rwatson (Robert Watson)
User

Projects (8)

User Details

User Since
Jul 28 2014, 7:43 PM (156 w, 1 d)

Recent Activity

May 22 2017

rwatson accepted D10850: disallow open(2) in capability mode.

Sounds plausible, but I do wonder if the sysctl is currently a sufficiently mature way to enable application development. Enabling it requires root, so it's not directly usable by end users on multiuser systems, and it also has global scope rather than just affecting applications that the developer is working on, which could change failure modes for a range of applications (such as desktop applications) that the developer has no interest in debugging and fixing. Is there some other mechanism we can add -- e.g., using ptrace(2) -- or setting an environmental variable that causes rtld to itself twiddle a per-process setting, that might offer a better real-world debugging experience?

May 22 2017, 6:33 AM

May 18 2017

rwatson added a reviewer for D10776: Make Capsicum obligatory.: bz.
May 18 2017, 3:24 PM

May 13 2017

rwatson added a comment to D9030: Create new fexecve() variant with explicit interpreter.

One aspect I've been struggling with in this approach is duplication of the logic to find run-time linkers -- i.e., shifting responsibility for ELF header parsing from the kernel to userspace, which seems generally undesirable. One possibility might be to pass a capability to a directory relative to which the kernel should look for the interpreter. This would fail to address the "use a run-time linker other than the one in the binary" use case, but would allow the kernel to continue to own ELF header processing (and similar for non-ELF binaries).

May 13 2017, 10:59 AM

May 1 2017

rwatson added a comment to D10460: ext2fs: RW support for Extended Attributes.

FYI, there is another important semantic difference between BSD and Linux extended attributes. In FreeBSD, ACLs are exposed (and manipulated) via separate vnode operations in VFS, and similarly ACL system calls, since our VFS is ACL-aware, whereas in Linux, they use the extended attribute system calls and inode operations to carry a variety of metadata including ACLs. As such, if extfs is implementing ACLs, we'll want a wrapper that maps them to/from FreeBSD ACL vnode operations on the way through. There is arguably a desire to do something similar in the linuxulator to ensure that ACL operations enter our VFS as ACL operations rather than EA operations.

May 1 2017, 5:38 PM

Apr 22 2017

rwatson added a comment to D10460: ext2fs: RW support for Extended Attributes.

The expert on the UFS2 extattr code is phk, who wrote it. I believe UFS2 generally relies on the buffer cache to cache the extattr block associated with an inode, so that it follows normal LRU-like eviction rules, etc. I believe that the only time UFS2 keeps extattr data hung off the inode in a special in-memory buffer is during a multi-operation transaction started by VOP_OPENEXTATTR and a corresponding later VOP_CLOSEXTATTR. Between those two VOPs, if a buffer is present, writes occur against the buffer rather than against the buffer cache, allowing the writes to be batched atomically. Otherwise, I believe that UFS2 will simply issue updates to bits of buffer-cache-resident extattr data. Take a look at ffs_extread and ffs_extwrite for details.

Apr 22 2017, 4:22 PM
rwatson added a comment to D10460: ext2fs: RW support for Extended Attributes.

FYI, the ufs_extattr.c implementation is for UFS1 only, where there isn't in-layout storage for attributes. UFS2 uses code in ffs_vnops.c, relying on an additional block hung off the inode, and is probably a better reference for this work. The UFS implementation provides transaction-like semantics for multi-EA update -- hence the open/close behaviour. That is desirable when working with multiple simultaneous MAC policies that are each adding metadata in different attributes. I'm not sure how useful that will be to FreeBSD ext2fs users in practice, but it is the semantics in our VFS as a result -- and is what implies the in-memory copy so that we can atomically commit all the updates. I wonder if the 'default' mapping for ext2_extattr_index_to_linux() is safe..? I'm not sure what namespaces exist in Linux these days, but it might be that one prefers to be conservative and protect non-user namespaces from access by unprivileged users.

Apr 22 2017, 3:49 PM

Apr 18 2017

rwatson added a comment to D10170: Capsicumize cpuset_*.

FYI, it may be desirable to add a note about scoping of cpuset*(2) to the capsicum(4) man page. We should probably extend that man page in other ways to describe other sorts of scoping in place, but that's a separate task...

Apr 18 2017, 7:36 AM
rwatson updated subscribers of D10170: Capsicumize cpuset_*.
Apr 18 2017, 7:19 AM

Apr 13 2017

rwatson added inline comments to D10385: Remove many write-only variables from kernel.
Apr 13 2017, 7:38 PM
rwatson added inline comments to D10385: Remove many write-only variables from kernel.
Apr 13 2017, 6:33 PM
rwatson added inline comments to D10385: Remove many write-only variables from kernel.
Apr 13 2017, 6:04 PM

Apr 11 2017

rwatson added a comment to D10351: Restore ability to shutdown datagram sockets.

I'm not sure I approve of calling a local variable 'fakeerror'. Given that the only value it can take on is ENOTCONN, how about making it a boolean 'soerror_enotconn'?

Apr 11 2017, 7:19 PM
rwatson added a comment to D3039: Make shutdown() return ENOTCONN as required by POSIX, part deux..

Note that this is not the complete story: There's a separate issue with "interrupting" threads already blocked in I/O on sockets at shutdown(2) time. Lack of that support causes a test failure in the Java test suite (if I recall) because calling shutdown(2) on a socket from one thread while another thread is blocked in read(2)/recv(2) or write(2)/send(2) will not interrupt the blocked thread. This is due to the way we do locking and reference counting on file descriptors and sockets.

Apr 11 2017, 1:17 PM

Apr 4 2017

rwatson added inline comments to D10170: Capsicumize cpuset_*.
Apr 4 2017, 3:45 PM
rwatson added a comment to D10170: Capsicumize cpuset_*.

I like the overall approach especially after various changes to do the checks only in the system calls themselves, not in the common helper functions.

Apr 4 2017, 3:21 PM

Apr 3 2017

rwatson added a reviewer for D9618: xDMA support for atse(4): bz.
Apr 3 2017, 2:29 PM
rwatson committed rS316450: Break audit_bsm_klib.c into two files: one (audit_bsm_klib.c).
Break audit_bsm_klib.c into two files: one (audit_bsm_klib.c)
Apr 3 2017, 10:16 AM

Mar 31 2017

rwatson accepted D10227: Correct a kernel stack leak in 32-bit compat when vfc_name is short..

Seems sensible.

Mar 31 2017, 9:37 PM
rwatson committed rS316339: Currently, less(1) uses K&R prototypes, which both fails to provide useful.
Currently, less(1) uses K&R prototypes, which both fails to provide useful
Mar 31 2017, 9:30 PM
rwatson closed D10152: Use contemporary C function prototypes with less(1). by committing rS316339: Currently, less(1) uses K&R prototypes, which both fails to provide useful.
Mar 31 2017, 9:30 PM
rwatson updated the diff for D10152: Use contemporary C function prototypes with less(1)..

Two whitespace fixes requested by @emaste.

Mar 31 2017, 7:59 PM
rwatson updated the diff for D10152: Use contemporary C function prototypes with less(1)..

Catch a couple of further instances of K&R prototypes not caught by current
compiler warnings.

Mar 31 2017, 7:56 PM
rwatson updated the diff for D10152: Use contemporary C function prototypes with less(1)..

Line wrap two overlong lines (with new type information) to 80 characters.

Mar 31 2017, 7:24 PM
rwatson committed rS316334: Audit arguments to posix_fallocate(2) and posix_fadvise(2) system calls..
Audit arguments to posix_fallocate(2) and posix_fadvise(2) system calls.
Mar 31 2017, 2:18 PM
rwatson committed rS316333: Correct macro names and signatures for !AUDIT versions of canonical.
Correct macro names and signatures for !AUDIT versions of canonical
Mar 31 2017, 2:14 PM
rwatson committed rS316332: Audit arguments to POSIX message queues, semaphores, and shared memory..
Audit arguments to POSIX message queues, semaphores, and shared memory.
Mar 31 2017, 1:43 PM

Mar 30 2017

rwatson committed rS316308: Audit arguments to System V IPC system calls implementing semaphores,.
Audit arguments to System V IPC system calls implementing semaphores,
Mar 30 2017, 10:27 PM
rwatson committed rS316307: Add system-call argument auditing for ACL-related system calls..
Add system-call argument auditing for ACL-related system calls.
Mar 30 2017, 10:01 PM
rwatson committed rS316305: Various BSM generation improvements when auditing AUE_ACCEPT,.
Various BSM generation improvements when auditing AUE_ACCEPT,
Mar 30 2017, 9:41 PM
rwatson committed rS316271: Don't ifdef KDTRACE_HOOKS struct, variable, and function prototype.
Don't ifdef KDTRACE_HOOKS struct, variable, and function prototype
Mar 30 2017, 12:36 PM

Mar 29 2017

rwatson committed rS316185: When handling msgsys(2), semsys(2), and shmsys(2) multiplex system calls,.
When handling msgsys(2), semsys(2), and shmsys(2) multiplex system calls,
Mar 29 2017, 11:32 PM
rwatson committed rS316182: Hook up new audit event identifiers for various non-Orange Book/CAPP.
Hook up new audit event identifiers for various non-Orange Book/CAPP
Mar 29 2017, 10:35 PM
rwatson committed rS316176: Add an experimental DTrace audit provider, which allows users of DTrace to.
Add an experimental DTrace audit provider, which allows users of DTrace to
Mar 29 2017, 7:59 PM
rwatson closed D10149: DTrace Audit Provider Prototype by committing rS316176: Add an experimental DTrace audit provider, which allows users of DTrace to.
Mar 29 2017, 7:59 PM
rwatson added a comment to D10149: DTrace Audit Provider Prototype.

We are probably now at a commit candidate, if various reviewers wouldn't mind checking that they are happy with how the patch has ended up looking?

Mar 29 2017, 3:48 PM
rwatson updated the diff for D10149: DTrace Audit Provider Prototype.

Restore higher stability level for DTrace probes, as otherwise the
DTrace command-line tool will reject use of the probes in its default
mode.

Mar 29 2017, 3:20 PM
rwatson added inline comments to D10149: DTrace Audit Provider Prototype.
Mar 29 2017, 1:20 PM
rwatson updated the diff for D10149: DTrace Audit Provider Prototype.

Address a number of reviewer comments from @jonathan, @markj for dtaudit.

Mar 29 2017, 12:59 PM
rwatson added inline comments to D10149: DTrace Audit Provider Prototype.
Mar 29 2017, 12:35 PM
rwatson added inline comments to D10149: DTrace Audit Provider Prototype.
Mar 29 2017, 10:31 AM
rwatson added a comment to D10149: DTrace Audit Provider Prototype.

Thanks for these reviews; will make various changes and update the patch soon.

Mar 29 2017, 10:20 AM

Mar 28 2017

rwatson updated the diff for D10152: Use contemporary C function prototypes with less(1)..

Further updates to constant use in less(1) using a more recent LLVM.

Mar 28 2017, 11:25 PM

Mar 27 2017

rwatson created D10152: Use contemporary C function prototypes with less(1)..
Mar 27 2017, 6:28 PM
rwatson updated the diff for D10149: DTrace Audit Provider Prototype.

Minor update: remove unneeded #include that snuck in.

Mar 27 2017, 12:42 PM
rwatson added a reviewer for D10149: DTrace Audit Provider Prototype: DTrace.
Mar 27 2017, 11:55 AM
rwatson created D10149: DTrace Audit Provider Prototype.
Mar 27 2017, 11:55 AM
rwatson committed rS316018: Introduce an audit event identifier -> audit event name mapping.
Introduce an audit event identifier -> audit event name mapping
Mar 27 2017, 10:39 AM
rwatson committed rS316015: Extend comment describing path canonicalisation in audit..
Extend comment describing path canonicalisation in audit.
Mar 27 2017, 8:29 AM

Mar 26 2017

rwatson committed rS316006: Merge OpenBSM 1.2-alpha5 from vendor branch to FreeBSD -CURRENT:.
Merge OpenBSM 1.2-alpha5 from vendor branch to FreeBSD -CURRENT:
Mar 26 2017, 9:15 PM
rwatson committed rS316004: Slightly improve consistency of "fooint" vs "foo_int" in DPCPU(9) examples..
Slightly improve consistency of "fooint" vs "foo_int" in DPCPU(9) examples.
Mar 26 2017, 8:24 PM
rwatson added a comment to D10048: Replace the kernel RC4 with Chacha20..

FYI, I have now committed a man page for DPCPU(9) in r316003. It includes some (safe?) synchronisation patterns in its example code.

Mar 26 2017, 8:16 PM
rwatson committed rS316003: Add a man page for the kernel's dynamic per-CPU memory allocator..
Add a man page for the kernel's dynamic per-CPU memory allocator.
Mar 26 2017, 8:15 PM
rwatson added a comment to D10048: Replace the kernel RC4 with Chacha20..

RWatson: Not to get picky or anything, but there was already a malloc() in that place.

Mar 26 2017, 6:52 PM
rwatson added a comment to D10048: Replace the kernel RC4 with Chacha20..

Your commit introduces per-CPU memory allocation.

Where?

M

Mar 26 2017, 6:04 PM
rwatson committed rS315990: Provide proper contemporary function prototypes for many of the functions.
Provide proper contemporary function prototypes for many of the functions
Mar 26 2017, 5:23 PM
rwatson added a comment to D10048: Replace the kernel RC4 with Chacha20..

This is correct: you must make sure that you continue to access state on the CPU for which you acquired a mutex -- e.g., by caching a pointer to the per-CPU state you are accessing, in case migration takes place.

But that is racey. Preemption can in theory occur straight after I have verified that it hasn't. Looks like I need to use critical regions for now. I can live with that if you can?

Mar 26 2017, 5:19 PM
rwatson committed rS315987: Employ contemporary function prototypes in bootpd, rather than relying on.
Employ contemporary function prototypes in bootpd, rather than relying on
Mar 26 2017, 2:37 PM
rwatson added a comment to D10048: Replace the kernel RC4 with Chacha20..
  • I feel that using sleepable mutexes here is fine -- the difference in performance is negligible on most contemporary microarchitectures, and there is an argument for moving some of our other critical sections to being mutexes (e.g., per-CPU UMA caches).

I'm concerned about cpu migration. Mutexes don't guarantee that a thread will stay on the same cpu, right?

Mar 26 2017, 12:08 PM
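The two D10048 comments above (migration concern, and the advice to cache a pointer to the per-CPU state rather than re-deriving curcpu after taking the lock) describe a pattern that is easy to get wrong. The following is an added userspace model, not FreeBSD kernel code or anything from the review: curcpu(), the per-CPU lock and migration are simulated so the defect can be exercised deterministically, and the scenario knob forces a migration immediately after the lock is taken. Names such as pcpu_lock() and run_scenario() are invented for the example.

```c
#include <stdio.h>
#include <string.h>

/* Added example (not FreeBSD code): a model of accessing per-CPU state
 * under a per-CPU lock when the thread may migrate between CPUs. */
#define NCPU 4

struct pcpu_state {
	int		locked;		/* simulated per-CPU mutex: 1 if held */
	unsigned long	counter;	/* the per-CPU data being updated */
};

static struct pcpu_state pcpu[NCPU];
static int sim_curcpu;			/* CPU the thread currently runs on */
static int sim_migrate_after_lock;	/* scenario knob: migrate after lock */
static int violations;			/* unlocked touches plus leaked locks */

static int
curcpu(void)
{
	return (sim_curcpu);
}

static void
pcpu_lock(struct pcpu_state *p)
{
	p->locked = 1;
	/* A mutex does not pin the thread: migration may follow at once. */
	if (sim_migrate_after_lock)
		sim_curcpu = (sim_curcpu + 1) % NCPU;
}

static void
pcpu_unlock(struct pcpu_state *p)
{
	p->locked = 0;
}

/* The update itself; counts a violation if the lock for p is not held. */
static void
pcpu_touch(struct pcpu_state *p)
{
	if (!p->locked)
		violations++;
	p->counter++;
}

/* Buggy: re-derives curcpu() after the lock, so a migration in between
 * touches another CPU's state and leaks the lock that was taken. */
void
increment_buggy(void)
{
	pcpu_lock(&pcpu[curcpu()]);
	pcpu_touch(&pcpu[curcpu()]);
	pcpu_unlock(&pcpu[curcpu()]);
}

/* Correct: cache the pointer once; later migration is harmless because
 * every access goes to the state whose lock is actually held. */
void
increment_safe(void)
{
	struct pcpu_state *p;

	p = &pcpu[curcpu()];
	pcpu_lock(p);
	pcpu_touch(p);
	pcpu_unlock(p);
}

/* Run one scenario from a clean state; return the violations detected. */
int
run_scenario(int migrate, int use_safe)
{
	int i;

	memset(pcpu, 0, sizeof(pcpu));
	sim_curcpu = 0;
	sim_migrate_after_lock = migrate;
	violations = 0;
	if (use_safe)
		increment_safe();
	else
		increment_buggy();
	for (i = 0; i < NCPU; i++) {	/* any lock still held was leaked */
		if (pcpu[i].locked)
			violations++;
		pcpu[i].locked = 0;
	}
	return (violations);
}

int
main(void)
{
	printf("buggy, no migration:   %d violations\n", run_scenario(0, 0));
	printf("buggy, with migration: %d violations\n", run_scenario(1, 0));
	printf("safe,  with migration: %d violations\n", run_scenario(1, 1));
	return (0);
}
```

With migration forced, the buggy variant reports two violations (an update to a CPU's state without its lock, and the original lock left held); the cached-pointer variant reports none. The alternative raised in the thread, a critical section around the whole access, removes the migration window instead of tolerating it.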

Mar 23 2017

rwatson committed rS315862: In libcasper, prefer to send a function index or service name over the IPC.
In libcasper, prefer to send a function index or service name over the IPC
Mar 23 2017, 2:35 PM
rwatson requested changes to D10048: Replace the kernel RC4 with Chacha20..

Just a few quick comments:

Mar 23 2017, 11:06 AM

Mar 15 2017

rwatson added a comment to D10013: Add support for syscall::*fork:return probes in both parent and child..

How does this play out with non-native ABIs (e.g., the Linux emulator) -- I thought SYS_fork (etc) were ABI-specific system-call numbers?

Mar 15 2017, 9:16 PM

Mar 13 2017

rwatson added a comment to D9987: Add support for syscall::*fork:return tracing in DTrace.

It would be more tempting to add the systrace_probe_func invocation at the end of fork_return() where the similar KTRACE probe fires (for similar reasons). Take a look at the call to ktrsysret(SYS_fork, 0, 0); for details.

Mar 13 2017, 2:24 PM

Mar 4 2017

rwatson added a comment to D9721: Add netisr queue for deferred IPsec processing to reduce kernel stack requirements.

This seems like a sensible general change. I'm quite surprised it wasn't this way already (.. and sort of misremembered that it was -- IPSEC should always have been using the netisr...).

Mar 4 2017, 8:57 AM

Feb 7 2017

rwatson added a comment to D9465: Remove unnecessary ifdef soup from struct tcpcb.

I like the idea, and encourage you to proceed, but be aware that struct tcpcb is part of the user-visible ABI for monitoring tools (sigh). Someone should restock our supplies of padding someday.

Feb 7 2017, 1:24 PM

Jan 28 2017

rwatson committed rS312922: Merge enhancements to the ALTERA Avalon bus generic device attachment.
Merge enhancements to the ALTERA Avalon bus generic device attachment
Jan 28 2017, 1:25 PM
rwatson committed rS312920: Merge robustness improvements for the ALTERA JTAG UART driver from.
Merge robustness improvements for the ALTERA JTAG UART driver from
Jan 28 2017, 12:43 PM
rwatson committed rS312919: Fix build of aio_test on MIPS, where the compiler warns about the local.
Fix build of aio_test on MIPS, where the compiler warns about the local
Jan 28 2017, 12:26 PM
rwatson committed rS312918: As with GENERIC on other architectures, include COMPAT_FREEBSD10 and.
As with GENERIC on other architectures, include COMPAT_FREEBSD10 and
Jan 28 2017, 11:39 AM

Jan 9 2017

rwatson added a comment to D9096: Add Recursive Functionality to setfacl(1).

Adding "-R" support is a good idea.

Jan 9 2017, 3:35 AM

Jan 6 2017

rwatson added a comment to D9053: Remove writability requirement for single-mbuf, contiguous-range m_pulldown().

I'm not sure if consumers of m_pulldown() make assumptions about writability or not. The man page doesn't mention that they should (or not) but this is more of an empirical question. As I recall, m_pulldown() is particularly popular in IPv6, so tagging Bjoern to perhaps take a look at this and see what he thinks.

Jan 6 2017, 7:11 PM
rwatson added a reviewer for D9053: Remove writability requirement for single-mbuf, contiguous-range m_pulldown(): bz.
Jan 6 2017, 7:11 PM
rwatson accepted D9066: Update shm_open.2.

Seems reasonable to me!

Jan 6 2017, 6:46 PM

Dec 7 2016

rwatson committed rS309678: Regenerate system-call definitions following r309677 correcting a whitespace.
Regenerate system-call definitions following r309677 correcting a whitespace
Dec 7 2016, 4:12 PM
rwatson committed rS309677: Replace spaces with tabs in definition of SCTP system calls, for consistency.
Replace spaces with tabs in definition of SCTP system calls, for consistency
Dec 7 2016, 4:12 PM

Nov 30 2016

rwatson committed rS309326: Clarify warning message when failing to configure audit on user login:.
Clarify warning message when failing to configure audit on user login:
Nov 30 2016, 2:02 PM

Nov 22 2016

rwatson committed rS308947: Audit 'fd' and 'cmd' arguments to fcntl(2), and when generating BSM,.
Audit 'fd' and 'cmd' arguments to fcntl(2), and when generating BSM,
Nov 22 2016, 12:41 AM

Nov 5 2016

rwatson committed rS308323: Unshackle jonathan from the chains of mentorship: he has [more than] done.
Unshackle jonathan from the chains of mentorship: he has [more than] done
Nov 5 2016, 1:02 AM

Oct 20 2016

rwatson accepted D4339: Add suffix rules for LLVM IR and bitcode..

Mentor approval granted. (NB: not a technical review, but existing technical reviews here look good to go!)

Oct 20 2016, 1:55 PM

Oct 7 2016

rwatson added inline comments to D8110: Allow some dotdot lookups in capability mode..
Oct 7 2016, 3:11 PM · capsicum

Oct 5 2016

rwatson added a comment to D8110: Allow some dotdot lookups in capability mode..

Overall I like this approach, but there's an important experimental question as to whether this enables all the use cases we care about -- and, more generally, whether there are visible failure modes that might surprise application programmers. We also need to think quite hard to convince ourselves this maintains safe operation. Getting Jon Anderson, Ben Laurie, and David Drysdale to review the approach would be very useful.

Oct 5 2016, 12:02 PM · capsicum
rwatson added a comment to D8110: Allow some dotdot lookups in capability mode..
In D8110#168999, @kib wrote:

Implement Jonathan Anderson suggestion of checking the result of dotdot lookup against the recorded list of traversed vnodes. Drop rename notifications. Check for dotdot vnodes living on local fs.

Oct 5 2016, 10:31 AM · capsicum
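The two D8110 comments above concern letting ".." through in capability mode only when the lookup cannot climb above the directory the capability names, by checking each dotdot result against the record of directories traversed so far. The following is an added lexical model of that idea, not the kernel's code or anything from the review: it records each traversed component on a stack, pops one per "..", and refuses a ".." that has nothing left to pop. The kernel compares the vnode returned by the ".." lookup against the recorded vnodes instead, which is what makes the check hold across symlinks and mount points that a purely lexical walk cannot see; the local-filesystem restriction mentioned in the update is likewise not modelled here. The function name is invented for the example.

```c
#include <stdio.h>
#include <string.h>

/* Added example (not the kernel's code): lexical containment check for a
 * relative path, refusing any ".." that would climb above the root. */
#define MAX_DEPTH 64

/*
 * Returns 1 if 'path' (relative to the capability's directory) stays
 * within it and writes the normalised path to 'out'; returns 0 if it
 * would escape, is absolute, or does not fit in 'out'.
 */
int
path_stays_within_root(const char *path, char *out, size_t outlen)
{
	const char *comp[MAX_DEPTH];
	size_t len[MAX_DEPTH], n, pos;
	const char *p, *start;
	int depth, i;

	if (path[0] == '/')
		return (0);	/* absolute paths are not relative to the cap */
	depth = 0;
	for (p = path; *p != '\0'; ) {
		while (*p == '/')
			p++;
		if (*p == '\0')
			break;
		start = p;
		while (*p != '\0' && *p != '/')
			p++;
		n = (size_t)(p - start);
		if (n == 1 && start[0] == '.')
			continue;		/* "." changes nothing */
		if (n == 2 && start[0] == '.' && start[1] == '.') {
			if (depth == 0)
				return (0);	/* would climb above the root */
			depth--;		/* back to the recorded parent */
			continue;
		}
		if (depth == MAX_DEPTH)
			return (0);
		comp[depth] = start;	/* record the traversed component */
		len[depth] = n;
		depth++;
	}
	pos = 0;
	for (i = 0; i < depth; i++) {
		if (pos + len[i] + 2 > outlen)
			return (0);
		if (i > 0)
			out[pos++] = '/';
		memcpy(out + pos, comp[i], len[i]);
		pos += len[i];
	}
	out[pos] = '\0';
	return (1);
}

int
main(void)
{
	/* Constructed sample paths for the demonstration. */
	const char *tests[] = {
		"a/b/../c", "./a//b/./", "a/../..", "../etc/passwd", "/etc/passwd"
	};
	char out[256];
	size_t i;

	for (i = 0; i < sizeof(tests) / sizeof(tests[0]); i++) {
		if (path_stays_within_root(tests[i], out, sizeof(out)))
			printf("%-16s -> ok: %s\n", tests[i], out);
		else
			printf("%-16s -> refused\n", tests[i]);
	}
	return (0);
}
```

The first two sample paths are accepted and normalised; the remaining three are refused, the last because capability-mode lookups are relative to a directory descriptor and an absolute path has no such anchor.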

Oct 3 2016

rwatson added inline comments to D1345: Capsicum support for jot(1).
Oct 3 2016, 8:33 AM

Oct 1 2016

rwatson added inline comments to D8110: Allow some dotdot lookups in capability mode..
Oct 1 2016, 4:00 PM · capsicum

Sep 30 2016

rwatson added a comment to D7947: Capsicumify open.2.

In general, this seems like a good idea. A bit of wordsmithing does help, and reviewing an updated commit candidate before it goes into the tree wouldn't hurt if you can tolerate another RTT with reviewers :-).

Sep 30 2016, 3:34 PM

Sep 23 2016

rwatson accepted D8000: kern_mib: Allow kern.hostname in Capsicum capability sandbox.

I'm fine with exposing the hostname here -- the goal of Capsicum has always been to be pragmatic about getting software running where it doesn't violate isolation properties. You could argue that this is an information leak and/or might cause problems for deterministic replay-style applications of Capsicum -- but I'd rather we had more code working in a sandbox. :-)

Sep 23 2016, 10:08 AM

Sep 18 2016

rwatson added reviewers for D7926: praudit(8): Capsicumify: sson, brueffer, gnn.
Sep 18 2016, 10:30 AM
rwatson added a comment to D7926: praudit(8): Capsicumify.

High-level comments rather than a detailed code review:

Sep 18 2016, 10:29 AM

Sep 13 2016

rwatson added a comment to D7878: Remove the 4.3BSD compatible macro m_copy(), use m_copym() instead.

Should we also be ditching M_COPY() and/or switching it to M_COPYM() for consistency..?

Sep 13 2016, 1:45 PM

Aug 29 2016

rwatson accepted D7682: Don't check aq64_minfree which is unsigned for negative values..

The comments could have to do with the au_qctrl structure, which uses "int", whereas the au_qctrl64 type uses "uint64_t". You can see the code handling the older structure a bit below this point, which likely has to do with compatibility with older Solaris/XNU versions rather than FreeBSD per se.

Aug 29 2016, 4:22 PM

Aug 20 2016

rwatson committed rS304544: Audit the accepted (or rejected) username argument to setlogin(2)..
Audit the accepted (or rejected) username argument to setlogin(2).
Aug 20 2016, 8:28 PM
rwatson committed rS304537: Audit additional vnode information in the implementation of the.
Audit additional vnode information in the implementation of the
Aug 20 2016, 6:52 PM

Jul 28 2016

rwatson accepted D7345: Update copyright and location of cr_can* prototypes in header files.

Looks good to me!

Jul 28 2016, 12:52 PM

Jul 15 2016

rwatson added a comment to D6799: Prepare for network stack as a module: Move protocol-specific functionality out of common jail-related source files..

I'd suggest avoiding any style changes in the initial copy of code to the new locations, so diffs can more easily be checked, and changes can be more easily merged. Apply style/comment/etc changes in a separate commit.

Jul 15 2016, 9:06 PM

Jul 11 2016

rwatson added a comment to D7188: Add missing default case to capable(..) function definition.

I think using panic() here would be preferable to KASSERT().

Jul 11 2016, 6:54 PM
rwatson committed rS302564: Add AUE_WAIT6 handling to the BSM conversion switch statement, reusing.
Add AUE_WAIT6 handling to the BSM conversion switch statement, reusing
Jul 11 2016, 1:06 PM

Jul 10 2016

rwatson committed rS302526: In process-descriptor close(2) and fstat(2), audit target process.
In process-descriptor close(2) and fstat(2), audit target process
Jul 10 2016, 2:18 PM
rwatson committed rS302525: Do allow auditing of read(2) and write(2) system calls, by assigning.
Do allow auditing of read(2) and write(2) system calls, by assigning
Jul 10 2016, 1:42 PM
rwatson committed rS302524: When mmap(2) is used with a vnode, capture vnode attributes in the.
When mmap(2) is used with a vnode, capture vnode attributes in the
Jul 10 2016, 11:49 AM
rwatson committed rS302519: Audit the file-descriptor number argument for openat(2). Remove a comment.
Audit the file-descriptor number argument for openat(2). Remove a comment
Jul 10 2016, 9:50 AM
rwatson committed rS302514: Audit file-descriptor arguments to I/O system calls such as.
Audit file-descriptor arguments to I/O system calls such as
Jul 10 2016, 8:04 AM