ehmry/genode
ehmry
/
genode
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity
genode/repos/base-linux/src/base/process/process.cc

93 lines
2.3 KiB
C++
Raw Normal View History

Imported Genode release 11.11
2011-12-22 16:19:25 +01:00
/*
* \brief Implementation of process creation for Linux
* \author Norman Feske
* \date 2006-07-06
*/
/*
Update copyright headers to 2013
2013-01-10 21:44:47 +01:00
* Copyright (C) 2006-2013 Genode Labs GmbH
Imported Genode release 11.11
2011-12-22 16:19:25 +01:00
*
* This file is part of the Genode OS framework, which is distributed
* under the terms of the GNU General Public License version 2.
*/
/* Genode includes */
#include <base/elf.h>
#include <base/env.h>
#include <base/process.h>
#include <base/printf.h>
Linux: move process creation into core Genode used to create new processes by directly forking from the respective Genode parent using the process library. The forking process created a PD session at core merely for propagating the PID of the new process into core (for later destruction). This traditional mechanisms has the following disadvantages: First, the PID reported by the creating process to core cannot easily be validated by core. Therefore core has to trust the PD client to not specify a PID of an existing process, which would happen to be killed once the PD session gets destructed. This problem is documented by issue #318. Second, there is no way for a Genode process to detect the failure of its any grandchildren. The immediate parent of a faulting process could use the SIGCHLD-and-waitpid mechanism to observe its children but this mechanism does not work transitively. By performing the process creation exclusively within core, all Genode processes become immediate child processes of core. Hence, core can respond to failures of any of those processes and reflect such conditions via core's session interfaces. Furthermore, the PID associated to a PD session is locally known within core and cannot be forged anymore. In fact, there is actually no need at all to make processes aware of any PIDs of other processes. Please note that this patch breaks the 'chroot' mechanism that comes in the form of the 'os/src/app/chroot' program. Because all processes are forked from core, a chroot'ed process could sneak outside its chroot environment by just creating a new Genode process. To address this issue, the chroot mechanism must be added to core.
2012-08-15 19:14:05 +02:00
#include <linux_pd_session/client.h>
Imported Genode release 11.11
2011-12-22 16:19:25 +01:00
Linux: move process creation into core Genode used to create new processes by directly forking from the respective Genode parent using the process library. The forking process created a PD session at core merely for propagating the PID of the new process into core (for later destruction). This traditional mechanisms has the following disadvantages: First, the PID reported by the creating process to core cannot easily be validated by core. Therefore core has to trust the PD client to not specify a PID of an existing process, which would happen to be killed once the PD session gets destructed. This problem is documented by issue #318. Second, there is no way for a Genode process to detect the failure of its any grandchildren. The immediate parent of a faulting process could use the SIGCHLD-and-waitpid mechanism to observe its children but this mechanism does not work transitively. By performing the process creation exclusively within core, all Genode processes become immediate child processes of core. Hence, core can respond to failures of any of those processes and reflect such conditions via core's session interfaces. Furthermore, the PID associated to a PD session is locally known within core and cannot be forged anymore. In fact, there is actually no need at all to make processes aware of any PIDs of other processes. Please note that this patch breaks the 'chroot' mechanism that comes in the form of the 'os/src/app/chroot' program. Because all processes are forked from core, a chroot'ed process could sneak outside its chroot environment by just creating a new Genode process. To address this issue, the chroot mechanism must be added to core.
2012-08-15 19:14:05 +02:00
/* framework-internal includes */
Imported Genode release 11.11
2011-12-22 16:19:25 +01:00
#include <linux_syscalls.h>
using namespace Genode;
Dataspace_capability Process::_dynamic_linker_cap;
Delegate access to entrypoints via SCM rights This patch eliminates the thread ID portion of the 'Native_capability' type. The access to entrypoints is now exclusively handled by passing socket descripts over Unix domain sockets and by inheriting the socket descriptor of the parent entrypoint at process-creation time. Each entrypoint creates a socket pair. The server-side socket is bound to a unique name defined by the server. The client-side socket is then connected to the same name. Whereas the server-side socket is meant to be exclusively used by the server to wait for incoming requests, the client-side socket can be delegated to other processes as payload of RPC messages (via SCM rights). Anyone who receives a capability over RPC receives the client-side socket of the entrypoint to which the capability refers. Given this socket descriptor, the unique name (as defined by the server) can be requested using 'getpeername'. Using this name, it is possible to compare socket descriptors, which is important to avoid duplicates from polluting the limited socket-descriptor name space. Wheras this patch introduces capability-based delegation of access rights to entrypoints, it does not cover the protection of the integrity of RPC objects. RPC objects are still referenced by a global ID passed as normal message payload.
