2006-06-20 12:03:10 +02:00
|
|
|
/* The kernel call implemented in this file:
|
2006-06-23 17:07:41 +02:00
|
|
|
* m_type: SYS_SAFECOPYFROM or SYS_SAFECOPYTO or SYS_VSAFECOPY
|
2006-06-20 12:03:10 +02:00
|
|
|
*
|
|
|
|
* The parameters for this kernel call are:
|
|
|
|
* SCP_FROM_TO other endpoint
|
|
|
|
* SCP_INFO encoded: caller's own src/dst segment
|
|
|
|
* SCP_GID grant id
|
|
|
|
* SCP_OFFSET offset within granted space
|
|
|
|
* SCP_ADDRESS address in own address space
|
|
|
|
* SCP_BYTES bytes to be copied
|
2006-06-23 13:54:03 +02:00
|
|
|
*
|
|
|
|
* For the vectored variant (do_vsafecopy):
|
|
|
|
* VSCP_VEC_ADDR address of vector
|
|
|
|
* VSCP_VEC_SIZE number of significant elements in vector
|
2006-06-20 12:03:10 +02:00
|
|
|
*/
|
|
|
|
|
|
|
|
#include "../system.h"
|
|
|
|
#include <minix/type.h>
|
|
|
|
#include <minix/safecopies.h>
|
|
|
|
|
|
|
|
#define MEM_TOP 0xFFFFFFFFUL
|
|
|
|
|
2006-06-23 13:54:03 +02:00
|
|
|
FORWARD _PROTOTYPE(int safecopy, (endpoint_t, endpoint_t, cp_grant_id_t, int, int, size_t, vir_bytes, vir_bytes, int));
|
|
|
|
|
2006-06-20 12:03:10 +02:00
|
|
|
/*===========================================================================*
|
|
|
|
* verify_grant *
|
|
|
|
*===========================================================================*/
|
|
|
|
PUBLIC int verify_grant(granter, grantee, grant, bytes, access,
|
|
|
|
offset_in, offset_result, e_granter)
|
|
|
|
endpoint_t granter, grantee; /* copyee, copyer */
|
|
|
|
cp_grant_id_t grant; /* grant id */
|
|
|
|
vir_bytes bytes; /* copy size */
|
|
|
|
int access; /* direction (read/write) */
|
|
|
|
vir_bytes offset_in; /* copy offset within grant */
|
|
|
|
vir_bytes *offset_result; /* copy offset within virtual address space */
|
|
|
|
endpoint_t *e_granter; /* new granter (magic grants) */
|
|
|
|
{
|
|
|
|
static cp_grant_t g;
|
|
|
|
static int proc_nr;
|
|
|
|
static struct proc *granter_proc;
|
|
|
|
static phys_bytes phys_grant;
|
|
|
|
|
|
|
|
/* Get granter process slot (if valid), and check range of
|
|
|
|
* grant id.
|
|
|
|
*/
|
|
|
|
if(!isokendpt(granter, &proc_nr) || !GRANT_VALID(grant)) {
|
|
|
|
kprintf("grant verify failed: invalid granter or grant\n");
|
|
|
|
return(EINVAL);
|
|
|
|
}
|
|
|
|
granter_proc = proc_addr(proc_nr);
|
|
|
|
|
|
|
|
/* If there is no priv. structure, or no grant table in the
|
|
|
|
* priv. structure, or the grant table in the priv. structure
|
|
|
|
* is too small for the grant,
|
|
|
|
*
|
|
|
|
* then there exists no such grant, so
|
|
|
|
*
|
|
|
|
* return EPERM.
|
|
|
|
*
|
|
|
|
* (Don't leak how big the grant table is by returning
|
|
|
|
* EINVAL for grant-out-of-range, in case this turns out to be
|
|
|
|
* interesting information.)
|
|
|
|
*/
|
Mostly bugfixes of bugs triggered by the test set.
bugfixes:
SYSTEM:
. removed
rc->p_priv->s_flags = 0;
for the priv struct shared by all user processes in get_priv(). this
should only be done once. doing a SYS_PRIV_USER in sys_privctl()
caused the flags of all user processes to be reset, so they were no
longer PREEMPTIBLE. this happened when RS executed a policy script.
