Commit Graph

139 Commits

Author SHA1 Message Date
Christian Prochaska
8f12e555af lx_hybrid: reserve thread context area for core
core does not use POSIX threads when built for the 'lx_hybrid_x86'
platform, so we need to reserve the thread-context area via a segment in
the program to prevent clashes with vdso and shared libraries.

Fixes #639.
2013-02-12 14:13:16 +01:00
Christian Prochaska
1947d08e78 Use the host c++ for linking hybrid applications
Some shared libraries of the host system contain search paths for finding
other needed shared libraries. These paths get evaluated only by a native
linker. To find all needed shared libraries, with this patch, the host
linker is used to link hybrid applications.

Fixes #645.
2013-02-12 12:53:35 +01:00
Alexander Boettcher
f50d816555 base: fix dangling session pointers in rm_session
If page faults are handled concurrently (as for base-nova) the traverse lookup
call in rm_session_component must be thread safe, which it isn't.
If the faulting area is backed by nested dataspaces which are managed by
various rm_sessions then a race happens under following circumstances
(triggered occasionally by the bomb test).

The traverse lookup may return a pointer to a rm_session of a nested dataspace.
If the rm_session is in parallel subject to destruction it happened that faults
got enqueued to the faulters list of the deleted rm_session and internally to
a list of the current rm_session of the Rm_client.

During destruction of the faulting Rm_client the associated rm_session will
be dissolved from the Rm_client, which leads to dereferencing the
dangling pointer of the already destructed rm_session.

On base-nova the memory of the rm_session object get unmapped eventually, so
that the de-referencing of the dangling pointer caused page faults in core.

The memory on other kernels inside core never get unmapped so that the
bug doesn't trigger visible faults.

The patch replace the keeping of a rm_session pointer by keeping a
capability instead. The rm_session object must be looked up now explicitly in
the Object_pool implementation, which implements proper reference counting on
the rm_session object.

Issue #549
2013-02-11 12:01:26 +01:00
Alexander Boettcher
9453d319cb base: add remove_client to rm_session
Fixes #13
2013-02-11 12:01:25 +01:00
Christian Prochaska
cecfbf2eb4 lx_hybrid_ctors: remove 'soname' link option
This patch removes the 'soname' link option for building the host
library for the 'lx_hybrid_ctors' test. Without this option, the
library's absolute path at build time gets hardcoded into the
application, which should be okay for this simple test case.

Fixes #638.
2013-01-28 11:34:14 +01:00
Christian Prochaska
b4980e8b9f Linux: use 'SYS_wait4' instead of 'SYS_waitpid'
'SYS_waitpid' does not exist on x86_64 Linux, but 'SYS_wait4' does.

Fixes #615.
2013-01-24 11:00:07 +01:00
Norman Feske
bef78dd9f8 Core: Fix registration of CPU exception handler 2013-01-11 22:16:25 +01:00
Norman Feske
73ab30c22c Update copyright headers to 2013 2013-01-10 21:44:47 +01:00
Alexander Boettcher
c2d3543e62 base: replace obj_by_* by lookup_and_lock
Add functionality to lookup an object and lock it. Additional the case is
handled that a object may be already in-destruction and the lookup will deny
returning the object.

The object_pool generalize the lookup and lock functionality of the rpc_server
and serve as base for following up patches to fix dangling pointer issues.
2013-01-10 11:13:13 +01:00
Norman Feske
9f82764316 core: Introduce default CPU exception handler
The CPU session interfaces comes with the ability to install an
exception handler per thread. This patch enhances the feature with the
provision of a default signal handler that is used if no thread-specific
handler is installed. The default signal handler can be set by
specifying an invalid thread capability and a valid signal context
capability.

