Change NET_LOCK()/NET_UNLOCK() to be simple wrappers around
splsoftnet()/splx() until the known issues are fixed.

In other words, stop using a rwlock since it creates a deadlock when
chrome is used.

Change NET_LOCK()/NET_UNLOCK() to be simple wrappers around
splsoftnet()/splx() until the known issues are fixed.

In other words, stop using a rwlock since it creates a deadlock when
chrome is used.

Issue reported by Dimitris Papastamos and kettenis@

ok visa@

show more ...

Introduce the NET_LOCK() a rwlock used to serialize accesses to the parts
of the network stack that are not yet ready to be executed in parallel or
where new sleeping points are not possible.

This f

Introduce the NET_LOCK() a rwlock used to serialize accesses to the parts
of the network stack that are not yet ready to be executed in parallel or
where new sleeping points are not possible.

This first pass replace all the entry points leading to ip_output(). This
is done to not introduce new sleeping points when trying to acquire ART's
write lock, needed when a new L2 entry is created via the RT_RESOLVE.

Inputs from and ok bluhm@, ok dlg@

show more ...

m_free() and m_freem() test for NULL. Simplify callers which had their own
NULL tests.

ok mpi@

Remove NULL checks before m_free{m,}().

ok reyk@, rzalamena@

Enforce that pr_usrreq functions are called at IPL_SOFTNET.

This will allow us to keep locking simple as soon as we trade
splsoftnet() for a rwlock.

ok bluhm@, claudio@

Do not call splsoftnet() recursively, this won't work with a lock.

closef() on a socket will call soclose() which call splsoftnet(). So
make sure we release the IPL level first in error paths.

Fou

Do not call splsoftnet() recursively, this won't work with a lock.

closef() on a socket will call soclose() which call splsoftnet(). So
make sure we release the IPL level first in error paths.

Found by Nils Frohberg while testing another diff.

ok mikeb@, bluhm@

show more ...

unbreak by fixing obvious pastos

handle non-INET6 kernels in some way

dns hijacking must be af specific. move it into the port check function,
and redirect inet6 sockets to the ::1 flavor of localhost.

Add ktracing of the fds returned by pipe() and socketpair()

ok deraadt@

introduce a sysctl to hijack dns sockets. when set to a port number,
all dns socket connections will be redirected to localhost:port.
this could be a sockopt on the listening socket, but sysctl is
an

introduce a sysctl to hijack dns sockets. when set to a port number,
all dns socket connections will be redirected to localhost:port.
this could be a sockopt on the listening socket, but sysctl is
an easier interface to work with right now.
ok deraadt

show more ...

When interrupted, connect() should leave the socket connecting in the
background, similar to a non-blocking socket. Return EALREADY whenever
already connecting, not just for non-blocking sockets. F

When interrupted, connect() should leave the socket connecting in the
background, similar to a non-blocking socket. Return EALREADY whenever
already connecting, not just for non-blocking sockets. Fix from {Free,Net}BSD

Prompted by a report from Michael Reed (m.reed (at) mykolab.com)
ok millert@

show more ...

Remove unnecessary cast of buflen to u_int in sockargs(). This was
missed when buflen was promoted to size_t. OK tedu@

On the recvmsg() side, cmsgs are in mbuf chains, not a contiguous buffer.
ktrace each cmsg instead of reading beyond the end of the first cmsg.

problem report and testing by abieber@
ok millert@ der

On the recvmsg() side, cmsgs are in mbuf chains, not a contiguous buffer.
ktrace each cmsg instead of reading beyond the end of the first cmsg.

problem report and testing by abieber@
ok millert@ deraadt@

show more ...

remove stale lint annotations

remove completely pledge_socket() from listen(2) and accept(2).

with pledge_socket(p, -1, state) we only check for "dns" promise against SS_DNS
socket. But it isn't possible to pass a SS_DNS socket

remove completely pledge_socket() from listen(2) and accept(2).

with pledge_socket(p, -1, state) we only check for "dns" promise against SS_DNS
socket. But it isn't possible to pass a SS_DNS socket to listen(2) or accept(2)
(EINVAL). So this deeper check is a bit useless...

ok deraadt@

show more ...

Neuter the pledge domain checking for listen, getpeername, and getsockname
also. The idea is much like rpath is with files, you get an fd and then
you can play with it somewhat. In the socket space

Neuter the pledge domain checking for listen, getpeername, and getsockname
also. The idea is much like rpath is with files, you get an fd and then
you can play with it somewhat. In the socket space once you have a fd, you
can play with it somewhat. So you cannot bind, but you can accept. You
can listen, getpeername, getsockname, and of course set/getsockopt is
somewhat available.. yes, this makes pledge the anti-capsicum, kind of
like salt from Secovlje.. reasoning due to a conversation with tedu

show more ...

Exempt accept(2) from the pledge_socket() check part of the "domain"
check. You cannot open a socket in a domain unless permitted -- but
you need to be able to accept one if the code flow asks for t

Exempt accept(2) from the pledge_socket() check part of the "domain"
check. You cannot open a socket in a domain unless permitted -- but
you need to be able to accept one if the code flow asks for that to
happen. The most recent check is too tight. We may need to iterate the
policy here until we hit the right vibe...

show more ...

corrects leaks refs to files introduced by my previous commit for pledge_socket.

reported by Mateusz Guzik with a diff.
this one is a slightly modified version.

ok deraadt@

check domain and state of socket against pledge promise.

ok deraadt@

pull initialization up before poosible goto bad, from Mark Latimer

refactor pledge_*_check and pledge_fail functions

- rename _check function without suffix: a "pledge" function called from
anywhere is a "check" function.

- makes pledge_fail call the responsabil

refactor pledge_*_check and pledge_fail functions

- rename _check function without suffix: a "pledge" function called from
anywhere is a "check" function.

- makes pledge_fail call the responsability to the _check function. remove it
from caller.

- make proper use of (potential) returned error of _check() functions.

- adds pledge_kill() and pledge_protexec()

with and OK deraadt@

show more ...

more accurate pledge_fail() error and code for sys_socket

- use the error returned by pledge_socket_check()
- make the code to reflect the socket request (set code to PLEDGE_DNS for
dns-scoket, an

more accurate pledge_fail() error and code for sys_socket

- use the error returned by pledge_socket_check()
- make the code to reflect the socket request (set code to PLEDGE_DNS for
dns-scoket, and to PLEDGE_INET else)

show more ...

The short-lived dnssocket/dnsconnect calls are being required because we
suspect everyone has upgraded through the approx week-long window since
SOCK_DNS became available and the libc resolver starte

The short-lived dnssocket/dnsconnect calls are being required because we
suspect everyone has upgraded through the approx week-long window since
SOCK_DNS became available and the libc resolver started using them.

show more ...

dns check needs to be done on the kernel address after copyin