minix/kernel/system/do_privctl.c

260 lines
7 KiB
C
Raw Normal View History

/* The kernel call implemented in this file:
2005-07-22 11:20:43 +02:00
* m_type: SYS_PRIVCTL
*
* The parameters for this kernel call are:
* m2_i1: CTL_ENDPT (process endpoint of target)
* m2_i2: CTL_REQUEST (privilege control request)
* m2_p1: CTL_ARG_PTR (pointer to request data)
2005-07-22 11:20:43 +02:00
*/
#include "../system.h"
#include "../ipc.h"
#include <signal.h>
#include <string.h>
2005-07-22 11:20:43 +02:00
#if USE_PRIVCTL
#define FILLED_MASK (~0)
2005-07-22 11:20:43 +02:00
/*===========================================================================*
* do_privctl *
*===========================================================================*/
PUBLIC int do_privctl(m_ptr)
message *m_ptr; /* pointer to request message */
{
/* Handle sys_privctl(). Update a process' privileges. If the process is not
* yet a system process, make sure it gets its own privilege structure.
*/
register struct proc *caller_ptr;
2005-07-22 11:20:43 +02:00
register struct proc *rp;
int proc_nr;
int priv_id;
int i, r;
struct io_range io_range;
struct mem_range mem_range;
struct priv priv;
int irq;
2005-07-22 11:20:43 +02:00
/* Check whether caller is allowed to make this call. Privileged proceses
* can only update the privileges of processes that are inhibited from
* running by the RTS_NO_PRIV flag. This flag is set when a privileged process
* forks.
*/
'proc number' is process slot, 'endpoint' are generation-aware process instance numbers, encoded and decoded using macros in <minix/endpoint.h>. proc number -> endpoint migration . proc_nr in the interrupt hook is now an endpoint, proc_nr_e. . m_source for messages and notifies is now an endpoint, instead of proc number. . isokendpt() converts an endpoint to a process number, returns success (but fails if the process number is out of range, the process slot is not a living process, or the given endpoint number does not match the endpoint number in the process slot, indicating an old process). . okendpt() is the same as isokendpt(), but panic()s if the conversion fails. This is mainly used for decoding message.m_source endpoints, and other endpoint numbers in kernel data structures, which should always be correct. . if DEBUG_ENABLE_IPC_WARNINGS is enabled, isokendpt() and okendpt() get passed the __FILE__ and __LINE__ of the calling lines, and print messages about what is wrong with the endpoint number (out of range proc, empty proc, or inconsistent endpoint number), with the caller, making finding where the conversion failed easy without having to include code for every call to print where things went wrong. Sometimes this is harmless (wrong arg to a kernel call), sometimes it's a fatal internal inconsistency (bogus m_source). . some process table fields have been appended an _e to indicate it's become and endpoint. . process endpoint is stored in p_endpoint, without generation number. it turns out the kernel never needs the generation number, except when fork()ing, so it's decoded then. . kernel calls all take endpoints as arguments, not proc numbers. the one exception is sys_fork(), which needs to know in which slot to put the child.
2006-03-03 11:00:02 +01:00
caller_ptr = proc_addr(who_p);
if (! (priv(caller_ptr)->s_flags & SYS_PROC)) return(EPERM);
if(m_ptr->CTL_ENDPT == SELF) proc_nr = who_p;
else if(!isokendpt(m_ptr->CTL_ENDPT, &proc_nr)) return(EINVAL);
2005-07-22 11:20:43 +02:00
rp = proc_addr(proc_nr);
switch(m_ptr->CTL_REQUEST)
{
case SYS_PRIV_INIT:
if (! RTS_ISSET(rp, RTS_NO_PRIV)) return(EPERM);
/* Make sure this process has its own privileges structure. This may
* fail, since there are only a limited number of system processes.
* Then copy the privileges from the caller and restore some defaults.
