ehmry/genode
ehmry/genode
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity
132569d12b
genode/repos/base-linux/src/core/include/dataspace_component.h

135 lines
3.8 KiB
C
Raw Normal View History

Imported Genode release 11.11
2011-12-22 16:19:25 +01:00
/*
* \brief Core-internal dataspace representation on Linux
* \author Norman Feske
* \date 2006-05-19
*
* On Linux userland, we do not deal with physical memory. Instead,
* we create a file for each dataspace that is to be mmapped.
* Therefore, the allocator is not really used for allocating
* memory but only as a container for quota.
*/
/*
Adjust file headers to refer to the AGPLv3
2017-02-20 13:23:52 +01:00
* Copyright (C) 2006-2017 Genode Labs GmbH
Imported Genode release 11.11
2011-12-22 16:19:25 +01:00
*
* This file is part of the Genode OS framework, which is distributed
Adjust file headers to refer to the AGPLv3
2017-02-20 13:23:52 +01:00
* under the terms of the GNU Affero General Public License version 3.
Imported Genode release 11.11
2011-12-22 16:19:25 +01:00
*/
base: update include guards This patch cleans up the include guards, assisted by the tool/fix_include_ifndef script.
2016-01-20 20:52:51 +01:00
#ifndef _CORE__INCLUDE__DATASPACE_COMPONENT_H_
#define _CORE__INCLUDE__DATASPACE_COMPONENT_H_
Imported Genode release 11.11
2011-12-22 16:19:25 +01:00
#include <linux_dataspace/linux_dataspace.h>
#include <util/string.h>
#include <util/misc_math.h>
#include <base/rpc_server.h>
Unification of native_capability.h This patch establishes the sole use of generic headers across all kernels. The common 'native_capability.h' is based on the version of base-sel4. All traditional L4 kernels and Linux use the same implementation of the capability-lifetime management. On base-hw, NOVA, Fiasco.OC, and seL4, custom implementations (based on their original mechanisms) are used, with the potential to unify them further in the future. This change achieves binary compatibility of dynamically linked programs across all kernels. Furthermore, the patch introduces a Native_capability::print method, which allows the easy output of the kernel-specific capability representation using the base/log.h API. Issue #1993
2016-06-15 15:04:54 +02:00
/* base-internal includes */
#include <base/internal/capability_space_tpl.h>
Imported Genode release 11.11
2011-12-22 16:19:25 +01:00
namespace Genode {
Check ownership when freeing RAM dataspaces
2012-04-20 10:59:41 +02:00
/**
* Deriving classes can own a dataspace to implement conditional behavior
*/
Follow practices suggested by "Effective C++" The patch adjust the code of the base, base-<kernel>, and os repository. To adapt existing components to fix violations of the best practices suggested by "Effective C++" as reported by the -Weffc++ compiler argument. The changes follow the patterns outlined below: * A class with virtual functions can no longer publicly inherit base classed without a vtable. The inherited object may either be moved to a member variable, or inherited privately. The latter would be used for classes that inherit 'List::Element' or 'Avl_node'. In order to enable the 'List' and 'Avl_tree' to access the meta data, the 'List' must become a friend. * Instead of adding a virtual destructor to abstract base classes, we inherit the new 'Interface' class, which contains a virtual destructor. This way, single-line abstract base classes can stay as compact as they are now. The 'Interface' utility resides in base/include/util/interface.h. * With the new warnings enabled, all member variables must be explicitly initialized. Basic types may be initialized with '='. All other types are initialized with braces '{ ... }' or as class initializers. If basic types and non-basic types appear in a row, it is nice to only use the brace syntax (also for basic types) and align the braces. * If a class contains pointers as members, it must now also provide a copy constructor and assignment operator. In the most cases, one would make them private, effectively disallowing the objects to be copied. Unfortunately, this warning cannot be fixed be inheriting our existing 'Noncopyable' class (the compiler fails to detect that the inheriting class cannot be copied and still gives the error). For now, we have to manually add declarations for both the copy constructor and assignment operator as private class members. Those declarations should be prepended with a comment like this: /* * Noncopyable */ Thread(Thread const &); Thread &operator = (Thread const &); In the future, we should revisit these places and try to replace the pointers with references. In the presence of at least one reference member, the compiler would no longer implicitly generate a copy constructor. So we could remove the manual declaration. Issue #465
2017-12-21 15:42:15 +01:00
class Dataspace_owner : Interface { };
Check ownership when freeing RAM dataspaces
2012-04-20 10:59:41 +02:00
Imported Genode release 11.11
2011-12-22 16:19:25 +01:00
class Dataspace_component : public Rpc_object<Linux_dataspace>
{
private:
