genode/repos/base-linux/src/base/process/process.cc

/*
 * \brief  Implementation of process creation for Linux
 * \author Norman Feske
 * \date   2006-07-06
 */

/*
 * Copyright (C) 2006-2013 Genode Labs GmbH
 *
 * This file is part of the Genode OS framework, which is distributed
 * under the terms of the GNU General Public License version 2.
 */

/* Genode includes */
#include <base/env.h>
#include <base/process.h>
#include <base/printf.h>
#include <linux_native_pd/client.h>

/* base-internal includes */
#include <linux_syscalls.h>
#include <base/internal/elf.h>


using namespace Genode;

Dataspace_capability Process::_dynamic_linker_cap;


/**
 * Check for dynamic ELF header
 */
static bool _check_dynamic_elf(Dataspace_capability elf_ds_cap)
{
	/* attach ELF locally */
	addr_t elf_addr;

	try { elf_addr = env()->rm_session()->attach(elf_ds_cap); }
	catch (...) { return false; }

	/*
	 * If attach is called within core, it will return zero because
	 * Linux uses Core_rm_session.
	 */
	if (!elf_addr) return false;

	/* read program header and interpreter */
	Elf_binary elf((addr_t)elf_addr);
	env()->rm_session()->detach((void *)elf_addr);

	return elf.is_dynamically_linked();
}


Process::Process(Dataspace_capability   elf_data_ds_cap,
                 Pd_session_capability  pd_session_cap,
                 Ram_session_capability ram_session_cap,
                 Cpu_session_capability cpu_session_cap,
                 Rm_session_capability  rm_session_cap,
                 Parent_capability      parent_cap,
                 char const            *name)
:
	_pd_session_client(pd_session_cap),
	_cpu_session_client(cpu_session_cap),
	_rm_session_client(Rm_session_capability())
{
	/* check for dynamic program header */
	if (_check_dynamic_elf(elf_data_ds_cap)) {
		if (!_dynamic_linker_cap.valid()) {
			PERR("Dynamically linked file found, "
			     "but no dynamic linker binary present");
			return;
		}
		elf_data_ds_cap = _dynamic_linker_cap;
	}

	/*
	 * Register main thread at core
	 *
	 * At this point in time, we do not yet know the TID and PID of the new
	 * thread. Those information will be provided to core by the constructor of
	 * the 'Platform_env' of the new process.
	 */
	enum { WEIGHT = Cpu_session::DEFAULT_WEIGHT };
	_thread0_cap = _cpu_session_client.create_thread(WEIGHT, name);

	Linux_native_pd_client
		lx_pd(static_cap_cast<Linux_native_pd>(_pd_session_client.native_pd()));

	_pd_session_client.assign_parent(parent_cap);
	lx_pd.start(elf_data_ds_cap);
}


Process::~Process() { }
Imported Genode release 11.11 2011-12-22 16:19:25 +01:00			`/*`
			`* \brief Implementation of process creation for Linux`
			`* \author Norman Feske`
			`* \date 2006-07-06`
			`*/`

			`/*`
Update copyright headers to 2013 2013-01-10 21:44:47 +01:00			`* Copyright (C) 2006-2013 Genode Labs GmbH`
Imported Genode release 11.11 2011-12-22 16:19:25 +01:00			`*`
			`* This file is part of the Genode OS framework, which is distributed`
			`* under the terms of the GNU General Public License version 2.`
			`*/`

			`/* Genode includes */`
			`#include <base/env.h>`
			`#include <base/process.h>`
			`#include <base/printf.h>`
Integrate CAP session into PD session This patch integrates the functionality of the former CAP session into the PD session and unifies the approch of supplementing the generic PD session with kernel-specific functionality. The latter is achieved by the new 'Native_pd' interface. The kernel-specific interface can be obtained via the Pd_session::native_pd accessor function. The kernel-specific interfaces are named Nova_native_pd, Foc_native_pd, and Linux_native_pd. The latter change allowed for to deduplication of the pd_session_component code among the various base platforms. To retain API compatibility, we keep the 'Cap_session' and 'Cap_connection' around. But those classes have become mere wrappers around the PD session interface. Issue #1841 2016-01-19 20:24:22 +01:00			`#include <linux_native_pd/client.h>`
Imported Genode release 11.11 2011-12-22 16:19:25 +01:00
base: move crt0.h and elf.h to base/internal Those headers remained unused outside the internal framework. So it is better to remove them from the public API. Issue #1832 2016-01-22 14:31:58 +01:00			`/* base-internal includes */`
Imported Genode release 11.11 2011-12-22 16:19:25 +01:00			`#include <linux_syscalls.h>`
base: move crt0.h and elf.h to base/internal Those headers remained unused outside the internal framework. So it is better to remove them from the public API. Issue #1832 2016-01-22 14:31:58 +01:00			`#include <base/internal/elf.h>`
Imported Genode release 11.11 2011-12-22 16:19:25 +01:00