*/
2008-02-22 11:58:27 +01:00
if ((i=get_priv(rp, SYS_PROC)) != OK)
{
kprintf("do_privctl: out of priv structures\n");
return(i);
}
priv_id = priv(rp)->s_id; /* backup privilege id */
*priv(rp) = *priv(caller_ptr); /* copy from caller */
priv(rp)->s_id = priv_id; /* restore privilege id */
priv(rp)->s_proc_nr = proc_nr; /* reassociate process nr */
for (i=0; i< BITMAP_CHUNKS(NR_SYS_PROCS); i++) /* remove pending: */
priv(rp)->s_notify_pending.chunk[i] = 0; /* - notifications */
priv(rp)->s_int_pending = 0; /* - interrupts */
sigemptyset(&priv(rp)->s_sig_pending); /* - signals */
/* Now update the process' privileges as requested. */
rp->p_priv->s_trap_mask = FILLED_MASK;
IPC privileges fixes Kernel: o Remove s_ipc_sendrec, instead using s_ipc_to for all send primitives o Centralize s_ipc_to bit manipulation, - disallowing assignment of bits pointing to unused priv structs; - preventing send-to-self by not setting bit for own priv struct; - preserving send mask matrix symmetry in all cases o Add IPC send mask checks to SENDA, which were missing entirely somehow o Slightly improve IPC stats accounting for SENDA o Remove SYSTEM from user processes' send mask o Half-fix the dependency between boot image order and process numbers, - correcting the table order of the boot processes; - documenting the order requirement needed for proper send masks; - warning at boot time if the order is violated RS: o Add support in /etc/drivers.conf for servers that talk to user processes, - disallowing IPC to user processes if no "ipc" field is present - adding a special "USER" label to explicitly allow IPC to user processes o Always apply IPC masks when specified; remove -i flag from service(8) o Use kernel send mask symmetry to delay adding IPC permissions for labels that do not exist yet, adding them to that label's process upon creation o Add VM to ipc permissions list for rtl8139 and fxp in drivers.conf Left to future fixes: o Removal of the table order vs process numbers dependency altogether, possibly using per-process send list structures as used for SYSTEM calls o Proper assignment of send masks to boot processes; some of the assigned (~0) masks are much wider than necessary o Proper assignment of IPC send masks for many more servers in drivers.conf o Removal of the debugging warning about the now legitimate case where RS's add_forward_ipc cannot find the IPC destination's label yet
2009-07-02 18:25:31 +02:00
/* Set a default send mask. */
for (i=0; i < NR_SYS_PROCS; i++) {
if (i != USER_PRIV_ID)
set_sendto_bit(rp, i);
else
unset_sendto_bit(rp, i);
}
/* No I/O resources, no memory resources, no IRQs, no grant table */
priv(rp)->s_nr_io_range= 0;
priv(rp)->s_nr_mem_range= 0;
priv(rp)->s_nr_irq= 0;
priv(rp)->s_grant_table= 0;
priv(rp)->s_grant_entries= 0;
if (m_ptr->CTL_ARG_PTR)
{
/* Copy privilege structure from caller */
if((r=data_copy(who_e, (vir_bytes) m_ptr->CTL_ARG_PTR,
SYSTEM, (vir_bytes) &priv, sizeof(priv))) != OK)
return r;
/* Copy the call mask */
for (i= 0; i<CALL_MASK_SIZE; i++)
priv(rp)->s_k_call_mask[i]= priv.s_k_call_mask[i];
/* Copy IRQs */
if (priv.s_nr_irq < 0 || priv.s_nr_irq > NR_IRQ)
return EINVAL;
priv(rp)->s_nr_irq= priv.s_nr_irq;
for (i= 0; i<priv.s_nr_irq; i++)
{
priv(rp)->s_irq_tab[i]= priv.s_irq_tab[i];
2007-02-16 16:53:10 +01:00
#if 0
2007-02-21 18:49:35 +01:00
kprintf("do_privctl: adding IRQ %d for %d\n",
priv(rp)->s_irq_tab[i], rp->p_endpoint);
2007-02-16 16:53:10 +01:00
#endif
}
priv(rp)->s_flags |= CHECK_IRQ; /* Check requests for IRQs */
/* Copy I/O ranges */
if (priv.s_nr_io_range < 0 || priv.s_nr_io_range > NR_IO_RANGE)
return EINVAL;
priv(rp)->s_nr_io_range= priv.s_nr_io_range;
for (i= 0; i<priv.s_nr_io_range; i++)
{
priv(rp)->s_io_tab[i]= priv.s_io_tab[i];
2007-03-30 17:17:03 +02:00
#if 0
2007-02-21 18:49:35 +01:00
kprintf("do_privctl: adding I/O range [%x..%x] for %d\n",
