ehmry/genode
ehmry
/
genode
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity
genode/repos/base-linux/src/base/ipc/ipc.cc

662 lines
15 KiB
C++
Raw Normal View History

Imported Genode release 11.11
2011-12-22 16:19:25 +01:00
/*
* \brief Socket-based IPC implementation for Linux
* \author Norman Feske
* \author Christian Helmuth
* \date 2011-10-11
*
* The current request message layout is:
*
* long server_local_name;
* int opcode;
* ...payload...
*
* Response messages look like this:
*
* long scratch_word;
* int exc_code;
* ...payload...
*
* All fields are naturally aligned, i.e., aligend on 4 or 8 byte boundaries on
* 32-bit resp. 64-bit systems.
*/
/*
Update copyright headers to 2013
2013-01-10 21:44:47 +01:00
* Copyright (C) 2011-2013 Genode Labs GmbH
Imported Genode release 11.11
2011-12-22 16:19:25 +01:00
*
* This file is part of the Genode OS framework, which is distributed
* under the terms of the GNU General Public License version 2.
*/
/* Genode includes */
#include <base/ipc.h>
#include <base/thread.h>
#include <base/blocking.h>
Create entrypoint sockets in core only This patch alleviates the need for any non-core process to create Unix domain sockets locally. All sockets used for RPC communication are created by core and subsequently passed to the other processes via RPC or the parent interface. The immediate benefit is that no process other than core needs to access the 'rpath' directory in order to communicate. However, access to 'rpath' is still needed for accessing dataspaces. Core creates one socket pair per thread on demand on the first call of the 'Linux_cpu_session::server_sd()' or 'Linux_cpu_session::client_sd()' functions. 'Linux_cpu_session' is a Linux-specific extension to the CPU session interface. In addition to the socket accessors, the extension provides a mechanism to register the PID/TID of a thread. Those information were formerly propagated into core along with the thread name as argument to 'create_thread()'. Because core creates socket pairs for entrypoints, it needs to know all threads that are potential entrypoints. For lx_hybrid programs, we hadn't had propagated any thread information into core, yet. Hence, this patch also contains the code for registering threads of hybrid applications at core.
2012-08-09 16:52:47 +02:00
#include <base/env.h>
#include <linux_cpu_session/linux_cpu_session.h>
Imported Genode release 11.11
2011-12-22 16:19:25 +01:00
Linux: cleanup system-call bindings This patch simplifies the system call bindings. The common syscall bindings in 'src/platform/' have been reduced to the syscalls needed by non-core programs. The additional syscalls that are needed solely by core have been moved to 'src/core/include/core_linux_syscalls.h'. Furthermore, the resource path is not used outside of core anymore. Hence, we could get rid of the rpath library. The resource-path code has been moved to 'src/core/include/resource_path.h'. The IPC-related parts of 'src/platform' have been moved to the IPC library. So there is now a clean separation between low-level syscall bindings (in 'src/platform') and higher-level code. The code for the socket-descriptor registry is now located in the 'src/base/ipc/socket_descriptor_registry.h' header. The interface is separated from 'ipc.cc' because core needs to access the registry from outside the ipc library.
2012-08-10 16:35:57 +02:00
/* local includes */
#include <socket_descriptor_registry.h>
Imported Genode release 11.11
2011-12-22 16:19:25 +01:00
/* Linux includes */
#include <linux_syscalls.h>
Linux: cleanup system-call bindings This patch simplifies the system call bindings. The common syscall bindings in 'src/platform/' have been reduced to the syscalls needed by non-core programs. The additional syscalls that are needed solely by core have been moved to 'src/core/include/core_linux_syscalls.h'. Furthermore, the resource path is not used outside of core anymore. Hence, we could get rid of the rpath library. The resource-path code has been moved to 'src/core/include/resource_path.h'. The IPC-related parts of 'src/platform' have been moved to the IPC library. So there is now a clean separation between low-level syscall bindings (in 'src/platform') and higher-level code. The code for the socket-descriptor registry is now located in the 'src/base/ipc/socket_descriptor_registry.h' header. The interface is separated from 'ipc.cc' because core needs to access the registry from outside the ipc library.
2012-08-10 16:35:57 +02:00
#include <sys/un.h>
#include <sys/socket.h>
Imported Genode release 11.11
2011-12-22 16:19:25 +01:00
using namespace Genode;
Unify 'ipc.h' and 'ipc_generic.h' across platforms The distinction between 'ipc.h' and 'ipc_generic.h' is no more. The only use case for platform-specific extensions of the IPC support was the marshalling of capabilities. However, this case is accommodated by a function interface ('_marshal_capability', '_unmarshal_capability'). By moving the implementation of these functions from the headers into the respective ipc libraries, we can abandon the platform-specific 'ipc.h' headers.
2013-02-13 22:41:07 +01:00
/*****************************
** IPC marshalling support **
*****************************/
void Ipc_ostream::_marshal_capability(Native_capability const &cap)
{
if (cap.valid()) {
_write_to_buf(cap.local_name());
_snd_msg->append_cap(cap.dst().socket);
} else {
_write_to_buf(-1L);
}
}
void Ipc_istream::_unmarshal_capability(Native_capability &cap)
{
long local_name = 0;
_read_from_buf(local_name);
if (local_name == -1) {
/* construct invalid capability */
cap = Genode::Native_capability();
} else {
/* construct valid capability */
int const socket = _rcv_msg->read_cap();
cap = Native_capability(Cap_dst_policy::Dst(socket), local_name);
}
}
base-linux: implement IPC server destruction When an IPC server is finalized two important things should happen: First, the association of the server socket with a capability must be invalidated. And finally, the server socket pair (server side and client side) must be closed. Related to #38.
2012-11-15 12:53:32 +01:00
namespace Genode {
/*
* Helper for obtaining a bound and connected socket pair
*
* For core, the implementation is just a wrapper around
* 'lx_server_socket_pair()'. For all other processes, the implementation
* requests the socket pair from the Env::CPU session interface using a
* Linux-specific interface extension.
*/
Native_connection_state server_socket_pair();
/*
* Helper to destroy the server socket pair
*
* For core, this is a no-op. For all other processes, the server and client
* sockets are closed.
*/
void destroy_server_socket_pair(Native_connection_state const &ncs);
}
Linux: cleanup system-call bindings This patch simplifies the system call bindings. The common syscall bindings in 'src/platform/' have been reduced to the syscalls needed by non-core programs. The additional syscalls that are needed solely by core have been moved to 'src/core/include/core_linux_syscalls.h'. Furthermore, the resource path is not used outside of core anymore. Hence, we could get rid of the rpath library. The resource-path code has been moved to 'src/core/include/resource_path.h'. The IPC-related parts of 'src/platform' have been moved to the IPC library. So there is now a clean separation between low-level syscall bindings (in 'src/platform') and higher-level code. The code for the socket-descriptor registry is now located in the 'src/base/ipc/socket_descriptor_registry.h' header. The interface is separated from 'ipc.cc' because core needs to access the registry from outside the ipc library.
2012-08-10 16:35:57 +02:00
/******************************
** File-descriptor registry **
******************************/
Delegate access to entrypoints via SCM rights This patch eliminates the thread ID portion of the 'Native_capability' type. The access to entrypoints is now exclusively handled by passing socket descripts over Unix domain sockets and by inheriting the socket descriptor of the parent entrypoint at process-creation time. Each entrypoint creates a socket pair. The server-side socket is bound to a unique name defined by the server. The client-side socket is then connected to the same name. Whereas the server-side socket is meant to be exclusively used by the server to wait for incoming requests, the client-side socket can be delegated to other processes as payload of RPC messages (via SCM rights). Anyone who receives a capability over RPC receives the client-side socket of the entrypoint to which the capability refers. Given this socket descriptor, the unique name (as defined by the server) can be requested using 'getpeername'. Using this name, it is possible to compare socket descriptors, which is important to avoid duplicates from polluting the limited socket-descriptor name space. Wheras this patch introduces capability-based delegation of access rights to entrypoints, it does not cover the protection of the integrity of RPC objects. RPC objects are still referenced by a global ID passed as normal message payload.