Furthermore, this patch relaxes the requirement of the order of the
calls of 'exception_handler' and 'set_pager'. Originally, the exception
handler could be installed not before setting a pager. Now, we remember
the installed exception handler in the 'Cpu_thread' and propagate to to
the platform thread at a later time.
2013-01-04 15:26:16 +01:00
Norman Feske
9b24115c08 base-linux: fix delegation of invalid capabilities
This patch uses a local_name of -1 to encode an invalid capability.
2013-01-04 15:26:16 +01:00
Norman Feske
693d657e6a base-linux: reflect SIGCHLD as Cpu_session signal
With this patch, core responds to SIGCHLD signals of terminating Genode
processes by reflecting these events as exceptions to the CPU session
interface. This way, Genode processes become able to respond to
terminating Genode child processes.
2013-01-04 15:26:16 +01:00
Norman Feske
38272b9172 base-linux: let core catch SIGCHLD signals 2013-01-04 15:26:16 +01:00
Norman Feske
dfaecfb5ab Make quota-upgrading message more clear
Fixes #592
2012-12-22 13:04:04 +01:00
Christian Helmuth
37a6f2a6b8 Linux: Release Rm_session_mmap::_lock during RPCs
Related to #579.
2012-12-21 14:54:21 +01:00
Christian Helmuth
d50996863b Linux: trigger deadlock in rm_session_mmap.cc in core
Related to #579.
2012-12-21 14:54:21 +01:00
Christian Prochaska
522a86e54a base-linux: use the Genode GCC's crt files
With this patch hybrid applications get linked with the Genode GCC's
'crtbegin.o' and 'crtend.o' files instead of the host GCC's versions
to avoid compatibility problems. This only affects the 'linux_x86'
platform, since on the 'lx_hybrid_x86' platform the Genode GCC is the
host GCC.

Fixes #550.
2012-12-21 14:54:21 +01:00
Alexander Boettcher
8c4e1b7eb0 base: extend cap_session with memory allocator
Required to allocate memory to remember per session created capabilities.
During session destruction all capabilities have to be freed up.
2012-12-21 14:54:20 +01:00
Norman Feske
f081733f4b Linux: remove 'some_mem' array in core
The Linux version of core used a part of the BSS to simulate access to
physical memory. All dataspaces would refer to a portion of 'some_mem'.
So every time when core would access the dataspace content, it would
access its local BSS. For all processes outside of core, dataspaces were
represented as files. This patch removes the distinction between core
and non-core processes. Now, core uses the same 'Rm_session_mmap'
implementation as regular processes. This way, the 'some_mem' could be
abandoned. We still use BSS variable for allocating core-local meta
data through.
2012-12-04 20:51:29 +01:00
Christian Prochaska
42cef716e1 CPU session meta data RAM quota upgrade support
Fixes #541.
2012-11-30 16:27:29 +01:00
Alexander Boettcher
fa2cbdc7cb Fix: don't deference stale pager pointer in core
Reset pager pointer in platform_thread if pager object is removed.

Fixes #532
2012-11-29 13:44:07 +01:00
Norman Feske
91e6ab2baf Linux: Robustness of socket life-time management
This patch improves the life-time management of socket descriptors and
addresses several corner cases exposed by the 'bomb' test.

The lookup and association of file descriptors with global IDs have been
turned into an atomic operation. Otherwise, multiple threads interacting
with the singleton 'ep_sd_registry' may override each other's
associations.

Closing the socket pair used for the reply channel has been implemented
via the RAII pattern to capture all corner cases, in particular
exceptions.

If blocking operations are interrupted by signals, we throw a
'Blocking_canceled' exception.

We preserve core's socket descriptor at 'PARENT_SOCKET_HANDLE' to avoid
a corner case where the parent capability is going to dup2'ed to the
same handle.

Support for 'Thread_base::join' within core to enable leaving Genode via
Control-C.
2012-11-26 20:58:09 +01:00
Norman Feske
deb465e442 Improve robustness of chroot-related tests 2012-11-23 12:20:27 +01:00
Martin Stein
05f5999e71 cpu_session: Access thread state by value 2012-11-23 12:20:22 +01:00
Norman Feske
8e831d2224 base-linux: Support customization of UIDs and GIDs
With this patch, custom UIDs and GIDs can be assigned to individual
Genode processes or whole Genode subsystems.