base-linux: socket descriptor caps for RPC On Linux, Genode used to represent each RPC object by a socket descriptor of the receiving thread (entrypoint) and a globally-unique value that identifies the object. Because the latter was transferred as plain message payload, clients had to be trusted to not forge the values. For this reason, Linux could not be considered as a productive Genode base platform but remained merely a development vehicle. This patch changes the RPC mechanism such that each RPC object is represented by a dedicated socket pair. Entrypoints wait on a set of the local ends of the socket pairs of all RPC objects managed by the respective entrypoint. The epoll kernel interface is used as the underlying mechanism to wait for a set of socket descriptors at the server side. When delegating a capability, the remote end of the socket pair is transferred to the recipient along with a plaintext copy of the socket-descriptor value of the local end. The latter value serves as a hint for re-identifiying a capability whenever it is delegated back to its origin. Note that the client is not trusted to preserve this information. The integrity of the hint value is protected by comparing the inode values of incoming and already present capablities at the originating site (whenever the capability is invoked or presented to the owner of the RPC object). The new mechanism effectively equips base-linux with Genode's capablity model as described in the Chapter 3 of the Genode Foundations book. That said, the sandboxing of components cannot be assumed at this point because each component has still direct access to the Linux system-call interface. This patch is based on the extensive exploration work conducted by Stefan Thoeni who strongly motivated the inclusion of this feature into Genode. Issue #3581
2020-04-09 12:30:21 +02:00
Filename _fname { }; /* filename for mmap */
size_t const _size; /* size of dataspace in bytes */
addr_t const _addr; /* meaningless on linux */
Native_capability _cap; /* capability / file descriptor */
bool const _writable; /* false if read-only */
Imported Genode release 11.11
2011-12-22 16:19:25 +01:00
Check ownership when freeing RAM dataspaces
2012-04-20 10:59:41 +02:00
/* Holds the dataspace owner if a distinction between owner and
* others is necessary on the dataspace, otherwise it is 0 */
base/core: use references instead of pointers This patch replaces the former prominent use of pointers by references wherever feasible. This has the following benefits: * The contract between caller and callee becomes more obvious. When passing a reference, the contract says that the argument cannot be a null pointer. The caller is responsible to ensure that. Therefore, the use of reference eliminates the need to add defensive null-pointer checks at the callee site, which sometimes merely exist to be on the safe side. The bottom line is that the code becomes easier to follow. * Reference members must be initialized via an object initializer, which promotes a programming style that avoids intermediate object- construction states. Within core, there are still a few pointers as member variables left though. E.g., caused by the late association of 'Platform_thread' objects with their 'Platform_pd' objects. * If no pointers are present as member variables, we don't need to manually provide declarations of a private copy constructor and an assignment operator to avoid -Weffc++ errors "class ... has pointer data members [-Werror=effc++]". This patch also changes a few system bindings on NOVA and Fiasco.OC, e.g., the return value of the global 'cap_map' accessor has become a reference. Hence, the patch touches a few places outside of core. Fixes #3135
2019-01-24 22:00:01 +01:00
Dataspace_owner const * const _owner;
Check ownership when freeing RAM dataspaces
2012-04-20 10:59:41 +02:00
base-linux: do not copy dataspace components Dataspace components inherit from RPC objects which are non-copyable from now on. Therefore, the Rom_session_component's constructor had to be modified to not construct a dataspace component on the stack and assign it in the following. Ref #1704
2015-09-25 10:50:08 +02:00
static Filename _file_name(const char *args);
size_t _file_size();
Follow practices suggested by "Effective C++" The patch adjust the code of the base, base-<kernel>, and os repository. To adapt existing components to fix violations of the best practices suggested by "Effective C++" as reported by the -Weffc++ compiler argument. The changes follow the patterns outlined below: * A class with virtual functions can no longer publicly inherit base classed without a vtable. The inherited object may either be moved to a member variable, or inherited privately. The latter would be used for classes that inherit 'List::Element' or 'Avl_node'. In order to enable the 'List' and 'Avl_tree' to access the meta data, the 'List' must become a friend. * Instead of adding a virtual destructor to abstract base classes, we inherit the new 'Interface' class, which contains a virtual