			`using namespace Genode;`

			`Dataspace_capability Process::_dynamic_linker_cap;`

Delegate access to entrypoints via SCM rights This patch eliminates the thread ID portion of the 'Native_capability' type. The access to entrypoints is now exclusively handled by passing socket descripts over Unix domain sockets and by inheriting the socket descriptor of the parent entrypoint at process-creation time. Each entrypoint creates a socket pair. The server-side socket is bound to a unique name defined by the server. The client-side socket is then connected to the same name. Whereas the server-side socket is meant to be exclusively used by the server to wait for incoming requests, the client-side socket can be delegated to other processes as payload of RPC messages (via SCM rights). Anyone who receives a capability over RPC receives the client-side socket of the entrypoint to which the capability refers. Given this socket descriptor, the unique name (as defined by the server) can be requested using 'getpeername'. Using this name, it is possible to compare socket descriptors, which is important to avoid duplicates from polluting the limited socket-descriptor name space. Wheras this patch introduces capability-based delegation of access rights to entrypoints, it does not cover the protection of the integrity of RPC objects. RPC objects are still referenced by a global ID passed as normal message payload. 2012-08-08 22:01:04 +02:00
Imported Genode release 11.11 2011-12-22 16:19:25 +01:00			`/**`
			`* Check for dynamic ELF header`
			`*/`
			`static bool _check_dynamic_elf(Dataspace_capability elf_ds_cap)`
			`{`
			`/* attach ELF locally */`
			`addr_t elf_addr;`

			`try { elf_addr = env()->rm_session()->attach(elf_ds_cap); }`
			`catch (...) { return false; }`

			`/*`
			`* If attach is called within core, it will return zero because`
			`* Linux uses Core_rm_session.`
			`*/`
			`if (!elf_addr) return false;`

			`/* read program header and interpreter */`
			`Elf_binary elf((addr_t)elf_addr);`
			`env()->rm_session()->detach((void *)elf_addr);`