priv(rp)->s_io_tab[i].ior_base,
2007-02-21 18:49:35 +01:00
priv(rp)->s_io_tab[i].ior_limit,
rp->p_endpoint);
2007-03-30 17:17:03 +02:00
#endif
}
/* Check requests for IRQs */
priv(rp)->s_flags |= CHECK_IO_PORT;
memcpy(priv(rp)->s_k_call_mask, priv.s_k_call_mask,
sizeof(priv(rp)->s_k_call_mask));
IPC privileges fixes Kernel: o Remove s_ipc_sendrec, instead using s_ipc_to for all send primitives o Centralize s_ipc_to bit manipulation, - disallowing assignment of bits pointing to unused priv structs; - preventing send-to-self by not setting bit for own priv struct; - preserving send mask matrix symmetry in all cases o Add IPC send mask checks to SENDA, which were missing entirely somehow o Slightly improve IPC stats accounting for SENDA o Remove SYSTEM from user processes' send mask o Half-fix the dependency between boot image order and process numbers, - correcting the table order of the boot processes; - documenting the order requirement needed for proper send masks; - warning at boot time if the order is violated RS: o Add support in /etc/drivers.conf for servers that talk to user processes, - disallowing IPC to user processes if no "ipc" field is present - adding a special "USER" label to explicitly allow IPC to user processes o Always apply IPC masks when specified; remove -i flag from service(8) o Use kernel send mask symmetry to delay adding IPC permissions for labels that do not exist yet, adding them to that label's process upon creation o Add VM to ipc permissions list for rtl8139 and fxp in drivers.conf Left to future fixes: o Removal of the table order vs process numbers dependency altogether, possibly using per-process send list structures as used for SYSTEM calls o Proper assignment of send masks to boot processes; some of the assigned (~0) masks are much wider than necessary o Proper assignment of IPC send masks for many more servers in drivers.conf o Removal of the debugging warning about the now legitimate case where RS's add_forward_ipc cannot find the IPC destination's label yet
2009-07-02 18:25:31 +02:00
/* Set a custom send mask. */
for (i=0; i < NR_SYS_PROCS; i++) {
if (get_sys_bit(priv.s_ipc_to, i))
set_sendto_bit(rp, i);
else
unset_sendto_bit(rp, i);
}
}
/* Done. Privileges have been set. Allow process to run again. */
RTS_LOCK_UNSET(rp, RTS_NO_PRIV);
return(OK);
case SYS_PRIV_USER:
Mostly bugfixes of bugs triggered by the test set. bugfixes: SYSTEM: . removed rc->p_priv->s_flags = 0; for the priv struct shared by all user processes in get_priv(). this should only be done once. doing a SYS_PRIV_USER in sys_privctl() caused the flags of all user processes to be reset, so they were no longer PREEMPTIBLE. this happened when RS executed a policy script. (this broke test1 in the test set) VFS/MFS: . chown can change the mode of a file, and chmod arguments are only part of the full file mode so the full filemode is slightly magic. changed these calls so that the final modes are returned to VFS, so that the vnode can be kept up-to-date. (this broke test11 in the test set) MFS: . lookup() checked for sizeof(string) instead of sizeof(user_path), truncating long path names (caught by test 23) . truncate functions neglected to update ctime (this broke test16) VFS: . corner case of an empty filename lookup caused fields of a request not to be filled in in the lookup functions, not making it clear that the lookup had failed, causing messages to garbage processes, causing strange failures. (caught by test 30) . trust v_size in vnode when doing reads or writes on non-special files, truncating i/o where necessary; this is necessary for pipes, as MFS can't tell when a pipe has been truncated without it being told explicitly each time. when the last reader/writer on a pipe closes, tell FS about the new size using truncate_vn(). (this broke test 25, among