The new 'base-linux/run/lx_uid.run' script contains an example of how to
use the feature.

Fixes #510
2012-11-22 09:21:48 +01:00
Norman Feske
959df5d46b Generalize handling of PD-session arguments
On Linux, we want to attach additional attributes to processes, i.e.,
the chroot location, the designated UID, and GID. Instead of polluting
the generic code with such Linux-specific platform details, I introduced
the new 'Native_pd_args' type, which can be customized for each
platform. The platform-dependent policy of init is factored out in the
new 'pd_args' library.

The new 'base-linux/run/lx_pd_args.run' script can be used to validate
the propagation of those attributes into core.

Note that this patch does not add the interpretation of the new UID and
PID attributes by core. This will be subject of a follow-up patch.

Related to #510.
2012-11-21 20:04:07 +01:00
Torsten Hilbrich
59eb8bf3a8 base-linux: Add chdir after performing chroot
This ensures that the cwd of the process is within the chroot
environment, improving security for root processes.

The cwd after the chroot is the same as before, this is needed to
start binaries given as relative path name.
2012-11-21 20:03:52 +01:00
Norman Feske
bcabbe2c92 Add 'Thread_base::join()'
Using the new 'join()' function, the caller can explicitly block for the
completion of the thread's 'entry()' function. The test case for this
feature can be found at 'os/src/test/thread_join'. For hybrid
Linux/Genode programs, the 'Thread_base::join()' does not map directly
to 'pthread_join'. The latter function gets already called by the
destructor of 'Thread_base'. According to the documentation, subsequent
calls of 'pthread_join' for one thread may result in undefined behaviour.
So we use a 'Genode::Lock' on this platform, which is in line with the
other platforms.

Related to #194, #501
2012-11-19 12:43:34 +01:00
Christian Helmuth
2995011b34 base-linux: implement IPC server destruction
When an IPC server is finalized two important things should happen:
First, the association of the server socket with a capability must be
invalidated. And finally, the server socket pair (server side and client
side) must be closed.

Related to #38.
2012-11-16 13:55:08 +01:00
Norman Feske
4b140a5202 Define SIGUSR1 for hybrid Linux/Genode programs
This patch fixes the 'lx_hybrid_pthread_ipc.run' test. In order to use
the 'Genode::Lock' we need to set the SIGUSR1 handler to an empty handler.
Normally, this happens when creating a thread via the Genode API. But as
this test creates a thread via the pthread library and thereby bypasses
the Genode API, the signal handler remained unset.
2012-11-06 17:32:30 +01:00
Norman Feske
90395e9428 Linux: Add 'Platform_thread' destructor 2012-11-05 17:31:05 +01:00
Christian Helmuth
d64dea51c0 Linux: Use 'umount2' as it seems more portable
In contrast to the 'umount' syscall, 'umount2' works on 32 bit and 64
bit.
2012-11-05 17:31:05 +01:00
Christian Helmuth
8020462748 Linux: Build hybrid library with Genode tool chain
Using the host compiler in this case seems to be an artifact from an
older change. On x86_64, this approach ended in unsable hybrid binaries
due to incompatible handling of non-trivial return values, i.e.
structures. See '-freg-struct-return' in GCC manual page:

  "[...] If there is no standard convention, GCC defaults to
  -fpcc-struct-return, except on targets where GCC is the principal
  compiler.  In those cases, we can choose the standard, and we chose
  the more efficient register return alternative."

In other words: All x86_64 Linux systems break the ABI standard :-(
2012-11-05 17:31:05 +01:00
Christian Helmuth
2cb604620e Add missing header for snprintf 2012-11-05 17:31:05 +01:00
Norman Feske
087582a964 Linux: Synchronize thread startup
The thread ID reported to core was not always initialized prior the RPC
call. The 'startup_lock' ensures that the thread is completely
initialized before this information gets propagated.
2012-11-05 17:31:05 +01:00
Norman Feske
940a5f1144 Fix narrowing issues reported by gcc-4.7 2012-11-05 17:31:05 +01:00
Norman Feske
b45242c50f Add chroot support to core
Since the recent move of the process creation into core, the original chroot trampoline
mechanism implemented in 'os/src/app/chroot' does not work anymore. A
process could simply escape the chroot environment by spawning a new
process via core's PD service. Therefore, this patch moves the chroot
support into core. So the chroot policy becomes mandatory part of the
process creation.  For each process created by core, core checks for
'root' argument of the PD session. If a path is present, core takes the
precautions needed to execute the new process in the specified chroot
environment.