			`return elf.is_dynamically_linked();`
			`}`


Linux: move process creation into core Genode used to create new processes by directly forking from the respective Genode parent using the process library. The forking process created a PD session at core merely for propagating the PID of the new process into core (for later destruction). This traditional mechanisms has the following disadvantages: First, the PID reported by the creating process to core cannot easily be validated by core. Therefore core has to trust the PD client to not specify a PID of an existing process, which would happen to be killed once the PD session gets destructed. This problem is documented by issue #318. Second, there is no way for a Genode process to detect the failure of its any grandchildren. The immediate parent of a faulting process could use the SIGCHLD-and-waitpid mechanism to observe its children but this mechanism does not work transitively. By performing the process creation exclusively within core, all Genode processes become immediate child processes of core. Hence, core can respond to failures of any of those processes and reflect such conditions via core's session interfaces. Furthermore, the PID associated to a PD session is locally known within core and cannot be forged anymore. In fact, there is actually no need at all to make processes aware of any PIDs of other processes. Please note that this patch breaks the 'chroot' mechanism that comes in the form of the 'os/src/app/chroot' program. Because all processes are forked from core, a chroot'ed process could sneak outside its chroot environment by just creating a new Genode process. To address this issue, the chroot mechanism must be added to core. 2012-08-15 19:14:05 +02:00			`Process::Process(Dataspace_capability elf_data_ds_cap,`
base: make PD session upgradeable Ref #1443 2015-05-05 08:50:16 +02:00			`Pd_session_capability pd_session_cap,`
Linux: move process creation into core Genode used to create new processes by directly forking from the respective Genode parent using the process library. The forking process created a PD session at core merely for propagating the PID of the new process into core (for later destruction). This traditional mechanisms has the following disadvantages: First, the PID reported by the creating process to core cannot easily be validated by core. Therefore core has to trust the PD client to not specify a PID of an existing process, which would happen to be killed once the PD session gets destructed. This problem is documented by issue #318. Second, there is no way for a Genode process to detect the failure of its any grandchildren. The immediate parent of a faulting process could use the SIGCHLD-and-waitpid mechanism to observe its children but this mechanism does not work transitively. By performing the process creation exclusively within core, all Genode processes become immediate child processes of core. Hence, core can respond to failures of any of those processes and reflect such conditions via core's session interfaces. Furthermore, the PID associated to a PD session is locally known within core and cannot be forged anymore. In fact, there is actually no need at all to make processes aware of any PIDs of other processes. Please note that this patch breaks the 'chroot' mechanism that comes in the form of the 'os/src/app/chroot' program. Because all processes are forked from core, a chroot'ed process could sneak outside its chroot environment by just creating a new Genode process. To address this issue, the chroot mechanism must be added to core. 2012-08-15 19:14:05 +02:00			`Ram_session_capability ram_session_cap,`
			`Cpu_session_capability cpu_session_cap,`
			`Rm_session_capability rm_session_cap,`
			`Parent_capability parent_cap,`
base: make PD session upgradeable Ref #1443 2015-05-05 08:50:16 +02:00			`char const *name)`
Linux: move process creation into core Genode used to create new processes by directly forking from the respective Genode parent using the process library. The forking process created a PD session at core merely for propagating the PID of the new process into core (for later destruction). This traditional mechanisms has the following disadvantages: First, the PID reported by the creating process to core cannot easily be validated by core. Therefore core has to trust the PD client to not specify a PID of an existing process, which would happen to be killed once the PD session gets destructed. This problem is documented by issue #318. Second, there is no way for a Genode process to detect the failure of its any grandchildren. The immediate parent of a faulting process could use the SIGCHLD-and-waitpid mechanism to observe its children but this mechanism does not work transitively. By performing the process creation exclusively within core, all Genode processes become immediate child processes of core. Hence, core can respond to failures of any of those processes and reflect such conditions via core's session interfaces. Furthermore, the PID associated to a PD session is locally known within core and cannot be forged anymore. In fact, there is actually no need at all to make processes aware of any PIDs of other processes. Please note that this patch breaks the 'chroot' mechanism that comes in the form of the 'os/src/app/chroot' program. Because all processes are forked from core, a chroot'ed process could sneak outside its chroot environment by just creating a new Genode process. To address this issue, the chroot mechanism must be added to core. 2012-08-15 19:14:05 +02:00			`:`
base: make PD session upgradeable Ref #1443 2015-05-05 08:50:16 +02:00			`_pd_session_client(pd_session_cap),`
base-linux: reflect SIGCHLD as Cpu_session signal With this patch, core responds to SIGCHLD signals of terminating Genode processes by reflecting these events as exceptions to the CPU session interface. This way, Genode processes become able to respond to terminating Genode child processes. 2013-01-03 16:23:11 +01:00			`_cpu_session_client(cpu_session_cap),`
Linux: move process creation into core Genode used to create new processes by directly forking from the respective Genode parent using the process library. The forking process created a PD session at core merely for propagating the PID of the new process into core (for later destruction). This traditional mechanisms has the following disadvantages: First, the PID reported by the creating process to core cannot easily be validated by core. Therefore core has to trust the PD client to not specify a PID of an existing process, which would happen to be killed once the PD session gets destructed. This problem is documented by issue #318. Second, there is no way for a Genode process to detect the failure of its any grandchildren. The immediate parent of a faulting process could use the SIGCHLD-and-waitpid mechanism to observe its children but this mechanism does not work transitively. By performing the process creation exclusively within core, all Genode processes become immediate child processes of core. Hence, core can respond to failures of any of those processes and reflect such conditions via core's session interfaces. Furthermore, the PID associated to a PD session is locally known within core and cannot be forged anymore. In fact, there is actually no need at all to make processes aware of any PIDs of other processes. Please note that this patch breaks the 'chroot' mechanism that comes in the form of the 'os/src/app/chroot' program. Because all processes are forked from core, a chroot'ed process could sneak outside its chroot environment by just creating a new Genode process. To address this issue, the chroot mechanism must be added to core. 2012-08-15 19:14:05 +02:00			`_rm_session_client(Rm_session_capability())`
Imported Genode release 11.11 2011-12-22 16:19:25 +01:00			`{`
			`/* check for dynamic program header */`
			`if (_check_dynamic_elf(elf_data_ds_cap)) {`
			`if (!_dynamic_linker_cap.valid()) {`
base: make PD session upgradeable Ref #1443 2015-05-05 08:50:16 +02:00			`PERR("Dynamically linked file found, "`
			`"but no dynamic linker binary present");`
Linux: move process creation into core Genode used to create new processes by directly forking from the respective Genode parent using the process library. The forking process created a PD session at core merely for propagating the PID of the new process into core (for later destruction). This traditional mechanisms has the following disadvantages: First, the PID reported by the creating process to core cannot easily be validated by core. Therefore core has to trust the PD client to not specify a PID of an existing process, which would happen to be killed once the PD session gets destructed. This problem is documented by issue #318. Second, there is no way for a Genode process to detect the failure of its any grandchildren. The immediate parent of a faulting process could use the SIGCHLD-and-waitpid mechanism to observe its children but this mechanism does not work transitively. By performing the process creation exclusively within core, all Genode processes become immediate child processes of core. Hence, core can respond to failures of any of those processes and reflect such conditions via core's session interfaces. Furthermore, the PID associated to a PD session is locally known within core and cannot be forged anymore. In fact, there is actually no need at all to make processes aware of any PIDs of other processes. Please note that this patch breaks the 'chroot' mechanism that comes in the form of the 'os/src/app/chroot' program. Because all processes are forked from core, a chroot'ed process could sneak outside its chroot environment by just creating a new Genode process. To address this issue, the chroot mechanism must be added to core. 2012-08-15 19:14:05 +02:00			`return;`
Imported Genode release 11.11 2011-12-22 16:19:25 +01:00			`}`
base-linux: ld.lib.so loads dynamic binaries For ARM support on N900, commit 4a9b1c6 changed the process library to start dynamic binaries directly depending on the Linux kernel to comply to the interp section info ("ld.lib.so"). This seems not required on more recent platforms or kernel versions and also introduced challenging corner cases in region handling on Linux. Therefore, this commit restores the original behavior. 2013-09-06 16:33:29 +02:00			`elf_data_ds_cap = _dynamic_linker_cap;`
Imported Genode release 11.11 2011-12-22 16:19:25 +01:00			`}`

