1
0
mirror of https://git.FreeBSD.org/src.git synced 2024-12-22 11:17:19 +00:00
Commit Graph

143 Commits

Author SHA1 Message Date
Robert Watson
acd3428b7d Sweep kernel replacing suser(9) calls with priv(9) calls, assigning
specific privilege names to a broad range of privileges.  These may
require some future tweaking.

Sponsored by:           nCircle Network Security, Inc.
Obtained from:          TrustedBSD Project
Discussed on:           arch@
Reviewed (at least in part) by: mlaier, jmg, pjd, bde, ceri,
                        Alex Lyashkov <umka at sevcity dot net>,
                        Skip Ford <skip dot ford at verizon dot net>,
                        Antoine Brodin <antoine dot brodin at laposte dot net>
2006-11-06 13:42:10 +00:00
Robert Watson
aed5570872 Complete break-out of sys/sys/mac.h into sys/security/mac/mac_framework.h
begun with a repo-copy of mac.h to mac_framework.h.  sys/mac.h now
contains the userspace and user<->kernel API and definitions, with all
in-kernel interfaces moved to mac_framework.h, which is now included
across most of the kernel instead.

This change is the first step in a larger cleanup and sweep of MAC
Framework interfaces in the kernel, and will not be MFC'd.

Obtained from:	TrustedBSD Project
Sponsored by:	SPARTA
2006-10-22 11:52:19 +00:00
Robert Watson
8ab4b32484 Since soisdisconnected() is no longer called in pru_detach(), call it
near consumers of at_pcbdisconnect() (_close, _abort).
2006-08-05 14:14:34 +00:00
Robert Watson
3a6fc39d32 Remove call to soisdisconnected() in at_pcbdetach(): by the time the
socket is being detached, there are no consumers left worth notifying
about the disconnect.
2006-08-02 16:22:34 +00:00
Robert Watson
a152f8a361 Change semantics of socket close and detach. Add a new protocol switch
function, pru_close, to notify protocols that the file descriptor or
other consumer of a socket is closing the socket.  pru_abort is now a
notification of close also, and no longer detaches.  pru_detach is no
longer used to notify of close, and will be called during socket
tear-down by sofree() when all references to a socket evaporate after
an earlier call to abort or close the socket.  This means detach is now
an unconditional teardown of a socket, whereas previously sockets could
persist after detach of the protocol retained a reference.

This faciliates sharing mutexes between layers of the network stack as
the mutex is required during the checking and removal of references at
the head of sofree().  With this change, pru_detach can now assume that
the mutex will no longer be required by the socket layer after
completion, whereas before this was not necessarily true.

Reviewed by:	gnn
2006-07-21 17:11:15 +00:00
Robert Watson
541b10900f Update global copyright statement for netatalk, as I claim copyright
on changes in a number of files in netatalk.

MFC after:	1 week
2006-06-08 22:13:52 +00:00
Robert Watson
76666abc12 White space consistency with kasserts. Minor style tweaks.
MFC after:	3 months
2006-04-01 16:54:37 +00:00
Robert Watson
bc725eafc7 Chance protocol switch method pru_detach() so that it returns void
rather than an error.  Detaches do not "fail", they other occur or
the protocol flags SS_PROTOREF to take ownership of the socket.

soclose() no longer looks at so_pcb to see if it's NULL, relying
entirely on the protocol to decide whether it's time to free the
socket or not using SS_PROTOREF.  so_pcb is now entirely owned and
managed by the protocol code.  Likewise, no longer test so_pcb in
other socket functions, such as soreceive(), which have no business
digging into protocol internals.

Protocol detach routines no longer try to free the socket on detach,
this is performed in the socket code if the protocol permits it.

In rts_detach(), no longer test for rp != NULL in detach, and
likewise in other protocols that don't permit a NULL so_pcb, reduce
the incidence of testing for it during detach.

netinet and netinet6 are not fully updated to this change, which
will be in an upcoming commit.  In their current state they may leak
memory or panic.

