Commit Graph

955 Commits

Author SHA1 Message Date
Christian Prochaska
cb8910b40c Update lwip to version STABLE-1_4_1
Fixes #366.
2012-11-07 13:35:36 +01:00
Josef Söntgen
ac3a362fdf Noux: add dup() to libc_noux
This library function is implemented upon SYSCALL_DUP2. Therfor the
syscall was slightly changed. It now returns the new allocated fd in
dup2_out.fd.
2012-11-07 13:34:54 +01:00
Alexander Boettcher
7a619b9ede base-nova: solely revoke unused capabilities
Extend tracking of delegated and of translated items. The additional
information is used to solely free up unused/unwanted mapped capabilities and
to avoid unnecessary revokes on capability indexes where nothing have been
received.

Fixes #430
2012-11-07 13:32:40 +01:00
Josef Söntgen
db9dc3388d Noux: fix resetting fds in unmarshal_fds
Since FD_ZERO() resets a whole fd_set (which is 128 bytes) using it to
reset dst_fds will override otherwise used memory if the memory was
allocated dynamically and is less than sizeof (fd_set). So instead of
using this macro we reset the fd_set manually.
2012-11-07 11:32:26 +01:00
Josef Söntgen
0539c7180b Noux: add Io_receptor to SYSCALL_SELECT + bugfix
The Io_receptor is now used to unblock certain I/O channels from lwip's
callback-function.

There was also a bug in which all ready-to-ready fds were overriden by
the ready-to-write ones.
2012-11-07 11:32:16 +01:00
Josef Söntgen
c74bdbf8d8 Noux: add Io_receptor_registry 2012-11-07 11:32:11 +01:00
Josef Söntgen
082d8d6623 Noux/net: refactoring of Socket_io_channel
The Socket_io_channel class now uses the Io_channel_backend to provide
the network related methods. In addition the Socket_io_channel_registry
was replaced with a simpler implementation which uses Io_receptors to
unblock I/O channels from the callback-function of lwip.
2012-11-07 11:32:06 +01:00
Josef Söntgen
08bd41b1ec Noux: add backend pointer to Io_channel
The backend pointer may be used to provide additional methods in a
Io_channel derived class.
2012-11-07 11:32:01 +01:00
Norman Feske
4b140a5202 Define SIGUSR1 for hybrid Linux/Genode programs
This patch fixes the 'lx_hybrid_pthread_ipc.run' test. In order to use
the 'Genode::Lock' we need to set the SIGUSR1 handler to an empty handler.
Normally, this happens when creating a thread via the Genode API. But as
this test creates a thread via the pthread library and thereby bypasses
the Genode API, the signal handler remained unset.
2012-11-06 17:32:30 +01:00
Norman Feske
21c22b8b5b Black-list 'tar_rom.run' on Linux 2012-11-06 17:16:06 +01:00
Norman Feske
bb8d090922 Resolve possible ambiguity of 'strcmp' 2012-11-06 09:35:47 +01:00
Norman Feske
90395e9428 Linux: Add 'Platform_thread' destructor 2012-11-05 17:31:05 +01:00
Christian Helmuth
d64dea51c0 Linux: Use 'umount2' as it seems more portable
In contrast to the 'umount' syscall, 'umount2' works on 32 bit and 64
bit.
2012-11-05 17:31:05 +01:00
Christian Helmuth
8020462748 Linux: Build hybrid library with Genode tool chain
Using the host compiler in this case seems to be an artifact from an
older change. On x86_64, this approach ended in unsable hybrid binaries
due to incompatible handling of non-trivial return values, i.e.
structures. See '-freg-struct-return' in GCC manual page:

  "[...] If there is no standard convention, GCC defaults to
  -fpcc-struct-return, except on targets where GCC is the principal
  compiler.  In those cases, we can choose the standard, and we chose
  the more efficient register return alternative."

In other words: All x86_64 Linux systems break the ABI standard :-(
2012-11-05 17:31:05 +01:00
Christian Helmuth
2cb604620e Add missing header for snprintf 2012-11-05 17:31:05 +01:00
Norman Feske
087582a964 Linux: Synchronize thread startup
The thread ID reported to core was not always initialized prior the RPC
call. The 'startup_lock' ensures that the thread is completely
initialized before this information gets propagated.
2012-11-05 17:31:05 +01:00
Norman Feske
940a5f1144 Fix narrowing issues reported by gcc-4.7 2012-11-05 17:31:05 +01:00
Norman Feske
b45242c50f Add chroot support to core
Since the recent move of the process creation into core, the original chroot trampoline
mechanism implemented in 'os/src/app/chroot' does not work anymore. A
process could simply escape the chroot environment by spawning a new
process via core's PD service. Therefore, this patch moves the chroot
support into core. So the chroot policy becomes mandatory part of the
process creation.  For each process created by core, core checks for
'root' argument of the PD session. If a path is present, core takes the
precautions needed to execute the new process in the specified chroot
environment.

