset, so they were no
longer PREEMPTIBLE. this happened when RS executed a policy script.
(this broke test1 in the test set)
VFS/MFS:
. chown can change the mode of a file, and chmod arguments are only
part of the full file mode so the full filemode is slightly magic.
changed these calls so that the final modes are returned to VFS, so
that the vnode can be kept up-to-date.
(this broke test11 in the test set)
MFS:
. lookup() checked for sizeof(string) instead of sizeof(user_path),
truncating long path names
(caught by test 23)
. truncate functions neglected to update ctime
(this broke test16)
VFS:
. corner case of an empty filename lookup caused fields of a request
not to be filled in in the lookup functions, not making it clear
that the lookup had failed, causing messages to garbage processes,
causing strange failures.
(caught by test 30)
. trust v_size in vnode when doing reads or writes on non-special
files, truncating i/o where necessary; this is necessary for pipes,
as MFS can't tell when a pipe has been truncated without it being
told explicitly each time.
when the last reader/writer on a pipe closes, tell FS about
the new size using truncate_vn().
(this broke test 25, among others)
. permission check for chdir() had disappeared; added a
forbidden() call
(caught by test 23)
new code, shouldn't change anything:
. introduced RTS_SET, RTS_UNSET, and RTS_ISSET macro's, and their
LOCK variants. These macros set and clear the p_rts_flags field,
causing a lot of duplicated logic like
old_flags = rp->p_rts_flags; /* save value of the flags */
rp->p_rts_flags &= ~NO_PRIV;
if (old_flags != 0 && rp->p_rts_flags == 0) lock_enqueue(rp);
to change into the simpler
RTS_LOCK_UNSET(rp, NO_PRIV);
so the macros take care of calling dequeue() and enqueue() (or lock_*()),
as the case may be). This makes the code a bit more readable and a
bit less fragile.
. removed return code from do_clocktick in CLOCK as it currently
never replies
. removed some debug code from VFS
. fixed grant debug message in device.c
preemptive checks, tests, changes:
. added return code checks of receive() to SYSTEM and CLOCK
. O_TRUNC should never arrive at MFS (added sanity check and removed
O_TRUNC code)
. user_path declared with PATH_MAX+1 to let it be null-terminated
. checks in MFS to see if strings passed by VFS are null-terminated
IS:
. static irq name table thrown out
2007-02-01 18:50:02 +01:00
|
|
|
RTS_LOCK_UNSET(rp, NO_PRIV);
|
2006-01-27 14:21:12 +01:00
|
|
|
return(OK);
|
2006-10-20 16:42:48 +02:00
|
|
|
|
2006-01-27 14:21:12 +01:00
|
|
|
case SYS_PRIV_ADD_IO:
|
Mostly bugfixes of bugs triggered by the test set.
bugfixes:
SYSTEM:
. removed
rc->p_priv->s_flags = 0;
for the priv struct shared by all user processes in get_priv(). this
should only be done once. doing a SYS_PRIV_USER in sys_privctl()
caused the flags of all user processes to be reset, so they were no
longer PREEMPTIBLE. this happened when RS executed a policy script.
(this broke test1 in the test set)
VFS/MFS:
. chown can change the mode of a file, and chmod arguments are only
part of the full file mode so the full filemode is slightly magic.
changed these calls so that the final modes are returned to VFS, so
that the vnode can be kept up-to-date.
(this broke test11 in the test set)
MFS:
. lookup() checked for sizeof(string) instead of sizeof(user_path),
truncating long path names
(caught by test 23)
. truncate functions neglected to update ctime
(this broke test16)
VFS:
. corner case of an empty filename lookup caused fields of a request
not to be filled in in the lookup functions, not making it clear
that the lookup had failed, causing messages to garbage processes,
causing strange failures.
(caught by test 30)
. trust v_size in vnode when doing reads or writes on non-special
files, truncating i/o where necessary; this is necessary for pipes,
as MFS can't tell when a pipe has been truncated without it being
told explicitly each time.
when the last reader/writer on a pipe closes, tell FS about
the new size using truncate_vn().
(this broke test 25, among others)
. permission check for chdir() had disappeared; added a
forbidden() call
(caught by test 23)
new code, shouldn't change anything:
. introduced RTS_SET, RTS_UNSET, and RTS_ISSET macro's, and their
LOCK variants. These macros set and clear the p_rts_flags field,
causing a lot of duplicated logic like
old_flags = rp->p_rts_flags; /* save value of the flags */
rp->p_rts_flags &= ~NO_PRIV;
if (old_flags != 0 && rp->p_rts_flags == 0) lock_enqueue(rp);
to change into the simpler
RTS_LOCK_UNSET(rp, NO_PRIV);
so the macros take care of calling dequeue() and enqueue() (or lock_*()),
as the case may be). This makes the code a bit more readable and a
bit less fragile.
