kernel - Add per-process capability-based restrictions

* This new system allows userland to set capability restrictions which
turns off numerous kernel features and root accesses. These restricti

kernel - Add per-process capability-based restrictions

* This new system allows userland to set capability restrictions which
turns off numerous kernel features and root accesses. These restrictions
are inherited by sub-processes recursively. Once set, restrictions cannot
be removed.

Basic restrictions that mimic an unadorned jail can be enabled without
creating a jail, but generally speaking real security also requires
creating a chrooted filesystem topology, and a jail is still needed
to really segregate processes from each other. If you do so, however,
you can (for example) disable mount/umount and most global root-only
features.

* Add new system calls and a manual page for syscap_get(2) and syscap_set(2)

* Add sys/caps.h

* Add the "setcaps" userland utility and manual page.

* Remove priv.9 and the priv_check infrastructure, replacing it with
a newly designed caps infrastructure.

* The intention is to add path restriction lists and similar features to
improve jailess security in the near future, and to optimize the
priv_check code.

show more ...

kernel - Fix races in kern_dmsg.c (hammer2)

* Fix kdmsg races during shutdown which can assert or panic

* Fixes numerous hammer2 assertions or panics related to unmounting,
including mount failur

kernel - Fix races in kern_dmsg.c (hammer2)

* Fix kdmsg races during shutdown which can assert or panic

* Fixes numerous hammer2 assertions or panics related to unmounting,
including mount failures due to missing labels.

show more ...

kernel - Remove some kdmsg debugging

* Remove '<blah> thread terminating' kdmsg debug messages.

kernel: Fix a -Wundef warning.

kernel - Cleanup gcc warnings

* Cleanup gcc warnings at higher optimization levels. This will allow
us to build kernels -O2 or -O3.

dmsg - Formalize most of the debugging output, cleanup, fix uninit bug

* Macroize and formalize most of the debugging output.

* Add LNK_PING support.

* Fix a bug in kdmsg_iocom_uninit(). The RX t

dmsg - Formalize most of the debugging output, cleanup, fix uninit bug

* Macroize and formalize most of the debugging output.

* Add LNK_PING support.

* Fix a bug in kdmsg_iocom_uninit(). The RX thread can stall reading
from the pipe and never wakeup to see the KILLRX flag if no traffic
comes in.

To deal with this kdmsg_iocom_uninit() sends a LNK_PING over the link,
then gives the threads 10 seconds to shutdown nicely. If they do not
the pipe descriptor is not-so-nicely shutdown().

show more ...

dmsg - Stabilization work

* Refactor the circuit failure handling code. When a connection is lost
circuits running through that connection and all sub-circuits/states
(recursively) are aborted.

dmsg - Stabilization work

* Refactor the circuit failure handling code. When a connection is lost
circuits running through that connection and all sub-circuits/states
(recursively) are aborted. This will propagate through the graph and
there are plenty of edge cases where a failure may be propagating in
one direction and a request in the other direction.

The library is responsible for providing missing transaction closures
when circuits and states fail.

* Add code to handle circuit failure races against newly created messages.
The STATE_DYING flag is now inherited by the newly created message from
its parent.

* The state structure on receive is now updated before the callback is
made so it can be atomic with the lock, instead of after.

* Lots of debugging added and some cleanup.

show more ...

dmsg - Stabilization work

* Add a refs field to dmsg_state and kdmsg_state for retention and
disposal.

* Separate out the tracking of state->subq and the state RB trees.

* Greatly simplify the i

dmsg - Stabilization work

* Add a refs field to dmsg_state and kdmsg_state for retention and
disposal.

* Separate out the tracking of state->subq and the state RB trees.

* Greatly simplify the iocom shutdown code and functions related
to handling communications failures. When iterating states for
shutdown, which requires simulating a received failure message,
we can now simply iterate via state->subq.

* Greatly simplify how the simulated failures are generated and
handled (See dmsg_msg_simulate_failure()). This is probably the
most complex part of the library.