2012-08-08 22:01:04 +02:00
Genode::Ep_socket_descriptor_registry *Genode::ep_sd_registry()
{
static Genode::Ep_socket_descriptor_registry registry;
return &registry;
}
Linux: cleanup system-call bindings This patch simplifies the system call bindings. The common syscall bindings in 'src/platform/' have been reduced to the syscalls needed by non-core programs. The additional syscalls that are needed solely by core have been moved to 'src/core/include/core_linux_syscalls.h'. Furthermore, the resource path is not used outside of core anymore. Hence, we could get rid of the rpath library. The resource-path code has been moved to 'src/core/include/resource_path.h'. The IPC-related parts of 'src/platform' have been moved to the IPC library. So there is now a clean separation between low-level syscall bindings (in 'src/platform') and higher-level code. The code for the socket-descriptor registry is now located in the 'src/base/ipc/socket_descriptor_registry.h' header. The interface is separated from 'ipc.cc' because core needs to access the registry from outside the ipc library.
2012-08-10 16:35:57 +02:00
/********************************************
** Communication over Unix-domain sockets **
********************************************/
Linux: Robustness of socket life-time management This patch improves the life-time management of socket descriptors and addresses several corner cases exposed by the 'bomb' test. The lookup and association of file descriptors with global IDs have been turned into an atomic operation. Otherwise, multiple threads interacting with the singleton 'ep_sd_registry' may override each other's associations. Closing the socket pair used for the reply channel has been implemented via the RAII pattern to capture all corner cases, in particular exceptions. If blocking operations are interrupted by signals, we throw a 'Blocking_canceled' exception. We preserve core's socket descriptor at 'PARENT_SOCKET_HANDLE' to avoid a corner case where the parent capability is going to dup2'ed to the same handle. Support for 'Thread_base::join' within core to enable leaving Genode via Control-C.
2012-11-26 20:30:35 +01:00
enum {
LX_EINTR = 4,
LX_ECONNREFUSED = 111
};
Linux: cleanup system-call bindings This patch simplifies the system call bindings. The common syscall bindings in 'src/platform/' have been reduced to the syscalls needed by non-core programs. The additional syscalls that are needed solely by core have been moved to 'src/core/include/core_linux_syscalls.h'. Furthermore, the resource path is not used outside of core anymore. Hence, we could get rid of the rpath library. The resource-path code has been moved to 'src/core/include/resource_path.h'. The IPC-related parts of 'src/platform' have been moved to the IPC library. So there is now a clean separation between low-level syscall bindings (in 'src/platform') and higher-level code. The code for the socket-descriptor registry is now located in the 'src/base/ipc/socket_descriptor_registry.h' header. The interface is separated from 'ipc.cc' because core needs to access the registry from outside the ipc library.
2012-08-10 16:35:57 +02:00
/**
* Utility: Return thread ID to which the given socket is directed to
*
* \return -1 if the socket is pointing to a valid entrypoint
*/
static int lookup_tid_by_client_socket(int sd)
{
Linux: Add 'Platform_thread' destructor
2012-11-05 17:23:50 +01:00
/*
* Synchronize calls so that the large 'sockaddr_un' can be allocated
* in the BSS rather than the stack.
*/
base-linux: fix race condition in IPC code Fixes #1013.
2014-01-24 20:36:49 +01:00
static Lock lock;
Linux: Add 'Platform_thread' destructor
2012-11-05 17:23:50 +01:00
Lock::Guard guard(lock);
static sockaddr_un name;
Linux: cleanup system-call bindings This patch simplifies the system call bindings. The common syscall bindings in 'src/platform/' have been reduced to the syscalls needed by non-core programs. The additional syscalls that are needed solely by core have been moved to 'src/core/include/core_linux_syscalls.h'. Furthermore, the resource path is not used outside of core anymore. Hence, we could get rid of the rpath library. The resource-path code has been moved to 'src/core/include/resource_path.h'. The IPC-related parts of 'src/platform' have been moved to the IPC library. So there is now a clean separation between low-level syscall bindings (in 'src/platform') and higher-level code. The code for the socket-descriptor registry is now located in the 'src/base/ipc/socket_descriptor_registry.h' header. The interface is separated from 'ipc.cc' because core needs to access the registry from outside the ipc library.
2012-08-10 16:35:57 +02:00
socklen_t name_len = sizeof(name);
int ret = lx_getpeername(sd, (sockaddr *)&name, &name_len);
if (ret < 0)
return -1;
struct Prefix_len
{
Resolve ambigiouties of size_t When building in hybrid Linux/Genode mode, there exist two definitions of 'size_t', one in the 'Genode' namespace and one imported from the glibc headers.
2012-10-19 11:36:01 +02:00
typedef Genode::size_t size_t;
Linux: cleanup system-call bindings This patch simplifies the system call bindings. The common syscall bindings in 'src/platform/' have been reduced to the syscalls needed by non-core programs. The additional syscalls that are needed solely by core have been moved to 'src/core/include/core_linux_syscalls.h'. Furthermore, the resource path is not used outside of core anymore. Hence, we could get rid of the rpath library. The resource-path code has been moved to 'src/core/include/resource_path.h'. The IPC-related parts of 'src/platform' have been moved to the IPC library. So there is now a clean separation between low-level syscall bindings (in 'src/platform') and higher-level code. The code for the socket-descriptor registry is now located in the 'src/base/ipc/socket_descriptor_registry.h' header. The interface is separated from 'ipc.cc' because core needs to access the registry from outside the ipc library.
2012-08-10 16:35:57 +02:00
size_t const len;
static int _init_len(char const *s)
{
char const * const pattern = "/ep-";
static size_t const pattern_len = Genode::strlen(pattern);
for (size_t i = 0; Genode::strlen(s + i) >= pattern_len; i++)
if (Genode::strcmp(s + i, pattern, pattern_len) == 0)
return i + pattern_len;
struct Unexpected_rpath_prefix { };
throw Unexpected_rpath_prefix();
}
Prefix_len(char const *s) : len(_init_len(s)) { }
};
/*
* The name of the Unix-domain socket has the form <rpath>-<uid>/ep-<tid>.
* We are only interested in the <tid> part. Hence, we determine the length
* of the <rpath>-<uid>/ep- portion only once and keep it in a static
* variable.
*/
static Prefix_len prefix_len(name.sun_path);
unsigned tid = 0;
base: use reference for ascii_to output argument Issue #1477
2015-04-10 17:45:35 +02:00
if (Genode::ascii_to(name.sun_path + prefix_len.len, tid) == 0) {
Linux: cleanup system-call bindings This patch simplifies the system call bindings. The common syscall bindings in 'src/platform/' have been reduced to the syscalls needed by non-core programs. The additional syscalls that are needed solely by core have been moved to 'src/core/include/core_linux_syscalls.h'. Furthermore, the resource path is not used outside of core anymore. Hence, we could get rid of the rpath library. The resource-path code has been moved to 'src/core/include/resource_path.h'. The IPC-related parts of 'src/platform' have been moved to the IPC library. So there is now a clean separation between low-level syscall bindings (in 'src/platform') and higher-level code. The code for the socket-descriptor registry is now located in the 'src/base/ipc/socket_descriptor_registry.h' header. The interface is separated from 'ipc.cc' because core needs to access the registry from outside the ipc library.
2012-08-10 16:35:57 +02:00
PRAW("Error: could not parse tid number");
return -1;
}
return tid;
}
namespace {
/**
* Message object encapsulating data for sendmsg/recvmsg
*/
struct Message
{
public:
enum { MAX_SDS_PER_MSG = Genode::Msgbuf_base::MAX_CAPS_PER_MSG };
private:
Resolve ambigiouties of size_t When building in hybrid Linux/Genode mode, there exist two definitions of 'size_t', one in the 'Genode' namespace and one imported from the glibc headers.
2012-10-19 11:36:01 +02:00
typedef Genode::size_t size_t;
Linux: cleanup system-call bindings This patch simplifies the system call bindings. The common syscall bindings in 'src/platform/' have been reduced to the syscalls needed by non-core programs. The additional syscalls that are needed solely by core have been moved to 'src/core/include/core_linux_syscalls.h'. Furthermore, the resource path is not used outside of core anymore. Hence, we could get rid of the rpath library. The resource-path code has been moved to 'src/core/include/resource_path.h'. The IPC-related parts of 'src/platform' have been moved to the IPC library. So there is now a clean separation between low-level syscall bindings (in 'src/platform') and higher-level code. The code for the socket-descriptor registry is now located in the 'src/base/ipc/socket_descriptor_registry.h' header. The interface is separated from 'ipc.cc' because core needs to access the registry from outside the ipc library.