This conceptual change implies minor changes with respect to the Genode
API and the configuration of the init process. The API changes are the
enhancement of the 'Genode::Child' and 'Genode::Process' constructors to
take the root path as argument. Init supports the specification of a
chroot per process by specifying the new 'root' attribute to the
'<start>' node of the process. In line with these changes, the
'Loader::Session::start' function has been enhanced with the additional
(optional) root argument.
2012-11-05 17:31:05 +01:00
Norman Feske
e1e7ab178f Resolve ambigiouties of size_t
When building in hybrid Linux/Genode mode, there exist two definitions
of 'size_t', one in the 'Genode' namespace and one imported from the
glibc headers.
2012-11-05 17:31:04 +01:00
Norman Feske
db2b1a37ae Propagate process labels to PD sessions
On Linux, we use the session label for naming the corresponding Linux
process. When looking up the processes via 'ps', the Genode process
hierarchy becomes immediately visible.
2012-11-05 17:31:04 +01:00
Norman Feske
97162332c9 Whitespace fix 2012-11-05 17:31:04 +01:00
Norman Feske
20d8655a7f Linux: move process creation into core
Genode used to create new processes by directly forking from the
respective Genode parent using the process library. The forking process
created a PD session at core merely for propagating the PID of the new
process into core (for later destruction). This traditional mechanisms
has the following disadvantages:

First, the PID reported by the creating process to core cannot easily be
validated by core. Therefore core has to trust the PD client to not
specify a PID of an existing process, which would happen to be killed
once the PD session gets destructed. This problem is documented by
issue #318. Second, there is no way for a Genode process to detect the
failure of its any grandchildren. The immediate parent of a faulting
process could use the SIGCHLD-and-waitpid mechanism to observe its
children but this mechanism does not work transitively.

By performing the process creation exclusively within core, all Genode
processes become immediate child processes of core. Hence, core can
respond to failures of any of those processes and reflect such
conditions via core's session interfaces. Furthermore, the PID
associated to a PD session is locally known within core and cannot be
forged anymore. In fact, there is actually no need at all to make
processes aware of any PIDs of other processes.

Please note that this patch breaks the 'chroot' mechanism that comes in
the form of the 'os/src/app/chroot' program. Because all processes are
forked from core, a chroot'ed process could sneak outside its chroot
environment by just creating a new Genode process. To address this
issue, the chroot mechanism must be added to core.
2012-11-05 17:31:04 +01:00
Norman Feske
7e23b2d569 Complement linux syscalls for 64 bit 2012-11-05 17:31:04 +01:00
Norman Feske
2612dc14c2 Removed linux-specific 'local_interface.h'
The Linux-specific mechanism has been superseded by the generic support
for local capabilities in 'base/include/capability.h'.
2012-11-05 17:31:04 +01:00
Norman Feske
de69ee2e66 Linux: cleanup system-call bindings
This patch simplifies the system call bindings. The common syscall
bindings in 'src/platform/' have been reduced to the syscalls needed by
non-core programs. The additional syscalls that are needed solely by
core have been moved to 'src/core/include/core_linux_syscalls.h'.
Furthermore, the resource path is not used outside of core anymore.
Hence, we could get rid of the rpath library. The resource-path code has
been moved to 'src/core/include/resource_path.h'. The IPC-related parts
of 'src/platform' have been moved to the IPC library. So there is now a
clean separation between low-level syscall bindings (in 'src/platform')
and higher-level code.

The code for the socket-descriptor registry is now located in the
'src/base/ipc/socket_descriptor_registry.h' header. The interface is
separated from 'ipc.cc' because core needs to access the registry from
outside the ipc library.
2012-11-05 17:31:04 +01:00
Norman Feske
371b8fd12d Remove mirroring of 'lx_rpath' in 'app/chroot'
Thanks to the exclusive use of SCM rights for delegating access rights
to memory objects and RPC entrypoints, Genode processes outside of core
won't need to access any files.
2012-11-05 17:31:04 +01:00
Norman Feske
7cb45e9648 Linux: Don't access file system outside of core
This patch changes the way of how dataspace content is accessed by
processes outside of core. Dataspaces are opened by core only and the
corresponding file descriptors are handed out the other processes via
the 'Linux_dataspace::fd()' RPC function. At the client side, the
returned file descriptor is then used to mmap the file.