2012-08-08 22:01:04 +02:00
Imported Genode release 11.11
2011-12-22 16:19:25 +01:00
/**
* Check for dynamic ELF header
*/
static bool _check_dynamic_elf(Dataspace_capability elf_ds_cap)
{
/* attach ELF locally */
addr_t elf_addr;
try { elf_addr = env()->rm_session()->attach(elf_ds_cap); }
catch (...) { return false; }
/*
* If attach is called within core, it will return zero because
* Linux uses Core_rm_session.
*/
if (!elf_addr) return false;
/* read program header and interpreter */
Elf_binary elf((addr_t)elf_addr);
env()->rm_session()->detach((void *)elf_addr);
return elf.is_dynamically_linked();
}
Linux: move process creation into core Genode used to create new processes by directly forking from the respective Genode parent using the process library. The forking process created a PD session at core merely for propagating the PID of the new process into core (for later destruction). This traditional mechanisms has the following disadvantages: First, the PID reported by the creating process to core cannot easily be validated by core. Therefore core has to trust the PD client to not specify a PID of an existing process, which would happen to be killed once the PD session gets destructed. This problem is documented by issue #318. Second, there is no way for a Genode process to detect the failure of its any grandchildren. The immediate parent of a faulting process could use the SIGCHLD-and-waitpid mechanism to observe its children but this mechanism does not work transitively. By performing the process creation exclusively within core, all Genode processes become immediate child processes of core. Hence, core can respond to failures of any of those processes and reflect such conditions via core's session interfaces. Furthermore, the PID associated to a PD session is locally known within core and cannot be forged anymore. In fact, there is actually no need at all to make processes aware of any PIDs of other processes. Please note that this patch breaks the 'chroot' mechanism that comes in the form of the 'os/src/app/chroot' program. Because all processes are forked from core, a chroot'ed process could sneak outside its chroot environment by just creating a new Genode process. To address this issue, the chroot mechanism must be added to core.
2012-08-15 19:14:05 +02:00
Process::Process(Dataspace_capability elf_data_ds_cap,
Ram_session_capability ram_session_cap,
Cpu_session_capability cpu_session_cap,
Rm_session_capability rm_session_cap,
Parent_capability parent_cap,
Propagate process labels to PD sessions On Linux, we use the session label for naming the corresponding Linux process. When looking up the processes via 'ps', the Genode process hierarchy becomes immediately visible.
2012-10-11 20:57:10 +02:00
char const *name,
Generalize handling of PD-session arguments On Linux, we want to attach additional attributes to processes, i.e., the chroot location, the designated UID, and GID. Instead of polluting the generic code with such Linux-specific platform details, I introduced the new 'Native_pd_args' type, which can be customized for each platform. The platform-dependent policy of init is factored out in the new 'pd_args' library. The new 'base-linux/run/lx_pd_args.run' script can be used to validate the propagation of those attributes into core. Note that this patch does not add the interpretation of the new UID and PID attributes by core. This will be subject of a follow-up patch. Related to #510.
2012-11-21 15:20:21 +01:00
Native_pd_args const *pd_args)
Linux: move process creation into core Genode used to create new processes by directly forking from the respective Genode parent using the process library. The forking process created a PD session at core merely for propagating the PID of the new process into core (for later destruction). This traditional mechanisms has the following disadvantages: First, the PID reported by the creating process to core cannot easily be validated by core. Therefore core has to trust the PD client to not specify a PID of an existing process, which would happen to be killed once the PD session gets destructed. This problem is documented by issue #318. Second, there is no way for a Genode process to detect the failure of its any grandchildren. The immediate parent of a faulting process could use the SIGCHLD-and-waitpid mechanism to observe its children but this mechanism does not work transitively. By performing the process creation exclusively within core, all Genode processes become immediate child processes of core. Hence, core can respond to failures of any of those processes and reflect such conditions via core's session interfaces. Furthermore, the PID associated to a PD session is locally known within core and cannot be forged anymore. In fact, there is actually no need at all to make processes aware of any PIDs of other processes. Please note that this patch breaks the 'chroot' mechanism that comes in the form of the 'os/src/app/chroot' program. Because all processes are forked from core, a chroot'ed process could sneak outside its chroot environment by just creating a new Genode process. To address this issue, the chroot mechanism must be added to core.
2012-08-15 19:14:05 +02:00
:
Generalize handling of PD-session arguments On Linux, we want to attach additional attributes to processes, i.e., the chroot location, the designated UID, and GID. Instead of polluting the generic code with such Linux-specific platform details, I introduced the new 'Native_pd_args' type, which can be customized for each platform. The platform-dependent policy of init is factored out in the new 'pd_args' library. The new 'base-linux/run/lx_pd_args.run' script can be used to validate the propagation of those attributes into core. Note that this patch does not add the interpretation of the new UID and PID attributes by core. This will be subject of a follow-up patch. Related to #510.