others) . permission check for chdir() had disappeared; added a forbidden() call (caught by test 23) new code, shouldn't change anything: . introduced RTS_SET, RTS_UNSET, and RTS_ISSET macro's, and their LOCK variants. These macros set and clear the p_rts_flags field, causing a lot of duplicated logic like old_flags = rp->p_rts_flags; /* save value of the flags */ rp->p_rts_flags &= ~NO_PRIV; if (old_flags != 0 && rp->p_rts_flags == 0) lock_enqueue(rp); to change into the simpler RTS_LOCK_UNSET(rp, NO_PRIV); so the macros take care of calling dequeue() and enqueue() (or lock_*()), as the case may be). This makes the code a bit more readable and a bit less fragile. . removed return code from do_clocktick in CLOCK as it currently never replies . removed some debug code from VFS . fixed grant debug message in device.c preemptive checks, tests, changes: . added return code checks of receive() to SYSTEM and CLOCK . O_TRUNC should never arrive at MFS (added sanity check and removed O_TRUNC code) . user_path declared with PATH_MAX+1 to let it be null-terminated . checks in MFS to see if strings passed by VFS are null-terminated IS: . static irq name table thrown out
2007-02-01 18:50:02 +01:00
/* Make this process an ordinary user process. */
if (!RTS_ISSET(rp, RTS_NO_PRIV)) return(EPERM);
if ((i=get_priv(rp, 0)) != OK) return(i);
RTS_LOCK_UNSET(rp, RTS_NO_PRIV);
return(OK);
case SYS_PRIV_ADD_IO:
if (RTS_ISSET(rp, RTS_NO_PRIV))
return(EPERM);
/* Only system processes get I/O resources? */
if (!(priv(rp)->s_flags & SYS_PROC))
return EPERM;
2008-02-22 11:58:27 +01:00
#if 0 /* XXX -- do we need a call for this? */
if (strcmp(rp->p_name, "fxp") == 0 ||
strcmp(rp->p_name, "rtl8139") == 0)
{
kprintf("setting ipc_stats_target to %d\n", rp->p_endpoint);
ipc_stats_target= rp->p_endpoint;
}
#endif
/* Get the I/O range */
data_copy(who_e, (vir_bytes) m_ptr->CTL_ARG_PTR,
SYSTEM, (vir_bytes) &io_range, sizeof(io_range));
priv(rp)->s_flags |= CHECK_IO_PORT; /* Check I/O accesses */
i= priv(rp)->s_nr_io_range;
if (i >= NR_IO_RANGE)
return ENOMEM;
priv(rp)->s_io_tab[i].ior_base= io_range.ior_base;
priv(rp)->s_io_tab[i].ior_limit= io_range.ior_limit;
priv(rp)->s_nr_io_range++;
return OK;
case SYS_PRIV_ADD_MEM:
if (RTS_ISSET(rp, RTS_NO_PRIV))
return(EPERM);
/* Only system processes get memory resources? */
if (!(priv(rp)->s_flags & SYS_PROC))
return EPERM;
/* Get the memory range */
if((r=data_copy(who_e, (vir_bytes) m_ptr->CTL_ARG_PTR,
SYSTEM, (vir_bytes) &mem_range, sizeof(mem_range))) != OK)
return r;
priv(rp)->s_flags |= CHECK_MEM; /* Check memory mappings */
i= priv(rp)->s_nr_mem_range;
if (i >= NR_MEM_RANGE)
return ENOMEM;
priv(rp)->s_mem_tab[i].mr_base= mem_range.mr_base;
priv(rp)->s_mem_tab[i].mr_limit= mem_range.mr_limit;
priv(rp)->s_nr_mem_range++;
return OK;
case SYS_PRIV_ADD_IRQ:
if (RTS_ISSET(rp, RTS_NO_PRIV))
return(EPERM);
/* Only system processes get IRQs? */
if (!(priv(rp)->s_flags & SYS_PROC))
return EPERM;
data_copy(who_e, (vir_bytes) m_ptr->CTL_ARG_PTR,
SYSTEM, (vir_bytes) &irq, sizeof(irq));
priv(rp)->s_flags |= CHECK_IRQ; /* Check IRQs */
i= priv(rp)->s_nr_irq;
if (i >= NR_IRQ)
return ENOMEM;
priv(rp)->s_irq_tab[i]= irq;
priv(rp)->s_nr_irq++;
return OK;
case SYS_PRIV_QUERY_MEM:
{
phys_bytes addr, limit;
struct priv *sp;
/* See if a certain process is allowed to map in certain physical
* memory.
*/
addr = (phys_bytes) m_ptr->CTL_PHYSSTART;
limit = addr + (phys_bytes) m_ptr->CTL_PHYSLEN - 1;
if(limit < addr)
return EPERM;
if(!(sp = priv(rp)))
return EPERM;
if (!(sp->s_flags & SYS_PROC))
return EPERM;
for(i = 0; i < sp->s_nr_mem_range; i++) {
if(addr >= sp->s_mem_tab[i].mr_base &&
limit <= sp->s_mem_tab[i].mr_limit)
return OK;
}
return EPERM;
}
default:
kprintf("do_privctl: bad request %d\n", m_ptr->CTL_REQUEST);
return EINVAL;
}
2005-07-22 11:20:43 +02:00
}
#endif /* USE_PRIVCTL */