(this broke test1 in the test set)
VFS/MFS:
. chown can change the mode of a file, and chmod arguments are only
part of the full file mode so the full filemode is slightly magic.
changed these calls so that the final modes are returned to VFS, so
that the vnode can be kept up-to-date.
(this broke test11 in the test set)
MFS:
. lookup() checked for sizeof(string) instead of sizeof(user_path),
truncating long path names
(caught by test 23)
. truncate functions neglected to update ctime
(this broke test16)
VFS:
. corner case of an empty filename lookup caused fields of a request
not to be filled in in the lookup functions, not making it clear
that the lookup had failed, causing messages to garbage processes,
causing strange failures.
(caught by test 30)
. trust v_size in vnode when doing reads or writes on non-special
files, truncating i/o where necessary; this is necessary for pipes,
as MFS can't tell when a pipe has been truncated without it being
told explicitly each time.
when the last reader/writer on a pipe closes, tell FS about
the new size using truncate_vn().
(this broke test 25, among others)
. permission check for chdir() had disappeared; added a
forbidden() call
(caught by test 23)
new code, shouldn't change anything:
. introduced RTS_SET, RTS_UNSET, and RTS_ISSET macro's, and their
LOCK variants. These macros set and clear the p_rts_flags field,
causing a lot of duplicated logic like
old_flags = rp->p_rts_flags; /* save value of the flags */
rp->p_rts_flags &= ~NO_PRIV;
if (old_flags != 0 && rp->p_rts_flags == 0) lock_enqueue(rp);
to change into the simpler
RTS_LOCK_UNSET(rp, NO_PRIV);
so the macros take care of calling dequeue() and enqueue() (or lock_*()),
as the case may be). This makes the code a bit more readable and a
bit less fragile.
. removed return code from do_clocktick in CLOCK as it currently
never replies
. removed some debug code from VFS
. fixed grant debug message in device.c
preemptive checks, tests, changes:
. added return code checks of receive() to SYSTEM and CLOCK
. O_TRUNC should never arrive at MFS (added sanity check and removed
O_TRUNC code)
. user_path declared with PATH_MAX+1 to let it be null-terminated
. checks in MFS to see if strings passed by VFS are null-terminated
IS:
. static irq name table thrown out
2007-02-01 18:50:02 +01:00
|
|
|
if(RTS_ISSET(granter_proc, NO_PRIV) || !(priv(granter_proc)) ||
|
2006-06-20 12:03:10 +02:00
|
|
|
priv(granter_proc)->s_grant_table < 1) {
|
|
|
|
kprintf("grant verify failed in ep %d proc %d: "
|
|
|
|
"no priv table, or no grant table\n",
|
|
|
|
granter, proc_nr);
|
|
|
|
return(EPERM);
|
|
|
|
}
|
|
|
|
|
|
|
|
if(priv(granter_proc)->s_grant_entries <= grant) {
|
|
|
|
kprintf("grant verify failed in ep %d proc %d: "
|
|
|
|
"grant %d out of range for table size %d\n",
|
|
|
|
granter, proc_nr, grant, priv(granter_proc)->s_grant_entries);
|
|
|
|
return(EPERM);
|
|
|
|
}
|
|
|
|
|
|
|
|
/* Copy the grant entry corresponding to this id to see what it
|
|
|
|
* looks like. If it fails, hide the fact that granter has
|
|
|
|
* (presumably) set an invalid grant table entry by returning
|
|
|
|
* EPERM, just like with an invalid grant id.