destructor. This way, single-line abstract base classes can stay as compact as they are now. The 'Interface' utility resides in base/include/util/interface.h. * With the new warnings enabled, all member variables must be explicitly initialized. Basic types may be initialized with '='. All other types are initialized with braces '{ ... }' or as class initializers. If basic types and non-basic types appear in a row, it is nice to only use the brace syntax (also for basic types) and align the braces. * If a class contains pointers as members, it must now also provide a copy constructor and assignment operator. In the most cases, one would make them private, effectively disallowing the objects to be copied. Unfortunately, this warning cannot be fixed be inheriting our existing 'Noncopyable' class (the compiler fails to detect that the inheriting class cannot be copied and still gives the error). For now, we have to manually add declarations for both the copy constructor and assignment operator as private class members. Those declarations should be prepended with a comment like this: /* * Noncopyable */ Thread(Thread const &); Thread &operator = (Thread const &); In the future, we should revisit these places and try to replace the pointers with references. In the presence of at least one reference member, the compiler would no longer implicitly generate a copy constructor. So we could remove the manual declaration. Issue #465
2017-12-21 15:42:15 +01:00
/*
* Noncopyable
*/
Dataspace_component(Dataspace_component const &);
Dataspace_component &operator = (Dataspace_component const &);
base-linux: socket descriptor caps for RPC On Linux, Genode used to represent each RPC object by a socket descriptor of the receiving thread (entrypoint) and a globally-unique value that identifies the object. Because the latter was transferred as plain message payload, clients had to be trusted to not forge the values. For this reason, Linux could not be considered as a productive Genode base platform but remained merely a development vehicle. This patch changes the RPC mechanism such that each RPC object is represented by a dedicated socket pair. Entrypoints wait on a set of the local ends of the socket pairs of all RPC objects managed by the respective entrypoint. The epoll kernel interface is used as the underlying mechanism to wait for a set of socket descriptors at the server side. When delegating a capability, the remote end of the socket pair is transferred to the recipient along with a plaintext copy of the socket-descriptor value of the local end. The latter value serves as a hint for re-identifiying a capability whenever it is delegated back to its origin. Note that the client is not trusted to preserve this information. The integrity of the hint value is protected by comparing the inode values of incoming and already present capablities at the originating site (whenever the capability is invoked or presented to the owner of the RPC object). The new mechanism effectively equips base-linux with Genode's capablity model as described in the Chapter 3 of the Genode Foundations book. That said, the sandboxing of components cannot be assumed at this point because each component has still direct access to the Linux system-call interface. This patch is based on the extensive exploration work conducted by Stefan Thoeni who strongly motivated the inclusion of this feature into Genode. Issue #3581
2020-04-09 12:30:21 +02:00
static Native_capability _fd_to_cap(int const fd)
{
return Capability_space::import(Rpc_destination(Lx_sd{fd}), Rpc_obj_key());
}
Imported Genode release 11.11
2011-12-22 16:19:25 +01:00
public:
/**
* Constructor
*/
Add support for allocating DMA memory This patch extends the RAM session interface with the ability to allocate DMA buffers. The client specifies the type of RAM dataspace to allocate via the new 'cached' argument of the 'Ram_session::alloc()' function. By default, 'cached' is true, which correponds to the common case and the original behavior. When setting 'cached' to 'false', core takes the precautions needed to register the memory as uncached in the page table of each process that has the dataspace attached. Currently, the support for allocating DMA buffers is implemented for Fiasco.OC only. On x86 platforms, it is generally not needed. But on platforms with more relaxed cache coherence (such as ARM), user-level device drivers should always use uncacheable memory for DMA transactions.
2012-06-18 15:20:31 +02:00
Dataspace_component(size_t size, addr_t addr,
base: introduce caching attributes (fix #1184) On ARM it's relevant to not only distinguish between ordinary cached memory and write-combined one, but also having non-cached memory too. To insert the appropriated page table entries e.g.: in the base-hw kernel, we need to preserve the information about the kind of memory from allocation until the pager resolves a page fault. Therefore, this commit introduces a new Cache_attribute type, and replaces the write_combined boolean with the new type where necessary.
