kernel - Add per-process capability-based restrictions

* This new system allows userland to set capability restrictions which
turns off numerous kernel features and root accesses. These restricti

kernel - Add per-process capability-based restrictions

* This new system allows userland to set capability restrictions which
turns off numerous kernel features and root accesses. These restrictions
are inherited by sub-processes recursively. Once set, restrictions cannot
be removed.

Basic restrictions that mimic an unadorned jail can be enabled without
creating a jail, but generally speaking real security also requires
creating a chrooted filesystem topology, and a jail is still needed
to really segregate processes from each other. If you do so, however,
you can (for example) disable mount/umount and most global root-only
features.

* Add new system calls and a manual page for syscap_get(2) and syscap_set(2)

* Add sys/caps.h

* Add the "setcaps" userland utility and manual page.

* Remove priv.9 and the priv_check infrastructure, replacing it with
a newly designed caps infrastructure.

* The intention is to add path restriction lists and similar features to
improve jailess security in the near future, and to optimize the
priv_check code.

show more ...

devfs: Change typedef 'cdevpriv_dtr_t' to 'd_priv_dtor_t'

The original 'cdevpriv_dtr_t' typedef was not able to be used in a
function prototype like the other d_xxx_t typedef's, because it declared

devfs: Change typedef 'cdevpriv_dtr_t' to 'd_priv_dtor_t'

The original 'cdevpriv_dtr_t' typedef was not able to be used in a
function prototype like the other d_xxx_t typedef's, because it declared
a function *pointer* rather than a function. This makes it useless
outside the cdevpriv implementation.

Change the typedef to declare a function and rename it to
'd_priv_dtor_t', which is more consistent with other dev_ops methods,
although it's not a direct member in the dev_ops struct.

Obtained-from: FreeBSD (revision 291653)
URL: https://reviews.freebsd.org/D4340

show more ...

kernel - Fix /dev/fd/N and clean up the old dup error-code-driven path

* When opening /dev/fd/N, replicate the file pointer for descriptors
that represent vnodes instead of dup()ing. This ensures

kernel - Fix /dev/fd/N and clean up the old dup error-code-driven path

* When opening /dev/fd/N, replicate the file pointer for descriptors
that represent vnodes instead of dup()ing. This ensures that the seek
offset and other fp-related elements are not shared unexpectedly.

* Refactor the open() path to allow dev_dopen() to replace the
struct file by passing a struct file ** instead of a struct file *.
This removes old error-code-based hacks.

* This fixes the shared seek position that fexecve() was operating with
due to its use of /dev/fd/N for scripts.

Reported-by: aly

show more ...

kernel: Remove <sys/mutex.h> from all files that don't need it (2/2).

98% of these were remains from porting from FreeBSD which could have
been removed after converting to lockmgr(), etc.

Due to an

kernel: Remove <sys/mutex.h> from all files that don't need it (2/2).

98% of these were remains from porting from FreeBSD which could have
been removed after converting to lockmgr(), etc.

Due to an issue in my checking earlier, not everything was cleaned up
correctly.

show more ...

kernel: Remove numerous #include <sys/thread2.h>.

Most of them were added when we converted spl*() calls to
crit_enter()/crit_exit(), almost 14 years ago. We can now
remove a good chunk of them agai

kernel: Remove numerous #include <sys/thread2.h>.

Most of them were added when we converted spl*() calls to
crit_enter()/crit_exit(), almost 14 years ago. We can now
remove a good chunk of them again for where crit_*() are
no longer used.

I had to adjust some files that were relying on thread2.h
or headers that it includes coming in via other headers
that it was removed from.

show more ...

usb4bsd: Cleanup pass1.

* Uniformly use #if 0 to deactivate code instead of C comments.

* Move MODULE macros after struct declarations.

usb4bsd: Cleanup pass0.

* Adjust indentation, whitespace and typos.

usb - Update bus/u4b

* Update bus/u4b from FreeBSD to commit 3121e258c76aa, 10 March 2015,
with the following commit message:

Lock softc before clearing bits.

* Some bits not updated. Som

usb - Update bus/u4b

* Update bus/u4b from FreeBSD to commit 3121e258c76aa, 10 March 2015,
with the following commit message:

Lock softc before clearing bits.

* Some bits not updated. Some changes around the MSI handling work
differently in DFly so I punted on that. And the serial/tty in FreeBSD
is a bit different, particular this 'pps' stuff.

* Numerous bits of code currently conditionalized out use ABI features
from FreeBSD, particularly RWTUN, which we do not yet have. Currently
non-critical, we can fix these as the related code gets used (if the
related code gets used).

Reviewed-by: Markus Pfeiffer

show more ...

usb4bsd: Sync with FreeBSD r276791

u4b - implement usb_filter_write(), fix issues w/apcupsd

* Implement usb_filter_write() (poll, kqueue).