. removed return code from do_clocktick in CLOCK as it currently
never replies
. removed some debug code from VFS
. fixed grant debug message in device.c
preemptive checks, tests, changes:
. added return code checks of receive() to SYSTEM and CLOCK
. O_TRUNC should never arrive at MFS (added sanity check and removed
O_TRUNC code)
. user_path declared with PATH_MAX+1 to let it be null-terminated
. checks in MFS to see if strings passed by VFS are null-terminated
IS:
. static irq name table thrown out
2007-02-01 18:50:02 +01:00
|
|
|
if (RTS_ISSET(rp, NO_PRIV))
|
2006-01-27 14:21:12 +01:00
|
|
|
return(EPERM);
|
|
|
|
|
|
|
|
/* Only system processes get I/O resources? */
|
|
|
|
if (!(priv(rp)->s_flags & SYS_PROC))
|
|
|
|
return EPERM;
|
|
|
|
|
|
|
|
/* Get the I/O range */
|
|
|
|
caller_phys = umap_local(caller_ptr, D, (vir_bytes) m_ptr->CTL_ARG_PTR,
|
|
|
|
sizeof(io_range));
|
|
|
|
if (caller_phys == 0)
|
|
|
|
return EFAULT;
|
|
|
|
kernel_phys = vir2phys(&io_range);
|
|
|
|
phys_copy(caller_phys, kernel_phys, sizeof(io_range));
|
|
|
|
priv(rp)->s_flags |= CHECK_IO_PORT; /* Check I/O accesses */
|
|
|
|
i= priv(rp)->s_nr_io_range;
|
|
|
|
if (i >= NR_IO_RANGE)
|
|
|
|
return ENOMEM;
|
|
|
|
|
|
|
|
priv(rp)->s_io_tab[i].ior_base= io_range.ior_base;
|
|
|
|
priv(rp)->s_io_tab[i].ior_limit= io_range.ior_limit;
|
|
|
|
priv(rp)->s_nr_io_range++;
|
|
|
|
|
|
|
|
return OK;
|
2005-08-02 17:28:09 +02:00
|
|
|
|
2006-01-27 14:21:12 +01:00
|
|
|
case SYS_PRIV_ADD_MEM:
|
Mostly bugfixes of bugs triggered by the test set.
bugfixes:
SYSTEM:
. removed
rc->p_priv->s_flags = 0;
for the priv struct shared by all user processes in get_priv(). this
should only be done once. doing a SYS_PRIV_USER in sys_privctl()
caused the flags of all user processes to be reset, so they were no
longer PREEMPTIBLE. this happened when RS executed a policy script.
(this broke test1 in the test set)
VFS/MFS:
. chown can change the mode of a file, and chmod arguments are only
part of the full file mode so the full filemode is slightly magic.
changed these calls so that the final modes are returned to VFS, so
that the vnode can be kept up-to-date.
(this broke test11 in the test set)
MFS:
. lookup() checked for sizeof(string) instead of sizeof(user_path),
truncating long path names
(caught by test 23)
. truncate functions neglected to update ctime
(this broke test16)
VFS:
. corner case of an empty filename lookup caused fields of a request
not to be filled in in the lookup functions, not making it clear
that the lookup had failed, causing messages to garbage processes,
causing strange failures.
(caught by test 30)
. trust v_size in vnode when doing reads or writes on non-special
files, truncating i/o where necessary; this is necessary for pipes,
as MFS can't tell when a pipe has been truncated without it being
told explicitly each time.
when the last reader/writer on a pipe closes, tell FS about
the new size using truncate_vn().
(this broke test 25, among others)
. permission check for chdir() had disappeared; added a
forbidden() call
(caught by test 23)
new code, shouldn't change anything:
. introduced RTS_SET, RTS_UNSET, and RTS_ISSET macro's, and their
LOCK variants. These macros set and clear the p_rts_flags field,
causing a lot of duplicated logic like
old_flags = rp->p_rts_flags; /* save value of the flags */
rp->p_rts_flags &= ~NO_PRIV;
if (old_flags != 0 && rp->p_rts_flags == 0) lock_enqueue(rp);
to change into the simpler
RTS_LOCK_UNSET(rp, NO_PRIV);
so the macros take care of calling dequeue() and enqueue() (or lock_*()),
as the case may be). This makes the code a bit more readable and a
bit less fragile.
