Index: head/lib/libc/sys/cpuset_getaffinity.2
===================================================================
--- head/lib/libc/sys/cpuset_getaffinity.2 (revision 318764)
+++ head/lib/libc/sys/cpuset_getaffinity.2 (revision 318765)
@@ -1,166 +1,172 @@ .\" Copyright (c) 2008 Christian Brueffer .\" Copyright (c) 2008 Jeffrey Roberson .\" All rights reserved. .\" .\" Redistribution and use in source and binary forms, with or without .\" modification, are permitted provided that the following conditions .\" are met: .\" 1. Redistributions of source code must retain the above copyright .\" notice, this list of conditions and the following disclaimer. .\" 2. Redistributions in binary form must reproduce the above copyright .\" notice, this list of conditions and the following disclaimer in the .\" documentation and/or other materials provided with the distribution. .\" .\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND .\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE .\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE .\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE .\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL .\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS .\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) .\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT .\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF .\" SUCH DAMAGE. 
.\" .\" $FreeBSD$ .\" -.Dd June 2, 2016 +.Dd May 23, 2017 .Dt CPUSET_GETAFFINITY 2 .Os .Sh NAME .Nm cpuset_getaffinity , .Nm cpuset_setaffinity .Nd manage CPU affinity .Sh LIBRARY .Lb libc .Sh SYNOPSIS .In sys/param.h .In sys/cpuset.h .Ft int .Fn cpuset_getaffinity "cpulevel_t level" "cpuwhich_t which" "id_t id" "size_t setsize" "cpuset_t *mask" .Ft int .Fn cpuset_setaffinity "cpulevel_t level" "cpuwhich_t which" "id_t id" "size_t setsize" "const cpuset_t *mask" .Sh DESCRIPTION .Fn cpuset_getaffinity and .Fn cpuset_setaffinity allow the manipulation of sets of CPUs available to processes, threads, interrupts, jails and other resources. These functions may manipulate sets of CPUs that contain many processes or per-object anonymous masks that effect only a single object. .Pp The valid values for the .Fa level and .Fa which arguments are documented in .Xr cpuset 2 . These arguments specify which object and which set of the object we are referring to. Not all possible combinations are valid. For example, only processes may belong to a numbered set accessed by a .Fa level argument of .Dv CPU_LEVEL_CPUSET . All resources, however, have a mask which may be manipulated with .Dv CPU_LEVEL_WHICH . .Pp Masks of type .Ft cpuset_t are composed using the .Dv CPU_SET macros. The kernel tolerates large sets as long as all CPUs specified in the set exist. Sets smaller than the kernel uses generate an error on calls to .Fn cpuset_getaffinity even if the result set would fit within the user supplied set. Calls to .Fn cpuset_setaffinity tolerate small sets with no restrictions. .Pp The supplied mask should have a size of .Fa setsize bytes. This size is usually provided by calling .Li sizeof(mask) which is ultimately determined by the value of .Dv CPU_SETSIZE as defined in .In sys/cpuset.h . .Pp .Fn cpuset_getaffinity retrieves the mask from the object specified by .Fa level , .Fa which and .Fa id and stores it in the space provided by .Fa mask . 
.Pp .Fn cpuset_setaffinity attempts to set the mask for the object specified by .Fa level , .Fa which and .Fa id to the value in .Fa mask . .Sh RETURN VALUES .Rv -std .Sh ERRORS The following error codes may be set in .Va errno : .Bl -tag -width Er .\" When changing this list, consider updating share/man/man3/pthread_create.3, .\" since that function can return any of these errors. .It Bq Er EINVAL The .Fa level or .Fa which argument was not a valid value. .It Bq Er EINVAL The .Fa mask argument specified when calling .Fn cpuset_setaffinity was not a valid value. .It Bq Er EDEADLK The .Fn cpuset_setaffinity call would leave a thread without a valid CPU to run on because the set does not overlap with the thread's anonymous mask. .It Bq Er EFAULT The mask pointer passed was invalid. .It Bq Er ESRCH The object specified by the .Fa id and .Fa which arguments could not be found. .It Bq Er ERANGE The .Fa cpusetsize was either preposterously large or smaller than the kernel set size. .It Bq Er EPERM The calling process did not have the credentials required to complete the operation. +.It Bq Er ECAPMODE +The calling process attempted to act on a process other than itself, while +in capability mode. +See +.Xr capsicum 4 . .El .Sh SEE ALSO +.Xr capsicum 4 , .Xr cpuset 1 , .Xr cpuset 2 , .Xr cpuset_getid 2 , .Xr cpuset_setid 2 , .Xr pthread_affinity_np 3 , .Xr pthread_attr_affinity_np 3 , .Xr cpuset 9 .Sh HISTORY The .Nm family of system calls first appeared in .Fx 7.1 . .Sh AUTHORS .An Jeffrey Roberson Aq Mt jeff@FreeBSD.org Index: head/share/man/man4/capsicum.4 =================================================================== --- head/share/man/man4/capsicum.4 (revision 318764) +++ head/share/man/man4/capsicum.4 (revision 318765) 
