minix/kernel/priv.h
Cristiano Giuffrida f4574783dc Rewrite of boot process
KERNEL CHANGES:
- The kernel only knows about privileges of kernel tasks and the root system
process (now RS).
- Kernel tasks and the root system process are the only processes that are made
schedulable by the kernel at startup. All the other processes in the boot image
don't get their privileges set at startup and are inhibited from running by the
RTS_NO_PRIV flag.
- Removed the assumption on the ordering of processes in the boot image table.
System processes can now appear in any order in the boot image table.
- Privilege ids can now be assigned both statically or dynamically. The kernel
assigns static privilege ids to kernel tasks and the root system process. Each
id is directly derived from the process number.
- User processes now all share the static privilege id of the root user
process (now INIT).
- sys_privctl split: we have more calls now to let RS set privileges for system
processes. SYS_PRIV_ALLOW / SYS_PRIV_DISALLOW are only used to flip the
RTS_NO_PRIV flag and allow / disallow a process from running. SYS_PRIV_SET_SYS /
SYS_PRIV_SET_USER are used to set privileges for a system / user process.
- boot image table flags split: PROC_FULLVM is the only flag that has been
moved out of the privilege flags and is still maintained in the boot image
table. All the other privilege flags are out of the kernel now.

RS CHANGES:
- RS is the only user-space process who gets to run right after in-kernel
startup.
- RS uses the boot image table from the kernel and three additional boot image
info table (priv table, sys table, dev table) to complete the initialization
of the system.
- RS checks that the entries in the priv table match the entries in the boot
image table to make sure that every process in the boot image gets schedulable.
- RS only uses static privilege ids to set privileges for system services in
the boot image.
- RS includes basic memory management support to allocate the boot image buffer
dynamically during initialization. The buffer shall contain the executable
image of all the system services we would like to restart after a crash.
- First step towards decoupling between resource provisioning and resource
requirements in RS: RS must know what resources it needs to restart a process
and what resources it has currently available. This is useful to tradeoff
reliability and resource consumption. When required resources are missing, the
process cannot be restarted. In that case, in the future, a system flag will
tell RS what to do. For example, if CORE_PROC is set, RS should trigger a
system-wide panic because the system can no longer function correctly without
a core system process.

PM CHANGES:
- The process tree built at initialization time is changed to have INIT as root
with pid 0, RS child of INIT and all the system services children of RS. This
is required to make RS in control of all the system services.
- PM no longer registers labels for system services in the boot image. This is
now part of RS's initialization process.
2009-12-11 00:08:19 +00:00