2014-06-19 16:37:31 +02:00
Cache_attribute, bool writable,
Add support for allocating DMA memory This patch extends the RAM session interface with the ability to allocate DMA buffers. The client specifies the type of RAM dataspace to allocate via the new 'cached' argument of the 'Ram_session::alloc()' function. By default, 'cached' is true, which correponds to the common case and the original behavior. When setting 'cached' to 'false', core takes the precautions needed to register the memory as uncached in the page table of each process that has the dataspace attached. Currently, the support for allocating DMA buffers is implemented for Fiasco.OC only. On x86 platforms, it is generally not needed. But on platforms with more relaxed cache coherence (such as ARM), user-level device drivers should always use uncacheable memory for DMA transactions.
2012-06-18 15:20:31 +02:00
Dataspace_owner * owner)
base-linux: socket descriptor caps for RPC On Linux, Genode used to represent each RPC object by a socket descriptor of the receiving thread (entrypoint) and a globally-unique value that identifies the object. Because the latter was transferred as plain message payload, clients had to be trusted to not forge the values. For this reason, Linux could not be considered as a productive Genode base platform but remained merely a development vehicle. This patch changes the RPC mechanism such that each RPC object is represented by a dedicated socket pair. Entrypoints wait on a set of the local ends of the socket pairs of all RPC objects managed by the respective entrypoint. The epoll kernel interface is used as the underlying mechanism to wait for a set of socket descriptors at the server side. When delegating a capability, the remote end of the socket pair is transferred to the recipient along with a plaintext copy of the socket-descriptor value of the local end. The latter value serves as a hint for re-identifiying a capability whenever it is delegated back to its origin. Note that the client is not trusted to preserve this information. The integrity of the hint value is protected by comparing the inode values of incoming and already present capablities at the originating site (whenever the capability is invoked or presented to the owner of the RPC object). The new mechanism effectively equips base-linux with Genode's capablity model as described in the Chapter 3 of the Genode Foundations book. That said, the sandboxing of components cannot be assumed at this point because each component has still direct access to the Linux system-call interface. This patch is based on the extensive exploration work conducted by Stefan Thoeni who strongly motivated the inclusion of this feature into Genode. Issue #3581
2020-04-09 12:30:21 +02:00
: _size(size), _addr(addr), _cap(), _writable(writable),
Check ownership when freeing RAM dataspaces
2012-04-20 10:59:41 +02:00
_owner(owner) { }
Imported Genode release 11.11
2011-12-22 16:19:25 +01:00
/**
* Default constructor returns invalid dataspace
*/
Linux: Don't access file system outside of core This patch changes the way of how dataspace content is accessed by processes outside of core. Dataspaces are opened by core only and the corresponding file descriptors are handed out the other processes via the 'Linux_dataspace::fd()' RPC function. At the client side, the returned file descriptor is then used to mmap the file. Consequently, this patch eliminates all files from 'lx_rpath'. The path is still needed by core to temporarily create dataspaces and unix domain sockets. However, those files are unlinked immediately after their creation.
2012-08-10 14:21:26 +02:00
Dataspace_component()
base-linux: socket descriptor caps for RPC On Linux, Genode used to represent each RPC object by a socket descriptor of the receiving thread (entrypoint) and a globally-unique value that identifies the object. Because the latter was transferred as plain message payload, clients had to be trusted to not forge the values. For this reason, Linux could not be considered as a productive Genode base platform but remained merely a development vehicle. This patch changes the RPC mechanism such that each RPC object is represented by a dedicated socket pair. Entrypoints wait on a set of the local ends of the socket pairs of all RPC objects managed by the respective entrypoint. The epoll kernel interface is used as the underlying mechanism to wait for a set of socket descriptors at the server side. When delegating a capability, the remote end of the socket pair is transferred to the recipient along with a plaintext copy of the socket-descriptor value of the local end. The latter value serves as a hint for re-identifiying a capability whenever it is delegated back to its origin. Note that the client is not trusted to preserve this information. The integrity of the hint value is protected by comparing the inode values of incoming and already present capablities at the originating site (whenever the capability is invoked or presented to the owner of the RPC object). The new mechanism effectively equips base-linux with Genode's capablity model as described in the Chapter 3 of the Genode Foundations book. That said, the sandboxing of components cannot be assumed at this point because each component has still direct access to the Linux system-call interface. This patch is based on the extensive exploration work conducted by Stefan Thoeni who strongly motivated the inclusion of this feature into Genode. Issue #3581
2020-04-09 12:30:21 +02:00
: _size(0), _addr(0), _cap(), _writable(false), _owner(nullptr) { }
Imported Genode release 11.11
2011-12-22 16:19:25 +01:00
/**
* This constructor is only provided for compatibility
* reasons and should not be used.
