kernel - Add per-process capability-based restrictions

* This new system allows userland to set capability restrictions which
turns off numerous kernel features and root accesses. These restricti

kernel - Add per-process capability-based restrictions

* This new system allows userland to set capability restrictions which
turns off numerous kernel features and root accesses. These restrictions
are inherited by sub-processes recursively. Once set, restrictions cannot
be removed.

Basic restrictions that mimic an unadorned jail can be enabled without
creating a jail, but generally speaking real security also requires
creating a chrooted filesystem topology, and a jail is still needed
to really segregate processes from each other. If you do so, however,
you can (for example) disable mount/umount and most global root-only
features.

* Add new system calls and a manual page for syscap_get(2) and syscap_set(2)

* Add sys/caps.h

* Add the "setcaps" userland utility and manual page.

* Remove priv.9 and the priv_check infrastructure, replacing it with
a newly designed caps infrastructure.

* The intention is to add path restriction lists and similar features to
improve jailess security in the near future, and to optimize the
priv_check code.

show more ...

kernel - Remove P_SWAPPEDOUT flag and paging mode

* This code basically no longer functions in any worthwhile or
useful manner, remove it.

The code harkens back to a time when machines had very

kernel - Remove P_SWAPPEDOUT flag and paging mode

* This code basically no longer functions in any worthwhile or
useful manner, remove it.

The code harkens back to a time when machines had very little
memory and had to time-share processes by actually descheduling
them for long periods of time (like 20 seconds) and paging out
the related memory.

In modern times the chooser algorithm just doesn't work well
because we can no longer assume that programs with large
memory footprints can be demoted.

* In modern times machines have sufficient memory to rely almost
entirely on the VM fault and pageout scan. The latencies caused
by fault-ins are usually sufficient to demote paging-intensive
processes while allowing the machine to continue to function.

If functionality need to be added back in, it can be added back
in on the fault path and not here.

show more ...

kernel: Remove <sys/mplock2.h> from all files that do not need it.

kernel: Remove numerous #include <sys/thread2.h>.

Most of them were added when we converted spl*() calls to
crit_enter()/crit_exit(), almost 14 years ago. We can now
remove a good chunk of them agai

kernel: Remove numerous #include <sys/thread2.h>.

Most of them were added when we converted spl*() calls to
crit_enter()/crit_exit(), almost 14 years ago. We can now
remove a good chunk of them again for where crit_*() are
no longer used.

I had to adjust some files that were relying on thread2.h
or headers that it includes coming in via other headers
that it was removed from.

show more ...

kernel - Optimize lwp-specific signaling.

* Optimize the signal code to remove most instances of needing proc->p_token
when lwp-specific signals are sent.

* Add a CURSIG_LCK_TRACE() macro which c

kernel - Optimize lwp-specific signaling.

* Optimize the signal code to remove most instances of needing proc->p_token
when lwp-specific signals are sent.

* Add a CURSIG_LCK_TRACE() macro which can now return with p_token held, and
pass the status to postsig() which then consumes it.

* lwpsignal() now tries very hard to avoid acquiring proc->p_token.

* Significantly improves vkernel operation under heavy (vkernel) IPI loads.

show more ...

kernel - Fix panic during coredump

* multi-threaded coredumps were not stopping all other threads before
attempting to scan the vm_map, resulting in numerous possible panics.

* Add a new process

kernel - Fix panic during coredump

* multi-threaded coredumps were not stopping all other threads before
attempting to scan the vm_map, resulting in numerous possible panics.

* Add a new process state, SCORE, indicating that a core dump is in progress
and adjust proc_stop() and friends as well as any code which tests the
SSTOP state. SCORE overrides SSTOP.

* The coredump code actively waits for all running threads to stop before
proceeding.

* Prevent a deadlock between a SIGKILL and core dump in progress by
temporarily counting the master exit thread as a stopped thread (which
allows the coredump to proceed and finish).

Reported-by: marino

show more ...

kernel - proc_token removal pass stage 1/2

* Remove proc_token use from all subsystems except kern/kern_proc.c.

* The token had become mostly useless in these subsystems now that process
locking

kernel - proc_token removal pass stage 1/2

* Remove proc_token use from all subsystems except kern/kern_proc.c.

* The token had become mostly useless in these subsystems now that process
locking is more fine-grained. Do the final wipe of proc_token except for
allproc/zombproc list use in kern_proc.c

show more ...

Correct BSD License clause numbering from 1-2-4 to 1-2-3.

Apparently everyone's doing it:
http://svnweb.freebsd.org/base?view=revision&revision=251069

Submitted-by: "Eitan Adler" <lists at eitanadl

Correct BSD License clause numbering from 1-2-4 to 1-2-3.

