Let the sandbox library disregard all unknown config sub nodes so that
supplemental information - like the monitor policy configuration - is
not interpreted as a misconfiguration ("unknown config element type ...").
Issue #4917
By default, the sandbox uses the Env::pd() as reference PD session of
the sandbox children.
However, to accomodate use cases where the interplay of the reference
PD session and the child's address space needs to be intercepted, this
patch adds a constructor that takes an interface for the controlled
access of PD intrinsics as argument.
Issue #4917
This patch promotes the event of an exiting child to become immediately
reported, reducing delays for management components that watch the exit
status of children.
Fixes#4814
The `with_sub_node` method is renamed to `with_optional_sub_node` to
better reflect that the non-existence of a sub node with the desired type is
ignored.
At the same time, the new `with_sub_node` now takes a second functor that is
called when no sub node of the desired type exists.
genodelabs/genode#4600
The parent-provides model is destroyed if no <parent-provides> node is
found in the configuration, which resulted in
Warning: list model not empty at destruction time
and leaking memory for the allocated nodes. The commit now explicitly
empties the list model in the destructor of ~Parent_provides_model.
Note, the case is implicitly tested in pkg/test-init by step "denial of
forwarded session request" and <init_config version="empty">.
Thanks to Peter for reporting this issue.
Fixes#4547
The existing assignment of CPU quotas did not anticipate the dynamic
reconfiguration of init. It merely tracked the available CPU quota by
deducing the consumed amount from a global variable but never
replenished the value. This worked for static scenarios but failed in
situations where components are dynamically re-started.
So far this deficiency remained detected because CPU quotas were not
used in highly dynamic systems like Sculpt OS. However, this has
recently changed by commit "sculpt: assign CPU quotas".
The patch improves the accounting by mirroring the existing handling of
RAM and cap quotas. Note that the CPU-quota accounting is still rather
limited. In particular the dynamic rebalancing is not yet supported.
Issue #4445
Fix some trivial cases where the signedness of the constant value does
not match the signedness of type the code expects to see. GCC can be
asked to warn about those by passing Wsign-covnersion flag.
Issue #4354
This patch improves the robustness of the CPU-affinity handling.
- The types in base/affinity.h received the accessors
'Location::within(space)' and 'Affinity::valid', which alleviates
the fiddling with coordinates when sanity checking the values,
in init or core.
- The 'Affinity::Location::valid' method got removed because its
meaning was too vague. For sanity checks of affinity configurations,
the new 'within' method is approriate. In cases where only the x,y
values are used for selecting a physical CPU (during thread creation),
the validity check (width*height > 0) was not meaningful anyway.
- The 'Affinity::Location::from_xml' requires a 'Affinity::Space'
as argument because a location always relates to the bounds of
a specific space. This function now implements the selection of
whole rows or columns, which has previously a feature of the
sandbox library only.
- Whenever the sandbox library (init) encounters an invalid affinity
configuration, it prints a warning message as a diagnostic aid.
- A new 'Affinity::unrestricted' function constructs an affinity that
covers the whole affinity space. The named functions clarifies
the meaning over the previous use of the default constructor.
- Core's CPU service denies session requests with an invalid
affinity parameter. Previously, it would fall back to an
unrestricted affinity.
Issue #4300
* Only give managing_system permission when all parent nodes of the
corresponding component agree in doing so.
* Move the physical memory constrains heuristic from sandbox library to core
Fix#4335
The new 'Env::try_session' method mirrors the existing 'Env::session'
without implicitly handling exceptions of the types 'Out_of_ram',
'Out_of_caps', 'Insufficient_ram_quota', and 'Insufficient_cap_quota'.
It enables runtime environments like init to reflect those exceptions to
their children instead of paying the costs of implicit session-quota
upgrades out of the own pocket.
