#ifndef PRIV_H
#define PRIV_H

/* Declaration of the system privileges structure. It defines flags, system
 * call masks, a synchronous alarm timer, I/O privileges, pending hardware
 * interrupts and notifications, and so on.
 * System processes each get their own structure with properties, whereas all
 * user processes share one structure. This setup provides a clear separation
 * between common and privileged process fields and is very space efficient.
 *
 * Changes:
 *   Nov 22, 2009   rewrite of privilege management (Cristiano Giuffrida)
 *   Jul 01, 2005   Created. (Jorrit N. Herder)
 */

#include <minix/com.h>
#include <minix/const.h>
#include "const.h"
#include "type.h"

/* Max. number of I/O ranges that can be assigned to a process */
#define NR_IO_RANGE 64

/* Max. number of device memory ranges that can be assigned to a process */
#define NR_MEM_RANGE 20

/* Max. number of IRQs that can be assigned to a process */
#define NR_IRQ 8

struct priv {
  proc_nr_t s_proc_nr;          /* number of associated process */
  sys_id_t s_id;                /* index of this system structure */
  short s_flags;                /* PREEMPTIBLE, BILLABLE, etc. */

  /* Asynchronous sends */
  vir_bytes s_asyntab;          /* addr. of table in process' address space */
  size_t s_asynsize;            /* number of elements in table. 0 when not in
                                 * use
                                 */

  short s_trap_mask;            /* allowed system call traps */
  sys_map_t s_ipc_to;           /* allowed destination processes */

  /* allowed kernel calls */
/* New RS and new signal handling for system processes.
 * UPDATING INFO:
 * 20100317:
 * /usr/src/etc/system.conf updated to ignore default kernel calls: copy
 * it (or merge it) to /etc/system.conf.
 * The hello driver (/dev/hello) added to the distribution:
 * # cd /usr/src/commands/scripts && make clean install
 * # cd /dev && MAKEDEV hello
 * KERNEL CHANGES:
 * - Generic signal handling support. The kernel no longer assumes PM as a signal
 * manager for every process. The signal manager of a given process can now be
 * specified in its privilege slot. When a signal has to be delivered, the kernel
 * performs the lookup and forwards the signal to the appropriate signal manager.
 * PM is the default signal manager for user processes, RS is the default signal
 * manager for system processes. To enable ptrace()ing for system processes, it
 * is sufficient to change the default signal manager to PM. This will temporarily
 * disable crash recovery, though.
 * - sys_exit() is now split into sys_exit() (i.e. exit() for system processes,
 * which generates a self-termination signal), and sys_clear() (i.e. used by PM
 * to ask the kernel to clear a process slot when a process exits).
 * - Added a new kernel call (i.e. sys_update()) to swap two process slots and
 * implement live update.
 * PM CHANGES:
 * - Posix signal handling is no longer allowed for system processes. System
 * signals are split into two fixed categories: termination and non-termination
 * signals. When a non-termination signal is processed, PM transforms the signal
 * into an IPC message and delivers the message to the system process. When a
 * termination signal is processed, PM terminates the process.
 * - PM no longer assumes itself as the signal manager for system processes. It now
 * makes sure that every system signal goes through the kernel before being
 * actually processed. The kernel will then dispatch the signal to the appropriate
 * signal manager which may or may not be PM.
 * SYSLIB CHANGES:
 * - Simplified SEF init and LU callbacks.
 * - Added additional predefined SEF callbacks to debug crash recovery and
 * live update.
 * - Fixed a temporary ack in the SEF init protocol. SEF init reply is now
 * completely synchronous.
 * - Added SEF signal event type to provide a uniform interface for system
 * processes to deal with signals. A sef_cb_signal_handler() callback is
 * available for system processes to handle every received signal. A
 * sef_cb_signal_manager() callback is used by signal managers to process
 * system signals on behalf of the kernel.
 * - Fixed a few bugs with memory mapping and DS.
 * VM CHANGES:
 * - Page faults and memory requests coming from the kernel are now implemented
 * using signals.
 * - Added a new VM call to swap two process slots and implement live update.
 * - The call is used by RS at update time and in turn invokes the kernel call
 * sys_update().
 * RS CHANGES:
 * - RS has been reworked with a better functional decomposition.
 * - Better kernel call masks. com.h now defines the set of very basic kernel calls
 * every system service is allowed to use. This makes system.conf simpler and
 * easier to maintain. In addition, this guarantees a higher level of isolation
 * for system libraries that use one or more kernel calls internally (e.g. printf).
 * - RS is the default signal manager for system processes. By default, RS
 * intercepts every signal delivered to every system process. This makes crash
 * recovery possible before bringing PM and friends in the loop.
 * - RS now supports fast rollback when something goes wrong while initializing
 * the new version during a live update.
 * - Live update is now implemented by keeping the two versions side-by-side and
 * swapping the process slots when the old version is ready to update.
 * - Crash recovery is now implemented by keeping the two versions side-by-side
 * and cleaning up the old version only when the recovery process is complete.
 * DS CHANGES:
 * - Fixed a bug when the process doing ds_publish() or ds_delete() is not known
 * by DS.
 * - Fixed the completely broken support for strings. String publishing is now
 * implemented in the system library and simply wraps publishing of memory ranges.
 * Ideally, we should adopt a similar approach for other data types as well.
 * - Test suite fixed.
 * DRIVER CHANGES:
 * - The hello driver has been added to the Minix distribution to demonstrate basic
 * live update and crash recovery functionalities.
 * - Other drivers have been adapted to conform to the new SEF interface.
 */
  bitchunk_t s_k_call_mask[SYS_CALL_MASK_SIZE];

  endpoint_t s_sig_mgr;         /* signal manager for system signals */
  sys_map_t s_notify_pending;   /* bit map with pending notifications */
  irq_id_t s_int_pending;       /* pending hardware interrupts */
  sigset_t s_sig_pending;       /* pending signals */

  timer_t s_alarm_timer;        /* synchronous alarm timer */
  struct far_mem s_farmem[NR_REMOTE_SEGS];  /* remote memory map */
  reg_t *s_stack_guard;         /* stack guard word for kernel tasks */

  int s_nr_io_range;            /* allowed I/O ports */
  struct io_range s_io_tab[NR_IO_RANGE];

  int s_nr_mem_range;           /* allowed memory ranges */
  struct mem_range s_mem_tab[NR_MEM_RANGE];

  int s_nr_irq;                 /* allowed IRQ lines */
  int s_irq_tab[NR_IRQ];
  vir_bytes s_grant_table;      /* grant table address of process, or 0 */
  int s_grant_entries;          /* no. of entries, or 0 */
};

/* Guard word for task stacks. */
#define STACK_GUARD ((reg_t) (sizeof(reg_t) == 2 ? 0xBEEF : 0xDEADBEEF))

/* Static privilege id definitions. */
#define NR_STATIC_PRIV_IDS NR_BOOT_PROCS
#define is_static_priv_id(id) ((id) >= 0 && (id) < NR_STATIC_PRIV_IDS)
#define static_priv_id(n) (NR_TASKS + (n))

/* Magic system structure table addresses. */
#define BEG_PRIV_ADDR (&priv[0])
#define END_PRIV_ADDR (&priv[NR_SYS_PROCS])
#define BEG_STATIC_PRIV_ADDR BEG_PRIV_ADDR
#define END_STATIC_PRIV_ADDR (BEG_STATIC_PRIV_ADDR + NR_STATIC_PRIV_IDS)
#define BEG_DYN_PRIV_ADDR END_STATIC_PRIV_ADDR
#define END_DYN_PRIV_ADDR END_PRIV_ADDR

#define priv_addr(i) (ppriv_addr)[(i)]
#define priv_id(rp) ((rp)->p_priv->s_id)
#define priv(rp) ((rp)->p_priv)

#define id_to_nr(id) priv_addr(id)->s_proc_nr
#define nr_to_id(nr) priv(proc_addr(nr))->s_id

#define may_send_to(rp, nr) (get_sys_bit(priv(rp)->s_ipc_to, nr_to_id(nr)))

/* Privilege management shorthands. */
#define spi_to(n) (1 << (static_priv_id(n)))
#define unset_usr_to(m) ((m) & ~(1 << USER_PRIV_ID))

/* The system structures table and pointers to individual table slots. The
 * pointers allow faster access because a process entry can be found by
 * indexing the ppriv_addr array, whereas accessing priv[i] directly requires
 * a multiplication with sizeof(struct priv) to determine the address.
 */
EXTERN struct priv priv[NR_SYS_PROCS];          /* system properties table */
EXTERN struct priv *ppriv_addr[NR_SYS_PROCS];   /* direct slot pointers */

/* Unprivileged user processes all share the privilege structure of the
 * root user process.
 * This id must be fixed because it is used to check send mask entries.
 */
#define USER_PRIV_ID static_priv_id(ROOT_USR_PROC_NR)

/* Specifies a null privilege id. */
#define NULL_PRIV_ID (-1)

/* Make sure the system can boot. The following sanity check verifies that
 * the system privileges table is large enough for the number of processes
 * in the boot image.
 */
#if (NR_BOOT_PROCS > NR_SYS_PROCS)
#error NR_SYS_PROCS must be at least NR_BOOT_PROCS
#endif

/*
 * Privilege masks used by the kernel.
 */
#define IDL_F (SYS_PROC | BILLABLE)     /* idle task is not preemptible as we
                                         * don't want it to interfere with the
                                         * timer tick interrupt handler code.
                                         * Unlike other processes idle task is
                                         * handled in a special way and is
                                         * preempted always if timer tick occurs
                                         * and there is another runnable process
                                         */
#define TSK_F (SYS_PROC)                /* other kernel tasks */
#define RSYS_F (SYS_PROC | PREEMPTIBLE) /* root system proc */
#define DEF_SYS_F (RSYS_F | DYN_PRIV_ID) /* default sys proc */

/* allowed traps */
#define CSK_T (1 << RECEIVE)            /* clock and system */
#define TSK_T 0                         /* other kernel tasks */
#define RSYS_T (~0)                     /* root system proc */
#define DEF_SYS_T RSYS_T                /* default sys proc */

/* allowed targets */
#define TSK_M 0                         /* all kernel tasks */
#define RSYS_M (~0)                     /* root system proc */
#define DEF_SYS_M unset_usr_to(RSYS_M)  /* default sys proc */
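As an added example (not MINIX code, and not part of this header), the following user-space model shows what the may_send_to() check and the DEF_SYS_M = unset_usr_to(RSYS_M) default amount to: a default system process keeps every bit of the root system process' send mask except the one for USER_PRIV_ID, so it can message other system services but not user processes. NR_TASKS, NR_SYS_PROCS and ROOT_USR_PROC_NR are assumed values chosen so the s_ipc_to bit map fits in a single 32-bit chunk.

```c
/* Added example, not MINIX source: user-space model of the s_ipc_to send-mask
 * check. All numeric constants below are assumptions for the demo. */
#include <stdint.h>
#include <stdio.h>

#define NR_TASKS          4   /* assumed: number of kernel tasks */
#define NR_SYS_PROCS     32   /* assumed: size of the privilege table */
#define ROOT_USR_PROC_NR  5   /* assumed: boot-image index of the root user proc */
#define BITCHUNK_BITS    32
#define SYS_MAP_CHUNKS   ((NR_SYS_PROCS + BITCHUNK_BITS - 1) / BITCHUNK_BITS)

typedef uint32_t bitchunk_t;
typedef struct { bitchunk_t chunk[SYS_MAP_CHUNKS]; } sys_map_t;

/* Shorthands mirroring priv.h: a static privilege id is NR_TASKS + boot index. */
#define static_priv_id(n)   (NR_TASKS + (n))
#define USER_PRIV_ID        static_priv_id(ROOT_USR_PROC_NR)
#define unset_usr_to(m)     ((m) & ~(1u << USER_PRIV_ID))
#define RSYS_M              (~0u)                 /* root system proc: anyone */
#define DEF_SYS_M           unset_usr_to(RSYS_M)  /* default: all but user procs */

/* Bit-map read, the equivalent of the kernel's get_sys_bit(): an id outside
 * the table is never allowed (default deny). */
static int get_sys_bit(const sys_map_t *map, int id)
{
    if (id < 0 || id >= NR_SYS_PROCS) return 0;
    return (int)((map->chunk[id / BITCHUNK_BITS] >> (id % BITCHUNK_BITS)) & 1u);
}

/* Expand a 32-bit shorthand mask (RSYS_M, DEF_SYS_M) into a sys_map_t, the way
 * a send mask ends up in s_ipc_to. */
static sys_map_t map_from_mask(uint32_t mask)
{
    sys_map_t map = {{0}};
    for (int id = 0; id < NR_SYS_PROCS && id < 32; id++)
        if (mask & (1u << id))
            map.chunk[id / BITCHUNK_BITS] |= 1u << (id % BITCHUNK_BITS);
    return map;
}

/* may_send_to(): may a sender whose s_ipc_to map is built from sender_ipc_to
 * deliver a message to the process holding privilege id dst_id? */
int may_send_to(uint32_t sender_ipc_to, int dst_id)
{
    sys_map_t map = map_from_mask(sender_ipc_to);
    return get_sys_bit(&map, dst_id);
}

int main(void)
{
    int svc_id = static_priv_id(2);   /* constructed: some boot-image service */
    printf("root sys  -> user proc: %d\n", may_send_to(RSYS_M, USER_PRIV_ID));
    printf("default   -> user proc: %d\n", may_send_to(DEF_SYS_M, USER_PRIV_ID));
    printf("default   -> service  : %d\n", may_send_to(DEF_SYS_M, svc_id));
    printf("default   -> bad id   : %d\n", may_send_to(DEF_SYS_M, NR_SYS_PROCS));
    return 0;
}
```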

/* allowed kernel calls */
#define NO_C 0                          /* no calls allowed */
#define ALL_C 1                         /* all calls allowed */
#define TSK_KC NO_C                     /* all kernel tasks */
#define RSYS_KC ALL_C                   /* root system proc */
#define DEF_SYS_KC RSYS_KC              /* default sys proc */

/* signal manager */
#define RSYS_SM ROOT_SYS_PROC_NR        /* root system proc */
#define DEF_SYS_SM ROOT_SYS_PROC_NR     /* default sys proc */

#endif /* PRIV_H */