- move from minix/commands to minix/usr.sbin;
- install into /usr/sbin instead of /usr/bin;
- move manual page into source directory;
- resolve compilation warning;
- convert to KNF.
Change-Id: I1206b52e8804a68a3a80f6d7f63916e7fcdc9e3f
- move from minix/commands to minix/usr.sbin;
- install into /usr/sbin instead of /usr/bin;
- move manual page into source directory;
- resolve compilation warning;
- convert to KNF.
Change-Id: Iccb4a8b27ae220254bae19e9198478b40706f542
- move from minix/commands to minix/usr.sbin;
- install into /usr/sbin instead of /usr/bin;
- move manual page into source directory;
- resolve compilation warning;
- convert to KNF.
Change-Id: I08c16998bd499a468799a6587f6fe45f42590461
Various generic file IOCTL calls should be processed by VFS rather
than individual drivers. For this reason, we rewrite them to use
fcntl(2) instead.
Change-Id: I38a5f3c7b21943a897114a51678a800f7e7f0a77
Currently, the userland ABI uses a single field ('user_sp') far
into the very large 'kinfo' structure on the shared kernel
information page. This precludes us from modifying or getting
rid of 'kinfo' in the future without breaking userland. This
patch adds a separate 'kuserinfo' structure to the kernel
information page, with only information that is part of the
userland ABI, in an extensible manner. Userland now uses this
field if it is present, and falls back to the old field if not.
Change-Id: Ib7b24b53a440f40a2edc28cdfa48447ac2179288
This change serves to reduce the clutter inside the top-level kerninfo
structure, and allows other ARM-specific values to be added on the
kernel page in one place.
Change-Id: I36a6aada9dbd1230b25014728be675d389088667
Please note that this information is for use by system services only!
The clock facility is not ready to be used directly by userland, and
thus, this kernel page extension is NOT part of the userland ABI.
For service programmers' convenience, change the prototype of the
getticks(3) to return the uptime clock value directly, since the call
can no longer fail.
Correct the sys_times(2) reply message to use the right field type
for the boot time.
Restructure the kernel internals a bit so as to have all the clock
stuff closer together.
Change-Id: Ifc050b7bd253aecbe46e3bd7d7cc75bd86e45555
Instead of importing an external _minix_kerninfo variable, any code
using the shared kernel page should now call get_minix_kerninfo(3).
Since this is the only logical name for such a function, rename the
previous get_minix_kerninfo call to ipc_minix_kerninfo.
Change-Id: I2e424b6fb55aa55d3da850187f1f7a0b7cbbf910
This commits adds a basic infrastructure to support Address Space
Randomization (ASR). In a nutshell, using the already imported ASR
LLVM pass, multiple versions can be generated for the same system
service, each with a randomized, different address space layout.
Combined with the magic instrumentation for state transfer, a system
service can be live updated into another ASR-randomized version at
runtime, thus providing live rerandomization.
Since MINIX3 is not yet capable of running LLVM linker passes, the
ASR-randomized service binaries have to be pregenerated during
crosscompilation. These pregenerated binaries can then be cycled
through at runtime. This patch provides the basic proof-of-concept
infrastructure for both these parts.
In order to support pregeneration, the clientctl host script has
been extended with a "buildasr" command. It is to be used after
building the entire system with bitcode and magic support, and will
produce a given number of ASR-randomized versions of all system
services. These services are placed in /usr/service/asr in the
image that is generated as final step by the "buildasr" command.
In order to support runtime updating, a new update_asr(8) command
has been added to MINIX3. This command attempts to live-update the
running system services into their next ASR-randomized versions.
For now, this command is not run automatically, and thus must be
invoked manually.
Technical notes:
- For various reasons, magic instrumentation is x86-only for now,
and ASR functionality is therefore to be used on x86 only as well.
- The ASR-randomized binaries are placed in numbered subdirectories
so as not to have to change their actual program names, which are
assumed to be static in various places (system.conf, procfs).
- The root partition is typically too small to contain all the
produced binaries, which is why we introduce /usr/service. There
is a symlink from /service/asr to /usr/service/asr for no other
reason than to let userland continue to assume that all services
are reachable through /service.