|
|
|
|
*/
|
|
|
|
if(!(phys_grant = umap_local(granter_proc, D,
|
|
|
|
priv(granter_proc)->s_grant_table + sizeof(g)*grant, sizeof(g)))) {
|
|
|
|
kprintf("grant verify failed: umap failed\n");
|
|
|
|
return EPERM;
|
|
|
|
}
|
|
|
|
|
|
|
|
phys_copy(phys_grant, vir2phys(&g), sizeof(g));
|
|
|
|
|
|
|
|
/* Check validity. */
|
2006-06-27 14:19:45 +02:00
|
|
|
if((g.cp_flags & (CPF_USED | CPF_VALID)) != (CPF_USED | CPF_VALID)) {
|
|
|
|
kprintf("grant verify failed: unused or invalid\n");
|
2006-06-20 12:03:10 +02:00
|
|
|
return EPERM;
|
|
|
|
}
|
|
|
|
|
|
|
|
/* Check access of grant. */
|
|
|
|
if(((g.cp_flags & access) != access)) {
|
|
|
|
kprintf("grant verify failed: access invalid; want %x, have %x\n",
|
|
|
|
access, g.cp_flags);
|
|
|
|
return EPERM;
|
|
|
|
}
|
|
|
|
|
|
|
|
if((g.cp_flags & CPF_DIRECT)) {
|
|
|
|
/* Don't fiddle around with grants that wrap, arithmetic
|
|
|
|
* below may be confused.
|
|
|
|
*/
|
|
|
|
if(MEM_TOP - g.cp_u.cp_direct.cp_len <
|
|
|
|
g.cp_u.cp_direct.cp_start - 1) {
|
|
|
|
kprintf("direct grant verify failed: len too long\n");
|
|
|
|
return EPERM;
|
|
|
|
}
|
|
|
|
|
|
|
|
/* Verify actual grantee. */
|
|
|
|
if(g.cp_u.cp_direct.cp_who_to != grantee && grantee != ANY) {
|
|
|
|
kprintf("direct grant verify failed: bad grantee\n");
|
|
|
|
return EPERM;
|
|
|
|
}
|
|
|
|
|
|
|
|
/* Verify actual copy range. */
|
|
|
|
if((offset_in+bytes < offset_in) ||
|
|
|
|
offset_in+bytes > g.cp_u.cp_direct.cp_len) {
|
|
|
|
kprintf("direct grant verify failed: bad size or range. "
|
|
|
|
"granted %d bytes @ 0x%lx; wanted %d bytes @ 0x%lx\n",
|
|
|
|
g.cp_u.cp_direct.cp_len, g.cp_u.cp_direct.cp_start,
|
|
|
|
bytes, offset_in);
|
|
|
|
return EPERM;
|
|
|
|
}
|
|
|
|
|
|
|
|
/* Verify successful - tell caller what address it is. */
|
|
|
|
*offset_result = g.cp_u.cp_direct.cp_start + offset_in;
|
|
|
|
*e_granter = granter;
|
|
|
|
} else if(g.cp_flags & CPF_MAGIC) {
|
|
|
|
/* Currently, it is hardcoded that only FS may do
|
|
|
|
* magic grants.
|
|
|
|
*/
|
|
|
|
if(granter != FS_PROC_NR) {
|
|
|
|
kprintf("magic grant verify failed: granter (%d) "
|
|
|
|
"is not FS (%d)\n", granter, FS_PROC_NR);
|
|
|
|
return EPERM;
|
|
|
|
}
|
|
|
|
|
|
|
|
/* Verify actual grantee. */
|
|
|
|
if(g.cp_u.cp_magic.cp_who_to != grantee && grantee != ANY) {
|
|
|
|
kprintf("magic grant verify failed: bad grantee\n");
|
|
|
|
return EPERM;
|
|
|
|
}
|
|
|
|
|
|
|
|
/* Verify actual copy range. */
|
|
|
|
if((offset_in+bytes < offset_in) ||
|
|
|
|
offset_in+bytes > g.cp_u.cp_magic.cp_len) {
|
|
|
|
kprintf("magic grant verify failed: bad size or range. "
|
|
|
|
"granted %d bytes @ 0x%lx; wanted %d bytes @ 0x%lx\n",
|
|
|
|
g.cp_u.cp_magic.cp_len, g.cp_u.cp_magic.cp_start,
|
|
|
|
bytes, offset_in);
|
|
|
|
return EPERM;
|
|
|
|
}
|
|
|
|
|
|
|
|
/* Verify successful - tell caller what address it is. */
|
|
|
|
*offset_result = g.cp_u.cp_magic.cp_start + offset_in;
|
|
|
|
*e_granter = g.cp_u.cp_magic.cp_who_from;
|
|
|
|
} else {
|
|
|
|
kprintf("grant verify failed: unknown grant type\n");
|
|
|
|
return EPERM;
|
|
|
|
}
|
|
|
|
|
|
|
|
return OK;
|
|
|
|
}
|
|
|
|
|
|
|
|
/*===========================================================================*
|
2006-06-23 13:54:03 +02:00
|
|
|
* safecopy *
|
2006-06-20 12:03:10 +02:00
|
|
|
*===========================================================================*/
|
2006-06-23 13:54:03 +02:00
|
|
|
PRIVATE int safecopy(granter, grantee, grantid, src_seg, dst_seg, bytes,
|
|
|
|
g_offset, addr, access)
|
|
|
|
endpoint_t granter, grantee;
|
|
|
|
cp_grant_id_t grantid;
|
|
|
|
int src_seg, dst_seg;
|
|
|
|
size_t bytes;
|
|
|
|
vir_bytes g_offset, addr;
|
|
|
|
int access; /* CPF_READ for a copy from granter to grantee, CPF_WRITE
|
|
|
|
* for a copy from grantee to granter.