* Fix a memory leak in kern_dmsg.c.

* Replace xdisk's per-softc token with a lockmgr lock. Atomicy
has to be guaranteed across blocking conditions in certain cases
and it was easier to simply use a lock for everything.

Cleanup the locking.

* Ripout the shutdown check in the I/O path, which can deadlock
the disk management threads. This will need to be revisited
as it means that /dev/xa* and /dev/serno* devices remain in
/dev after a link failure even when there are no opens on the
device.

* Add the B_FAILONDIS flag to struct buf. This flag allows the disk
probe code to tell xdisk that it is ok for the I/O to fail, allowing
xdisk to discard I/Os that would otherwise block or deadlock the
disk probe code when the related network connection is lost.

show more ...

kernel - work on dmsg disk exports

* Refactor and clean up the kdmsg thread cleanup code.

* Add a workaround for a possible tx/rx race which can occur due to the
transmit side not retiring the kd

kernel - work on dmsg disk exports

* Refactor and clean up the kdmsg thread cleanup code.

* Add a workaround for a possible tx/rx race which can occur due to the
transmit side not retiring the kdmsg until after writing it. This can
potentially block and allow a received response to be processed before the
related transmitted kdmsg is cleaned up.

* Add sysctls to track operations in progress.

* Code documentation.

show more ...

hammer2 / kern_dmsg - Fix bugs

* Fix header size limt check.

* Do not free the message data out from under a running I/O.
Introduce an API for detaching aux_data from a msg.

* Increase DMSG_AUX_

hammer2 / kern_dmsg - Fix bugs

* Fix header size limt check.

* Do not free the message data out from under a running I/O.
Introduce an API for detaching aux_data from a msg.

* Increase DMSG_AUX_MAX to 1MB to ensure that xdisk (remote disks)
work with any filesystem.

Theoretically we can break up READ and WRITE messages into pieces
in order to allow DMSG_AUX_MAX to be made smaller (which is easier
to manage in-kernel), but for now the implementation just uses a
single message transaction.

* Adjust some comments.

show more ...

hammer2 - dmsg stabilization

This is a general stabilization pass testing xdisk resumption on various
communications failures (killing the local or remote hammer2 service demon).

* Simulate failure

hammer2 - dmsg stabilization

This is a general stabilization pass testing xdisk resumption on various
communications failures (killing the local or remote hammer2 service demon).

* Simulate failures on recursive transactions in a bottom-up fashion

* bcmp() does not return an inequality (neg, zero, or positive). It
returns only 0 or 1. Change fs_label RBTREE test to strcmp()

* ref-count the state structure, use dmsg_state_hold()/dmsg_state_drop()
to control it. Fix at least one memory leak.

* Consolidate simulated transaction failure core into a helper
function dmsg_msg_simulate_failure().

* Clean up the tx state on the front-end after the msg has extracted
necessary information from it, instead of in the transmit thread.
This is so the state fields are updated synchronously and not delayed
by the transmit queue.

* Change xdisk's error test to avoid accidently failing a BIO due to
a communications issue (verses an actual IO error on the remote physical
disk).

* Remove some invalid assertions, add assertions.

show more ...

hammer2 - Retool dmsg mechanics to improve virtual circuit design 2/2

* Use transaction stacking to effectively connect resources to consumers.
Issuing a transaction over a received SPAN effective

hammer2 - Retool dmsg mechanics to improve virtual circuit design 2/2

* Use transaction stacking to effectively connect resources to consumers.
Issuing a transaction over a received SPAN effectively creates a virtual
circuit to the originator.

* The hammer2 service demon (userland) is currently being used to route,
but direct kernel<->kernel socket connections are now theoretically
possible for later performance work. Current performance is going
to be low due to layering.

* Get subr_diskiocom and the xdisk driver mostly working again. The
code is a lot cleaner but still needs considerable stability work and
better unwinding during failure conditions.