This conceptual change implies minor changes with respect to the Genode
API and the configuration of the init process. The API changes are the
enhancement of the 'Genode::Child' and 'Genode::Process' constructors to
take the root path as argument. Init supports the specification of a
chroot per process by specifying the new 'root' attribute to the
'<start>' node of the process. In line with these changes, the
'Loader::Session::start' function has been enhanced with the additional
(optional) root argument.
2012-11-05 17:31:05 +01:00
Norman Feske
e1e7ab178f Resolve ambigiouties of size_t
When building in hybrid Linux/Genode mode, there exist two definitions
of 'size_t', one in the 'Genode' namespace and one imported from the
glibc headers.
2012-11-05 17:31:04 +01:00
Norman Feske
db2b1a37ae Propagate process labels to PD sessions
On Linux, we use the session label for naming the corresponding Linux
process. When looking up the processes via 'ps', the Genode process
hierarchy becomes immediately visible.
2012-11-05 17:31:04 +01:00
Norman Feske
20d8655a7f Linux: move process creation into core
Genode used to create new processes by directly forking from the
respective Genode parent using the process library. The forking process
created a PD session at core merely for propagating the PID of the new
process into core (for later destruction). This traditional mechanisms
has the following disadvantages:

First, the PID reported by the creating process to core cannot easily be
validated by core. Therefore core has to trust the PD client to not
specify a PID of an existing process, which would happen to be killed
once the PD session gets destructed. This problem is documented by
issue #318. Second, there is no way for a Genode process to detect the
failure of its any grandchildren. The immediate parent of a faulting
process could use the SIGCHLD-and-waitpid mechanism to observe its
children but this mechanism does not work transitively.

By performing the process creation exclusively within core, all Genode
processes become immediate child processes of core. Hence, core can
respond to failures of any of those processes and reflect such
conditions via core's session interfaces. Furthermore, the PID
associated to a PD session is locally known within core and cannot be
forged anymore. In fact, there is actually no need at all to make
processes aware of any PIDs of other processes.

Please note that this patch breaks the 'chroot' mechanism that comes in
the form of the 'os/src/app/chroot' program. Because all processes are
forked from core, a chroot'ed process could sneak outside its chroot
environment by just creating a new Genode process. To address this
issue, the chroot mechanism must be added to core.
2012-11-05 17:31:04 +01:00
Norman Feske
7e23b2d569 Complement linux syscalls for 64 bit 2012-11-05 17:31:04 +01:00
Norman Feske
2612dc14c2 Removed linux-specific 'local_interface.h'
The Linux-specific mechanism has been superseded by the generic support
for local capabilities in 'base/include/capability.h'.
2012-11-05 17:31:04 +01:00
Norman Feske
de69ee2e66 Linux: cleanup system-call bindings
This patch simplifies the system call bindings. The common syscall
bindings in 'src/platform/' have been reduced to the syscalls needed by
non-core programs. The additional syscalls that are needed solely by
core have been moved to 'src/core/include/core_linux_syscalls.h'.
Furthermore, the resource path is not used outside of core anymore.
Hence, we could get rid of the rpath library. The resource-path code has
been moved to 'src/core/include/resource_path.h'. The IPC-related parts
of 'src/platform' have been moved to the IPC library. So there is now a
clean separation between low-level syscall bindings (in 'src/platform')
and higher-level code.