base-linux: reflect SIGCHLD as Cpu_session signal With this patch, core responds to SIGCHLD signals of terminating Genode processes by reflecting these events as exceptions to the CPU session interface. This way, Genode processes become able to respond to terminating Genode child processes. 2013-01-03 16:23:11 +01:00			`/*`
			`* Register main thread at core`
			`*`
			`* At this point in time, we do not yet know the TID and PID of the new`
			`* thread. Those information will be provided to core by the constructor of`
			`* the 'Platform_env' of the new process.`
			`*/`
CPU session: apply quota via relative weightings Physical CPU quota was previously given to a thread on construction only by directly specifying a percentage of the quota of the according CPU session. Now, a new thread is given a weighting that can be any value. The physical counter-value of such a weighting depends on the weightings of the other threads at the CPU session. Thus, the physical quota of all threads of a CPU session must be updated when a weighting is added or removed. This is each time the session creates or destroys a thread. This commit also adapts the "cpu_quota" test in base-hw accordingly. Ref #1464 2015-03-27 14:05:55 +01:00			`enum { WEIGHT = Cpu_session::DEFAULT_WEIGHT };`
			`_thread0_cap = _cpu_session_client.create_thread(WEIGHT, name);`
base-linux: reflect SIGCHLD as Cpu_session signal With this patch, core responds to SIGCHLD signals of terminating Genode processes by reflecting these events as exceptions to the CPU session interface. This way, Genode processes become able to respond to terminating Genode child processes. 2013-01-03 16:23:11 +01:00
Integrate CAP session into PD session This patch integrates the functionality of the former CAP session into the PD session and unifies the approch of supplementing the generic PD session with kernel-specific functionality. The latter is achieved by the new 'Native_pd' interface. The kernel-specific interface can be obtained via the Pd_session::native_pd accessor function. The kernel-specific interfaces are named Nova_native_pd, Foc_native_pd, and Linux_native_pd. The latter change allowed for to deduplication of the pd_session_component code among the various base platforms. To retain API compatibility, we keep the 'Cap_session' and 'Cap_connection' around. But those classes have become mere wrappers around the PD session interface. Issue #1841 2016-01-19 20:24:22 +01:00			`Linux_native_pd_client`
			`lx_pd(static_cap_cast<Linux_native_pd>(_pd_session_client.native_pd()));`
Imported Genode release 11.11 2011-12-22 16:19:25 +01:00
Integrate CAP session into PD session This patch integrates the functionality of the former CAP session into the PD session and unifies the approch of supplementing the generic PD session with kernel-specific functionality. The latter is achieved by the new 'Native_pd' interface. The kernel-specific interface can be obtained via the Pd_session::native_pd accessor function. The kernel-specific interfaces are named Nova_native_pd, Foc_native_pd, and Linux_native_pd. The latter change allowed for to deduplication of the pd_session_component code among the various base platforms. To retain API compatibility, we keep the 'Cap_session' and 'Cap_connection' around. But those classes have become mere wrappers around the PD session interface. Issue #1841 2016-01-19 20:24:22 +01:00			`_pd_session_client.assign_parent(parent_cap);`
Propagate process labels to PD sessions On Linux, we use the session label for naming the corresponding Linux process. When looking up the processes via 'ps', the Genode process hierarchy becomes immediately visible. 2012-10-11 20:57:10 +02:00			`lx_pd.start(elf_data_ds_cap);`
Imported Genode release 11.11 2011-12-22 16:19:25 +01:00			`}`


			`Process::~Process() { }`