- The ASR count field (r_asr_count/ASRcount) maintained by RS is not
used within RS in any way; it is only passed through procfs to
userland in order to allow update_asr(8) to keep track of which
version is currently loaded without having to maintain own state.
- Ideally, pre-instrumentation linking of a service would remove all
its randomized versions. Currently, the user is assumed not to
perform ASR instrumentation and then recompile system services
without performing ASR instrumentation again, as the randomized
binaries included in the image would then be stale. This aspect
has to be improved later.
- Various other issues are flagged in the comments of the various
parts of this patch.
Change-Id: I093ad57f31c18305591f64b2d491272288aa0937
The code could not decide whether to apply the padding to the start
or the end of the region, resulting in strange behavior because part
of the returned range might not have the right properties. With this
patch, padding is now consistently applied at the end of the region,
since virtual mmap addresses are allocated from high to low.
Also fix a few small related bugs in error handling code.
Change-Id: I327814bb3921d7982ffc1296a5bf365d9c79c1d9
Lack of alignment causes minix_stack_fill to produce an incorrect
frame layout, subsequently resulting in a crash of the started
process. For now, we assume that the other callers of
minix_stack_fill do get an aligned buffer through sbrk(3), but this
may have to be changed later as well.
Change-Id: I1575bd62b050749d1a1aae7417310c91713462c3
The libexec ELF parser expects to be given a word-aligned buffer,
but the ASR pass may cause VM and VFS to pass it an arbitrarily
aligned buffer, causing libexec to refuse loading the executable.
This patch aligns the buffers explicitly.
Change-Id: Ic2d5fd3a8f204c3e4f000cffdb7ac71c8339257a
- do not allow live update for request and protocol free states if
there are any worker threads that have pending or active work;
- destroy all worker threads before such live updates and recreate
them afterwards, because transferring (the contents of) the
thread stacks is not an option at this time;
- recreate worker threads in the new instance only if they were
shut down before the state transfer, by letting RS provide the
original preparation state as initialization information.
Change-Id: I846225f5b7281f19e69175485f2c88a4b4891dc2
The bitcode file given to the instrumentation pass does not include
certain weak symbols, in particular regcomp and regfree, which are
required to be visible to the magic pass for state transfer to work
correctly. This patch forces DS to make the calls using their actual
symbol names (with leading underscore), thus resolving the issue, but
this issue should really be solved in a cleaner and more generic way.
Change-Id: Iebee4341cc30ddabcf7593afb5c49d41c0839863
This patch is a first step towards working around the larger problem of
LLVM 3.x's use of bitcasting between structures and their elements to
deal with opaque types, replacing LLVM 2.x's actual unification. The
patch allows the pass to register a larger number of compatible types,
in particular for structure pointers passed through function calls.
A skeleton is provided for dealing with structure elements as well, but
that part requires much more work. It remains to be seen whether a
more structural approach to dealing with this problem may be warranted.
For now, this change is necessary to allow instrumented state transfer
of various "minix_timer" structures and pointers in PM and VFS.
Change-Id: Ib717d86ccfced53387e72a92750d22ae980c3466
Due to the current linker command line ordering, parts of lib(min)c
that are used exclusively by libmagic end up not being instrumented,
which then causes problems transferring pointers such as _ctype_tab_
and _tolower_tab_. As a temporary workaround, we redefine the macros
that use those pointers. A better long-term solution should
eventually render this patch obsolete.
Change-Id: Ice1d125ff6fb2f65ac6dcc6cf6eec7cd6176bee1
- test multicomponent live update with and without rs and/or vm;
- retry the update a few times if the failure code suggests it might
be a transient failure.
Change-Id: I5fce256bb418be257353ed21428f672d851d974d
That way, these pages are transferred during live update, as they
should. This resolves a mfs crash after a number of live updates.