*/
Follow practices suggested by "Effective C++" The patch adjust the code of the base, base-<kernel>, and os repository. To adapt existing components to fix violations of the best practices suggested by "Effective C++" as reported by the -Weffc++ compiler argument. The changes follow the patterns outlined below: * A class with virtual functions can no longer publicly inherit base classed without a vtable. The inherited object may either be moved to a member variable, or inherited privately. The latter would be used for classes that inherit 'List::Element' or 'Avl_node'. In order to enable the 'List' and 'Avl_tree' to access the meta data, the 'List' must become a friend. * Instead of adding a virtual destructor to abstract base classes, we inherit the new 'Interface' class, which contains a virtual destructor. This way, single-line abstract base classes can stay as compact as they are now. The 'Interface' utility resides in base/include/util/interface.h. * With the new warnings enabled, all member variables must be explicitly initialized. Basic types may be initialized with '='. All other types are initialized with braces '{ ... }' or as class initializers. If basic types and non-basic types appear in a row, it is nice to only use the brace syntax (also for basic types) and align the braces. * If a class contains pointers as members, it must now also provide a copy constructor and assignment operator. In the most cases, one would make them private, effectively disallowing the objects to be copied. Unfortunately, this warning cannot be fixed be inheriting our existing 'Noncopyable' class (the compiler fails to detect that the inheriting class cannot be copied and still gives the error). For now, we have to manually add declarations for both the copy constructor and assignment operator as private class members. Those declarations should be prepended with a comment like this: /* * Noncopyable */ Thread(Thread const &); Thread &operator = (Thread const &); In the future, we should revisit these places and try to replace the pointers with references. In the presence of at least one reference member, the compiler would no longer implicitly generate a copy constructor. So we could remove the manual declaration. Issue #465
2017-12-21 15:42:15 +01:00
Dataspace_component(size_t size, addr_t, addr_t phys_addr,
base-linux: core session support (IO_PORT, IO_MEM, IRQ)
2017-10-27 14:07:09 +02:00
Cache_attribute, bool writable, Dataspace_owner *_owner);
Imported Genode release 11.11
2011-12-22 16:19:25 +01:00
/**
base-linux: do not copy dataspace components Dataspace components inherit from RPC objects which are non-copyable from now on. Therefore, the Rom_session_component's constructor had to be modified to not construct a dataspace component on the stack and assign it in the following. Ref #1704
2015-09-25 10:50:08 +02:00
* This constructor is especially used for ROM dataspaces
Imported Genode release 11.11
2011-12-22 16:19:25 +01:00
*
base-linux: do not copy dataspace components Dataspace components inherit from RPC objects which are non-copyable from now on. Therefore, the Rom_session_component's constructor had to be modified to not construct a dataspace component on the stack and assign it in the following. Ref #1704
2015-09-25 10:50:08 +02:00
* \param args session parameters containing 'filename' key/value
Imported Genode release 11.11
2011-12-22 16:19:25 +01:00
*/
base-linux: do not copy dataspace components Dataspace components inherit from RPC objects which are non-copyable from now on. Therefore, the Rom_session_component's constructor had to be modified to not construct a dataspace component on the stack and assign it in the following. Ref #1704
2015-09-25 10:50:08 +02:00
Dataspace_component(const char *args);
Imported Genode release 11.11
2011-12-22 16:19:25 +01:00
Linux: Don't access file system outside of core This patch changes the way of how dataspace content is accessed by processes outside of core. Dataspaces are opened by core only and the corresponding file descriptors are handed out the other processes via the 'Linux_dataspace::fd()' RPC function. At the client side, the returned file descriptor is then used to mmap the file. Consequently, this patch eliminates all files from 'lx_rpath'. The path is still needed by core to temporarily create dataspaces and unix domain sockets. However, those files are unlinked immediately after their creation.
2012-08-10 14:21:26 +02:00
/**
* Assign file descriptor to dataspace
*
* The file descriptor assigned to the dataspace will be enable
* processes outside of core to mmap the dataspace.
