Commit Graph

241 Commits

Author SHA1 Message Date
Christian Helmuth
93ab972ddc tool/seccomp: allow sigreturn on x86
Fixes #3799
2020-07-03 11:15:33 +02:00
Norman Feske
4450b37ff5 depot: update recipe hashes 2020-06-29 14:25:28 +02:00
Norman Feske
eb3a81a874 depot: update recipe hashes 2020-06-22 09:39:41 +02:00
Christian Helmuth
6006051fb9 depot: update recipe hashes 2020-05-27 11:56:47 +02:00
Stefan Thöni
78497c03ca base-linux: enabled seccomp
base-linux uses seccomp to reduce the available system calls
to the minimum set needed to run base-linux. There are still
some syscalls that allow accessing global state which should
be further reduced.

The combination of seccomp and socket descriptor caps should
provide an intermediate level of security for base-linux
thereby enabling base-linux as a migration path from using
the Linux kernel to the use of microkernel-based Genode.

Fixes #3581
2020-05-27 11:56:46 +02:00
Pirmin Duss
7f6b6d7e13 core-linux: make RAM quota configurable
Add the option to configure the RAM quota for core on base-linux.
The environment variable GENODE_RAM_QUOTA if it exists is interpreted
as number of bytes to provide to the first init.

Issue #3762
2020-05-27 11:56:46 +02:00
Norman Feske
b078224753 Replace Genode::strncpy by Genode::copy_cstring
- Since Genode::strncpy is not 100% compatible with the POSIX
  strncpy function, better use a distinct name.

- Remove bogus return value from the function, easing the potential
  enforcement of mandatory return-value checks later.

Fixes #3752
2020-05-27 11:56:45 +02:00
Norman Feske
0f27d139bd depot: update recipe hashes 2020-05-18 10:16:59 +02:00
Christian Helmuth
c11d9b7b5c Remove false API dependencies from libc/posix components
Fixes #3720
2020-05-18 10:16:13 +02:00
Christian Helmuth
236e02a2dd linux: remove initramfs from base-linux src archive 2020-05-18 10:16:13 +02:00
Norman Feske
dd899fde29 depot: update recipe hashes 2020-04-24 14:37:57 +02:00
Norman Feske
6f6340644b Hide binary_ready_hook_for_platform from public
The hook is meant to be internal to the framework. So better keep its
declaration in the framework-internal globals.h header.

Issue #3581
2020-04-24 14:37:47 +02:00
Norman Feske
b134867f31 Remove Rpc_entrypoint::Native_context
This patch largely reverts the commit "base: lay groundwork for
base-linux caps change" because the use of 'epoll' instead of 'select'
alleviated the need to allocate large FD sets, which motivated the
introduction of the 'Native_context' hook.

Related to issue #3581
2020-04-21 16:50:37 +02:00
Christian Helmuth
b60b591d06 depot: update recipe hashes 2020-04-17 12:40:13 +02:00
Norman Feske
132569d12b base-linux: socket descriptor caps for RPC
On Linux, Genode used to represent each RPC object by a socket
descriptor of the receiving thread (entrypoint) and a globally-unique
value that identifies the object. Because the latter was transferred as
plain message payload, clients had to be trusted to not forge the
values. For this reason, Linux could not be considered as a productive
Genode base platform but remained merely a development vehicle.

This patch changes the RPC mechanism such that each RPC object is
represented by a dedicated socket pair. Entrypoints wait on a set of
the local ends of the socket pairs of all RPC objects managed by the
respective entrypoint. The epoll kernel interface is used as the
underlying mechanism to wait for a set of socket descriptors at the
server side.

When delegating a capability, the remote end of the socket pair is
transferred to the recipient along with a plaintext copy of the
socket-descriptor value of the local end. The latter value serves as a
hint for re-identifiying a capability whenever it is delegated back to
its origin. Note that the client is not trusted to preserve this
information. The integrity of the hint value is protected by comparing
the inode values of incoming and already present capablities at the
originating site (whenever the capability is invoked or presented to the
owner of the RPC object).

The new mechanism effectively equips base-linux with Genode's capablity
model as described in the Chapter 3 of the Genode Foundations book.
That said, the sandboxing of components cannot be assumed at this point
because each component has still direct access to the Linux system-call
interface.