|
|
|
|
*/
|
2006-06-20 12:03:10 +02:00
|
|
|
{
|
|
|
|
static struct vir_addr v_src, v_dst;
|
2006-06-23 13:54:03 +02:00
|
|
|
static vir_bytes v_offset;
|
|
|
|
int r;
|
|
|
|
endpoint_t new_granter, *src, *dst;
|
2006-06-20 12:03:10 +02:00
|
|
|
|
2006-06-23 13:54:03 +02:00
|
|
|
/* Decide who is src and who is dst. */
|
|
|
|
if(access & CPF_READ) {
|
2006-06-20 12:03:10 +02:00
|
|
|
src = &granter;
|
|
|
|
dst = &grantee;
|
2006-06-23 13:54:03 +02:00
|
|
|
} else {
|
2006-06-20 12:03:10 +02:00
|
|
|
src = &grantee;
|
|
|
|
dst = &granter;
|
2006-06-23 13:54:03 +02:00
|
|
|
}
|
2006-06-20 12:03:10 +02:00
|
|
|
|
|
|
|
/* Verify permission exists. */
|
2006-06-23 13:54:03 +02:00
|
|
|
if((r=verify_grant(granter, grantee, grantid, bytes, access,
|
|
|
|
g_offset, &v_offset, &new_granter)) != OK) {
|
2006-06-20 12:03:10 +02:00
|
|
|
kprintf("grant %d verify to copy %d->%d by %d failed: err %d\n",
|
2006-06-23 13:54:03 +02:00
|
|
|
grantid, *src, *dst, grantee, r);
|
2006-06-20 12:03:10 +02:00
|
|
|
return r;
|
|
|
|
}
|
|
|
|
|
|
|
|
/* verify_grant() can redirect the grantee to someone else,
|
|
|
|
* meaning the source or destination changes.
|
|
|
|
*/
|
|
|
|
granter = new_granter;
|
|
|
|
|
|
|
|
/* Now it's a regular copy. */
|
|
|
|
v_src.segment = src_seg;
|
|
|
|
v_dst.segment = dst_seg;
|
|
|
|
v_src.proc_nr_e = *src;
|
|
|
|
v_dst.proc_nr_e = *dst;
|
|
|
|
|
|
|
|
/* Now the offset in virtual addressing is known in 'offset'.
|
2006-06-23 13:54:03 +02:00
|
|
|
* Depending on the access, this is the source or destination
|
2006-06-20 12:03:10 +02:00
|
|
|
* address.
|
|
|
|
*/
|
2006-06-23 13:54:03 +02:00
|
|
|
if(access & CPF_READ) {
|
|
|
|
v_src.offset = v_offset;
|
|
|
|
v_dst.offset = (vir_bytes) addr;
|
2006-06-20 12:03:10 +02:00
|
|
|
} else {
|
2006-06-23 13:54:03 +02:00
|
|
|
v_src.offset = (vir_bytes) addr;
|
|
|
|
v_dst.offset = v_offset;
|
2006-06-20 12:03:10 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
/* Do the regular copy. */
|
|
|
|
return virtual_copy(&v_src, &v_dst, bytes);
|
2006-06-23 13:54:03 +02:00
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
/*===========================================================================*
|
|
|
|
* do_safecopy *
|
|
|
|
*===========================================================================*/
|
|
|
|
PUBLIC int do_safecopy(m_ptr)
|
|
|
|
register message *m_ptr; /* pointer to request message */
|
|
|
|
{
|
|
|
|
static int access, src_seg, dst_seg;
|
|
|
|
|
|
|
|
/* Set src and dst parameters.