MFC after:	3 months
2006-04-01 15:42:02 +00:00
Robert Watson
ac45e92ff2 Change protocol switch pru_abort() API so that it returns void rather
than an int, as an error here is not meaningful.  Modify soabort() to
unconditionally free the socket on the return of pru_abort(), and
modify most protocols to no longer conditionally free the socket,
since the caller will do this.

This commit likely leaves parts of netinet and netinet6 in a situation
where they may panic or leak memory, as they have not are not fully
updated by this commit.  This will be corrected shortly in followup
commits to these components.

MFC after:      3 months
2006-04-01 15:15:05 +00:00
Robert Watson
3c09bd01d8 In at_setsockaddr(), assert that ddp != NULL, rather than returning an
error if it's NULL, as so_pcb != NULL is now an invariant.
2006-03-25 18:54:17 +00:00
Robert Watson
2f60f02dc9 Modify netatalk to ensure, and assert, that pcb's remain attached to
sockets as long as the sockets have not been aborted or detached.  Do
not try to free the socket in pru_detach(), since sofree() will do so,
if needed, once pru_detach() returns.

Annotate a bug in ddp_abort(), which fails to free the socket; this
is probably OK as ddp_abort() should never be called, so should
instead be deleted.
2006-03-17 20:40:17 +00:00
Ruslan Ermilov
4a0d6638b3 - Store pointer to the link-level address right in "struct ifnet"
rather than in ifindex_table[]; all (except one) accesses are
  through ifp anyway.  IF_LLADDR() works faster, and all (except
  one) ifaddr_byindex() users were converted to use ifp->if_addr.

- Stop storing a (pointer to) Ethernet address in "struct arpcom",
  and drop the IFP2ENADDR() macro; all users have been converted
  to use IF_LLADDR() instead.
2005-11-11 16:04:59 +00:00
Ruslan Ermilov
f5071cacb1 Catch up with IFP2ENADDR() type change (array -> pointer). 2005-11-11 12:17:31 +00:00
Ruslan Ermilov
303989a2f3 Use sparse initializers for "struct domain" and "struct protosw",
so they are easier to follow for the human being.
2005-11-09 13:29:16 +00:00
Craig Rodrigues
7b7a19f3c8 Forward declare atalkdomain with static linkage, not extern, since
it is defined with static linkage later in the file.  Eliminates
GCC 4.0 error.
2005-09-11 16:04:56 +00:00
Andre Oppermann
71cb29001b Use the correct mbuf type for MGET(). 2005-08-30 16:28:46 +00:00
Robert Watson
3c308b091f Eliminate MAC entry point mac_create_mbuf_from_mbuf(), which is
redundant with respect to existing mbuf copy label routines.  Expose
a new mac_copy_mbuf() routine at the top end of the Framework and
use that; use the existing mpo_copy_mbuf_label() routine on the
bottom end.

Obtained from:	TrustedBSD Project
Sponsored by:	SPARTA, SPAWAR
Approved by:	re (scottl)
2005-07-05 23:39:51 +00:00
Brooks Davis
fc74a9f93a Stop embedding struct ifnet at the top of driver softcs. Instead the
struct ifnet or the layer 2 common structure it was embedded in have
been replaced with a struct ifnet pointer to be filled by a call to the
new function, if_alloc(). The layer 2 common structure is also allocated
via if_alloc() based on the interface type. It is hung off the new
struct ifnet member, if_l2com.

This change removes the size of these structures from the kernel ABI and
will allow us to better manage them as interfaces come and go.

Other changes of note:
 - Struct arpcom is no longer referenced in normal interface code.
   Instead the Ethernet address is accessed via the IFP2ENADDR() macro.
   To enforce this ac_enaddr has been renamed to _ac_enaddr.
 - The second argument to ether_ifattach is now always the mac address
   from driver private storage rather than sometimes being ac_enaddr.

