Commit graph

80 commits

Author SHA1 Message Date
David van Moolenbroek
b8b8f537bd IPC privileges fixes
Kernel:
o Remove s_ipc_sendrec, instead using s_ipc_to for all send primitives
o Centralize s_ipc_to bit manipulation,
  - disallowing assignment of bits pointing to unused priv structs;
  - preventing send-to-self by not setting bit for own priv struct;
  - preserving send mask matrix symmetry in all cases
o Add IPC send mask checks to SENDA, which were missing entirely somehow
o Slightly improve IPC stats accounting for SENDA
o Remove SYSTEM from user processes' send mask
o Half-fix the dependency between boot image order and process numbers,
  - correcting the table order of the boot processes;
  - documenting the order requirement needed for proper send masks;
  - warning at boot time if the order is violated

RS:
o Add support in /etc/drivers.conf for servers that talk to user processes,
  - disallowing IPC to user processes if no "ipc" field is present
  - adding a special "USER" label to explicitly allow IPC to user processes
o Always apply IPC masks when specified; remove -i flag from service(8)
o Use kernel send mask symmetry to delay adding IPC permissions for labels
  that do not exist yet, adding them to that label's process upon creation
o Add VM to ipc permissions list for rtl8139 and fxp in drivers.conf

Left to future fixes:
o Removal of the table order vs process numbers dependency altogether,
  possibly using per-process send list structures as used for SYSTEM calls
o Proper assignment of send masks to boot processes;
  some of the assigned (~0) masks are much wider than necessary
o Proper assignment of IPC send masks for many more servers in drivers.conf
o Removal of the debugging warning about the now legitimate case where RS's
  add_forward_ipc cannot find the IPC destination's label yet
2009-07-02 16:25:31 +00:00
Ben Gras
8b72765e39 ignore errors of pipe read (can happen with shutdown, now that
all fd's are closed neatly in vfs), change messaging in unexpected
restarts
2009-05-06 15:38:32 +00:00
Ben Gras
a12113e476 process restarts are pretty rare/serious. 2009-04-27 14:07:47 +00:00
Ben Gras
3cc092ff06 . new kernel call sysctl for generic unprivileged system operations;
   now used for printing diagnostic messages through the kernel message
   buffer. this lets processes print diagnostics without sending messages
   to tty and log directly, simplifying the message protocol a lot and
   reducing difficulties with deadlocks and other situations in which
   diagnostics are blackholed (e.g. grants don't work). this makes
   DIAGNOSTICS(_S), ASYN_DIAGNOSTICS and DIAG_REPL obsolete, although tty
   and log still accept the codes for 'old' binaries. This also simplifies
   diagnostics in several servers and drivers - only tty needs its own
   kputc() now.
. simplifications in vfs, and some effort to get the vnode references
   right (consistent) even during shutdown. m_mounted_on is now NULL
   for root filesystems (!) (the original and new root), a less awkward
   special case than 'm_mounted_on == m_root_node'. root now has exactly
   one reference, to root, if no files are open, just like all other
   filesystems. m_driver_e is unused.
2009-01-26 17:43:59 +00:00
Ben Gras
c078ec0331 Basic VM and other minor improvements.
Not complete, probably not fully debugged or optimized.
2008-11-19 12:26:10 +00:00
Philip Homburg
ca8291c815 Support for restricting IPC to a set of endpoints. Not enabled by
default, pass -i to service. Do not reply to bogus request types. Reply using
sendnb.
2008-02-21 16:20:22 +00:00
Philip Homburg
1f04287b3f Removed dmap table. Publish endpoint in DS before calling mapdriver5. 2007-08-07 12:24:06 +00:00
Philip Homburg
56a68dc32b Hack in service to use RS_START instead of RS_UP. RS reports the use of RS_UP. 2007-05-02 15:20:28 +00:00
Philip Homburg
02a229f14d Publish endpoints in ds. 2007-04-27 13:03:33 +00:00
Philip Homburg
b613f5cb4b Report and detect exec failures using a pipe.
XXX Hardcoded values for s_ipc_to and s_ipc_sendrec.
2007-04-23 14:47:04 +00:00
Ben Gras
b267d42531 removed or optionalized verbose/debugging messages 2007-02-16 15:50:30 +00:00
Ben Gras
73e4e31376 Don't reply to the caller on RS_DOWN until process is actually dead -
otherwise (e.g.) mounts right after an unmount of the same device don't
work (duplicate label).
2007-01-22 16:44:03 +00:00
Ben Gras
2194bc0310 vfs/mount/rs/service changes:
. changed umount() and mount() to call 'service', so that it can include
   a custom label, so that umount() works again (RS slot gets freed now).
   merged umount() and mount() into one file to keep this label
   knowledge in one file.
. removed obsolete RS_PID field and RS_RESCUE rescue command
. added label to RS_START struct
. vfs no longer does kill of fs process on unmount (which was failing
   due to RS_PID request not working)
. don't assume that if error wasn't one of three errors, that no error
   occurred in vfs/request.c
mfs changes:
. added checks to copy statements to truncate copies at buffer sizes
   (left in debug code for now)
. added checks for null-terminatedness, if less than NAME_MAX was copied
. added checks for copy function success
is changes:
. dump rs label
drivers.conf changes:
. added acl for mfs so that mfs can be started with 'service start',
   so that a custom label can be provided
2007-01-22 15:25:41 +00:00
Philip Homburg
0c1d433f60 rs changes (also use driver configurations in the image ramdisk) 2006-10-31 13:35:04 +00:00
Ben Gras
fa0ba56bc9 Merge of VFS by Balasz Gerofi with Minix trunk. 2006-10-25 13:40:36 +00:00
Philip Homburg
f9ccfca2a1 (Incomplete) support for access control in PCI (pci_set_acl).
-script argument to service for crash recovery scripts
-config argument to service for driver resource configuration
restart command in service to restart a driver after a crash (for use in
crash recovery scripts).
down and refresh now take labels instead of pids.
various changes in rs to make this work.
2006-10-20 15:01:32 +00:00
Ben Gras
b888922d62 Added 'service run' to run a service without restart. 2006-08-15 15:54:51 +00:00
Philip Homburg
c3cf4ef460 Fixed off by one error in backoff code. Limit backoff to 1 second for
disk drivers.
2006-05-15 12:08:43 +00:00
Philip Homburg
e4967b06bb Special code for restarting disk drivers (-c flag in service). 2006-05-11 14:58:33 +00:00
Ben Gras
6c2a1bac7b endpoint fixes for RS 2006-03-08 14:38:35 +00:00
Ben Gras
7967177710 endpoint-aware conversion of servers.
'who', indicating caller number in pm and fs and some other servers, has
been removed in favour of 'who_e' (endpoint) and 'who_p' (proc nr.).