Apparently everyone's doing it:
http://svnweb.freebsd.org/base?view=revision&revision=251069

Submitted-by: "Eitan Adler" <lists at eitanadler.com>

show more ...

Remove advertising clause from all that isn't contrib or userland bin.

By: Eitan Adler <lists@eitanadler.com>

Initial import of binutils 2.22 on the new vendor branch

Future versions of binutils will also reside on this branch rather
than continuing to create new binutils branches for each new version.

kernel - Attempt to make procfs MPSAFE (3)

* More fixes to silly bugs. Well, I did say 'attempt' :-)

kernel - Attempt to make procfs MPSAFE

* pfs_pfind() now acquires the p->p_token in addition to its PHOLD().

* Replace PRELE()'s with pfs_pdone() which releases the token along
with PRELE()

* Do

kernel - Attempt to make procfs MPSAFE

* pfs_pfind() now acquires the p->p_token in addition to its PHOLD().

* Replace PRELE()'s with pfs_pdone() which releases the token along
with PRELE()

* Double-check the validity of nch's passed to cache_fullpath(). This
probably still needs work.

Reported-by: swildner

show more ...

kernel - Major signal path adjustments to fix races, tsleep race fixes, +more

* Refactor the signal code to properly hold the lp->lwp_token. In
particular the ksignal() and lwp_signotify() paths.

kernel - Major signal path adjustments to fix races, tsleep race fixes, +more

* Refactor the signal code to properly hold the lp->lwp_token. In
particular the ksignal() and lwp_signotify() paths.

* The tsleep() path must also hold lp->lwp_token to properly handle
lp->lwp_stat states and interlocks.

* Refactor the timeout code in tsleep() to ensure that endtsleep() is only
called from the proper context, and fix races between endtsleep() and
lwkt_switch().

* Rename proc->p_flag to proc->p_flags

* Rename lwp->lwp_flag to lwp->lwp_flags

* Add lwp->lwp_mpflags and move flags which require atomic ops (are adjusted
when not the current thread) to the new field.

* Add td->td_mpflags and move flags which require atomic ops (are adjusted
when not the current thread) to the new field.

* Add some freeze testing code to the x86-64 trap code (default disabled).

show more ...

kernel = Fix tsleep(), remove MAILBOX signals, change signalset locks for LWPs

* tsleep() was improperly calling lwkt_gettoken() and potentially blocking
prior to sleeping, which it isn't supposed

kernel = Fix tsleep(), remove MAILBOX signals, change signalset locks for LWPs

* tsleep() was improperly calling lwkt_gettoken() and potentially blocking
prior to sleeping, which it isn't supposed to do.

This may have been the cause of several odd panics and corruption, though
no smoking gun was found.

* Change access to lp->lwp_siglist to use a spinlock instead of a token.
Add a per-LWP spinlock in addition to the per-LWP token.

* Remove MAILBOX signals (which require p->p_token). These are no longer
used.

show more ...

Fix missing includes

Rework stopping of procs.

Before, proc_stop() would sleep until all running lwps stopped. This
break when a stop signal is actually coming from the console and is
executed in the context of the idl

Rework stopping of procs.

Before, proc_stop() would sleep until all running lwps stopped. This
break when a stop signal is actually coming from the console and is
executed in the context of the idle thread.

Now we count all sleeping threads as stopped and also set LWP_WSTOP to
indicate so. These threads will stop before return to userland.
Running threads (including the current one) will eventually stop when
returning to userland and will increase p_nstopped. The last thread
stopping will then send a signal to the parent process.

Discussed-with: Thomas E. Spanjaard <tgen@netphreax.net>

show more ...

Get rid of struct user/UAREA.

Merge procsig with sigacts and replace usage of procsig with
sigacts, like it used to be in 4.4BSD.

Put signal-related inline functions in sys/signal2.h.

Reviewed-by:

Get rid of struct user/UAREA.

Merge procsig with sigacts and replace usage of procsig with
sigacts, like it used to be in 4.4BSD.

Put signal-related inline functions in sys/signal2.h.

Reviewed-by: Thomas E. Spanjaard <tgen@netphreax.net>

show more ...

1:1 Userland threading stage 4.2/4:

Make signal system fully lwp-aware by splitting ksignal() in appropriate
functions. Introduce lwpsignal(), which now contains the logic of
ksignal(), but can be

1:1 Userland threading stage 4.2/4:

Make signal system fully lwp-aware by splitting ksignal() in appropriate
functions. Introduce lwpsignal(), which now contains the logic of
ksignal(), but can be used to deliver a signal to a specific lwp.

Convert consumers of ksignal() to use lwpsignal() when they actually
generate a thread-specific signal.

Fully implement proc_stop() and proc_unstop().

Reviewed-by: Thomas E. Spanjaard <tgen@netphreax.net>

show more ...