The code for the socket-descriptor registry is now located in the
'src/base/ipc/socket_descriptor_registry.h' header. The interface is
separated from 'ipc.cc' because core needs to access the registry from
outside the ipc library.
2012-11-05 17:31:04 +01:00
Norman Feske
7cb45e9648 Linux: Don't access file system outside of core
This patch changes the way of how dataspace content is accessed by
processes outside of core. Dataspaces are opened by core only and the
corresponding file descriptors are handed out the other processes via
the 'Linux_dataspace::fd()' RPC function. At the client side, the
returned file descriptor is then used to mmap the file.

Consequently, this patch eliminates all files from 'lx_rpath'. The
path is still needed by core to temporarily create dataspaces and
unix domain sockets. However, those files are unlinked immediately
after their creation.
2012-11-05 17:31:04 +01:00
Norman Feske
aee0a2061b Create entrypoint sockets in core only
This patch alleviates the need for any non-core process to create Unix
domain sockets locally. All sockets used for RPC communication are
created by core and subsequently passed to the other processes via RPC
or the parent interface. The immediate benefit is that no process other
than core needs to access the 'rpath' directory in order to communicate.
However, access to 'rpath' is still needed for accessing dataspaces.

Core creates one socket pair per thread on demand on the first call of
the 'Linux_cpu_session::server_sd()' or 'Linux_cpu_session::client_sd()'
functions. 'Linux_cpu_session' is a Linux-specific extension to the CPU
session interface. In addition to the socket accessors, the extension
provides a mechanism to register the PID/TID of a thread. Those
information were formerly propagated into core along with the thread
name as argument to 'create_thread()'.

Because core creates socket pairs for entrypoints, it needs to know all
threads that are potential entrypoints. For lx_hybrid programs, we
hadn't had propagated any thread information into core, yet. Hence, this
patch also contains the code for registering threads of hybrid
applications at core.
2012-11-05 17:31:04 +01:00
Norman Feske
f33c7c73bd Delegate access to entrypoints via SCM rights
This patch eliminates the thread ID portion of the 'Native_capability'
type. The access to entrypoints is now exclusively handled by passing
socket descripts over Unix domain sockets and by inheriting the socket
descriptor of the parent entrypoint at process-creation time.

Each entrypoint creates a socket pair. The server-side socket is bound
to a unique name defined by the server. The client-side socket is then
connected to the same name. Whereas the server-side socket is meant to
be exclusively used by the server to wait for incoming requests, the
client-side socket can be delegated to other processes as payload of RPC
messages (via SCM rights). Anyone who receives a capability over RPC
receives the client-side socket of the entrypoint to which the
capability refers. Given this socket descriptor, the unique name (as
defined by the server) can be requested using 'getpeername'. Using this
name, it is possible to compare socket descriptors, which is important
to avoid duplicates from polluting the limited socket-descriptor name
space.

Wheras this patch introduces capability-based delegation of access
rights to entrypoints, it does not cover the protection of the integrity
of RPC objects. RPC objects are still referenced by a global ID passed
as normal message payload.
2012-11-05 17:31:04 +01:00
Norman Feske
64efaf249a Test naming of bound unix domain sockets 2012-11-05 17:31:04 +01:00
Norman Feske
ca4f574f4c Support for socket-descriptor marshalling
This patch adds prinicipal support for transmitting socket descriptors
as RPC payload. Socket descriptors are handled by the linux-specific
implementation of the capability marshalling and unmarshalling functions
in 'ipc.h'. The 'Message' type in 'src/platform/linux_socket.h' has been
extended to carry multiple descriptors in a single message.

Unfortuately, we hit a problem (and potential show stopper) here:

  lx_sendmsg failed with -109 in lx_call()