Consequently, this patch eliminates all files from 'lx_rpath'. The
path is still needed by core to temporarily create dataspaces and
unix domain sockets. However, those files are unlinked immediately
after their creation.
2012-11-05 17:31:04 +01:00
Norman Feske
aee0a2061b Create entrypoint sockets in core only
This patch alleviates the need for any non-core process to create Unix
domain sockets locally. All sockets used for RPC communication are
created by core and subsequently passed to the other processes via RPC
or the parent interface. The immediate benefit is that no process other
than core needs to access the 'rpath' directory in order to communicate.
However, access to 'rpath' is still needed for accessing dataspaces.

Core creates one socket pair per thread on demand on the first call of
the 'Linux_cpu_session::server_sd()' or 'Linux_cpu_session::client_sd()'
functions. 'Linux_cpu_session' is a Linux-specific extension to the CPU
session interface. In addition to the socket accessors, the extension
provides a mechanism to register the PID/TID of a thread. Those
information were formerly propagated into core along with the thread
name as argument to 'create_thread()'.

Because core creates socket pairs for entrypoints, it needs to know all
threads that are potential entrypoints. For lx_hybrid programs, we
hadn't had propagated any thread information into core, yet. Hence, this
patch also contains the code for registering threads of hybrid
applications at core.
2012-11-05 17:31:04 +01:00
Norman Feske
f33c7c73bd Delegate access to entrypoints via SCM rights
This patch eliminates the thread ID portion of the 'Native_capability'
type. The access to entrypoints is now exclusively handled by passing
socket descripts over Unix domain sockets and by inheriting the socket
descriptor of the parent entrypoint at process-creation time.

Each entrypoint creates a socket pair. The server-side socket is bound
to a unique name defined by the server. The client-side socket is then
connected to the same name. Whereas the server-side socket is meant to
be exclusively used by the server to wait for incoming requests, the
client-side socket can be delegated to other processes as payload of RPC
messages (via SCM rights). Anyone who receives a capability over RPC
receives the client-side socket of the entrypoint to which the
capability refers. Given this socket descriptor, the unique name (as
defined by the server) can be requested using 'getpeername'. Using this
name, it is possible to compare socket descriptors, which is important
to avoid duplicates from polluting the limited socket-descriptor name
space.

Wheras this patch introduces capability-based delegation of access
rights to entrypoints, it does not cover the protection of the integrity
of RPC objects. RPC objects are still referenced by a global ID passed
as normal message payload.
2012-11-05 17:31:04 +01:00
Norman Feske
64efaf249a Test naming of bound unix domain sockets 2012-11-05 17:31:04 +01:00
Norman Feske
ca4f574f4c Support for socket-descriptor marshalling
This patch adds prinicipal support for transmitting socket descriptors
as RPC payload. Socket descriptors are handled by the linux-specific
implementation of the capability marshalling and unmarshalling functions
in 'ipc.h'. The 'Message' type in 'src/platform/linux_socket.h' has been
extended to carry multiple descriptors in a single message.

Unfortuately, we hit a problem (and potential show stopper) here:

  lx_sendmsg failed with -109 in lx_call()