Change-Id: Ia53bec2692b2114c29b96a453beb0f915f56453a
When the malloc code is instrumented, the global _brksize variable
should not be transferred. However, when the malloc code is not
instrumented, failing to transfer _brksize would reset the heap
upon state transfer. In this patch, the magic pass stores the flag
indicating whether memory function instrumentation is disabled, in
the target process. This allows libmagic to check this flag during
state transfer, to see whether it should transfer _brksize or not.
Change-Id: Ia004651e21e08b0ed3f5305865c53c6659e18f38
This patch changes the VM makefile to specify that the magic pass is
to skip memory function instrumentation, and to transfer the data
variables of the malloc code (thus overriding the exception we made
for all other system services). We add two magic pass flags to
achieve this. Since the magic pass is a big bowl of spaghetti code,
ignoring whitespace changes while viewing this patch is recommended.
Change-Id: I5ab83b23d8437b37c44dea99537bc202469c9df6
The NetBSD libc malloc implementation uses a memory-mapped area for
its page directory. Since the process heap is reconstructed upon
state transfer for live update, this memory-mapped area must not be
transferred to the new process. However, as the new instance of the
process being updated inherits all memory-mapped areas of the old
instance, it also automatically inherits the malloc implementation's
page directory. Thus, we must explicitly free this area in order to
avoid a memory leak.
The magic pass already detects (de)allocation functions called from
within other (de)allocation functions, which is why the mmap(2) and
munmap(2) calls of the malloc code are not instrumented as it is.
This patch changes that particular case to allow a different hook
function to be called for such "nested" allocation calls, for a
particular set of nested calls. In particular, the malloc(3) code's
mmap(2) and munmap(2) calls are replaced with magic_nested_mmap and
magic_nested_munmap calls, respectively. The magic library then
tracks memory mapping allocations of the malloc code by providing an
implementation for these two wrappers, and frees the allocations upon
state transfer.
This approach was chosen over various alternatives:
- While it appears that nesting could be established by setting a
flag while the malloc(3) wrapper is active, and testing the flag in
the mmap(2)/munmap(2) wrappers, this approach would fail to detect
memory-mapped allocations made from uninstrumented malloc(3) calls,
and therefore not a viable option.
- It would be possible to obtain the value of the variables that
store the information about the memory-mapped area in the malloc
code. However, this is rather difficult in practice due to the way
the libc malloc implementation stores the size of the are, and it
would make the solution more dependent on the specific libc malloc
implementation.
- It would be possible to use the special "nested" instrumentation
for allocations made from certain marked sections. Since we mark
the data section of the malloc code already, this would not be hard
to do. Switching to this alternative would change very little, and
if for any reason this approach yields more advantages in the
future, we can still choose to do so.
Change-Id: Id977405da86a72458dd10f18e076d8460fd2fb75
Since the heap is reconstructed upon state transfer, the old malloc
state is discarded. In order to avoid state transfer errors, we can
and in fact must discard the internal state of the malloc
implementation. This patch achieves this by using the sectionify
pass to mark the variables in the libminc malloc object as state that
must be skipped during state transfer.
Change-Id: Ie330f582c8bd45f37a878ea41fa0f9d4a18045e1
Due to changed VM internals, more elaborate preparation is required
before a live update with multiple components including VM can take
place. This patch adds the essential preparation infrastructure to
VM and adapts RS to make use of it. As a side effect, it is no
longer necessary to supply RS as the last component (if at all)
during the set-up of a multicomponent live update operation.
Change-Id: If069fd3f93f96f9d5433998e4615f861465ef448
During live update, the new instance of VM may make changes that,
after a rollback, have to be undone by the old instance of VM, in
particular because both instances share (read-write) all dynamically
allocated pages.
Change-Id: I2bcfa8e627ca6084b1991e0af7cccecc683894a2
This resolves an infinite loop during boot, in libblockdriver freeing
DMA memory at the end of a partition(3) call.
Change-Id: I0757aa48f769ea79eab7160f23ee4c97cf58e055
Make the passes we have so far, hello and WeakAliasModuleOverride,
use settings from a Makefile include file in the parent directory.
This change is in preparation of adding other passes.
Change-Id: Ib195ee7f5c7626f4975368b02c944382e87e3814