*/
base-linux: socket descriptor caps for RPC On Linux, Genode used to represent each RPC object by a socket descriptor of the receiving thread (entrypoint) and a globally-unique value that identifies the object. Because the latter was transferred as plain message payload, clients had to be trusted to not forge the values. For this reason, Linux could not be considered as a productive Genode base platform but remained merely a development vehicle. This patch changes the RPC mechanism such that each RPC object is represented by a dedicated socket pair. Entrypoints wait on a set of the local ends of the socket pairs of all RPC objects managed by the respective entrypoint. The epoll kernel interface is used as the underlying mechanism to wait for a set of socket descriptors at the server side. When delegating a capability, the remote end of the socket pair is transferred to the recipient along with a plaintext copy of the socket-descriptor value of the local end. The latter value serves as a hint for re-identifiying a capability whenever it is delegated back to its origin. Note that the client is not trusted to preserve this information. The integrity of the hint value is protected by comparing the inode values of incoming and already present capablities at the originating site (whenever the capability is invoked or presented to the owner of the RPC object). The new mechanism effectively equips base-linux with Genode's capablity model as described in the Chapter 3 of the Genode Foundations book. That said, the sandboxing of components cannot be assumed at this point because each component has still direct access to the Linux system-call interface. This patch is based on the extensive exploration work conducted by Stefan Thoeni who strongly motivated the inclusion of this feature into Genode. Issue #3581
2020-04-09 12:30:21 +02:00
void fd(int fd) { _cap = _fd_to_cap(fd); }
Linux: Don't access file system outside of core This patch changes the way of how dataspace content is accessed by processes outside of core. Dataspaces are opened by core only and the corresponding file descriptors are handed out the other processes via the 'Linux_dataspace::fd()' RPC function. At the client side, the returned file descriptor is then used to mmap the file. Consequently, this patch eliminates all files from 'lx_rpath'. The path is still needed by core to temporarily create dataspaces and unix domain sockets. However, those files are unlinked immediately after their creation.
2012-08-10 14:21:26 +02:00
Check ownership when freeing RAM dataspaces
2012-04-20 10:59:41 +02:00
/**
* Check if dataspace is owned by a specified object
*/
base/core: use references instead of pointers This patch replaces the former prominent use of pointers by references wherever feasible. This has the following benefits: * The contract between caller and callee becomes more obvious. When passing a reference, the contract says that the argument cannot be a null pointer. The caller is responsible to ensure that. Therefore, the use of reference eliminates the need to add defensive null-pointer checks at the callee site, which sometimes merely exist to be on the safe side. The bottom line is that the code becomes easier to follow. * Reference members must be initialized via an object initializer, which promotes a programming style that avoids intermediate object- construction states. Within core, there are still a few pointers as member variables left though. E.g., caused by the late association of 'Platform_thread' objects with their 'Platform_pd' objects. * If no pointers are present as member variables, we don't need to manually provide declarations of a private copy constructor and an assignment operator to avoid -Weffc++ errors "class ... has pointer data members [-Werror=effc++]". This patch also changes a few system bindings on NOVA and Fiasco.OC, e.g., the return value of the global 'cap_map' accessor has become a reference. Hence, the patch touches a few places outside of core. Fixes #3135
2019-01-24 22:00:01 +01:00
bool owner(Dataspace_owner const &o) const { return _owner == &o; }
Imported Genode release 11.11
2011-12-22 16:19:25 +01:00
detach ds from all rm sessions before destruction Fixes #1617
2015-07-06 13:06:27 +02:00
/**
* Detach dataspace from all rm sessions.