2012-08-10 16:35:57 +02:00
msghdr _msg;
sockaddr_un _addr;
iovec _iovec;
char _cmsg_buf[CMSG_SPACE(MAX_SDS_PER_MSG*sizeof(int))];
unsigned _num_sds;
public:
Message(void *buffer, size_t buffer_len) : _num_sds(0)
{
Genode::memset(&_msg, 0, sizeof(_msg));
/* initialize control message */
struct cmsghdr *cmsg;
_msg.msg_control = _cmsg_buf;
_msg.msg_controllen = sizeof(_cmsg_buf); /* buffer space available */
_msg.msg_flags |= MSG_CMSG_CLOEXEC;
cmsg = CMSG_FIRSTHDR(&_msg);
cmsg->cmsg_len = CMSG_LEN(0);
cmsg->cmsg_level = SOL_SOCKET;
cmsg->cmsg_type = SCM_RIGHTS;
_msg.msg_controllen = cmsg->cmsg_len; /* actual cmsg length */
/* initialize iovec */
_msg.msg_iov = &_iovec;
_msg.msg_iovlen = 1;
_iovec.iov_base = buffer;
_iovec.iov_len = buffer_len;
}
msghdr * msg() { return &_msg; }
void marshal_socket(int sd)
{
*((int *)CMSG_DATA((cmsghdr *)_cmsg_buf) + _num_sds) = sd;
_num_sds++;
struct cmsghdr *cmsg = CMSG_FIRSTHDR(&_msg);
cmsg->cmsg_len = CMSG_LEN(_num_sds*sizeof(int));
_msg.msg_controllen = cmsg->cmsg_len; /* actual cmsg length */
}
void accept_sockets(int num_sds)
{
struct cmsghdr *cmsg = CMSG_FIRSTHDR(&_msg);
cmsg->cmsg_len = CMSG_LEN(num_sds*sizeof(int));
_msg.msg_controllen = cmsg->cmsg_len; /* actual cmsg length */
}
int socket_at_index(int index) const
{
return *((int *)CMSG_DATA((cmsghdr *)_cmsg_buf) + index);
}
unsigned num_sockets() const
{
struct cmsghdr *cmsg = CMSG_FIRSTHDR(&_msg);
if (!cmsg)
return 0;
return (cmsg->cmsg_len - CMSG_ALIGN(sizeof(cmsghdr)))/sizeof(int);
}
};
} /* unnamed namespace */
/**
* Utility: Extract socket desriptors from SCM message into 'Genode::Msgbuf'
*/
static void extract_sds_from_message(unsigned start_index, Message const &msg,
Genode::Msgbuf_base &buf)
{
buf.reset_caps();
/* start at offset 1 to skip the reply channel */
for (unsigned i = start_index; i < msg.num_sockets(); i++) {
int const sd = msg.socket_at_index(i);
int const id = lookup_tid_by_client_socket(sd);
Linux: Robustness of socket life-time management This patch improves the life-time management of socket descriptors and addresses several corner cases exposed by the 'bomb' test. The lookup and association of file descriptors with global IDs have been turned into an atomic operation. Otherwise, multiple threads interacting with the singleton 'ep_sd_registry' may override each other's associations. Closing the socket pair used for the reply channel has been implemented via the RAII pattern to capture all corner cases, in particular exceptions. If blocking operations are interrupted by signals, we throw a 'Blocking_canceled' exception. We preserve core's socket descriptor at 'PARENT_SOCKET_HANDLE' to avoid a corner case where the parent capability is going to dup2'ed to the same handle. Support for 'Thread_base::join' within core to enable leaving Genode via Control-C.
2012-11-26 20:30:35 +01:00
int const associated_sd = Genode::ep_sd_registry()->try_associate(sd, id);
buf.append_cap(associated_sd);
if ((associated_sd >= 0) && (associated_sd != sd)) {
/*
* The association already existed under a different name, use
* already associated socket descriptor and and drop 'sd'.
*/
Linux: cleanup system-call bindings This patch simplifies the system call bindings. The common syscall bindings in 'src/platform/' have been reduced to the syscalls needed by non-core programs. The additional syscalls that are needed solely by core have been moved to 'src/core/include/core_linux_syscalls.h'. Furthermore, the resource path is not used outside of core anymore. Hence, we could get rid of the rpath library. The resource-path code has been moved to 'src/core/include/resource_path.h'. The IPC-related parts of 'src/platform' have been moved to the IPC library. So there is now a clean separation between low-level syscall bindings (in 'src/platform') and higher-level code. The code for the socket-descriptor registry is now located in the 'src/base/ipc/socket_descriptor_registry.h' header. The interface is separated from 'ipc.cc' because core needs to access the registry from outside the ipc library.
2012-08-10 16:35:57 +02:00
lx_close(sd);
}
}
}
/**
* Send request to server and wait for reply
*/
static inline void lx_call(int dst_sd,
Resolve ambigiouties of size_t When building in hybrid Linux/Genode mode, there exist two definitions of 'size_t', one in the 'Genode' namespace and one imported from the glibc headers.
2012-10-19 11:36:01 +02:00
Genode::Msgbuf_base &send_msgbuf, Genode::size_t send_msg_len,
Linux: cleanup system-call bindings This patch simplifies the system call bindings. The common syscall bindings in 'src/platform/' have been reduced to the syscalls needed by non-core programs. The additional syscalls that are needed solely by core have been moved to 'src/core/include/core_linux_syscalls.h'. Furthermore, the resource path is not used outside of core anymore. Hence, we could get rid of the rpath library. The resource-path code has been moved to 'src/core/include/resource_path.h'. The IPC-related parts of 'src/platform' have been moved to the IPC library. So there is now a clean separation between low-level syscall bindings (in 'src/platform') and higher-level code. The code for the socket-descriptor registry is now located in the 'src/base/ipc/socket_descriptor_registry.h' header. The interface is separated from 'ipc.cc' because core needs to access the registry from outside the ipc library.
2012-08-10 16:35:57 +02:00
Genode::Msgbuf_base &recv_msgbuf)
{
int ret;
Message send_msg(send_msgbuf.buf, send_msg_len);
Linux: Robustness of socket life-time management This patch improves the life-time management of socket descriptors and addresses several corner cases exposed by the 'bomb' test. The lookup and association of file descriptors with global IDs have been turned into an atomic operation. Otherwise, multiple threads interacting with the singleton 'ep_sd_registry' may override each other's associations. Closing the socket pair used for the reply channel has been implemented via the RAII pattern to capture all corner cases, in particular exceptions. If blocking operations are interrupted by signals, we throw a 'Blocking_canceled' exception. We preserve core's socket descriptor at 'PARENT_SOCKET_HANDLE' to avoid a corner case where the parent capability is going to dup2'ed to the same handle. Support for 'Thread_base::join' within core to enable leaving Genode via Control-C.
2012-11-26 20:30:35 +01:00
/*
* Create reply channel
*
* The reply channel will be closed when leaving the scope of 'lx_call'.
*/
struct Reply_channel
{
enum { LOCAL_SOCKET = 0, REMOTE_SOCKET = 1 };
int sd[2];
Reply_channel()
{
sd[LOCAL_SOCKET] = -1; sd[REMOTE_SOCKET] = -1;
Linux: cleanup system-call bindings This patch simplifies the system call bindings. The common syscall bindings in 'src/platform/' have been reduced to the syscalls needed by non-core programs. The additional syscalls that are needed solely by core have been moved to 'src/core/include/core_linux_syscalls.h'. Furthermore, the resource path is not used outside of core anymore. Hence, we could get rid of the rpath library. The resource-path code has been moved to 'src/core/include/resource_path.h'. The IPC-related parts of 'src/platform' have been moved to the IPC library. So there is now a clean separation between low-level syscall bindings (in 'src/platform') and higher-level code. The code for the socket-descriptor registry is now located in the 'src/base/ipc/socket_descriptor_registry.h' header. The interface is separated from 'ipc.cc' because core needs to access the registry from outside the ipc library.
2012-08-10 16:35:57 +02:00
Linux: Robustness of socket life-time management This patch improves the life-time management of socket descriptors and addresses several corner cases exposed by the 'bomb' test. The lookup and association of file descriptors with global IDs have been turned into an atomic operation. Otherwise, multiple threads interacting with the singleton 'ep_sd_registry' may override each other's associations. Closing the socket pair used for the reply channel has been implemented via the RAII pattern to capture all corner cases, in particular exceptions. If blocking operations are interrupted by signals, we throw a 'Blocking_canceled' exception. We preserve core's socket descriptor at 'PARENT_SOCKET_HANDLE' to avoid a corner case where the parent capability is going to dup2'ed to the same handle. Support for 'Thread_base::join' within core to enable leaving Genode via Control-C.