The error code corresponds to ETOOMANYREFS. There is only one place in
the Linux kernel where this error code is used (net/unix/af_unix.c).
The code for 'unix_attach_fds()' suggests that there is a limit with
regard to the maximum number of references for a given Unix domain
socket. When the error occurs, core and init are running. The socket
of core's server entrypoint is present in the '/proc/pid/fd' of those
processes 8 times. The error occurs when core tries to perform an
RPC to the entrypoint to perform 'Ram_session::transfer_quota()'
(base/include/base/child.h at line 248).
2012-11-05 17:31:04 +01:00
Norman Feske
8b343d7e1a linux: Remove socket member from 'Native_thread'
The only information needed per thread is whether the thread plays the
role of an 'Ipc_server' or not. We encode this information using a bool
value.
2012-11-05 17:31:03 +01:00
Norman Feske
b01a1a92cc Do not pass client tid to server on IPC call
Thanks to the SCM-rights-based reply capability, the server does not
need to know about the client's TID anymore.
2012-11-05 17:31:03 +01:00
Norman Feske
508d2050a6 linux: Fix 'explicit_reply' semantics
By storing the reply socket descriptor inside the 'Ipc_ostream::_dst'
capability instead as part of the connection state object, we can
use the 'explicit_reply' mechanism as usual. Right now, we store
both the tid and socket handle in 'Native_capability::Dst'. In the
final version, the 'tid' member will be gone.
2012-11-05 17:31:03 +01:00
Norman Feske
1c3b9a6f68 Add 'socket' member to 'Native_capability::Dst'
In the final version, the 'socket' will be the only member to remain in
the 'Dst' time. In the transition phase, we store both the old 'tid' and
the 'socket'.
2012-11-05 17:31:03 +01:00
Norman Feske
c09cd2d1a7 Merge of initial SCM rights code
This patch, which was originally created by Christian Helmuth,
represents the first step towards using SCM rights as capability
mechanism on Linux. It employs the SCM rights mechanism for transmitting
a reply capability to the server as argument of each IPC call. The
server will then send its respond to this reply file descriptor. This
way, the reply channel does not need to be globally visible anymore.
2012-11-05 17:31:03 +01:00
Christian Helmuth
7c77d0ee5f Prevent compiler warnings
Fixes #464.
2012-11-05 10:57:29 +01:00
Christian Helmuth
fef2551af4 lx_hybrid: revive missing errno test 2012-10-29 10:08:30 +01:00
Stefan Kalkowski
dc3d784e6d Introduce platform-specific services for core
By now all services in core where created, and registered in the generic
main routine. Although there exists already a x86-specific service (I/O ports)
there was no possibility to announce core-services for certain platforms only.
This commit introduces a hook function in the 'Platform' class, that enables
registration of platform-specific services. Moreover, the io-port service
is offered on x86 platforms only now.
2012-10-29 10:08:29 +01:00
Alexander Boettcher
664e0dc7cd Provide cpu_session_cap via environment object
Preparation to solve issue #10
2012-10-24 11:34:33 +02:00
Norman Feske
4a1b545770 Move 'Child' API implementation to library 2012-10-09 13:45:33 +02:00
Norman Feske
64245dde3a Avoid superfluous compiler warnings
GCC warns about uninitialized local variables in cases where no
initialization is needed, in particular in the overloads of the
'Capability::call()' function. Prior this patch, we dealt with those
warnings by using an (unreliable) GCC pragma or by disabling the
particular warning altogether (which is a bad idea). This patch removes
the superfluous warnings by telling the compiler that the variable in
question is volatile.
2012-10-08 15:08:21 +02:00
Alexander Boettcher
ea38aad30e Move context area definition to native_type 2012-09-24 09:17:54 +02:00
Norman Feske
83bdfea9b0 Extend Cpu_session with thread-affinity API
This patch introduces the functions 'affinity' and 'num_cpus' to the CPU
session interface. The interface extension will allow the assignment of
individual threads to CPUs. At this point, it is just a stub with no
actual platform support.
2012-09-05 10:25:04 +02:00
Martin Stein
9369057f90 Extend RAM/CPU session for base-hw context-areas. 2012-08-02 16:41:21 +02:00
Christian Helmuth
f730a9c343 Linux: prevent zombie state for child processes
Setting the handler for SIGCHLD to SIG_IGN (ignore) informs the kernel
not to enter the zombie state: (man 2 wait)

  POSIX.1-2001 specifies that if the disposition of SIGCHLD is set to
  SIG_IGN or the SA_NOCLDWAIT flag is set for SIGCHLD (see
  sigaction(2)), then children that terminate do not become zombies
  [...]