* Start work on hammer2<->hammer2 communications.

show more ...

hammer2 - Retool dmsg mechanics to improve virtual circuit design 1/2

* Rip-out the circuit structures and forging code. These changes simplify
the DMSG code considerably.

* Retool the core comm

hammer2 - Retool dmsg mechanics to improve virtual circuit design 1/2

* Rip-out the circuit structures and forging code. These changes simplify
the DMSG code considerably.

* Retool the core command/response messaging mechanics to allow either
side of a transaction to initiate commands and receive responses.

This means we cannot use DMSGF_REPLY to determine whether the transmit-side
or receive-side state RBTREE holds the msgid. Instead we add two more
flags DMSGF_REVTRANS and DMSGF_REVCIRC to tell the receiver which RBTREE
holds the msgid and/or circuit id.

* Retool to allow transaction stacking. Sub-transactions can now run under
their parents.

* Retool the transaction code to provide virtual circuit functionality
through the use of transaction stacking.

With these changes, the normal SPAN mechanism which operates using
open transactions can also be used to route messages over the SPAN.
There is no longer a need to forge a return path because sub-transaction
commands can now be initiated 'out' over an active, received SPAN
transaction.

This part is not completely working yet, it needs the actual routing
code and some adjustments to the SPAN mechanism to prevent path ripups
from interfering with any in-progress transactions. Ultimately the
availability of a new path would have two be detected by the end points
so new 'connections' can be forged over the new, better path.

show more ...

hammer2 - more dmsg/separation work

* More separation work in libdmsg, kern_dmsg.c, and kernel dmsg consumers.

* subr_diskiocom.c should no longer need hammer2_disk.h (sys/dmsg.h)
for the kernel

hammer2 - more dmsg/separation work

* More separation work in libdmsg, kern_dmsg.c, and kernel dmsg consumers.

* subr_diskiocom.c should no longer need hammer2_disk.h (sys/dmsg.h)
for the kernel build.

* Add dmsg->tcmd to smooth some switch() use cases.

show more ...

kernel - Adjust impossible conditions in kdmsg_state_*()

* kdmsg_state_reply() and kdmsg_state_result() require a non-NULL state.
Assert the condition and remove the else clause that was broken in

kernel - Adjust impossible conditions in kdmsg_state_*()

* kdmsg_state_reply() and kdmsg_state_result() require a non-NULL state.
Assert the condition and remove the else clause that was broken in the
first place.

Reported-by: Joris giovannang

show more ...

kernel - Fix memory leak on iocom terminaion

* freerd_state was being cleaned up by the reader thread, but during
decomissioning the writer thread can simulate incoming packets
to cleanly shutdo

kernel - Fix memory leak on iocom terminaion

* freerd_state was being cleaned up by the reader thread, but during
decomissioning the writer thread can simulate incoming packets
to cleanly shutdown open transactions, and this can reload
freerd_state.

* Move the cleanup for freerd_state and freewr_state out of the
reader/writer threads and into kdmsg_iocom_uninit() proper.

* Fixes dangling 112 bytes of memory left allocated after uninit.

show more ...

cluster - Kernel cluster code work

* Major stability work.

* Misc bug fixes and cleanups.

* xdisk/diskiocom links are now relatively stable over a real network.
Still need to deal with reconnect

cluster - Kernel cluster code work

* Major stability work.

* Misc bug fixes and cleanups.

* xdisk/diskiocom links are now relatively stable over a real network.
Still need to deal with reconnects properly.

show more ...

cluster - Major kernel component work (diskiocom, xdisk, kdmsg)

* Major implementation and stabilization work. Fix lots of bugs,
improve the AUTO flags and APIs.

* xdisk and diskiocom are now op

cluster - Major kernel component work (diskiocom, xdisk, kdmsg)

* Major implementation and stabilization work. Fix lots of bugs,
improve the AUTO flags and APIs.