Reviewed by:	sobomax, sam
2005-06-10 16:49:24 +00:00
Robert Watson
f5cc6677c1 When generating a phase II ARP lookup from aarpwhohas(), use a
non-sleeping mbuf allocation.

MFC after:	1 week
2005-02-22 14:37:22 +00:00
Robert Watson
311ee468b2 In the ddp_output() path, which can be called in a variety of threading
and locking contexts, use a non-sleeping allocation for mbufs.

MFC after:	1 week
2005-02-22 14:22:09 +00:00
Robert Watson
f386681dbc Convert the aa_ifaddr timeout to a callout, and run the aarprobe callout
MPSAFE.  Acquire the aarptab_mtx to make sure that the callout and msleep
in the ioctl thread don't race.

MFC after:	1 week
2005-02-22 14:20:29 +00:00
Robert Watson
0d0549a245 Run the netatalk netisrs without Giant.
MFC after:	1 week
2005-02-18 10:53:00 +00:00
Warner Losh
ed31b82378 /* -> /*- for license, minor formatting changes, insert COPYRIGHT into files 2005-01-07 02:35:34 +00:00
Robert Watson
dd49efac2f If MALLOC() fails in at_pcballoc(), return ENOBUFS rather than
potentially panicking.

MFC after:	1 week
2005-01-03 00:16:07 +00:00
Robert Watson
f642006ecc Correct a misspelling in a comment. 2004-12-05 13:28:52 +00:00
Robert Watson
627388463a Acquire socket receive buffer mutex before appending and then waking up
a receive socket in DDP.  This reduces the number of mutex operations
required to deliver to a socket by two, and is the model used in other
protocols.
2004-12-05 13:27:30 +00:00
Poul-Henning Kamp
756d52a195 Initialize struct pr_userreqs in new/sparse style and fill in common
default elements in net_init_domain().

This makes it possible to grep these structures and see any bogosities.
2004-11-08 14:44:54 +00:00
Robert Watson
81158452be Push acquisition of the accept mutex out of sofree() into the caller
(sorele()/sotryfree()):

- This permits the caller to acquire the accept mutex before the socket
  mutex, avoiding sofree() having to drop the socket mutex and re-order,
  which could lead to races permitting more than one thread to enter
  sofree() after a socket is ready to be free'd.

- This also covers clearing of the so_pcb weak socket reference from
  the protocol to the socket, preventing races in clearing and
  evaluation of the reference such that sofree() might be called more
  than once on the same socket.

This appears to close a race I was able to easily trigger by repeatedly
opening and resetting TCP connections to a host, in which the
tcp_close() code called as a result of the RST raced with the close()
of the accepted socket in the user process resulting in simultaneous
attempts to de-allocate the same socket.  The new locking increases
the overhead for operations that may potentially free the socket, so we
will want to revise the synchronization strategy here as we normalize
the reference counting model for sockets.  The use of the accept mutex
in freeing of sockets that are not listen sockets is primarily
motivated by the potential need to remove the socket from the
incomplete connection queue on its parent (listen) socket, so cleaning
up the reference model here may allow us to substantially weaken the
synchronization requirements.

RELENG_5_3 candidate.

MFC after:	3 days
Reviewed by:	dwhite
Discussed with:	gnn, dwhite, green
Reported by:	Marc UBM Bocklet <ubm at u-boot-man dot de>
Reported by:	Vlad <marchenko at gmail dot com>
2004-10-18 22:19:43 +00:00
Robert Watson
1761672b75 Inline umich license from COPYRIGHT to make it clear what license the
umich copyright is asserting.

Clarify that the copyright I'm asserting is the standard Berkeley
license.