. removed return code from do_clocktick in CLOCK as it currently
never replies
. removed some debug code from VFS
. fixed grant debug message in device.c
preemptive checks, tests, changes:
. added return code checks of receive() to SYSTEM and CLOCK
. O_TRUNC should never arrive at MFS (added sanity check and removed
O_TRUNC code)
. user_path declared with PATH_MAX+1 to let it be null-terminated
. checks in MFS to see if strings passed by VFS are null-terminated
IS:
. static irq name table thrown out
2007-02-01 18:50:02 +01:00
|
|
|
if (RTS_ISSET(rp, NO_PRIV))
|
2006-01-27 14:21:12 +01:00
|
|
|
return(EPERM);
|
|
|
|
|
|
|
|
/* Only system processes get memory resources? */
|
|
|
|
if (!(priv(rp)->s_flags & SYS_PROC))
|
|
|
|
return EPERM;
|
|
|
|
|
|
|
|
/* Get the memory range */
|
|
|
|
caller_phys = umap_local(caller_ptr, D, (vir_bytes) m_ptr->CTL_ARG_PTR,
|
|
|
|
sizeof(mem_range));
|
|
|
|
if (caller_phys == 0)
|
|
|
|
return EFAULT;
|
|
|
|
kernel_phys = vir2phys(&mem_range);
|
|
|
|
phys_copy(caller_phys, kernel_phys, sizeof(mem_range));
|
|
|
|
priv(rp)->s_flags |= CHECK_MEM; /* Check I/O accesses */
|
|
|
|
i= priv(rp)->s_nr_mem_range;
|
|
|
|
if (i >= NR_MEM_RANGE)
|
|
|
|
return ENOMEM;
|
|
|
|
|
|
|
|
#if 0
|
|
|
|
priv(rp)->s_mem_tab[i].mr_base= mem_range.mr_base;
|
|
|
|
priv(rp)->s_mem_tab[i].mr_limit= mem_range.mr_limit;
|
|
|
|
priv(rp)->s_nr_mem_range++;
|
|
|
|
#endif
|
|
|
|
|
|
|
|
return OK;
|
|
|
|
|
|
|
|
case SYS_PRIV_ADD_IRQ:
|
Mostly bugfixes of bugs triggered by the test set.
bugfixes:
SYSTEM:
. removed
rc->p_priv->s_flags = 0;
for the priv struct shared by all user processes in get_priv(). this
should only be done once. doing a SYS_PRIV_USER in sys_privctl()
caused the flags of all user processes to be reset, so they were no
longer PREEMPTIBLE. this happened when RS executed a policy script.
(this broke test1 in the test set)
VFS/MFS:
. chown can change the mode of a file, and chmod arguments are only
part of the full file mode so the full filemode is slightly magic.
changed these calls so that the final modes are returned to VFS, so
that the vnode can be kept up-to-date.
(this broke test11 in the test set)
MFS:
. lookup() checked for sizeof(string) instead of sizeof(user_path),
truncating long path names
(caught by test 23)
. truncate functions neglected to update ctime
(this broke test16)
VFS:
. corner case of an empty filename lookup caused fields of a request
not to be filled in in the lookup functions, not making it clear
that the lookup had failed, causing messages to garbage processes,
causing strange failures.
(caught by test 30)
. trust v_size in vnode when doing reads or writes on non-special
files, truncating i/o where necessary; this is necessary for pipes,
as MFS can't tell when a pipe has been truncated without it being
told explicitly each time.
when the last reader/writer on a pipe closes, tell FS about
the new size using truncate_vn().
(this broke test 25, among others)
. permission check for chdir() had disappeared; added a
forbidden() call
(caught by test 23)
new code, shouldn't change anything:
. introduced RTS_SET, RTS_UNSET, and RTS_ISSET macro's, and their
LOCK variants. These macros set and clear the p_rts_flags field,
causing a lot of duplicated logic like
old_flags = rp->p_rts_flags; /* save value of the flags */
rp->p_rts_flags &= ~NO_PRIV;
if (old_flags != 0 && rp->p_rts_flags == 0) lock_enqueue(rp);
to change into the simpler
RTS_LOCK_UNSET(rp, NO_PRIV);
so the macros take care of calling dequeue() and enqueue() (or lock_*()),
as the case may be). This makes the code a bit more readable and a
bit less fragile.
. removed return code from do_clocktick in CLOCK as it currently
never replies
. removed some debug code from VFS
. fixed grant debug message in device.c
preemptive checks, tests, changes:
. added return code checks of receive() to SYSTEM and CLOCK
. O_TRUNC should never arrive at MFS (added sanity check and removed
O_TRUNC code)
. user_path declared with PATH_MAX+1 to let it be null-terminated
. checks in MFS to see if strings passed by VFS are null-terminated
IS:
. static irq name table thrown out
2007-02-01 18:50:02 +01:00
|
|
|
if (RTS_ISSET(rp, NO_PRIV))
|
2006-01-27 14:21:12 +01:00
|
|
|
return(EPERM);
|
|
|
|
|
|
|
|
/* Only system processes get IRQs? */
|
|
|
|
if (!(priv(rp)->s_flags & SYS_PROC))
|
|
|
|
return EPERM;
|
|
|
|
|
|
|
|
priv(rp)->s_flags |= CHECK_IRQ; /* Check IRQs */
|
|
|
|
|
|
|
|
i= priv(rp)->s_nr_irq;
|
|
|
|
if (i >= NR_IRQ)
|
|
|
|
return ENOMEM;
|
|
|
|
priv(rp)->s_irq_tab[i]= m_ptr->CTL_MM_PRIV;
|
|
|
|
priv(rp)->s_nr_irq++;
|
|
|
|
|
|
|
|
return OK;
|
|
|
|
default:
|
|
|
|
kprintf("do_privctl: bad request %d\n", m_ptr->CTL_REQUEST);
|
|
|
|
return EINVAL;
|
|
|
|
}
|
2005-07-22 11:20:43 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
#endif /* USE_PRIVCTL */
|
|
|
|
|