*/
void detach_from_rm_sessions() { }
base/core: use references instead of pointers This patch replaces the former prominent use of pointers by references wherever feasible. This has the following benefits: * The contract between caller and callee becomes more obvious. When passing a reference, the contract says that the argument cannot be a null pointer. The caller is responsible to ensure that. Therefore, the use of reference eliminates the need to add defensive null-pointer checks at the callee site, which sometimes merely exist to be on the safe side. The bottom line is that the code becomes easier to follow. * Reference members must be initialized via an object initializer, which promotes a programming style that avoids intermediate object- construction states. Within core, there are still a few pointers as member variables left though. E.g., caused by the late association of 'Platform_thread' objects with their 'Platform_pd' objects. * If no pointers are present as member variables, we don't need to manually provide declarations of a private copy constructor and an assignment operator to avoid -Weffc++ errors "class ... has pointer data members [-Werror=effc++]". This patch also changes a few system bindings on NOVA and Fiasco.OC, e.g., the return value of the global 'cap_map' accessor has become a reference. Hence, the patch touches a few places outside of core. Fixes #3135
2019-01-24 22:00:01 +01:00
Imported Genode release 11.11
2011-12-22 16:19:25 +01:00
/*************************
** Dataspace interface **
*************************/
base/core: use references instead of pointers This patch replaces the former prominent use of pointers by references wherever feasible. This has the following benefits: * The contract between caller and callee becomes more obvious. When passing a reference, the contract says that the argument cannot be a null pointer. The caller is responsible to ensure that. Therefore, the use of reference eliminates the need to add defensive null-pointer checks at the callee site, which sometimes merely exist to be on the safe side. The bottom line is that the code becomes easier to follow. * Reference members must be initialized via an object initializer, which promotes a programming style that avoids intermediate object- construction states. Within core, there are still a few pointers as member variables left though. E.g., caused by the late association of 'Platform_thread' objects with their 'Platform_pd' objects. * If no pointers are present as member variables, we don't need to manually provide declarations of a private copy constructor and an assignment operator to avoid -Weffc++ errors "class ... has pointer data members [-Werror=effc++]". This patch also changes a few system bindings on NOVA and Fiasco.OC, e.g., the return value of the global 'cap_map' accessor has become a reference. Hence, the patch touches a few places outside of core. Fixes #3135
2019-01-24 22:00:01 +01:00
size_t size() override { return _size; }
addr_t phys_addr() override { return _addr; }
bool writable() override { return _writable; }
Imported Genode release 11.11
2011-12-22 16:19:25 +01:00
/****************************************
** Linux-specific dataspace interface **
****************************************/
Add missing override annotations Issue #3159
2019-02-14 22:39:08 +01:00
Filename fname() override { return _fname; }
Linux: Don't access file system outside of core This patch changes the way of how dataspace content is accessed by processes outside of core. Dataspaces are opened by core only and the corresponding file descriptors are handed out the other processes via the 'Linux_dataspace::fd()' RPC function. At the client side, the returned file descriptor is then used to mmap the file. Consequently, this patch eliminates all files from 'lx_rpath'. The path is still needed by core to temporarily create dataspaces and unix domain sockets. However, those files are unlinked immediately after their creation.
2012-08-10 14:21:26 +02:00
base-linux: socket descriptor caps for RPC On Linux, Genode used to represent each RPC object by a socket descriptor of the receiving thread (entrypoint) and a globally-unique value that identifies the object. Because the latter was transferred as plain message payload, clients had to be trusted to not forge the values. For this reason, Linux could not be considered as a productive Genode base platform but remained merely a development vehicle. This patch changes the RPC mechanism such that each RPC object is represented by a dedicated socket pair. Entrypoints wait on a set of the local ends of the socket pairs of all RPC objects managed by the respective entrypoint. The epoll kernel interface is used as the underlying mechanism to wait for a set of socket descriptors at the server side. When delegating a capability, the remote end of the socket pair is transferred to the recipient along with a plaintext copy of the socket-descriptor value of the local end. The latter value serves as a hint for re-identifiying a capability whenever it is delegated back to its origin. Note that the client is not trusted to preserve this information. The integrity of the hint value is protected by comparing the inode values of incoming and already present capablities at the originating site (whenever the capability is invoked or presented to the owner of the RPC object). The new mechanism effectively equips base-linux with Genode's capablity model as described in the Chapter 3 of the Genode Foundations book. That said, the sandboxing of components cannot be assumed at this point because each component has still direct access to the Linux system-call interface. This patch is based on the extensive exploration work conducted by Stefan Thoeni who strongly motivated the inclusion of this feature into Genode. Issue #3581
2020-04-09 12:30:21 +02:00
Untyped_capability fd() override { return _cap; }
Imported Genode release 11.11
2011-12-22 16:19:25 +01:00
};
}
base: update include guards This patch cleans up the include guards, assisted by the tool/fix_include_ifndef script.
2016-01-20 20:52:51 +01:00
#endif /* _CORE__INCLUDE__DATASPACE_COMPONENT_H_ */
Reference in New Issue Copy Permalink