@@ -1,126 +1,136 @@ .\" .\" Copyright (c) 2011, 2013 Robert N. M. Watson .\" Copyright (c) 2011 Jonathan Anderson .\" All rights reserved. .\" .\" Redistribution and use in source and binary forms, with or without .\" modification, are permitted provided that the following conditions .\" are met: .\" 1. Redistributions of source code must retain the above copyright .\" notice, this list of conditions and the following disclaimer. .\" 2. Redistributions in binary form must reproduce the above copyright .\" notice, this list of conditions and the following disclaimer in the .\" documentation and/or other materials provided with the distribution. .\" .\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND .\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE .\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE .\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE .\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL .\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS .\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) .\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT .\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF .\" SUCH DAMAGE. .\" .\" $FreeBSD$ .\" -.Dd July 5, 2016 +.Dd May 18, 2017 .Dt CAPSICUM 4 .Os .Sh NAME .Nm Capsicum .Nd lightweight OS capability and sandbox framework .Sh SYNOPSIS .Cd "options CAPABILITY_MODE" .Cd "options CAPABILITIES" .Sh DESCRIPTION .Nm is a lightweight OS capability and sandbox framework implementing a hybrid capability system model. 
.Nm can be used for application and library compartmentalisation, the decomposition of larger bodies of software into isolated (sandboxed) components in order to implement security policies and limit the impact of software vulnerabilities. .Pp .Nm provides two core kernel primitives: .Bl -tag -width indent .It capability mode A process mode, entered by invoking .Xr cap_enter 2 , in which access to global OS namespaces (such as the file system and PID namespaces) is restricted; only explicitly delegated rights, referenced by memory mappings or file descriptors, may be used. Once set, the flag is inherited by future children processes, and may not be cleared. .It capabilities Limit operations that can be called on file descriptors. For example, a file descriptor returned by .Xr open 2 may be refined using .Xr cap_rights_limit 2 so that only .Xr read 2 and .Xr write 2 can be called, but not .Xr fchmod 2 . The complete list of the capability rights can be found in the .Xr rights 4 manual page. .El .Pp In some cases, .Nm requires use of alternatives to traditional POSIX APIs in order to name objects using capabilities rather than global namespaces: .Bl -tag -width indent .It process descriptors File descriptors representing processes, allowing parent processes to manage child processes without requiring access to the PID namespace; described in greater detail in .Xr procdesc 4 . .It anonymous shared memory An extension to the POSIX shared memory API to support anonymous swap objects associated with file descriptors; described in greater detail in .Xr shm_open 2 . +.El +.Pp +In some cases, +.Nm +limits the valid values of some parameters to traditional APIs in order to +restrict access to global namespaces: +.Bl -tag -width indent +.It process IDs +Processes can only act upon their own process ID with syscalls such as +.Xr cpuset_setaffinity 2 . 
.El .Sh SEE ALSO .Xr cap_enter 2 , .Xr cap_fcntls_limit 2 , .Xr cap_getmode 2 , .Xr cap_ioctls_limit 2 , .Xr cap_rights_limit 2 , .Xr fchmod 2 , .Xr open 2 , .Xr pdfork 2 , .Xr pdgetpid 2 , .Xr pdkill 2 , .Xr pdwait4 2 , .Xr read 2 , .Xr shm_open 2 , .Xr write 2 , .Xr cap_rights_get 3 , .Xr libcasper 3 , .Xr procdesc 4 .Sh HISTORY .Nm first appeared in .Fx 9.0 , and was developed at the University of Cambridge. .Sh AUTHORS .Nm was developed by .An -nosplit .An Robert Watson Aq Mt rwatson@FreeBSD.org and .An Jonathan Anderson Aq Mt jonathan@FreeBSD.org at the University of Cambridge, and .An Ben Laurie Aq Mt benl@FreeBSD.org and .An Kris Kennaway Aq Mt kris@FreeBSD.org at Google, Inc., and .An Pawel Jakub Dawidek Aq Mt pawel@dawidek.net . Index: head/sys/compat/freebsd32/capabilities.conf =================================================================== --- head/sys/compat/freebsd32/capabilities.conf (revision 318764) +++ head/sys/compat/freebsd32/capabilities.conf (revision 318765) 
@@ -1,288 +1,288 @@ ## ## Copyright (c) 2008-2010 Robert N. M. Watson ## Copyright (c) 2016 The FreeBSD Foundation ## All rights reserved. ## ## This software was developed at the University of Cambridge Computer ## Laboratory with support from a grant from Google, Inc. ## ## Portions of this software were developed by Konstantin Belousov ## under sponsorship from the FreeBSD Foundation. ## ## Redistribution and use in source and binary forms, with or without ## modification, are permitted provided that the following conditions ## are met: ## 1. Redistributions of source code must retain the above copyright ## notice, this list of conditions and the following disclaimer. ## 2. Redistributions in binary form must reproduce the above copyright ## notice, this list of conditions and the following disclaimer in the ## documentation and/or other materials provided with the distribution. ## ## THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND ## ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE ## IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ## ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE ## FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL ## DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS ## OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) ## HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT ## LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY ## OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF ## SUCH DAMAGE. ## ## List of system calls enabled in freebsd32 capability mode, one name ## per line. See the original list in the sys/kern/capabilities.conf. ## Position of the compat syscall in this file must be identical to ## the master, to facilitate comparision and diagnostic. 