2012-11-21 15:20:21 +01:00
_pd(name, pd_args),
base-linux: reflect SIGCHLD as Cpu_session signal With this patch, core responds to SIGCHLD signals of terminating Genode processes by reflecting these events as exceptions to the CPU session interface. This way, Genode processes become able to respond to terminating Genode child processes.
2013-01-03 16:23:11 +01:00
_cpu_session_client(cpu_session_cap),
Linux: move process creation into core Genode used to create new processes by directly forking from the respective Genode parent using the process library. The forking process created a PD session at core merely for propagating the PID of the new process into core (for later destruction). This traditional mechanisms has the following disadvantages: First, the PID reported by the creating process to core cannot easily be validated by core. Therefore core has to trust the PD client to not specify a PID of an existing process, which would happen to be killed once the PD session gets destructed. This problem is documented by issue #318. Second, there is no way for a Genode process to detect the failure of its any grandchildren. The immediate parent of a faulting process could use the SIGCHLD-and-waitpid mechanism to observe its children but this mechanism does not work transitively. By performing the process creation exclusively within core, all Genode processes become immediate child processes of core. Hence, core can respond to failures of any of those processes and reflect such conditions via core's session interfaces. Furthermore, the PID associated to a PD session is locally known within core and cannot be forged anymore. In fact, there is actually no need at all to make processes aware of any PIDs of other processes. Please note that this patch breaks the 'chroot' mechanism that comes in the form of the 'os/src/app/chroot' program. Because all processes are forked from core, a chroot'ed process could sneak outside its chroot environment by just creating a new Genode process. To address this issue, the chroot mechanism must be added to core.
2012-08-15 19:14:05 +02:00
_rm_session_client(Rm_session_capability())
Imported Genode release 11.11
2011-12-22 16:19:25 +01:00
{
/* check for dynamic program header */
if (_check_dynamic_elf(elf_data_ds_cap)) {
if (!_dynamic_linker_cap.valid()) {
PERR("Dynamically linked file found, but no dynamic linker binary present");
Linux: move process creation into core Genode used to create new processes by directly forking from the respective Genode parent using the process library. The forking process created a PD session at core merely for propagating the PID of the new process into core (for later destruction). This traditional mechanisms has the following disadvantages: First, the PID reported by the creating process to core cannot easily be validated by core. Therefore core has to trust the PD client to not specify a PID of an existing process, which would happen to be killed once the PD session gets destructed. This problem is documented by issue #318. Second, there is no way for a Genode process to detect the failure of its any grandchildren. The immediate parent of a faulting process could use the SIGCHLD-and-waitpid mechanism to observe its children but this mechanism does not work transitively. By performing the process creation exclusively within core, all Genode processes become immediate child processes of core. Hence, core can respond to failures of any of those processes and reflect such conditions via core's session interfaces. Furthermore, the PID associated to a PD session is locally known within core and cannot be forged anymore. In fact, there is actually no need at all to make processes aware of any PIDs of other processes. Please note that this patch breaks the 'chroot' mechanism that comes in the form of the 'os/src/app/chroot' program. Because all processes are forked from core, a chroot'ed process could sneak outside its chroot environment by just creating a new Genode process. To address this issue, the chroot mechanism must be added to core.
2012-08-15 19:14:05 +02:00
return;
Imported Genode release 11.11
2011-12-22 16:19:25 +01:00
}
base-linux: ld.lib.so loads dynamic binaries For ARM support on N900, commit 4a9b1c6 changed the process library to start dynamic binaries directly depending on the Linux kernel to comply to the interp section info ("ld.lib.so"). This seems not required on more recent platforms or kernel versions and also introduced challenging corner cases in region handling on Linux. Therefore, this commit restores the original behavior.
2013-09-06 16:33:29 +02:00
elf_data_ds_cap = _dynamic_linker_cap;
Imported Genode release 11.11
2011-12-22 16:19:25 +01:00
}
base-linux: reflect SIGCHLD as Cpu_session signal With this patch, core responds to SIGCHLD signals of terminating Genode processes by reflecting these events as exceptions to the CPU session interface. This way, Genode processes become able to respond to terminating Genode child processes.
2013-01-03 16:23:11 +01:00
/*
* Register main thread at core
*
* At this point in time, we do not yet know the TID and PID of the new
* thread. Those information will be provided to core by the constructor of
* the 'Platform_env' of the new process.