2012-11-26 20:30:35 +01:00
int ret = lx_socketpair(AF_UNIX, SOCK_DGRAM | SOCK_CLOEXEC, 0, sd);
if (ret < 0) {
PRAW("[%d] lx_socketpair failed with %d", lx_getpid(), ret);
throw Genode::Ipc_error();
}
}
~Reply_channel()
{
base-linux: Fix condition in ~Reply_channel Issue #717
2013-04-29 16:36:50 +02:00
if (sd[LOCAL_SOCKET] != -1) lx_close(sd[LOCAL_SOCKET]);
if (sd[REMOTE_SOCKET] != -1) lx_close(sd[REMOTE_SOCKET]);
Linux: Robustness of socket life-time management This patch improves the life-time management of socket descriptors and addresses several corner cases exposed by the 'bomb' test. The lookup and association of file descriptors with global IDs have been turned into an atomic operation. Otherwise, multiple threads interacting with the singleton 'ep_sd_registry' may override each other's associations. Closing the socket pair used for the reply channel has been implemented via the RAII pattern to capture all corner cases, in particular exceptions. If blocking operations are interrupted by signals, we throw a 'Blocking_canceled' exception. We preserve core's socket descriptor at 'PARENT_SOCKET_HANDLE' to avoid a corner case where the parent capability is going to dup2'ed to the same handle. Support for 'Thread_base::join' within core to enable leaving Genode via Control-C.
2012-11-26 20:30:35 +01:00
}
int local_socket() const { return sd[LOCAL_SOCKET]; }
int remote_socket() const { return sd[REMOTE_SOCKET]; }
} reply_channel;
Linux: cleanup system-call bindings This patch simplifies the system call bindings. The common syscall bindings in 'src/platform/' have been reduced to the syscalls needed by non-core programs. The additional syscalls that are needed solely by core have been moved to 'src/core/include/core_linux_syscalls.h'. Furthermore, the resource path is not used outside of core anymore. Hence, we could get rid of the rpath library. The resource-path code has been moved to 'src/core/include/resource_path.h'. The IPC-related parts of 'src/platform' have been moved to the IPC library. So there is now a clean separation between low-level syscall bindings (in 'src/platform') and higher-level code. The code for the socket-descriptor registry is now located in the 'src/base/ipc/socket_descriptor_registry.h' header. The interface is separated from 'ipc.cc' because core needs to access the registry from outside the ipc library.
2012-08-10 16:35:57 +02:00
/* assemble message */
/* marshal reply capability */
Linux: Robustness of socket life-time management This patch improves the life-time management of socket descriptors and addresses several corner cases exposed by the 'bomb' test. The lookup and association of file descriptors with global IDs have been turned into an atomic operation. Otherwise, multiple threads interacting with the singleton 'ep_sd_registry' may override each other's associations. Closing the socket pair used for the reply channel has been implemented via the RAII pattern to capture all corner cases, in particular exceptions. If blocking operations are interrupted by signals, we throw a 'Blocking_canceled' exception. We preserve core's socket descriptor at 'PARENT_SOCKET_HANDLE' to avoid a corner case where the parent capability is going to dup2'ed to the same handle. Support for 'Thread_base::join' within core to enable leaving Genode via Control-C.
2012-11-26 20:30:35 +01:00
send_msg.marshal_socket(reply_channel.remote_socket());
Linux: cleanup system-call bindings This patch simplifies the system call bindings. The common syscall bindings in 'src/platform/' have been reduced to the syscalls needed by non-core programs. The additional syscalls that are needed solely by core have been moved to 'src/core/include/core_linux_syscalls.h'. Furthermore, the resource path is not used outside of core anymore. Hence, we could get rid of the rpath library. The resource-path code has been moved to 'src/core/include/resource_path.h'. The IPC-related parts of 'src/platform' have been moved to the IPC library. So there is now a clean separation between low-level syscall bindings (in 'src/platform') and higher-level code. The code for the socket-descriptor registry is now located in the 'src/base/ipc/socket_descriptor_registry.h' header. The interface is separated from 'ipc.cc' because core needs to access the registry from outside the ipc library.
2012-08-10 16:35:57 +02:00
/* marshal capabilities contained in 'send_msgbuf' */
for (unsigned i = 0; i < send_msgbuf.used_caps(); i++)
send_msg.marshal_socket(send_msgbuf.cap(i));
ret = lx_sendmsg(dst_sd, send_msg.msg(), 0);
if (ret < 0) {
PRAW("[%d] lx_sendmsg to sd %d failed with %d in lx_call()",
lx_getpid(), dst_sd, ret);
throw Genode::Ipc_error();
}
/* receive reply */
Message recv_msg(recv_msgbuf.buf, recv_msgbuf.size());
recv_msg.accept_sockets(Message::MAX_SDS_PER_MSG);
Linux: Robustness of socket life-time management This patch improves the life-time management of socket descriptors and addresses several corner cases exposed by the 'bomb' test. The lookup and association of file descriptors with global IDs have been turned into an atomic operation. Otherwise, multiple threads interacting with the singleton 'ep_sd_registry' may override each other's associations. Closing the socket pair used for the reply channel has been implemented via the RAII pattern to capture all corner cases, in particular exceptions. If blocking operations are interrupted by signals, we throw a 'Blocking_canceled' exception. We preserve core's socket descriptor at 'PARENT_SOCKET_HANDLE' to avoid a corner case where the parent capability is going to dup2'ed to the same handle. Support for 'Thread_base::join' within core to enable leaving Genode via Control-C.
2012-11-26 20:30:35 +01:00
ret = lx_recvmsg(reply_channel.local_socket(), recv_msg.msg(), 0);
/* system call got interrupted by a signal */
if (ret == -LX_EINTR)
throw Genode::Blocking_canceled();
Linux: cleanup system-call bindings This patch simplifies the system call bindings. The common syscall bindings in 'src/platform/' have been reduced to the syscalls needed by non-core programs. The additional syscalls that are needed solely by core have been moved to 'src/core/include/core_linux_syscalls.h'. Furthermore, the resource path is not used outside of core anymore. Hence, we could get rid of the rpath library. The resource-path code has been moved to 'src/core/include/resource_path.h'. The IPC-related parts of 'src/platform' have been moved to the IPC library. So there is now a clean separation between low-level syscall bindings (in 'src/platform') and higher-level code. The code for the socket-descriptor registry is now located in the 'src/base/ipc/socket_descriptor_registry.h' header. The interface is separated from 'ipc.cc' because core needs to access the registry from outside the ipc library.
2012-08-10 16:35:57 +02:00
if (ret < 0) {
PRAW("[%d] lx_recvmsg failed with %d in lx_call()", lx_getpid(), ret);
throw Genode::Ipc_error();
}
extract_sds_from_message(0, recv_msg, recv_msgbuf);
}
/**
* for request from client
*
* \return socket descriptor of reply capability
*/
static inline int lx_wait(Genode::Native_connection_state &cs,
Genode::Msgbuf_base &recv_msgbuf)
{
Message msg(recv_msgbuf.buf, recv_msgbuf.size());
msg.accept_sockets(Message::MAX_SDS_PER_MSG);
int ret = lx_recvmsg(cs.server_sd, msg.msg(), 0);
Linux: Robustness of socket life-time management This patch improves the life-time management of socket descriptors and addresses several corner cases exposed by the 'bomb' test. The lookup and association of file descriptors with global IDs have been turned into an atomic operation. Otherwise, multiple threads interacting with the singleton 'ep_sd_registry' may override each other's associations. Closing the socket pair used for the reply channel has been implemented via the RAII pattern to capture all corner cases, in particular exceptions. If blocking operations are interrupted by signals, we throw a 'Blocking_canceled' exception. We preserve core's socket descriptor at 'PARENT_SOCKET_HANDLE' to avoid a corner case where the parent capability is going to dup2'ed to the same handle. Support for 'Thread_base::join' within core to enable leaving Genode via Control-C.
2012-11-26 20:30:35 +01:00
/* system call got interrupted by a signal */
if (ret == -LX_EINTR)
throw Genode::Blocking_canceled();
Linux: cleanup system-call bindings This patch simplifies the system call bindings. The common syscall bindings in 'src/platform/' have been reduced to the syscalls needed by non-core programs. The additional syscalls that are needed solely by core have been moved to 'src/core/include/core_linux_syscalls.h'. Furthermore, the resource path is not used outside of core anymore. Hence, we could get rid of the rpath library. The resource-path code has been moved to 'src/core/include/resource_path.h'. The IPC-related parts of 'src/platform' have been moved to the IPC library. So there is now a clean separation between low-level syscall bindings (in 'src/platform') and higher-level code. The code for the socket-descriptor registry is now located in the 'src/base/ipc/socket_descriptor_registry.h' header. The interface is separated from 'ipc.cc' because core needs to access the registry from outside the ipc library.