This patch is based on the extensive exploration work conducted by
Stefan Thoeni who strongly motivated the inclusion of this feature into
Genode.

Issue #3581
2020-04-17 12:40:13 +02:00
Norman Feske
7bf47b1982 base-linux: boost max open fds to the hard rlimit
This patch increases the default limit of the maximum number of open
file descriptors to the hard limit of the system. This is needed for
complex scenarios, which require more FDs than the default of 1024
at core.

Related to issue #3581

Fixes #3721
2020-04-17 12:40:12 +02:00
Alexander Boettcher
e87d60ddf7 core: use Mutex/Blockade
Issue #3612
2020-04-17 12:40:12 +02:00
Norman Feske
46fa8197a2 depot: update recipe hashes 2020-03-26 11:39:02 +01:00
Norman Feske
d8bcaa4fa4 base-linux: disable ASLR for child processes
ASLR collides with the libc's fork mechanism on 32-bit. In particular,
the tool_chain_auto.run scenario would sporadically fail while mirroring
the parent's address space.

Fixes #3710
2020-03-26 11:39:02 +01:00
Norman Feske
e2b9308b11 lx_hybrid_errno.run: add missing parent services 2020-03-26 11:38:54 +01:00
Christian Helmuth
5affd51250 depot: update recipe hashes 2020-02-28 08:59:43 +01:00
Stefan Thöni
a7a9855493 base: lay groundwork for base-linux caps change
Include the necessary hooks to introduce file descriptor
based capabilities in base linux.

Issue #3581
2020-02-27 14:46:58 +01:00
Christian Helmuth
4cccf74664 depot: update recipe hashes 2020-02-20 12:11:23 +01:00
Alexander Boettcher
5440cd4b50 base: use blockade in thread
Issue #3612
2020-02-20 12:11:22 +01:00
Alexander Boettcher
00f69bc70d base: add mutex as derivate of lock
The mutex class is more restrictive in usage compared to
Genode::Lock.

- At initialiation time it is ever unlocked.
- No thread is permitted to lock twice. Warn about it
  in case it happens.
- Only the lock onwer is permitted to unlock the mutex.
  Warn about it and don't unlock the mutex in case it happens.

Issue #3612
2020-02-20 12:11:22 +01:00
Norman Feske
57ea1dbdd3 depot: update recipe hashes 2020-02-10 14:29:06 +01:00
Christian Helmuth
90535a1401 depot: update recipe hashes 2020-02-04 15:51:10 +01:00
Stefan Kalkowski
fe899eecc7 base-linux: fix configurable host toolchain
With the '-x' argument of the 'g++' tool the language gets specified,
therefore it has to be 'c++' furthermore, not CUSTOM_HOST_CXX. Moreover,
when import-lx_hybrid.mk gets evaluated first, global.mk is not included
yet, therefore we cannot eagerly evaluate the CXX_LINK_OPT_NO_PIE variable.

Issue #3466
2020-02-04 15:47:27 +01:00
Christian Helmuth
b931b67cba depot: update recipe hashes 2019-12-19 17:01:43 +01:00
Christian Helmuth
23ed5d3936 base-linux: configurable host toolchain
This commit uses CUSTOM_HOST_CC/CUSTOM_HOST_CXX instead of hardcoded
commands and introduces HOST_DEV_PREFIX.

Original patch by Roman Iten and Pirmin Duss.

Issue #3466
2019-12-19 17:01:42 +01:00
Christian Helmuth
4299b85cdb base-linux: support invalid dataspace for RM client
This restores behavior introduced in

  commit cb232891bf
  Author: Norman Feske <norman.feske@genode-labs.com>
  Date:   Tue May 10 11:55:25 2016 +0200

    Fix noux.run on base-linux

but removed by issue #2829.