1:1 Userland threading stage 2.20/4:

Unify access to pending threads with a new function, lwp_sigpend(), which
returns pending signals for the lwp, which includes both lwp-specific
signals and signa

1:1 Userland threading stage 2.20/4:

Unify access to pending threads with a new function, lwp_sigpend(), which
returns pending signals for the lwp, which includes both lwp-specific
signals and signals pending on the process. The new function lwp_delsig()
is used to remove a certain signal from the pending set of both process and
lwp.

Rework the places which access the pending signal list to either use those
two functions or, where not possibly, to work on both lwp and proc signal
lists.

show more ...

1:1 Userland threading stage 2.18/4:

Push lwp use a bit further by making some places lwp aware.
This commit deals with ddb, procfs/ptrace and various consumers of
allproc_scan.

1:1 Userland threading stage 2.13/4:

Move P_SINTR and P_BREAKTSLEEP into lwp_flag.

Introduce proc_stop and proc_unstop to handle the transition of a complete proc
to and from stopped state. This i

1:1 Userland threading stage 2.13/4:

Move P_SINTR and P_BREAKTSLEEP into lwp_flag.

Introduce proc_stop and proc_unstop to handle the transition of a complete proc
to and from stopped state. This is influenced by NetBSD.

show more ...

1:1 Userland threading stage 2.12/4:

Factor out lwp_stat and move P_STOPPED into p_stat.

Reviewed-by: Thomas E. Spanjaard <tgen@netphreax.net>

Rename functions to avoid conflicts with libc.

Make tsleep/wakeup() MP SAFE for kernel threads and get us closer to
making it MP SAFE for user processes. Currently the code is operating
under the rule that access to a thread structure requires c

Make tsleep/wakeup() MP SAFE for kernel threads and get us closer to
making it MP SAFE for user processes. Currently the code is operating
under the rule that access to a thread structure requires cpu locality of
reference, and access to a proc structure requires the Big Giant Lock. The
two are not mutually exclusive so, for example, tsleep/wakeup on a proc
needs both cpu locality of reference *AND* the BGL. This was true with the
old tsleep/wakeup and has now been documented.

The new tsleep/wakeup algorithm is quite simple in concept. Each cpu has its
own ident based hash table and each hash slot has a cpu mask which tells
wakeup() which cpu's might have the ident. A wakeup iterates through all
candidate cpus simply by chaining the IPI message through them until either
all candidate cpus have been serviced, or (with wakeup_one()) the requested
number of threads have been woken up.

Other changes made in this patch set:

* The sense of P_INMEM has been reversed. It is now P_SWAPPEDOUT. Also,
P_SWAPPING, P_SWAPINREQ are not longer relevant and have been removed.

* The swapping code has been cleaned up and seriously revamped. The new
swapin code staggers swapins to give the VM system a chance to respond
to new conditions. Also some lwp-related fixes were made (more
p_rtprio vs lwp_rtprio confusion).

* As mentioned above, tsleep/wakeup have been rewritten. The process
p_stat no longer does crazy transitions from SSLEEP to SSTOP. There is
now only SSLEEP and SSTOP is synthesized from P_SWAPPEDOUT for userland
consumpion. Additionally, tsleep() with PCATCH will NO LONGER STOP THE
PROCESS IN THE TSLEEP CALL. Instead, the actual stop is deferred until
the process tries to return to userland. This removes all remaining cases
where a stopped process can hold a locked kernel resource.

* A P_BREAKTSLEEP flag has been added. This flag indicates when an event
occurs that is allowed to break a tsleep with PCATCH. All the weird
undocumented setrunnable() rules have been removed and replaced with a
very simple algorithm based on this flag.

* Since the UAREA is no longer swapped, we no longer faultin() on PHOLD().
This also incidently fixes the 'ps' command's tendancy to try to swap
all processes back into memory.

* speedup_syncer() no longer does hackish checks on proc0's tsleep channel
(td_wchan).

* Userland scheduler acquisition and release has now been tightened up and
KKASSERT's have been added (one of the bugs Stefan found was related
to an improper lwkt_schedule() that was found by one of the new assertions).
We also have added other assertions related to expected conditions.

* A serious race in pmap_release_free_page() has been corrected. We
no longer couple the object generation check with a failed
pmap_release_free_page() call. Instead the two conditions are checked
independantly. We no longer loop when pmap_release_free_page() succeeds
(it is unclear how that could ever have worked properly).

Major testing by: Stefan Krueger <skrueger@meinberlikomm.de>

show more ...

Style(9) cleanup to src/sys/vfs, stage 15/21: procfs.

- Convert K&R-style function definitions to ANSI style.

Submitted-by: Andre Nathan <andre@digirati.com.br>
Additional-reformatting-by: cpressey