kernel - Add per-process capability-based restrictions

* This new system allows userland to set capability restrictions which
turns off numerous kernel features and root accesses. These restricti

kernel - Add per-process capability-based restrictions

* This new system allows userland to set capability restrictions which
turns off numerous kernel features and root accesses. These restrictions
are inherited by sub-processes recursively. Once set, restrictions cannot
be removed.

Basic restrictions that mimic an unadorned jail can be enabled without
creating a jail, but generally speaking real security also requires
creating a chrooted filesystem topology, and a jail is still needed
to really segregate processes from each other. If you do so, however,
you can (for example) disable mount/umount and most global root-only
features.

* Add new system calls and a manual page for syscap_get(2) and syscap_set(2)

* Add sys/caps.h

* Add the "setcaps" userland utility and manual page.

* Remove priv.9 and the priv_check infrastructure, replacing it with
a newly designed caps infrastructure.

* The intention is to add path restriction lists and similar features to
improve jailess security in the near future, and to optimize the
priv_check code.

show more ...

kernel: Remove explicit dependencies on <sys/malloc.h> in headers.

All except <net/if_var.h> for now, it needs decoupling in drm first.
* Include <sys/malloc.h> in foo.c if they have kmalloc()/kfr

kernel: Remove explicit dependencies on <sys/malloc.h> in headers.

All except <net/if_var.h> for now, it needs decoupling in drm first.
* Include <sys/malloc.h> in foo.c if they have kmalloc()/kfree() calls.
* Consistently check if MALLOC_DECLARE was declared before.
* <sys/mountctl.h>: include <sys/thread.h> for _KERNEL_STRUCTURES too
since the "struct journal" embeds "struct thread".
* <sys/tty.h>: Only two kernel sources makes use of M_TTYS.
* <sys/socketvar2.h>: Make it kernel only header.

show more ...

kernel: Minor whitespace cleanup in few sources (part 2).

Separated from next.

route: Add support for route(4) message filtering.

This saves waking up listeners for messages they have no interest in.
It also helps to reduce the chance of a receive buffer overflow.

Taken-from:

route: Add support for route(4) message filtering.

This saves waking up listeners for messages they have no interest in.
It also helps to reduce the chance of a receive buffer overflow.

Taken-from: OpenBSD
Reviewd-by: sephe

show more ...

net/raw: Assert all APIs are called from netisr0.

Remove the raw pcb list lock, since thread serialization is used.

kernel - Fix SMP races in raw socket code

* The raw socket code was not properly dealing with SMP races
in attach/detach verses receive processing. Replace the token
with a lockmgr lock.

The

kernel - Fix SMP races in raw socket code

* The raw socket code was not properly dealing with SMP races
in attach/detach verses receive processing. Replace the token
with a lockmgr lock.

These issues never really caused an issue because raw sockets just
aren't used very often, but they still need to be dealt with.

* SMP performance is not super-critical in this case so I just use a
normal lock and keep it simple.

show more ...

socket: introduce SO_RERROR to detect receive buffer overflow

kernel receive buffers are initially of a limited size and
generally the network protocols that use them don't care
if a packet gets los

socket: introduce SO_RERROR to detect receive buffer overflow

kernel receive buffers are initially of a limited size and
generally the network protocols that use them don't care
if a packet gets lost.

However some users do care about lost messages even if not
baked into the protocol - such as consumers of route(4) to
track state.

POSIX states that read(2) can return an error of ENOBUFS so
return this error code when an overflow is detected.
Guard this with socket option SO_RERROR so that existing
applications which do not care can carry on not caring by
default.

Taken-from: NetBSD
Reviewed-by: sephe

show more ...

kernel: Avoid empty macros.

Suppresses last 11 -Wempty-body warnings.

kernel: Move us to using M_NOWAIT and M_WAITOK for mbuf functions.

The main reason is that our having to use the MB_WAIT and MB_DONTWAIT
flags was a recurring issue when porting drivers from FreeBSD

kernel: Move us to using M_NOWAIT and M_WAITOK for mbuf functions.

The main reason is that our having to use the MB_WAIT and MB_DONTWAIT
flags was a recurring issue when porting drivers from FreeBSD because
it tended to get forgotten and the code would compile anyway with the
wrong constants. And since MB_WAIT and MB_DONTWAIT ended up as ocflags
for an objcache_get() or objcache_reclaimlist call (which use M_WAITOK
and M_NOWAIT), it was just one big converting back and forth with some
sanitization in between.

This commit allows M_* again for the mbuf functions and keeps the
sanitizing as it was before: when M_WAITOK is among the passed flags,
objcache functions will be called with M_WAITOK and when it is absent,
they will be called with M_NOWAIT. All other flags are scrubbed by the
MB_OCFLAG() macro which does the same as the former MBTOM().

Approved-by: dillon

show more ...