153 lines
6.2 KiB
C

#ifndef PRIV_H
#define PRIV_H
/* Declaration of the system privileges structure. It defines flags, system
* call masks, an synchronous alarm timer, I/O privileges, pending hardware
* interrupts and notifications, and so on.
* System processes each get their own structure with properties, whereas all
* user processes share one structure. This setup provides a clear separation
* between common and privileged process fields and is very space efficient.
*
* Changes:
* Nov 22, 2009 rewrite of privilege management (Cristiano Giuffrida)
* Jul 01, 2005 Created. (Jorrit N. Herder)
*/
#include <minix/com.h>
#include "const.h"
#include "type.h"
/* Max. number of I/O ranges that can be assigned to a process */
#define NR_IO_RANGE 32
/* Max. number of device memory ranges that can be assigned to a process */
#define NR_MEM_RANGE 10
/* Max. number of IRQs that can be assigned to a process */
#define NR_IRQ 4
struct priv {
proc_nr_t s_proc_nr; /* number of associated process */
sys_id_t s_id; /* index of this system structure */
short s_flags; /* PREEMTIBLE, BILLABLE, etc. */
/* Asynchronous sends */
vir_bytes s_asyntab; /* addr. of table in process' address space */
size_t s_asynsize; /* number of elements in table. 0 when not in
* use
*/
short s_trap_mask; /* allowed system call traps */
sys_map_t s_ipc_to; /* allowed destination processes */
/* allowed kernel calls */
#define CALL_MASK_SIZE BITMAP_CHUNKS(NR_SYS_CALLS)
bitchunk_t s_k_call_mask[CALL_MASK_SIZE];
sys_map_t s_notify_pending; /* bit map with pending notifications */
irq_id_t s_int_pending; /* pending hardware interrupts */
sigset_t s_sig_pending; /* pending signals */
timer_t s_alarm_timer; /* synchronous alarm timer */
struct far_mem s_farmem[NR_REMOTE_SEGS]; /* remote memory map */
reg_t *s_stack_guard; /* stack guard word for kernel tasks */
int s_nr_io_range; /* allowed I/O ports */
struct io_range s_io_tab[NR_IO_RANGE];
int s_nr_mem_range; /* allowed memory ranges */
struct mem_range s_mem_tab[NR_MEM_RANGE];
int s_nr_irq; /* allowed IRQ lines */
int s_irq_tab[NR_IRQ];
vir_bytes s_grant_table; /* grant table address of process, or 0 */
int s_grant_entries; /* no. of entries, or 0 */
};
/* Guard word for task stacks. */
#define STACK_GUARD ((reg_t) (sizeof(reg_t) == 2 ? 0xBEEF : 0xDEADBEEF))
/* Static privilege id definitions. */
#define NR_STATIC_PRIV_IDS NR_BOOT_PROCS
#define is_static_priv_id(id) (id >= 0 && id < NR_STATIC_PRIV_IDS)
#define static_priv_id(n) (NR_TASKS + (n))
/* Magic system structure table addresses. */
#define BEG_PRIV_ADDR (&priv[0])
#define END_PRIV_ADDR (&priv[NR_SYS_PROCS])
#define BEG_STATIC_PRIV_ADDR BEG_PRIV_ADDR
#define END_STATIC_PRIV_ADDR (BEG_STATIC_PRIV_ADDR + NR_STATIC_PRIV_IDS)
#define BEG_DYN_PRIV_ADDR END_STATIC_PRIV_ADDR
#define END_DYN_PRIV_ADDR END_PRIV_ADDR
#define priv_addr(i) (ppriv_addr)[(i)]
#define priv_id(rp) ((rp)->p_priv->s_id)
#define priv(rp) ((rp)->p_priv)
#define id_to_nr(id) priv_addr(id)->s_proc_nr
#define nr_to_id(nr) priv(proc_addr(nr))->s_id
#define may_send_to(rp, nr) (get_sys_bit(priv(rp)->s_ipc_to, nr_to_id(nr)))
/* Privilege management shorthands. */
#define spi_to(n) (1 << (static_priv_id(n)))
#define unset_usr_to(m) ((m) & ~(1 << USER_PRIV_ID))
/* The system structures table and pointers to individual table slots. The
* pointers allow faster access because now a process entry can be found by
* indexing the psys_addr array, while accessing an element i requires a
* multiplication with sizeof(struct sys) to determine the address.
*/
EXTERN struct priv priv[NR_SYS_PROCS]; /* system properties table */
EXTERN struct priv *ppriv_addr[NR_SYS_PROCS]; /* direct slot pointers */
/* Unprivileged user processes all share the privilege structure of the
* root user process.
* This id must be fixed because it is used to check send mask entries.
*/
#define USER_PRIV_ID static_priv_id(ROOT_USR_PROC_NR)
/* Specifies a null privilege id.
*/
#define NULL_PRIV_ID -1
/* Make sure the system can boot. The following sanity check verifies that
* the system privileges table is large enough for the number of processes
* in the boot image.
*/
#if (NR_BOOT_PROCS > NR_SYS_PROCS)
#error NR_SYS_PROCS must be larger than NR_BOOT_PROCS
#endif
/*
* Privileges masks used by the kernel.
*/
#define IDL_F (SYS_PROC | BILLABLE) /* idle task is not preemptible as we
* don't want it to interfere with the
* timer tick interrupt handler code.
* Unlike other processes idle task is
* handled in a special way and is
* preempted always if timer tick occurs
* and there is another runnable process
*/
#define TSK_F (SYS_PROC) /* other kernel tasks */
#define RSYS_F (SYS_PROC | PREEMPTIBLE) /* root system proc */
#define DEF_SYS_F (RSYS_F | DYN_PRIV_ID) /* default sys proc */
/* allowed traps */
#define CSK_T (1 << RECEIVE) /* clock and system */
#define TSK_T 0 /* other kernel tasks */
#define RSYS_T (~0) /* root system proc */
#define DEF_SYS_T RSYS_T /* default sys proc */
/* allowed targets */
#define TSK_M 0 /* all kernel tasks */
#define RSYS_M (~0) /* root system proc */
#define DEF_SYS_M unset_usr_to(RSYS_M) /* default sys proc */
/* allowed kernel calls */
#define NO_C 0 /* no calls allowed */
#define ALL_C 1 /* all calls allowed */
#define TSK_KC NO_C /* all kernel tasks */
#define RSYS_KC ALL_C /* root system proc */
#define DEF_SYS_KC RSYS_KC /* default sys proc */
#endif /* PRIV_H */