Remove Giant assertions from AARP and DDP input routines.
2004-08-10 03:23:05 +00:00
Robert Watson
36dd5f47d9 Further function forward declaration white space tweaks. 2004-07-19 17:18:58 +00:00
Robert Watson
439e36c655 Re-style at_control.c to bring it closer to style(9), primarily with
regard to function prototypes and indentation.  The lack of indentation
in if clauses and case statements made this code extremely difficult
to read.
2004-07-19 17:15:51 +00:00
Robert Watson
8375a14422 Procotol control block locking for netatalk DDP. 2004-07-12 18:39:59 +00:00
Robert Watson
dedfa2fb68 Imperfect synchronization solution to imperfect code: use a static 256
byte buffer in the stack for temporary printf results rather than a
global buffer without synchronization.
2004-07-12 18:37:31 +00:00
Robert Watson
598a1cadf1 Remove 'Not used' comment: at_org_code is used, just not in netatalk/. 2004-07-12 18:35:30 +00:00
Robert Watson
effb15c0c5 Remove spl's from netatalk in preparation to merge locking. 2004-07-12 04:33:58 +00:00
Robert Watson
310e7ceb94 Socket MAC labels so_label and so_peerlabel are now protected by
SOCK_LOCK(so):

- Hold socket lock over calls to MAC entry points reading or
  manipulating socket labels.

- Assert socket lock in MAC entry point implementations.

- When externalizing the socket label, first make a thread-local
  copy while holding the socket lock, then release the socket lock
  to externalize to userspace.
2004-06-13 02:50:07 +00:00
Robert Watson
395a08c904 Extend coverage of SOCK_LOCK(so) to include so_count, the socket
reference count:

- Assert SOCK_LOCK(so) macros that directly manipulate so_count:
  soref(), sorele().

- Assert SOCK_LOCK(so) in macros/functions that rely on the state of
  so_count: sofree(), sotryfree().

- Acquire SOCK_LOCK(so) before calling these functions or macros in
  various contexts in the stack, both at the socket and protocol
  layers.

- In some cases, perform soisdisconnected() before sotryfree(), as
  this could result in frobbing of a non-present socket if
  sotryfree() actually frees the socket.

- Note that sofree()/sotryfree() will release the socket lock even if
  they don't free the socket.

Submitted by:	sam
Sponsored by:	FreeBSD Foundation
Obtained from:	BSD/OS
2004-06-12 20:47:32 +00:00
Robert Watson
bd1004ef9e Remove redundant call to soisdisconnected() from ddp_abort(), as it
calls at_pcbdetach() which also immediately calls soisdisconnected().
2004-05-05 03:34:37 +00:00
Luigi Rizzo
cd46a114fc This commit does two things:
1. rt_check() cleanup:
    rt_check() is only necessary for some address families to gain access
    to the corresponding arp entry, so call it only in/near the *resolve()
    routines where it is actually used -- at the moment this is
    arpresolve(), nd6_storelladdr() (the call is embedded here),
    and atmresolve() (the call is just before atmresolve to reduce
    the number of changes).
    This change will make it a lot easier to decouple the arp table
    from the routing table.

    There is an extra call to rt_check() in if_iso88025subr.c to
    determine the routing info length. I have left it alone for
    the time being.

    The interface of arpresolve() and nd6_storelladdr() now changes slightly:
     + the 'rtentry' parameter (really a hint from the upper level layer)
       is now passed unchanged from *_output(), so it becomes the route
       to the final destination and not to the gateway.
     + the routines will return 0 if resolution is possible, non-zero
       otherwise.
     + arpresolve() returns EWOULDBLOCK in case the mbuf is being held
       waiting for an arp reply -- in this case the error code is masked
       in the caller so the upper layer protocol will not see a failure.

2. arpcom untangling
    Where possible, use 'struct ifnet' instead of 'struct arpcom' variables,
    and use the IFP2AC macro to access arpcom fields.
    This mostly affects the netatalk code.