Fixes #271.
2012-07-11 12:12:41 +02:00
Torsten Hilbrich
ae41acec27 Hardening compilation support for 64bit Linux
Without this patch the compilation failed with:

/usr/bin/ld: main.o: relocation R_X86_64_32S against
`vtable for Genode::Dataspace' can not be used when making a shared object;
recompile with -fPIC
main.o: could not read symbols: Bad value
collect2: ld returned 1 exit status
make[6]: *** [init] Error 1

For this patch the use of the hardening tool chain must be indicated
using the "hardening_tool_chain" SPECS entry within the file
<build>/etc/specs.conf

Fixes #79
2012-06-21 00:50:18 +02:00
Norman Feske
288fd4e56e Add support for allocating DMA memory
This patch extends the RAM session interface with the ability to
allocate DMA buffers. The client specifies the type of RAM dataspace to
allocate via the new 'cached' argument of the 'Ram_session::alloc()'
function. By default, 'cached' is true, which correponds to the common
case and the original behavior. When setting 'cached' to 'false', core
takes the precautions needed to register the memory as uncached in the
page table of each process that has the dataspace attached.

Currently, the support for allocating DMA buffers is implemented for
Fiasco.OC only. On x86 platforms, it is generally not needed. But on
platforms with more relaxed cache coherence (such as ARM), user-level
device drivers should always use uncacheable memory for DMA transactions.
2012-06-20 09:17:48 +02:00
Martin Stein
3236395e6a Check ownership when freeing RAM dataspaces 2012-04-20 18:39:48 +02:00
Christian Prochaska
7a369bc74d Add an 'executable' flag to 'Rm_session::attach()'
With this patch clients of the RM service can state if they want a mapping
to be executable or not. This allows dataspaces to be mapped as
non-executable on Linux by default and as executable only if needed.

Partially fixes #176.
2012-04-20 11:21:19 +02:00
Christian Prochaska
de92956220 Read 'main()' function arguments from config file
This patch reads program arguments from the config file and makes them
available to the application via the 'argc' and 'argv' arguments of the
'main()' function. The configuration syntax looks like this:

<config>
	<arg value="...">
	<arg value="...">
        ...
</config>

The 'value' attribute of the first <arg> node becomes 'argv[0]' and so on.

Fixes #184.
2012-04-20 08:31:40 +02:00
Christian Prochaska
dd0ef3403f Limit core's ROM fs to current directory on Linux
This patch limits core's ROM file system to the current working directory
on Linux by rejecting file names which contain forward slashes.