Related to issue #1938
2019-12-19 17:00:47 +01:00
Johannes Kliemann
93639532f0 base-linux: core session support (IO_PORT, IO_MEM, IRQ) 2019-12-19 16:59:02 +01:00
Christian Helmuth
11ef8e1ff2 depot: update recipe hashes 2019-11-28 09:06:39 +01:00
Christian Helmuth
7ed1d7f11d depot: update recipe hashes 2019-11-19 14:54:14 +01:00
Christian Helmuth
4a7b0e99a6 depot: update recipe hashes 2019-09-20 14:14:16 +02:00
Christian Helmuth
b2c59576ae depot: update recipe hashes 2019-08-28 14:36:56 +02:00
Christian Helmuth
312f801f8a depot: update recipe hashes 2019-08-21 13:25:26 +02:00
Sebastian Sumpf
2fc6cedcc0 ld: load dynamic linker at static address on Linux
* move stack area to static address at beginning of binary
* set ELF type of linker from shared to executable

fixes #3479
2019-08-21 13:25:25 +02:00
Christian Helmuth
17d32b3e15 depot: update recipe hashes 2019-07-09 09:06:54 +02:00
Christian Helmuth
3c4c460f82 depot: update recipe hashes 2019-06-13 13:40:37 +02:00
Christian Helmuth
2b183f9497 depot: update recipe hashes 2019-05-29 10:20:52 +02:00
Christian Helmuth
e60b597af5 linux: 32-bit compatibility with GCC versions before 7
GCC version 7 and above generate calls to __divmoddi for 64bit integer
division on 32-bit. Unfortunately, libgcc liberaries of older compilers
lack this symbol and are still in use by Debian/Ubuntu LTS at least.
2019-05-27 14:52:52 +02:00
Christian Helmuth
ba51800b31 depot: update recipe hashes 2019-05-06 16:15:27 +02:00
Martin Stein
181c78d482 timeout: use uint64_t for all plain time values
This enforces the use of unsigned 64-bit values for time in the duration type,
the timeout framework, the timer session, the userland timer-drivers, and the
alarm framework on all platforms. The commit also adapts the code that uses
these tools accross all basic repositories (base, base-*, os. gems, libports,
ports, dde_*) to use unsigned 64-bit values for time as well as far as this
does not imply profound modifications.

Fixes #3208
2019-05-06 16:15:26 +02:00
Christian Helmuth
6ea1179145 depot: update recipe hashes 2019-04-09 12:30:35 +02:00
Alexander Boettcher
ae16edf1d6 trace: support more facets of execution time
- execution time per thread context
- execution time per scheduling context
- quantum and priority

Issue #3192
2019-04-09 12:30:34 +02:00
Norman Feske
d027f12764 depot: update recipe hashes 2019-04-02 09:36:39 +02:00
Christian Helmuth
ebe71a12ed depot: update recipe hashes 2019-03-19 11:12:36 +01:00
Christian Helmuth
46a29532a9 depot: update recipe hashes 2019-02-26 14:47:02 +01:00
Norman Feske
5ed5fddb7c base/os: remove deprecated APIs
This commit removes APIs that were previously marked as deprecated. This
change has the following implications:

- The use of the global 'env()' accessor is not possible anymore.
- Boolean accessor methods are no longer prefixed with 'is_'. E.g.,
  instead of 'is_valid()', use 'valid()'.
- The last traces of 'Ram_session' are gone now. The 'Env::ram()'
  accessor returns the 'Ram_allocator' interface, which is a subset of
  the 'Pd_session' interface.
- All connection constructors need the 'Env' as argument.
- The 'Reporter' constructor needs an 'Env' argument now because the
  reporter creates a report connection.
- The old overload 'Child_policy::resolve_session_request' that returned
  a 'Service' does not exist anymore.
- The base/printf.h header has been removed, use base/log.h instead.
- The old notion of 'Signal_dispatcher' is gone. Use 'Signal_handler'.
- Transitional headers like os/server.h, cap_session/,
  volatile_object.h, os/attached*_dataspace.h, signal_rpc_dispatcher.h
  have been removed.
- The distinction between 'Thread_state' and 'Thread_state_base' does
  not exist anymore.
- The header cpu_thread/capability.h along with the type definition of
  'Cpu_thread_capability' has been removed. Use the type
  'Thread_capability' define in cpu_session/cpu_session.h instead.
- Several XML utilities (i.e., at os/include/decorator) could be removed
  because their functionality is nowadays covered by util/xml_node.h.
- The 'os/ram_session_guard.h' has been removed.
  Use 'Constrained_ram_allocator' provided by base/ram_allocator.h instead.

Issue #1987
2019-02-26 14:44:15 +01:00