In both PM and FS, isokendpt() converts endpoints to process slot
numbers, returning OK if it was a valid and consistent endpoint number.
okendpt() does the same but panic()s if it doesn't succeed. (In PM,
this is pm_isok..)

pm and fs keep their own records of process endpoints in their proc tables,
which are needed to make kernel calls about those processes.

message field names have changed.

fs drivers are endpoints.

fs now doesn't try to get out of driver deadlock, as the protocol isn't
supposed to let that happen any more. (A warning is printed if ELOCKED
is detected though.)

fproc[].fp_task (indicating which driver the process is suspended on)
became an int.

PM and FS now get endpoint numbers of initial boot processes from the
kernel. These happen to be the same as the old proc numbers, to let
user processes reach them with the old numbers, but FS and PM don't know
that. All new processes after INIT, even after the generation number
wraps around, get endpoint numbers with generation 1 and higher, so
the first instances of the boot processes are the only processes ever
to have endpoint numbers in the old proc number range.

More return code checks of sys_* functions have been added.

IS has become endpoint-aware. Ditched the 'text' and 'data' fields
in the kernel dump (which show locations, not sizes, so aren't terribly
useful) in favour of the endpoint number. Proc number is still visible.

Some other dumps (e.g. dmap, rs) show endpoint numbers now too which got
the formatting changed.

PM reading segments using rw_seg() has changed - it uses other fields
in the message now instead of encoding the segment and process number and
fd in the fd field. For that it uses _read_pm() and _write_pm() which do
_taskcall()s directly in pm/misc.c.

PM now sys_exit()s itself on panic(), instead of sys_abort().

RS also talks in endpoints instead of process numbers.
2006-03-03 10:20:58 +00:00
Philip Homburg
ee2253ec52 Use the sys_privctl library function. 2006-01-27 13:20:06 +00:00
Jorrit Herder
78f20c3959 Rest ... 2005-10-21 13:46:47 +00:00
Jorrit Herder
9333141704 New rescue functionality. 2005-10-21 13:28:26 +00:00
Ben Gras
1a37474437 . minor formatting fixes (spaces, newlines) of messages
. check pids for being > 0 before kill()ing them (0 and negative
  numbers have special meanings that shouldn't be used)
2005-10-21 11:13:17 +00:00
Jorrit Herder
2a98fed515 New Reincarnation Server functionality.
- service refresh: to cleanly stop and restart a server or driver
- binary exponential backoff: don't restart in a loop
2005-10-20 20:31:18 +00:00
Ben Gras
11146aba3d Newline after startup msg 2005-10-20 18:54:53 +00:00
Jorrit Herder
5a9dec8bd2 New signal handling behaviour at PM (services can be killed).
New Shift-F6 dump for RS server at IS.
New getnpid, getnproc, getpproc library calls at PM.
New reincarnation server (basic functionality is there now).
2005-10-12 15:07:38 +00:00
Ben Gras
42fbd9aced Andy's formatting changes. 2005-09-11 16:45:46 +00:00
Jorrit Herder
7bf400a709 *** empty log message *** 2005-08-23 11:31:32 +00:00
Renamed from servers/sm/manager.c