Fixes #175.
2012-04-16 12:16:12 +02:00
Norman Feske
92cd9e57b9 Fix compile warning 2012-04-04 11:07:15 +02:00
Norman Feske
d6e30c19de Replace 'Native_capability::copy_to' by accessor
The 'copy_to' function turned out to be not flexible enough to
accommodate the Noux fork mechanism. This patch removes the function,
adds an accessor for the capability destination and a compound type
'Native_capability::Raw' to be used wherever plain capability
information must be communicated.
2012-03-28 09:58:51 +02:00
Stefan Kalkowski
ae8cf5f44d Rename tid() to dst() in Native_capability.
As suggested by Norman in the discussion of issue #145, this commit
renames the tid() accessor in Native_capability to dst().
2012-03-10 15:52:19 +01:00
Stefan Kalkowski
42b7c01685 Unify policy name for Native_capability_tpl.
This commit unifies the policy name for the template argument for
Native_capability_tpl to Cap_dst_policy, like suggested by Norman in the
discussion resulting from issue #145. Moreover, it takes the memcpy
operation for copying a Native_capability out of the template, which is
included by a significant bunch of files, and separates it in a library,
analog to the suggestion in issue #145.
2012-03-10 15:52:13 +01:00
Norman Feske
35384faa7a Follow-up tweaks for issue #145
Because we use to pass a policy class to 'Native_capability_tpl'
we can pass the dst type as part of the policy instead of as
a separate template argument. This patch also adds documentation
of the POLICY interface as expected by 'Native_capability_tpl'.
2012-03-08 19:28:32 +01:00
Stefan Kalkowski
c9c21ad39c Merge Native_capability implementations (fix #145).
This patch unifies the Native_capability classes for the different kernel
platforms by introducing an appropriate template, and eliminating naming
differences. Please refer issue #145.
2012-03-08 18:42:39 +01:00
Stefan Kalkowski
9992efed03 Don't memcpy the parent capability. Fix #144.
To give the platform developer more freedom in how the Native_capability
class is internally implemented (e.g. turning it into a smart-pointer),
this patch removes the memcpy operation, when transfering the parent-capability
to a new process from the generic code, and let the implementation of the
platform-specific Native_capability decide how the transfer has to be done.
Please refer to issue #144.
2012-03-08 18:41:38 +01:00
Stefan Kalkowski
fa377f0df5 Make local capability interface explicit. Fix #139.
Introduce a factory-, and dereference method for local capabilities. These are
capabilities that reference objects of services, which are known to be used
protection-domain internally only. To support the new Capability class methods
a protected constructor and accessor to the local object's pointer is needed
in the platform's capability base-classes. For further discussion details please
refer issue #139.
2012-03-08 18:40:48 +01:00
Christian Prochaska
c29b5f7da3 Fix lx_hybrid_ctors test for Ubuntu 11.10
On Ubuntu 11.10 the host library created for the 'lx_hybrid_ctors' test
doesn't get loaded, because the test object in the library is not being
used by the application. This commit fixes the problem by having the
application call a dummy function in the library.

Fixes #120.
2012-02-27 16:05:03 +01:00
Norman Feske
3ddf7d2b1b Let reload_parent_cap take the new cap as agument 2012-02-23 10:42:03 +01:00
Christian Prochaska
06f155a644 Add 'Native_capability::dst()' accessor for Linux
This patch fixes #118.
2012-02-15 09:26:21 +01:00
Norman Feske
b11bbd30c2 Work-around of running Genode with PaX enabled
Thanks to Torsten Hilbrich for reporting. Fixes #91.
2012-02-08 19:30:55 +01:00
Christian Helmuth
5ca9f16ff0 Refactor Linux socket handling into platform header
Besides the IPC framework, the daemon bridge will be the second user of
these functions.
2012-01-17 17:19:30 +01:00
Norman Feske
90e36f23af Consider CC_MARCH to find lx_hybrid crtn, fix #82
Patch by Christian Prochaska. This patch fixes problems with building
the 32-bit variant of 'fb_sdl' on a 64-bit host system.
2012-01-13 19:29:30 +01:00
Norman Feske
08ce32215d Bump year in copyright headers to 2012 2012-01-03 15:35:05 +01:00
Norman Feske
7a8ad10ffd Define _GNU_SOURCE for all users of syscall lib
Move the definition of '_GNU_SOURCE' from 'import-lx_hybrid.mk' to
'import-syscall.mk' because this definition may (potentially) affect all
programs that include Linux headers installed on the host - not only
hybrid Linux/Genode programs. Fixes #52
2011-12-24 06:14:54 +08:00
Genode Labs
d1891e8a27 Merge final fixes from internal repositories 2011-12-23 14:04:29 +01:00
Norman Feske
6ce4e47c1c Do not rely on '/sbin/' in PATH
Do not rely on '/sbin/' being present in the PATH variable. This patch
fixes build problems of hybrid Linux/Genode programs on Debian.
2011-12-22 17:23:09 +01:00
Norman Feske
defd6a9b58 Use POSIX threads in Linux/Genode hybrids
- Let hybrid Linux/Genode programs use POSIX threads for the
  implementation of the Thread API.
- Prevent linkage of cxx library to hybrid Linux/Genode programs because
  the cxx functionality is covered by glibc.
2011-12-22 17:17:44 +01:00
Genode Labs
da4e1feaa5 Imported Genode release 11.11 2011-12-22 16:19:25 +01:00