|
|
|
|
* The caller's seg is encoded in the SCP_INFO field.
|
|
|
|
*/
|
|
|
|
if(sys_call_code == SYS_SAFECOPYFROM) {
|
|
|
|
src_seg = D;
|
|
|
|
dst_seg = SCP_INFO2SEG(m_ptr->SCP_INFO);
|
|
|
|
access = CPF_READ;
|
|
|
|
} else if(sys_call_code == SYS_SAFECOPYTO) {
|
|
|
|
src_seg = SCP_INFO2SEG(m_ptr->SCP_INFO);
|
|
|
|
dst_seg = D;
|
|
|
|
access = CPF_WRITE;
|
|
|
|
} else panic("Impossible system call nr. ", sys_call_code);
|
|
|
|
|
|
|
|
return safecopy(m_ptr->SCP_FROM_TO, who_e, m_ptr->SCP_GID,
|
|
|
|
src_seg, dst_seg, m_ptr->SCP_BYTES, m_ptr->SCP_OFFSET,
|
|
|
|
(vir_bytes) m_ptr->SCP_ADDRESS, access);
|
|
|
|
}
|
|
|
|
|
|
|
|
/*===========================================================================*
|
|
|
|
* do_vsafecopy *
|
|
|
|
*===========================================================================*/
|
|
|
|
PUBLIC int do_vsafecopy(m_ptr)
|
|
|
|
register message *m_ptr; /* pointer to request message */
|
|
|
|
{
|
|
|
|
static struct vscp_vec vec[SCPVEC_NR];
|
|
|
|
static struct vir_addr src, dst;
|
|
|
|
int r, i, els;
|
|
|
|
|
|
|
|
/* Set vector copy parameters. */
|
|
|
|
src.proc_nr_e = who_e;
|
|
|
|
src.offset = (vir_bytes) m_ptr->VSCP_VEC_ADDR;
|
|
|
|
src.segment = dst.segment = D;
|
|
|
|
dst.proc_nr_e = SYSTEM;
|
|
|
|
dst.offset = (vir_bytes) vec;
|
|
|
|
|
|
|
|
/* No. of vector elements. */
|
|
|
|
els = m_ptr->VSCP_VEC_SIZE;
|
|
|
|
|
|
|
|
/* Obtain vector of copies. */
|
|
|
|
if((r=virtual_copy(&src, &dst, els * sizeof(struct vscp_vec))) != OK)
|
|
|
|
return r;
|
|
|
|
|
|
|
|
/* Perform safecopies. */
|
|
|
|
for(i = 0; i < els; i++) {
|
|
|
|
int access;
|
|
|
|
endpoint_t granter;
|
|
|
|
if(vec[i].v_from == SELF) {
|
|
|
|
access = CPF_WRITE;
|
|
|
|
granter = vec[i].v_to;
|
|
|
|
} else if(vec[i].v_to == SELF) {
|
|
|
|
access = CPF_READ;
|
|
|
|
granter = vec[i].v_from;
|
|
|
|
} else {
|
|
|
|
kprintf("vsafecopy: %d: element %d/%d: no SELF found\n",
|
|
|
|
who_e, i, els);
|
|
|
|
return EINVAL;
|
|
|
|
}
|
|
|
|
|
|
|
|
/* Do safecopy for this element. */
|
|
|
|
if((r=safecopy(granter, who_e, vec[i].v_gid, D, D,
|
|
|
|
vec[i].v_bytes, vec[i].v_offset,
|
|
|
|
vec[i].v_addr, access)) != OK) {
|
|
|
|
return r;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
return OK;
|
2006-06-20 12:03:10 +02:00
|
|
|
}
|
|
|
|
|