2012-08-10 16:35:57 +02:00
if (ret < 0) {
PRAW("lx_recvmsg failed with %d in lx_wait(), sd=%d", ret, cs.server_sd);
throw Genode::Ipc_error();
}
int const reply_socket = msg.socket_at_index(0);
extract_sds_from_message(1, msg, recv_msgbuf);
return reply_socket;
}
/**
* Send reply to client
*/
static inline void lx_reply(int reply_socket,
Genode::Msgbuf_base &send_msgbuf,
Resolve ambigiouties of size_t When building in hybrid Linux/Genode mode, there exist two definitions of 'size_t', one in the 'Genode' namespace and one imported from the glibc headers.
2012-10-19 11:36:01 +02:00
Genode::size_t msg_len)
Linux: cleanup system-call bindings This patch simplifies the system call bindings. The common syscall bindings in 'src/platform/' have been reduced to the syscalls needed by non-core programs. The additional syscalls that are needed solely by core have been moved to 'src/core/include/core_linux_syscalls.h'. Furthermore, the resource path is not used outside of core anymore. Hence, we could get rid of the rpath library. The resource-path code has been moved to 'src/core/include/resource_path.h'. The IPC-related parts of 'src/platform' have been moved to the IPC library. So there is now a clean separation between low-level syscall bindings (in 'src/platform') and higher-level code. The code for the socket-descriptor registry is now located in the 'src/base/ipc/socket_descriptor_registry.h' header. The interface is separated from 'ipc.cc' because core needs to access the registry from outside the ipc library.
2012-08-10 16:35:57 +02:00
{
Message msg(send_msgbuf.buf, msg_len);
/*
* Marshall capabilities to be transferred to the client
*/
for (unsigned i = 0; i < send_msgbuf.used_caps(); i++)
msg.marshal_socket(send_msgbuf.cap(i));
int ret = lx_sendmsg(reply_socket, msg.msg(), 0);
Linux: Robustness of socket life-time management This patch improves the life-time management of socket descriptors and addresses several corner cases exposed by the 'bomb' test. The lookup and association of file descriptors with global IDs have been turned into an atomic operation. Otherwise, multiple threads interacting with the singleton 'ep_sd_registry' may override each other's associations. Closing the socket pair used for the reply channel has been implemented via the RAII pattern to capture all corner cases, in particular exceptions. If blocking operations are interrupted by signals, we throw a 'Blocking_canceled' exception. We preserve core's socket descriptor at 'PARENT_SOCKET_HANDLE' to avoid a corner case where the parent capability is going to dup2'ed to the same handle. Support for 'Thread_base::join' within core to enable leaving Genode via Control-C.
2012-11-26 20:30:35 +01:00
/* ignore reply send error caused by disappearing client */
if (ret >= 0 || ret == -LX_ECONNREFUSED) {
lx_close(reply_socket);
return;
}
if (ret < 0)
PRAW("[%d] lx_sendmsg failed with %d in lx_reply()", lx_getpid(), ret);
Linux: cleanup system-call bindings This patch simplifies the system call bindings. The common syscall bindings in 'src/platform/' have been reduced to the syscalls needed by non-core programs. The additional syscalls that are needed solely by core have been moved to 'src/core/include/core_linux_syscalls.h'. Furthermore, the resource path is not used outside of core anymore. Hence, we could get rid of the rpath library. The resource-path code has been moved to 'src/core/include/resource_path.h'. The IPC-related parts of 'src/platform' have been moved to the IPC library. So there is now a clean separation between low-level syscall bindings (in 'src/platform') and higher-level code. The code for the socket-descriptor registry is now located in the 'src/base/ipc/socket_descriptor_registry.h' header. The interface is separated from 'ipc.cc' because core needs to access the registry from outside the ipc library.
2012-08-10 16:35:57 +02:00
}
Imported Genode release 11.11
2011-12-22 16:19:25 +01:00
/*****************
** Ipc_ostream **
*****************/
/*
* XXX This class will be removed soon.
*/
void Ipc_ostream::_prepare_next_send()
{
PRAW("unexpected call to %s (%p)", __PRETTY_FUNCTION__, this);
}
void Ipc_ostream::_send()
{
PRAW("unexpected call to %s (%p)", __PRETTY_FUNCTION__, this);
}
Ipc_ostream::Ipc_ostream(Native_capability dst, Msgbuf_base *snd_msg):
Ipc_marshaller(snd_msg->buf, snd_msg->size()), _snd_msg(snd_msg), _dst(dst)
{ }
/*****************
** Ipc_istream **
*****************/
/*
* XXX This class will be removed soon.
*/
void Ipc_istream::_prepare_next_receive()
{
PRAW("unexpected call to %s (%p)", __PRETTY_FUNCTION__, this);
}
void Ipc_istream::_wait()
{
PRAW("unexpected call to %s (%p)", __PRETTY_FUNCTION__, this);
}
Ipc_istream::Ipc_istream(Msgbuf_base *rcv_msg)
Support for socket-descriptor marshalling This patch adds prinicipal support for transmitting socket descriptors as RPC payload. Socket descriptors are handled by the linux-specific implementation of the capability marshalling and unmarshalling functions in 'ipc.h'. The 'Message' type in 'src/platform/linux_socket.h' has been extended to carry multiple descriptors in a single message. Unfortuately, we hit a problem (and potential show stopper) here: lx_sendmsg failed with -109 in lx_call() The error code corresponds to ETOOMANYREFS. There is only one place in the Linux kernel where this error code is used (net/unix/af_unix.c). The code for 'unix_attach_fds()' suggests that there is a limit with regard to the maximum number of references for a given Unix domain socket. When the error occurs, core and init are running. The socket of core's server entrypoint is present in the '/proc/pid/fd' of those processes 8 times. The error occurs when core tries to perform an RPC to the entrypoint to perform 'Ram_session::transfer_quota()' (base/include/base/child.h at line 248).
2012-07-26 20:29:45 +02:00
:
Ipc_unmarshaller(rcv_msg->buf, rcv_msg->size()),
Delegate access to entrypoints via SCM rights This patch eliminates the thread ID portion of the 'Native_capability' type. The access to entrypoints is now exclusively handled by passing socket descripts over Unix domain sockets and by inheriting the socket descriptor of the parent entrypoint at process-creation time. Each entrypoint creates a socket pair. The server-side socket is bound to a unique name defined by the server. The client-side socket is then connected to the same name. Whereas the server-side socket is meant to be exclusively used by the server to wait for incoming requests, the client-side socket can be delegated to other processes as payload of RPC messages (via SCM rights). Anyone who receives a capability over RPC receives the client-side socket of the entrypoint to which the capability refers. Given this socket descriptor, the unique name (as defined by the server) can be requested using 'getpeername'. Using this name, it is possible to compare socket descriptors, which is important to avoid duplicates from polluting the limited socket-descriptor name space. Wheras this patch introduces capability-based delegation of access rights to entrypoints, it does not cover the protection of the integrity of RPC objects. RPC objects are still referenced by a global ID passed as normal message payload.
2012-08-08 22:01:04 +02:00
Native_capability(Dst(-1), 0),
Support for socket-descriptor marshalling This patch adds prinicipal support for transmitting socket descriptors as RPC payload. Socket descriptors are handled by the linux-specific implementation of the capability marshalling and unmarshalling functions in 'ipc.h'. The 'Message' type in 'src/platform/linux_socket.h' has been extended to carry multiple descriptors in a single message. Unfortuately, we hit a problem (and potential show stopper) here: lx_sendmsg failed with -109 in lx_call() The error code corresponds to ETOOMANYREFS. There is only one place in the Linux kernel where this error code is used (net/unix/af_unix.c). The code for 'unix_attach_fds()' suggests that there is a limit with regard to the maximum number of references for a given Unix domain socket. When the error occurs, core and init are running. The socket of core's server entrypoint is present in the '/proc/pid/fd' of those processes 8 times. The error occurs when core tries to perform an RPC to the entrypoint to perform 'Ram_session::transfer_quota()' (base/include/base/child.h at line 248).
2012-07-26 20:29:45 +02:00
_rcv_msg(rcv_msg)
Imported Genode release 11.11
2011-12-22 16:19:25 +01:00
{ }
base-linux: implement IPC server destruction When an IPC server is finalized two important things should happen: First, the association of the server socket with a capability must be invalidated. And finally, the server socket pair (server side and client side) must be closed. Related to #38.