* This fixes a live loop in apcupsd when it is configured
to talk to the UPS over a usb por

u4b - implement usb_filter_write(), fix issues w/apcupsd

* Implement usb_filter_write() (poll, kqueue).

* This fixes a live loop in apcupsd when it is configured
to talk to the UPS over a usb port.

show more ...

usb4bsd: Fix race condition in usb_dev

The usb_filter_detach was racing the read fifo wakeup notification.

usb4bsd: set D_MPSAFE for usb devices (static)

usb4bsd: set D_MPSAFE for usb devices

usb4bsd: Remove irritating kprintf

usb4bsd - Fix poll/select/kqfilter issues with ums and usb_fifo*() API

* Fix handling of f->flag_isselect. It was being improperly cleared on
event notification. It can only be cleared when the

usb4bsd - Fix poll/select/kqfilter issues with ums and usb_fifo*() API

* Fix handling of f->flag_isselect. It was being improperly cleared on
event notification. It can only be cleared when the knote is removed.

* Call f->methods->f_start_read() unconditionally in usb_filter_read().
Conditionalizing on f->queue_data will fail with devices (aka ums) which
allocate the buffer independantly of starting the interrupt xfer.

* Call usb_fifo_wakeup() in mbuf re-queue cases to handle races when
the read() code pulls an mbuf off the queue and then puts it back on.

* Fix bugs in UMS - Keep track of whether the interrupt transfer is running
or not and do not re-submit or re-stop the transfer unconditionally.

show more ...

usb4bsd: usb_dev kqfilter

* implement a working kqfilter
* integrate some FreeBSD patches

usb4bsd: Implement kqfilter for usb_dev

kernel/usb4bsd: Use the standard __func__ for function names.

usb4bsd: make u4b compile with USB_DEBUG

kern/usb4bsd: update usb_dev.c kqfilter code

usb4bsd: remove debug kprintfs

usb4bsd: remove merge artifact

Apply patches to enable get/set_cdevpriv

kernel - Hack fixes for EHCI issues in U4B

* These changes fix several issues with the U4B EHCI. Insertion and Removal
events through hubs no longer crash the controller and/or the machine.
And

kernel - Hack fixes for EHCI issues in U4B

* These changes fix several issues with the U4B EHCI. Insertion and Removal
events through hubs no longer crash the controller and/or the machine.
And heavy bulk traffic no longer crashes the controller or has weird
failures. Probing works more reliably as well.

* The main problem is the U4B design for QH/TD descriptors. It allocates
and frees them with the xfer. For the EHCI controller it rips out the
QH's from the chain and doesn't do the right interactions with the
controller to ensure that the controller is not still iterating through
the chain.

It is possible for the controller to wind up iterating through a long
chain of removed (finished or timed-out) QH's. If any of them are
kfree()'d or free/reallocated/reused before their time, BOOM! The
controller can chain right through into random memory and blow up.

* The first hack is to delay kfree()ing the xfer rollup buffer. I just
threw in a 256-slot delay. I'm not even doing it right (it isn't time-based
or doorbell-based). Note that linux uses the doorbell-based method,
where the structures are left intact until the next doorbell interrupt.

* The second hack is to issue doorbells (EHCI_CMD_IAAD) after every new
transfer is queued and after each transfer is removed. The doorbell is
PARTICULARLY important after a removal, because the controller can
wind up sitting on a removed QH indefinitely otherwise.

Removed chains can cause the controller to miss newly added chains, thus
the doorbell is needed for that reason as well.

Also reorder the cpu flushes a little when coding the above.

* Add numerous new structural fields and assertions to ensure that the
EHCI code doesn't try to remove requests from HW that were never queued
to HW. The U4B API's are *VERY* loose in this regard so I added a
double check.

* DragonFly: The ugen*.* devices need a dev d_open and d_close routine.
Our default d_open/d_close is not the same as FreeBSD's.

* Fix a major bug in usb_open() where the 'cpd' structure can get lost
if multiple open()'s occur on the same ugen device.

Allow multiple opens as long as the permissions are the same. This
is really a hack to fix an issue where 'usbconfig list' opens ugen0.1
twice (i.e. has two open descriptors on the same device).

Also properly NULL-out dev->si_drv2 on (last) close.

* Replace two cv_signal/cv_wait calls with wakeup/lksleep, and place a
timeout on the lksleep loop because the two places in question have
a SMP race which the locks don't handle. Basically the callback is
made BEFORE all the conditions potentially preventing an xfer from
being flagged as completed are met, so the cv_signal() was waking up
the waiter potentially before its time (and the lock is not held through
the whole thing so it doesn't interlock the race).

* In usbd_req_get_desc() reload the req fresh on each loop.

* In usbd_req_get_desc() increase the timeout from 0.5 seconds to 1 second.

show more ...

Fix some spillage from the sync