ktrace: Record cpuset violations with KTR_CAPFAIL
ClosedPublic
Actions

Authored by jfree on Jun 20 2023, 10:04 PM.

Details

Reviewers

markj

Commits

rG96c8b3e50988: ktrace: Record cpuset violations with KTR_CAPFAIL

Summary

Report Capsicum violations in the cpuset namespace with CAPFAIL_CPUSET.

Programs that are not yet Capsicumized may be traced to discover
potential capability failures. With `ktrace -t p` and kdump, you
are given a list of syscalls as a starting point for program
Capsicumization.

Diff Detail

Repository

rG FreeBSD src repository

Lint

Lint Not Applicable

Unit

Tests Not Applicable

Event Timeline

jfree created this revision.Jun 20 2023, 10:04 PM

Herald added a subscriber: imp. · View Herald TranscriptJun 20 2023, 10:04 PM

jfree requested review of this revision.Jun 20 2023, 10:04 PM

jfree added a parent revision: D40676: ktrace: Record detailed ECAPMODE violations.Jun 20 2023, 10:21 PM

markj added inline comments.Sep 28 2023, 4:20 PM

sys/kern/kern_cpuset.c
1803	Rather than duplicating all of these conditions, I'd suggest lifting them into a function `bool cpuset_capmode_allowed(level, which, id)` and call that from this function.

It feels wrong to return inside of a macro, but I did not see any comments about it in style(9). This seems to be the solution that is most elegant in minimizing code duplication. Let me know your thoughts.

Actually, scratch that. I just understood your comment and this is a better solution.

As a side note though... Is returning in macros usually frowned upon?

jfree marked an inline comment as done.Jan 7 2024, 8:24 AM

In D40677#988077, @jfree wrote:

Actually, scratch that. I just understood your comment and this is a better solution.

As a side note though... Is returning in macros usually frowned upon?

I would frown at that. :) It introduces hidden control flow which makes it hard to see quickly what a function does.

Consider the common case where a function allocates some memory and is supposed to free it before returning: if I'm reviewing the code and want to verify it behaves properly with respect to that free() call, it's much easier to check if I just have to look for the "return" keyword in the function.

Once in a while it's handy, but it should be avoided if possible.

sys/kern/kern_cpuset.c
1793	Note that you've factored the caller such that cpuset_capmode_allowed() isn't really required now: you could inline it into the caller without introducing code duplication. But I would keep this as it is: cpuset_capmode_allowed() is a pure function, and IMO it's good style to factor those out when possible. (cpuset_check_capabilities() itself is not a pure function because it may call ktrcapfail(), which logs to a ktrace buffer.)

This revision is now accepted and ready to land.Jan 8 2024, 2:55 PM

In D40677#988214, @markj wrote:

I would frown at that. :) It introduces hidden control flow which makes it hard to see quickly what a function does.

Consider the common case where a function allocates some memory and is supposed to free it before returning: if I'm reviewing the code and want to verify it behaves properly with respect to that free() call, it's much easier to check if I just have to look for the "return" keyword in the function.

Once in a while it's handy, but it should be avoided if possible.

Thanks for the explanation. These things seem obvious once you know them, but it is sometimes hard to reason if you don't. I think in most cases, it is possible to rearrange a function to remove a macro that returns anyway. That's what lead me to explore other solutions.

Closed by commit rG96c8b3e50988: ktrace: Record cpuset violations with KTR_CAPFAIL (authored by jfree). · Explain WhySun, Apr 7, 11:58 PM

This revision was automatically updated to reflect the committed changes.

jfree added a commit: rG96c8b3e50988: ktrace: Record cpuset violations with KTR_CAPFAIL.

Herald added a subscriber: olce. · View Herald TranscriptSun, Apr 7, 11:58 PM