2012-11-15 12:53:32 +01:00
Ipc_istream::~Ipc_istream()
{
/*
* The association of the capability (client) socket must be invalidated on
* server destruction. We implement it here as the IPC server currently has
* no destructor. We have the plan to remove Ipc_istream and Ipc_ostream
* in the future and, then, move this into the server destructor.
*
* IPC clients have -1 as client_sd and need no disassociation.
*/
Linux: Robustness of socket life-time management This patch improves the life-time management of socket descriptors and addresses several corner cases exposed by the 'bomb' test. The lookup and association of file descriptors with global IDs have been turned into an atomic operation. Otherwise, multiple threads interacting with the singleton 'ep_sd_registry' may override each other's associations. Closing the socket pair used for the reply channel has been implemented via the RAII pattern to capture all corner cases, in particular exceptions. If blocking operations are interrupted by signals, we throw a 'Blocking_canceled' exception. We preserve core's socket descriptor at 'PARENT_SOCKET_HANDLE' to avoid a corner case where the parent capability is going to dup2'ed to the same handle. Support for 'Thread_base::join' within core to enable leaving Genode via Control-C.
2012-11-26 20:30:35 +01:00
if (_rcv_cs.client_sd != -1) {
base-linux: implement IPC server destruction When an IPC server is finalized two important things should happen: First, the association of the server socket with a capability must be invalidated. And finally, the server socket pair (server side and client side) must be closed. Related to #38.
2012-11-15 12:53:32 +01:00
Genode::ep_sd_registry()->disassociate(_rcv_cs.client_sd);
Linux: Robustness of socket life-time management This patch improves the life-time management of socket descriptors and addresses several corner cases exposed by the 'bomb' test. The lookup and association of file descriptors with global IDs have been turned into an atomic operation. Otherwise, multiple threads interacting with the singleton 'ep_sd_registry' may override each other's associations. Closing the socket pair used for the reply channel has been implemented via the RAII pattern to capture all corner cases, in particular exceptions. If blocking operations are interrupted by signals, we throw a 'Blocking_canceled' exception. We preserve core's socket descriptor at 'PARENT_SOCKET_HANDLE' to avoid a corner case where the parent capability is going to dup2'ed to the same handle. Support for 'Thread_base::join' within core to enable leaving Genode via Control-C.
2012-11-26 20:30:35 +01:00
/*
* Reset thread role to non-server such that we can enter 'sleep_forever'
* without getting a warning.
*/
Thread_base *thread = Thread_base::myself();
if (thread)
thread->tid().is_ipc_server = false;
}
base-linux: implement IPC server destruction When an IPC server is finalized two important things should happen: First, the association of the server socket with a capability must be invalidated. And finally, the server socket pair (server side and client side) must be closed. Related to #38.
2012-11-15 12:53:32 +01:00
destroy_server_socket_pair(_rcv_cs);
Linux: Robustness of socket life-time management This patch improves the life-time management of socket descriptors and addresses several corner cases exposed by the 'bomb' test. The lookup and association of file descriptors with global IDs have been turned into an atomic operation. Otherwise, multiple threads interacting with the singleton 'ep_sd_registry' may override each other's associations. Closing the socket pair used for the reply channel has been implemented via the RAII pattern to capture all corner cases, in particular exceptions. If blocking operations are interrupted by signals, we throw a 'Blocking_canceled' exception. We preserve core's socket descriptor at 'PARENT_SOCKET_HANDLE' to avoid a corner case where the parent capability is going to dup2'ed to the same handle. Support for 'Thread_base::join' within core to enable leaving Genode via Control-C.
2012-11-26 20:30:35 +01:00
_rcv_cs.client_sd = -1;
_rcv_cs.server_sd = -1;
base-linux: implement IPC server destruction When an IPC server is finalized two important things should happen: First, the association of the server socket with a capability must be invalidated. And finally, the server socket pair (server side and client side) must be closed. Related to #38.
2012-11-15 12:53:32 +01:00
}
Imported Genode release 11.11
2011-12-22 16:19:25 +01:00
/****************
** Ipc_client **
****************/
void Ipc_client::_prepare_next_call()
{
/* prepare next request in buffer */
linux: Fix 'explicit_reply' semantics By storing the reply socket descriptor inside the 'Ipc_ostream::_dst' capability instead as part of the connection state object, we can use the 'explicit_reply' mechanism as usual. Right now, we store both the tid and socket handle in 'Native_capability::Dst'. In the final version, the 'tid' member will be gone.
2012-07-18 14:48:37 +02:00
long const local_name = Ipc_ostream::_dst.local_name();
Imported Genode release 11.11
2011-12-22 16:19:25 +01:00
_write_offset = 0;
_write_to_buf(local_name);
/* prepare response buffer */
_read_offset = sizeof(long);
Support for socket-descriptor marshalling This patch adds prinicipal support for transmitting socket descriptors as RPC payload. Socket descriptors are handled by the linux-specific implementation of the capability marshalling and unmarshalling functions in 'ipc.h'. The 'Message' type in 'src/platform/linux_socket.h' has been extended to carry multiple descriptors in a single message. Unfortuately, we hit a problem (and potential show stopper) here: lx_sendmsg failed with -109 in lx_call() The error code corresponds to ETOOMANYREFS. There is only one place in the Linux kernel where this error code is used (net/unix/af_unix.c). The code for 'unix_attach_fds()' suggests that there is a limit with regard to the maximum number of references for a given Unix domain socket. When the error occurs, core and init are running. The socket of core's server entrypoint is present in the '/proc/pid/fd' of those processes 8 times. The error occurs when core tries to perform an RPC to the entrypoint to perform 'Ram_session::transfer_quota()' (base/include/base/child.h at line 248).
2012-07-26 20:29:45 +02:00
_snd_msg->reset_caps();
Imported Genode release 11.11
2011-12-22 16:19:25 +01:00
}
void Ipc_client::_call()
{
Delegate access to entrypoints via SCM rights This patch eliminates the thread ID portion of the 'Native_capability' type. The access to entrypoints is now exclusively handled by passing socket descripts over Unix domain sockets and by inheriting the socket descriptor of the parent entrypoint at process-creation time. Each entrypoint creates a socket pair. The server-side socket is bound to a unique name defined by the server. The client-side socket is then connected to the same name. Whereas the server-side socket is meant to be exclusively used by the server to wait for incoming requests, the client-side socket can be delegated to other processes as payload of RPC messages (via SCM rights). Anyone who receives a capability over RPC receives the client-side socket of the entrypoint to which the capability refers. Given this socket descriptor, the unique name (as defined by the server) can be requested using 'getpeername'. Using this name, it is possible to compare socket descriptors, which is important to avoid duplicates from polluting the limited socket-descriptor name space. Wheras this patch introduces capability-based delegation of access rights to entrypoints, it does not cover the protection of the integrity of RPC objects. RPC objects are still referenced by a global ID passed as normal message payload.
2012-08-08 22:01:04 +02:00
if (Ipc_ostream::_dst.valid())
lx_call(Ipc_ostream::_dst.dst().socket, *_snd_msg, _write_offset, *_rcv_msg);
Imported Genode release 11.11
2011-12-22 16:19:25 +01:00
_prepare_next_call();
}
base: count caps replied by a rpc function Issue #905
2013-09-16 10:50:15 +02:00
Ipc_client::Ipc_client(Native_capability const &srv, Msgbuf_base *snd_msg,
Msgbuf_base *rcv_msg, unsigned short)
Imported Genode release 11.11
2011-12-22 16:19:25 +01:00
: Ipc_istream(rcv_msg), Ipc_ostream(srv, snd_msg), _result(0)
{
_prepare_next_call();
}
/****************
** Ipc_server **
****************/
void Ipc_server::_prepare_next_reply_wait()
{
/* skip server-local name */
_read_offset = sizeof(long);
/* prepare next reply */
_write_offset = 0;
Replace 'Native_capability::copy_to' by accessor The 'copy_to' function turned out to be not flexible enough to accommodate the Noux fork mechanism. This patch removes the function, adds an accessor for the capability destination and a compound type 'Native_capability::Raw' to be used wherever plain capability information must be communicated.