Correct BSD License clause numbering from 1-2-4 to 1-2-3.

Apparently everyone's doing it:
http://svnweb.freebsd.org/base?view=revision&revision=251069

Submitted-by: "Eitan Adler" <lists at eitanadl

Correct BSD License clause numbering from 1-2-4 to 1-2-3.

Apparently everyone's doing it:
http://svnweb.freebsd.org/base?view=revision&revision=251069

Submitted-by: "Eitan Adler" <lists at eitanadler.com>

show more ...

Remove advertising clause from all that isn't contrib or userland bin.

By: Eitan Adler <lists@eitanadler.com>

Initial import of binutils 2.22 on the new vendor branch

Future versions of binutils will also reside on this branch rather
than continuing to create new binutils branches for each new version.

Generally use NULL instead of explicitly casting 0 to some pointer type.

rtsock: Fix !SO_USELOOPBACK support in route_output()

Old BSD code assumes that rts_input() is synchronous, so clear/set
sp_family could be used to skip the current rawcb. However, our
rts_input()

rtsock: Fix !SO_USELOOPBACK support in route_output()

Old BSD code assumes that rts_input() is synchronous, so clear/set
sp_family could be used to skip the current rawcb. However, our
rts_input() is asynchronous, thus the clear/set sp_family trick no
longer takes any effect.

Reimplement the rawcb skipping in the following way:
- Record the address of rawcb to be skipped in netmsg.
- Extend raw_input() interface to accept a 'skip' argument. At the
beginning of the rawcb list iteration, check the address of the
current rawcb against the 'skip'.

show more ...

suser_* to priv_* conversion

Fix rts_input() which is the only procedure which calls raw_input(). As
with other packet input routines, the mbuf must be demuxed and forwarded
to the correct protocol thread so it can be cpu-local

Fix rts_input() which is the only procedure which calls raw_input(). As
with other packet input routines, the mbuf must be demuxed and forwarded
to the correct protocol thread so it can be cpu-localized for processing.

This allow anyone, including interrupt code, to write to the routing
socket.

Reported-by: "Sepherosa Ziehau" <sepherosa@gmail.com>

show more ...

Give the sockbuf structure its own header file and supporting source file.
Move all sockbuf-specific functions from kern/uipc_socket2.c into the new
kern/uipc_sockbuf.c and move all the sockbuf-speci

Give the sockbuf structure its own header file and supporting source file.
Move all sockbuf-specific functions from kern/uipc_socket2.c into the new
kern/uipc_sockbuf.c and move all the sockbuf-specific structures from
sys/socketvar.h to sys/sockbuf.h.

Change the sockbuf structure to only contain those fields required to
properly management a chain of mbufs. Create a signalsockbuf structure
to hold the remaining fields (e.g. selinfo, mbmax, etc).

Change the so_rcv and so_snd structures in the struct socket from
a sockbuf to a signalsockbuf.

Remove the recently added sorecv_direct structure which was being used
to provide a direct mbuf path to consumers for socket I/O. Use the newly
revamped sockbuf base structure instead. This gives mbuf consumers
direct access to the sockbuf API functions for use outside of a struct
socket. This will also allow new API functions to be added to the sockbuf
interface to ease the job of parsing data out of chained mbufs.

show more ...

Convert all pr_usrreqs structure initializations to the .name = data format.

* Remove (void) casts for discarded return values.

* Put function types on separate lines.

* Ansify function definitions.

In-collaboration-with: Alexey Slynko <slynko@tronet.ru>

Code cleanup. Refactor some functions. Push some globals into local scope.

Cosmetic cleanups.

Clean up the routing and networking code before I parallelize routing.

Remove the canwait argument to dup_sockaddr(). Callers of dup_sockaddr()
all assume that it just works, so it really has to work. Since interrupts
are now threads we can use M_INTWAIT. While it is

Remove the canwait argument to dup_sockaddr(). Callers of dup_sockaddr()
all assume that it just works, so it really has to work. Since interrupts
are now threads we can use M_INTWAIT. While it is possible that a memory
deadlock issue exists here (e.g. if swapping over NFS), it isn't likely in
this case.

show more ...

Eliminate the use of curproc in route_output() by passing down the process id
it needs.

Once we distribute socket protocol processing requests to different
processors, we no longer have a process context to refer to, so
eliminate the use of curproc in soreserve() by passing the sockbuf

Once we distribute socket protocol processing requests to different
processors, we no longer have a process context to refer to, so
eliminate the use of curproc in soreserve() by passing the sockbuf
resource limit all the down from the system call code to sbreserve().

Eliminate the use of curproc in unp_attach() by passing down the
fields it needs from the proc structure. Define a pru_attach_info
structure to hold the information the attach usrreq function requires.

The thread argument to in_pcballoc() is unused, so we don't need
to pass a thread structure down to in_pcballoc().

show more ...