* xdisk and diskiocom are now operational for the first time.

xdisk is a consumer of remote block devices. You pass it one end of
a pipe and use an ioctl to create /dev/xa* devices. The kernel's
nominal disk management subsystem handles /dev/serno/* and will also
probe the /dev/xa* devices to create the slices.

diskiocom is a block device service. An ioctl is used to connect a
raw disk device to the network via a pipe.

* The hammer2 service demon ties the two together over the network.

* Initial testing with a local hammer2 service daemon looping da0 to xa0
succeeded, ~46MB/sec unoptimized using dd.

show more ...

cluster - remote block device work

* xdisk(client) <-> diskiocom(server) now successfully does a full
message transaction over a VC for xa_open(). Still lots to do.

* Fix I/O request deferrals s

cluster - remote block device work

* xdisk(client) <-> diskiocom(server) now successfully does a full
message transaction over a VC for xa_open(). Still lots to do.

* Fix I/O request deferrals since the open can occur before the VC is
fully established. This fixes a deadlock.

* Fix state->msg tracking in kern_dmsg.c. Fixes a double-free.

show more ...

hammer2 - kernel cluster messaging support API work

* Rework the API significantly

* Add circuit tracking and sniffing features

* Add flags to automate the LNK_CONN, LNK_SPAN, and LNK_CIRC state m

hammer2 - kernel cluster messaging support API work

* Rework the API significantly

* Add circuit tracking and sniffing features

* Add flags to automate the LNK_CONN, LNK_SPAN, and LNK_CIRC state machines.

* Misc improvemenets.

show more ...

hammer2 - dmsg blockdev work

* Adjust the LNK_CONN and LNK_SPAN messages to provide a cluster label
and a filesystem label instead of just a filesystem label.

* Change the cluster controller to i

hammer2 - dmsg blockdev work

* Adjust the LNK_CONN and LNK_SPAN messages to provide a cluster label
and a filesystem label instead of just a filesystem label.

* Change the cluster controller to index clusters based on the
peer_type, pfs_clid, and cl_label instead of just the pfs_clid.

HAMMER2 PFS's are primarily identified by pfs_clid and unique nodes
are identified by pfs_fsid. fs_label holds the HAMMER2 super-root
name.

BLOCK devices are primarily identified by cl_label and unique nodes
are identified by pfs_fsid. pfs_clid and fs_label are empty.

* Adjust the cluster controller's matching filters such that, e.g.
BLOCK device clients only have visibility to the BLOCK device server
for the cl_label in question, and do not have visibility to other
BLOCK device clients.

* Flesh out the hammer2 service daemons disk monitoring, have it attach
a pipe to the in-kernel disk via an ioctl().

* Continued work on the skeleton network disk exporter (kern/subr_disk*) and
network disk importer (dev/disk/xdisk/*). xdisk has not been added to the
build yet.

* Move a few more definitions from HAMMER2 to DMSG.

show more ...

hammer2 - Add server-side disk advertisements

* The hammer2 service demon now tracks disks and connects the cluster
controller to each one.

* Add a new ioctl to the subr_disk subsystem and add su

hammer2 - Add server-side disk advertisements

* The hammer2 service demon now tracks disks and connects the cluster
controller to each one.

* Add a new ioctl to the subr_disk subsystem and add subr_diskiocom.c
to implement it, associating a cluster controller messaging descriptor
with a disk device.

* disk device initiates LNK_CONN and LNK_SPAN. Disk block devices now
advertised through the spanning tree. Nothing else implemented yet.

show more ...

hammer2 - Messaging layer separation work part 4

* Cleanup, bug fixes, operations tests successful now.

hammer2 - Messaging layer separation work part 3

* Move more hammer2 vfs message code into kern_dmsg.c, renaming and
implementing callbacks as needed.

* Move hammer2_icrc.c (the iscsi crc support

hammer2 - Messaging layer separation work part 3

* Move more hammer2 vfs message code into kern_dmsg.c, renaming and
implementing callbacks as needed.

* Move hammer2_icrc.c (the iscsi crc support) to libkern/icrc32.c

show more ...