2012-03-26 14:32:16 +02:00
long local_name = Ipc_ostream::_dst.local_name();
Imported Genode release 11.11
2011-12-22 16:19:25 +01:00
_write_to_buf(local_name); /* XXX unused, needed by de/marshaller */
/* leave space for exc code at the beginning of the msgbuf */
_write_offset += align_natural(sizeof(int));
Support for socket-descriptor marshalling This patch adds prinicipal support for transmitting socket descriptors as RPC payload. Socket descriptors are handled by the linux-specific implementation of the capability marshalling and unmarshalling functions in 'ipc.h'. The 'Message' type in 'src/platform/linux_socket.h' has been extended to carry multiple descriptors in a single message. Unfortuately, we hit a problem (and potential show stopper) here: lx_sendmsg failed with -109 in lx_call() The error code corresponds to ETOOMANYREFS. There is only one place in the Linux kernel where this error code is used (net/unix/af_unix.c). The code for 'unix_attach_fds()' suggests that there is a limit with regard to the maximum number of references for a given Unix domain socket. When the error occurs, core and init are running. The socket of core's server entrypoint is present in the '/proc/pid/fd' of those processes 8 times. The error occurs when core tries to perform an RPC to the entrypoint to perform 'Ram_session::transfer_quota()' (base/include/base/child.h at line 248).
2012-07-26 20:29:45 +02:00
/* reset capability slots of send message buffer */
_snd_msg->reset_caps();
Imported Genode release 11.11
2011-12-22 16:19:25 +01:00
}
void Ipc_server::_wait()
{
linux: Fix 'explicit_reply' semantics By storing the reply socket descriptor inside the 'Ipc_ostream::_dst' capability instead as part of the connection state object, we can use the 'explicit_reply' mechanism as usual. Right now, we store both the tid and socket handle in 'Native_capability::Dst'. In the final version, the 'tid' member will be gone.
2012-07-18 14:48:37 +02:00
_reply_needed = true;
Delegate access to entrypoints via SCM rights This patch eliminates the thread ID portion of the 'Native_capability' type. The access to entrypoints is now exclusively handled by passing socket descripts over Unix domain sockets and by inheriting the socket descriptor of the parent entrypoint at process-creation time. Each entrypoint creates a socket pair. The server-side socket is bound to a unique name defined by the server. The client-side socket is then connected to the same name. Whereas the server-side socket is meant to be exclusively used by the server to wait for incoming requests, the client-side socket can be delegated to other processes as payload of RPC messages (via SCM rights). Anyone who receives a capability over RPC receives the client-side socket of the entrypoint to which the capability refers. Given this socket descriptor, the unique name (as defined by the server) can be requested using 'getpeername'. Using this name, it is possible to compare socket descriptors, which is important to avoid duplicates from polluting the limited socket-descriptor name space. Wheras this patch introduces capability-based delegation of access rights to entrypoints, it does not cover the protection of the integrity of RPC objects. RPC objects are still referenced by a global ID passed as normal message payload.
2012-08-08 22:01:04 +02:00
/*
* Block infinitely if called from the main thread. This may happen if the
* main thread calls 'sleep_forever()'.
*/
if (!Thread_base::myself()) {
struct timespec ts = { 1000, 0 };
for (;;) lx_nanosleep(&ts, 0);
}
Imported Genode release 11.11
2011-12-22 16:19:25 +01:00
try {
Support for socket-descriptor marshalling This patch adds prinicipal support for transmitting socket descriptors as RPC payload. Socket descriptors are handled by the linux-specific implementation of the capability marshalling and unmarshalling functions in 'ipc.h'. The 'Message' type in 'src/platform/linux_socket.h' has been extended to carry multiple descriptors in a single message. Unfortuately, we hit a problem (and potential show stopper) here: lx_sendmsg failed with -109 in lx_call() The error code corresponds to ETOOMANYREFS. There is only one place in the Linux kernel where this error code is used (net/unix/af_unix.c). The code for 'unix_attach_fds()' suggests that there is a limit with regard to the maximum number of references for a given Unix domain socket. When the error occurs, core and init are running. The socket of core's server entrypoint is present in the '/proc/pid/fd' of those processes 8 times. The error occurs when core tries to perform an RPC to the entrypoint to perform 'Ram_session::transfer_quota()' (base/include/base/child.h at line 248).
2012-07-26 20:29:45 +02:00
int const reply_socket = lx_wait(_rcv_cs, *_rcv_msg);
linux: Fix 'explicit_reply' semantics By storing the reply socket descriptor inside the 'Ipc_ostream::_dst' capability instead as part of the connection state object, we can use the 'explicit_reply' mechanism as usual. Right now, we store both the tid and socket handle in 'Native_capability::Dst'. In the final version, the 'tid' member will be gone.
2012-07-18 14:48:37 +02:00
/*
* Remember reply capability
*
* The 'local_name' of a capability is meaningful for addressing server
* objects only. Because a reply capabilities does not address a server
* object, the 'local_name' is meaningless.
*/
enum { DUMMY_LOCAL_NAME = -1 };
typedef Native_capability::Dst Dst;
Delegate access to entrypoints via SCM rights This patch eliminates the thread ID portion of the 'Native_capability' type. The access to entrypoints is now exclusively handled by passing socket descripts over Unix domain sockets and by inheriting the socket descriptor of the parent entrypoint at process-creation time. Each entrypoint creates a socket pair. The server-side socket is bound to a unique name defined by the server. The client-side socket is then connected to the same name. Whereas the server-side socket is meant to be exclusively used by the server to wait for incoming requests, the client-side socket can be delegated to other processes as payload of RPC messages (via SCM rights). Anyone who receives a capability over RPC receives the client-side socket of the entrypoint to which the capability refers. Given this socket descriptor, the unique name (as defined by the server) can be requested using 'getpeername'. Using this name, it is possible to compare socket descriptors, which is important to avoid duplicates from polluting the limited socket-descriptor name space. Wheras this patch introduces capability-based delegation of access rights to entrypoints, it does not cover the protection of the integrity of RPC objects. RPC objects are still referenced by a global ID passed as normal message payload.
2012-08-08 22:01:04 +02:00
Ipc_ostream::_dst = Native_capability(Dst(reply_socket), DUMMY_LOCAL_NAME);
linux: Fix 'explicit_reply' semantics By storing the reply socket descriptor inside the 'Ipc_ostream::_dst' capability instead as part of the connection state object, we can use the 'explicit_reply' mechanism as usual. Right now, we store both the tid and socket handle in 'Native_capability::Dst'. In the final version, the 'tid' member will be gone.
2012-07-18 14:48:37 +02:00
_prepare_next_reply_wait();
Imported Genode release 11.11
2011-12-22 16:19:25 +01:00
} catch (Blocking_canceled) { }
}
void Ipc_server::_reply()
{
try {
Delegate access to entrypoints via SCM rights This patch eliminates the thread ID portion of the 'Native_capability' type. The access to entrypoints is now exclusively handled by passing socket descripts over Unix domain sockets and by inheriting the socket descriptor of the parent entrypoint at process-creation time. Each entrypoint creates a socket pair. The server-side socket is bound to a unique name defined by the server. The client-side socket is then connected to the same name. Whereas the server-side socket is meant to be exclusively used by the server to wait for incoming requests, the client-side socket can be delegated to other processes as payload of RPC messages (via SCM rights). Anyone who receives a capability over RPC receives the client-side socket of the entrypoint to which the capability refers. Given this socket descriptor, the unique name (as defined by the server) can be requested using 'getpeername'. Using this name, it is possible to compare socket descriptors, which is important to avoid duplicates from polluting the limited socket-descriptor name space. Wheras this patch introduces capability-based delegation of access rights to entrypoints, it does not cover the protection of the integrity of RPC objects. RPC objects are still referenced by a global ID passed as normal message payload.
2012-08-08 22:01:04 +02:00
lx_reply(Ipc_ostream::_dst.dst().socket, *_snd_msg, _write_offset); }
catch (Ipc_error) { }
Imported Genode release 11.11
2011-12-22 16:19:25 +01:00
_prepare_next_reply_wait();
}
void Ipc_server::_reply_wait()
{
/* when first called, there was no request yet */
Delegate access to entrypoints via SCM rights This patch eliminates the thread ID portion of the 'Native_capability' type. The access to entrypoints is now exclusively handled by passing socket descripts over Unix domain sockets and by inheriting the socket descriptor of the parent entrypoint at process-creation time. Each entrypoint creates a socket pair. The server-side socket is bound to a unique name defined by the server. The client-side socket is then connected to the same name. Whereas the server-side socket is meant to be exclusively used by the server to wait for incoming requests, the client-side socket can be delegated to other processes as payload of RPC messages (via SCM rights). Anyone who receives a capability over RPC receives the client-side socket of the entrypoint to which the capability refers. Given this socket descriptor, the unique name (as defined by the server) can be requested using 'getpeername'. Using this name, it is possible to compare socket descriptors, which is important to avoid duplicates from polluting the limited socket-descriptor name space. Wheras this patch introduces capability-based delegation of access rights to entrypoints, it does not cover the protection of the integrity of RPC objects. RPC objects are still referenced by a global ID passed as normal message payload.