The error code corresponds to ETOOMANYREFS. There is only one place in
the Linux kernel where this error code is used (net/unix/af_unix.c).
The code for 'unix_attach_fds()' suggests that there is a limit with
regard to the maximum number of references for a given Unix domain
socket. When the error occurs, core and init are running. The socket
of core's server entrypoint is present in the '/proc/pid/fd' of those
processes 8 times. The error occurs when core tries to perform an
RPC to the entrypoint to perform 'Ram_session::transfer_quota()'
(base/include/base/child.h at line 248).
2012-11-05 17:31:04 +01:00
Norman Feske
8b343d7e1a linux: Remove socket member from 'Native_thread'
The only information needed per thread is whether the thread plays the
role of an 'Ipc_server' or not. We encode this information using a bool
value.
2012-11-05 17:31:03 +01:00
Norman Feske
b01a1a92cc Do not pass client tid to server on IPC call
Thanks to the SCM-rights-based reply capability, the server does not
need to know about the client's TID anymore.
2012-11-05 17:31:03 +01:00
Norman Feske
508d2050a6 linux: Fix 'explicit_reply' semantics
By storing the reply socket descriptor inside the 'Ipc_ostream::_dst'
capability instead as part of the connection state object, we can
use the 'explicit_reply' mechanism as usual. Right now, we store
both the tid and socket handle in 'Native_capability::Dst'. In the
final version, the 'tid' member will be gone.
2012-11-05 17:31:03 +01:00
Norman Feske
1c3b9a6f68 Add 'socket' member to 'Native_capability::Dst'
In the final version, the 'socket' will be the only member to remain in
the 'Dst' time. In the transition phase, we store both the old 'tid' and
the 'socket'.
2012-11-05 17:31:03 +01:00
Norman Feske
c09cd2d1a7 Merge of initial SCM rights code
This patch, which was originally created by Christian Helmuth,
represents the first step towards using SCM rights as capability
mechanism on Linux. It employs the SCM rights mechanism for transmitting
a reply capability to the server as argument of each IPC call. The
server will then send its respond to this reply file descriptor. This
way, the reply channel does not need to be globally visible anymore.
2012-11-05 17:31:03 +01:00
Norman Feske
76b60566b7 Whitespace fix 2012-11-05 17:28:51 +01:00
Alexander Boettcher
c1d59e81c2 NOVA: use latest kernel from github
Related to issue #431. Requires toolchain rebuild to bump version to 2.22 !!!

Fixes #429
2012-11-05 17:28:51 +01:00
Christian Helmuth
7c77d0ee5f Prevent compiler warnings
Fixes #464.
2012-11-05 10:57:29 +01:00
Christian Prochaska
c99dd8fdf8 Use 'CURDIR' make variable in Genode make files
The bash-builtin 'pwd' command uses the 'st_dev' and 'st_ino' members of
the 'stat' struct to compare the path from the 'PWD' environment variable
with the path returned by 'getcwd()'. These members don't get set
correctly in Noux and therefore the 'pwd' command sometimes returns wrong
results when building Genode in Noux. With this patch the 'CURDIR' make
variable gets used instead of calling 'pwd'.

Fixes #454.
2012-11-03 09:54:14 +01:00
Christian Prochaska
22cc867234 'Allocator_avl_base::free()': print error message
With this patch an error message gets printed in
'Allocator_avl_base::free()' if the given address is not the start address
of the allocated block.

Fixes #459.
2012-11-03 09:53:34 +01:00
Christian Prochaska
a48942bffc Fix warning in QPluginWidget test
Create the signal context object before the signal receiver object to get the
signal receiver destroyed before the signal context. This avoids a 'specified
signal-context capability has wrong type' warning when the signal receiver
tries to free its managed context on destruction.

Part of #448.
2012-11-03 09:52:19 +01:00
Christian Prochaska
d46c79b428 libc_lock_pipe: match alloc. and dealloc. funcs
Fixes #460.
2012-11-03 09:51:56 +01:00
Christian Prochaska
abf3867d39 Arora: add 'stdcxx.lib.so' to boot modules
Fixes #461.
2012-11-03 09:51:14 +01:00
Stefan Kalkowski
70dfe4fcd7 Fiasco.OC: forward CC, and CXX variables (fix #462)
When building the Fiasco.OC kernel, and L4Linux within the Genode build system,
forward the CC, and CXX variables. It might contain useful tools like ccache,
or distcc to speed up compilation. Moreover, don't delete the MAKEFLAGS when
building Fiasco.OC. It hinders parallel builds.
2012-11-03 09:50:37 +01:00
Stefan Kalkowski
518cbc5a5f L4Linux: no linux-kernel memcpy in cxx (fix #446)
Certain symbols from the libgcc_eh library in cxx that is linked with the
L4Linux kernel were resolved by using kernel internal implementations.
This lead to errors because the complete Linux kernel is built regparm=3.
This patch prefixes the appropriate symbols in the Linux Kernel and its
modules. Moreover, it fixes some warnings introduced by the latest update
to gcc 4.7.
2012-11-03 09:49:04 +01:00
Christian Helmuth
20ddd1bcdc lwip: setup static IP if provided
Fixes #349.
2012-11-02 14:57:47 +01:00
Christian Helmuth
4d36c12d19 Reduce LOG noise to due disappeared clients
The message is disarmed in release mode (SPECS += release).

Fixes #310.
2012-11-02 13:35:45 +01:00
Norman Feske
d28b34b1fe Return value of correct type, reported by gcc-4.7 2012-11-01 17:06:05 +01:00
Norman Feske
19a996bcb9 Follow gcc's suggestions about using braces 2012-11-01 17:04:06 +01:00