*/
thread API & CPU session: accounting of CPU quota In the init configuration one can configure the donation of CPU time via 'resource' tags that have the attribute 'name' set to "CPU" and the attribute 'quantum' set to the percentage of CPU quota that init shall donate. The pattern is the same as when donating RAM quota. ! <start name="test"> ! <resource name="CPU" quantum="75"/> ! </start> This would cause init to try donating 75% of its CPU quota to the child "test". Init and core do not preserve CPU quota for their own requirements by default as it is done with RAM quota. The CPU quota that a process owns can be applied through the thread constructor. The constructor has been enhanced by an argument that indicates the percentage of the programs CPU quota that shall be granted to the new thread. So 'Thread(33, "test")' would cause the backing CPU session to try to grant 33% of the programs CPU quota to the thread "test". By now, the CPU quota of a thread can't be altered after construction. Constructing a thread with CPU quota 0 doesn't mean the thread gets never scheduled but that the thread has no guaranty to receive CPU time. Such threads have to live with excess CPU time. Threads that already existed in the official repositories of Genode were adapted in the way that they receive a quota of 0. This commit also provides a run test 'cpu_quota' in base-hw (the only kernel that applies the CPU-quota scheme currently). The test basically runs three threads with different physical CPU quota. The threads simply count for 30 seconds each and the test then checks wether the counter values relate to the CPU-quota distribution. fix #1275
2014-10-16 11:15:46 +02:00
_thread0_cap = _cpu_session_client.create_thread(0, name);
base-linux: reflect SIGCHLD as Cpu_session signal With this patch, core responds to SIGCHLD signals of terminating Genode processes by reflecting these events as exceptions to the CPU session interface. This way, Genode processes become able to respond to terminating Genode child processes.
2013-01-03 16:23:11 +01:00
Linux: move process creation into core Genode used to create new processes by directly forking from the respective Genode parent using the process library. The forking process created a PD session at core merely for propagating the PID of the new process into core (for later destruction). This traditional mechanisms has the following disadvantages: First, the PID reported by the creating process to core cannot easily be validated by core. Therefore core has to trust the PD client to not specify a PID of an existing process, which would happen to be killed once the PD session gets destructed. This problem is documented by issue #318. Second, there is no way for a Genode process to detect the failure of its any grandchildren. The immediate parent of a faulting process could use the SIGCHLD-and-waitpid mechanism to observe its children but this mechanism does not work transitively. By performing the process creation exclusively within core, all Genode processes become immediate child processes of core. Hence, core can respond to failures of any of those processes and reflect such conditions via core's session interfaces. Furthermore, the PID associated to a PD session is locally known within core and cannot be forged anymore. In fact, there is actually no need at all to make processes aware of any PIDs of other processes. Please note that this patch breaks the 'chroot' mechanism that comes in the form of the 'os/src/app/chroot' program. Because all processes are forked from core, a chroot'ed process could sneak outside its chroot environment by just creating a new Genode process. To address this issue, the chroot mechanism must be added to core.
2012-08-15 19:14:05 +02:00
Linux_pd_session_client lx_pd(static_cap_cast<Linux_pd_session>(_pd.cap()));
Imported Genode release 11.11
2011-12-22 16:19:25 +01:00
Linux: move process creation into core Genode used to create new processes by directly forking from the respective Genode parent using the process library. The forking process created a PD session at core merely for propagating the PID of the new process into core (for later destruction). This traditional mechanisms has the following disadvantages: First, the PID reported by the creating process to core cannot easily be validated by core. Therefore core has to trust the PD client to not specify a PID of an existing process, which would happen to be killed once the PD session gets destructed. This problem is documented by issue #318. Second, there is no way for a Genode process to detect the failure of its any grandchildren. The immediate parent of a faulting process could use the SIGCHLD-and-waitpid mechanism to observe its children but this mechanism does not work transitively. By performing the process creation exclusively within core, all Genode processes become immediate child processes of core. Hence, core can respond to failures of any of those processes and reflect such conditions via core's session interfaces. Furthermore, the PID associated to a PD session is locally known within core and cannot be forged anymore. In fact, there is actually no need at all to make processes aware of any PIDs of other processes. Please note that this patch breaks the 'chroot' mechanism that comes in the form of the 'os/src/app/chroot' program. Because all processes are forked from core, a chroot'ed process could sneak outside its chroot environment by just creating a new Genode process. To address this issue, the chroot mechanism must be added to core.
2012-08-15 19:14:05 +02:00
lx_pd.assign_parent(parent_cap);
Propagate process labels to PD sessions On Linux, we use the session label for naming the corresponding Linux process. When looking up the processes via 'ps', the Genode process hierarchy becomes immediately visible.
2012-10-11 20:57:10 +02:00
lx_pd.start(elf_data_ds_cap);
Imported Genode release 11.11
2011-12-22 16:19:25 +01:00
}
Process::~Process() { }