2012-08-08 22:01:04 +02:00
if (_reply_needed)
lx_reply(Ipc_ostream::_dst.dst().socket, *_snd_msg, _write_offset);
Imported Genode release 11.11
2011-12-22 16:19:25 +01:00
_wait();
}
Ipc_server::Ipc_server(Msgbuf_base *snd_msg, Msgbuf_base *rcv_msg)
linux: Remove socket member from 'Native_thread' The only information needed per thread is whether the thread plays the role of an 'Ipc_server' or not. We encode this information using a bool value.
2012-07-26 19:22:55 +02:00
:
Ipc_istream(rcv_msg),
Ipc_ostream(Native_capability(), snd_msg), _reply_needed(false)
Imported Genode release 11.11
2011-12-22 16:19:25 +01:00
{
linux: Remove socket member from 'Native_thread' The only information needed per thread is whether the thread plays the role of an 'Ipc_server' or not. We encode this information using a bool value.
2012-07-26 19:22:55 +02:00
Thread_base *thread = Thread_base::myself();
/*
* If 'thread' is 0, the constructor was called by the main thread. By
* definition, main is never an RPC entrypoint. However, the main thread
* may call 'sleep_forever()', which instantiates 'Ipc_server'.
*/
if (thread && thread->tid().is_ipc_server) {
Linux: Robustness of socket life-time management This patch improves the life-time management of socket descriptors and addresses several corner cases exposed by the 'bomb' test. The lookup and association of file descriptors with global IDs have been turned into an atomic operation. Otherwise, multiple threads interacting with the singleton 'ep_sd_registry' may override each other's associations. Closing the socket pair used for the reply channel has been implemented via the RAII pattern to capture all corner cases, in particular exceptions. If blocking operations are interrupted by signals, we throw a 'Blocking_canceled' exception. We preserve core's socket descriptor at 'PARENT_SOCKET_HANDLE' to avoid a corner case where the parent capability is going to dup2'ed to the same handle. Support for 'Thread_base::join' within core to enable leaving Genode via Control-C.
2012-11-26 20:30:35 +01:00
PRAW("[%d] unexpected multiple instantiation of Ipc_server by one thread",
lx_gettid());
linux: Remove socket member from 'Native_thread' The only information needed per thread is whether the thread plays the role of an 'Ipc_server' or not. We encode this information using a bool value.
2012-07-26 19:22:55 +02:00
struct Ipc_server_multiple_instance { };
throw Ipc_server_multiple_instance();
}
Create entrypoint sockets in core only This patch alleviates the need for any non-core process to create Unix domain sockets locally. All sockets used for RPC communication are created by core and subsequently passed to the other processes via RPC or the parent interface. The immediate benefit is that no process other than core needs to access the 'rpath' directory in order to communicate. However, access to 'rpath' is still needed for accessing dataspaces. Core creates one socket pair per thread on demand on the first call of the 'Linux_cpu_session::server_sd()' or 'Linux_cpu_session::client_sd()' functions. 'Linux_cpu_session' is a Linux-specific extension to the CPU session interface. In addition to the socket accessors, the extension provides a mechanism to register the PID/TID of a thread. Those information were formerly propagated into core along with the thread name as argument to 'create_thread()'. Because core creates socket pairs for entrypoints, it needs to know all threads that are potential entrypoints. For lx_hybrid programs, we hadn't had propagated any thread information into core, yet. Hence, this patch also contains the code for registering threads of hybrid applications at core.
2012-08-09 16:52:47 +02:00
if (thread) {
_rcv_cs = server_socket_pair();
linux: Remove socket member from 'Native_thread' The only information needed per thread is whether the thread plays the role of an 'Ipc_server' or not. We encode this information using a bool value.
2012-07-26 19:22:55 +02:00
thread->tid().is_ipc_server = true;
Create entrypoint sockets in core only This patch alleviates the need for any non-core process to create Unix domain sockets locally. All sockets used for RPC communication are created by core and subsequently passed to the other processes via RPC or the parent interface. The immediate benefit is that no process other than core needs to access the 'rpath' directory in order to communicate. However, access to 'rpath' is still needed for accessing dataspaces. Core creates one socket pair per thread on demand on the first call of the 'Linux_cpu_session::server_sd()' or 'Linux_cpu_session::client_sd()' functions. 'Linux_cpu_session' is a Linux-specific extension to the CPU session interface. In addition to the socket accessors, the extension provides a mechanism to register the PID/TID of a thread. Those information were formerly propagated into core along with the thread name as argument to 'create_thread()'. Because core creates socket pairs for entrypoints, it needs to know all threads that are potential entrypoints. For lx_hybrid programs, we hadn't had propagated any thread information into core, yet. Hence, this patch also contains the code for registering threads of hybrid applications at core.
2012-08-09 16:52:47 +02:00
}
Imported Genode release 11.11
2011-12-22 16:19:25 +01:00
Support for socket-descriptor marshalling This patch adds prinicipal support for transmitting socket descriptors as RPC payload. Socket descriptors are handled by the linux-specific implementation of the capability marshalling and unmarshalling functions in 'ipc.h'. The 'Message' type in 'src/platform/linux_socket.h' has been extended to carry multiple descriptors in a single message. Unfortuately, we hit a problem (and potential show stopper) here: lx_sendmsg failed with -109 in lx_call() The error code corresponds to ETOOMANYREFS. There is only one place in the Linux kernel where this error code is used (net/unix/af_unix.c). The code for 'unix_attach_fds()' suggests that there is a limit with regard to the maximum number of references for a given Unix domain socket. When the error occurs, core and init are running. The socket of core's server entrypoint is present in the '/proc/pid/fd' of those processes 8 times. The error occurs when core tries to perform an RPC to the entrypoint to perform 'Ram_session::transfer_quota()' (base/include/base/child.h at line 248).
2012-07-26 20:29:45 +02:00
/* override capability initialization performed by 'Ipc_istream' */
*static_cast<Native_capability *>(this) =
Delegate access to entrypoints via SCM rights This patch eliminates the thread ID portion of the 'Native_capability' type. The access to entrypoints is now exclusively handled by passing socket descripts over Unix domain sockets and by inheriting the socket descriptor of the parent entrypoint at process-creation time. Each entrypoint creates a socket pair. The server-side socket is bound to a unique name defined by the server. The client-side socket is then connected to the same name. Whereas the server-side socket is meant to be exclusively used by the server to wait for incoming requests, the client-side socket can be delegated to other processes as payload of RPC messages (via SCM rights). Anyone who receives a capability over RPC receives the client-side socket of the entrypoint to which the capability refers. Given this socket descriptor, the unique name (as defined by the server) can be requested using 'getpeername'. Using this name, it is possible to compare socket descriptors, which is important to avoid duplicates from polluting the limited socket-descriptor name space. Wheras this patch introduces capability-based delegation of access rights to entrypoints, it does not cover the protection of the integrity of RPC objects. RPC objects are still referenced by a global ID passed as normal message payload.
2012-08-08 22:01:04 +02:00
Native_capability(Native_capability::Dst(_rcv_cs.client_sd), 0);
Support for socket-descriptor marshalling This patch adds prinicipal support for transmitting socket descriptors as RPC payload. Socket descriptors are handled by the linux-specific implementation of the capability marshalling and unmarshalling functions in 'ipc.h'. The 'Message' type in 'src/platform/linux_socket.h' has been extended to carry multiple descriptors in a single message. Unfortuately, we hit a problem (and potential show stopper) here: lx_sendmsg failed with -109 in lx_call() The error code corresponds to ETOOMANYREFS. There is only one place in the Linux kernel where this error code is used (net/unix/af_unix.c). The code for 'unix_attach_fds()' suggests that there is a limit with regard to the maximum number of references for a given Unix domain socket. When the error occurs, core and init are running. The socket of core's server entrypoint is present in the '/proc/pid/fd' of those processes 8 times. The error occurs when core tries to perform an RPC to the entrypoint to perform 'Ram_session::transfer_quota()' (base/include/base/child.h at line 248).
2012-07-26 20:29:45 +02:00
Imported Genode release 11.11
2011-12-22 16:19:25 +01:00
_prepare_next_reply_wait();
}