By changing the 'Parent_service' to use 'try_session', this patch fixes
a resource-exhaustion problem of init in Sculpt OS that occurred when
the GPU multiplexer created a large batch of IO_MEM sessions, with each
session requiring a second attempt with the session quota upgraded by
4 KiB.
Issue #3767
This commit optimizes the 'Child::resolve_session_request'
implementation by introducing an internal 'Route_model' for quickly
traversing routing rules instead of parsing XML on each session request.
Fixes#4068
This commit replaces the hand-crafted config processing by the use of
the 'List_model' utility. This has the following advantages:
- The parsing follows a common formalism that makes the code
easier to maintain and to understand. Several parts of the code
had to be changed (for the better) to make it fit the list model
approach. E.g., the child states have become more expressive
and logical.
- In the common case, the XML data is traversed only once, which
increases the parsing speed in dynamic scenarios.
- The code becomes easier to optimize. In particular, the patch skips
the re-evaluation of the session routing if no service is affected
by the config change.
The patch also revisits the init test by removing overly long sleep
phases and extending a few sleep phases that were too short when
executing the test on Qemu.
Issue #4068
This patch adds the missing destruction of session-state objects of
local services when closing a session. Because of the missing
destruction, those session-state object remained part of the server
ID space. This becomes a problem once the backing store of the session
state object vanishes, that is when the client child gets removed from
the sandbox. Hence, the removal of a child with an open session to a
local service would lead to the corruption of the server ID space.
This patch adds the missing session.destroy() call.
Fixes#4044
During position scaling use the location width/height which is the permitted
dimension within the child space, instead of using the whole possible
child space. (Fixup for "init: scale affinity location" Issue #1412)
Thanks to the report by Peter.
This commit restores the diag feature for selecting diagnostic output of
services provided by core. This feature became unavailable with commit
"base: remove dependency from deprecated APIs", which hard-wired the
diag flag for core services to false.
To control this feature, three possible policies can be expressed in a
routing target of init's configuration:
* Forcing silence by specifying 'diag="no"'
* Enabling diagnostics by specifying 'diag="yes"'
* Forwarding the preference of the client by omitting the 'diag'
attribute
Fixes#3962
When compiling this code, clang complains reference to 'Sandbox' is
ambiguous. It can either mean ::Sandbox namespace from
os/src/lib/sandbox/types.h, or Genode::Sandbox declared in
repos/os/include/os/sandbox.h. Since the code refers to ::Sandbox::Child
and its already in ::Sandbox namespace we can just drop "Sandbox" and
refer to just Child, which makes clang happy.
Issue #3938
Introduce the managing_system privilege for components like the
platform_driver to allow it to call system management functionality
that is reserved by kernel or special firmware, e.g., ARM Trusted Firmware.
The former RAM resource configuration attribute `constrain_phys`,
which enabled to constrain the region of physical RAM to be used,
gets replaced by the new, broader managing_system configuration
attribute of a `start` node. It gets enforced by the sandbox library.
Ref #3816
- Since Genode::strncpy is not 100% compatible with the POSIX
strncpy function, better use a distinct name.
- Remove bogus return value from the function, easing the potential
enforcement of mandatory return-value checks later.
Fixes#3752
The sandbox library supports the forwarding of session requests from the
outside to one of the hosted children according to a policy. This patch
introduces the distinction between two cases, which previously triggered
the denial of the session request.
- There exists no matching policy for the requested session
- There exists a matching policy but the referred server child
does not exist (yet)
Whereas the proper response to the first case is the denial of the
request, the second case can occur in situation where a dynamic init is
used to implement a staged startup, for example via the deploy
mechanism. In such cases, a policy may exist as a static rule while the
server has not been started yet. This patch changes the behavior such
that such requests are stalled.
The patch is accompanied with test cases for exercising both situations.
Fixes#3733
This patch extracts the child-management functionality from the init
component into a new library called "sandbox". The library API is
located at 'os/include/os/sandbox.h'.
The sandbox API allows for the interaction of the component with the
sandboxed children by providing locally implemented services. This
mechanism is illustrated by the new test at os/src/test/sandbox.
Issue #3601