=== Detailed changes: ===
net/if_arcsubr.c
   rt_check() cleanup, remove a useless variable

net/if_atmsubr.c
   rt_check() cleanup

net/if_ethersubr.c
   rt_check() cleanup, arpcom untangling

net/if_fddisubr.c
   rt_check() cleanup, arpcom untangling

net/if_iso88025subr.c
   rt_check() cleanup

netatalk/aarp.c
   arpcom untangling, remove a block of duplicated code

netatalk/at_extern.h
   arpcom untangling

netinet/if_ether.c
   rt_check() cleanup (change arpresolve)

netinet6/nd6.c
   rt_check() cleanup (change nd6_storelladdr)
2004-04-25 09:24:52 +00:00
Robert Watson
8e9013b4c4 Lock down the netatalk AARP code, which is responsible for appletalk
address discovery and caching (similar to inet ARP).  Use a single
global mutex, aarptab_mtx, to protect the table.  Remove spl/spx.

Tested by:	Bob Bishop <rb@gid.co.uk>
2004-04-09 01:40:12 +00:00
Robert Watson
3280e5dc69 Rename 'ddpcb' variable to 'ddpcb_list' to better distinguish it from
'struct ddpcb'.
2004-03-22 04:54:36 +00:00
Robert Watson
4ddd6a81e0 Rename 'at_ifaddr' list to 'at_ifaddr_list' so that the variable is
more easily mechanically distinguished from 'struct at_ifaddr'.
2004-03-22 04:50:36 +00:00
Robert Watson
f2aa178725 Compare pointers with NULL rather than 0, or treating them as boolans in
if statements.

at_rmx gets a $FreeBSD$ out of the deal also (this code appears to be
unused).
2004-03-22 03:57:01 +00:00
Robert Watson
e0af0ab104 Also modify ddp_input.c with the following changes previously applied
to other files in netatalk:

  Log:
  Since I have my hands all over netatalk adding locking and restructuring
  it, cinch the file's style closer to style(9) with regard to parenthesis:

    s/( /(/g
    s/ )/)/g
    s/return(/return (/g
    s/return 0/return (0)/
    s/return 1/return (1)/
2004-03-22 03:48:31 +00:00
Robert Watson
b8e3da4a83 Since I have my hands all over netatalk adding locking and restructuring
it, cinch the file's style closer to style(9) with regard to parenthesis:

  s/( /(/g
  s/ )/)/g
  s/return(/return (/g
  s/return 0/return (0)/
  s/return 1/return (1)/
2004-03-22 03:24:10 +00:00
Robert Watson
97cb84c481 Spell "(struct foo *)0" as "NULL". 2004-03-21 03:28:08 +00:00
Robert Watson
909d5c6308 Isolate PCB-specific ethertalk DDP functions in ddp_pcb.c, removing them
from ddp_usrreq.c.  Functions moved are:

  at_pcballoc()
  at_pcbconnect()
  at_pcbdetach()
  at_pcbdisconnect()
  at_pcbsetaddr()
  at_sockaddr()

Also moved are ddp_ports and ddpcb, global variables associated with DDP
pcbs.  This makes PCB implementation more parallel to inet, inet6, and
ipx.
2004-03-19 07:21:22 +00:00
Robert Watson
34f74e1ed8 Make ddp_ports static, as it's not used outside of ddp_usrreq.c.
Inspired by:	Day spent hiking to hot springs in Taiwan
Powered by:	Asia BSDCon 2004
2004-03-17 12:54:21 +00:00
Robert Watson
2d3b3d66b4 Const-poison atmulticastaddr, which should be read but not modified.
While there, remove (caddr_t) casting of ethernet addresses, which
among other things discards the qualifier.  This makes it clear that
atmulticastaddr does not require synchronization.
2004-03-13 05:27:17 +00:00
Robert Watson
746e5bf09b Rename dup_sockaddr() to sodupsockaddr() for consistency with other
functions in kern_socket.c.

Rename the "canwait" field to "mflags" and pass M_WAITOK and M_NOWAIT
in from the caller context rather than "1" or "0".

Correct mflags pass into mac_init_socket() from previous commit to not
include M_ZERO.

Submitted by:	sam
2004-03-01 03:14:23 +00:00