## ## $FreeBSD$ ## __acl_aclcheck_fd __acl_delete_fd __acl_get_fd __acl_set_fd __mac_get_fd #__mac_get_pid __mac_get_proc __mac_set_fd __mac_set_proc freebsd32_sysctl freebsd32_umtx_op abort2 accept accept4 aio_cancel freebsd32_aio_error aio_fsync freebsd32_aio_read freebsd32_aio_return freebsd32_aio_suspend freebsd32_aio_waitcomplete freebsd32_aio_write #audit bindat cap_enter cap_fcntls_get cap_fcntls_limit cap_getmode freebsd32_cap_ioctls_get freebsd32_cap_ioctls_limit __cap_rights_get cap_rights_limit freebsd32_clock_getres freebsd32_clock_gettime close closefrom connectat #cpuset -#freebsd32_cpuset_getaffinity +freebsd32_cpuset_getaffinity #freebsd32_cpuset_getid -#freebsd32_cpuset_setaffinity +freebsd32_cpuset_setaffinity #freebsd32_cpuset_setid dup dup2 extattr_delete_fd extattr_get_fd extattr_list_fd extattr_set_fd fchflags fchmod fchown freebsd32_fcntl freebsd32_fexecve flock fork fpathconf freebsd11_freebsd32_fstat freebsd11_freebsd32_fstatat freebsd11_freebsd32_getdirentries freebsd11_freebsd32_fstatfs freebsd11_freebsd32_mknodat freebsd6_freebsd32_ftruncate freebsd6_freebsd32_lseek freebsd6_freebsd32_mmap freebsd6_freebsd32_pread freebsd6_freebsd32_pwrite freebsd32_fstat fstatfs fsync ftruncate freebsd32_futimens freebsd32_futimes getaudit getaudit_addr getauid freebsd32_getcontext getdents freebsd32_getdirentries getdomainname getdtablesize getegid geteuid gethostid gethostname freebsd32_getitimer getgid getgroups getlogin freebsd32_getpagesize getpeername getpgid getpgrp getpid getppid getpriority getresgid getresuid getrlimit freebsd32_getrusage getsid getsockname getsockopt freebsd32_gettimeofday getuid freebsd32_ioctl issetugid freebsd32_kevent kill freebsd32_kmq_notify freebsd32_kmq_setattr freebsd32_kmq_timedreceive freebsd32_kmq_timedsend kqueue freebsd32_ktimer_create ktimer_delete ktimer_getoverrun freebsd32_ktimer_gettime freebsd32_ktimer_settime #ktrace freebsd32_lio_listio listen freebsd32_lseek madvise mincore minherit mlock mlockall 
freebsd32_mmap freebsd32_mprotect msync munlock munlockall munmap freebsd32_nanosleep ntp_gettime freebsd6_freebsd32_aio_read freebsd6_freebsd32_aio_write obreak freebsd6_freebsd32_lio_listio chflagsat faccessat fchmodat fchownat freebsd32_fstatat freebsd32_futimesat linkat mkdirat mkfifoat mknodat openat readlinkat renameat symlinkat unlinkat freebsd32_utimensat pdfork pdgetpid pdkill #pdwait4 # not yet implemented freebsd32_pipe pipe2 poll freebsd32_pread freebsd32_preadv profil #ptrace freebsd32_pwrite freebsd32_pwritev read freebsd32_readv freebsd6_freebsd32_recv freebsd32_recvfrom freebsd32_recvmsg rtprio rtprio_thread sbrk sched_get_priority_max sched_get_priority_min sched_getparam sched_getscheduler sched_rr_get_interval sched_setparam sched_setscheduler sched_yield sctp_generic_recvmsg sctp_generic_sendmsg sctp_generic_sendmsg_iov sctp_peeloff freebsd32_pselect freebsd32_select freebsd6_freebsd32_send freebsd32_sendfile freebsd32_sendmsg sendto setaudit setaudit_addr setauid freebsd32_setcontext setegid seteuid setgid freebsd32_setitimer setpriority setregid setresgid setresuid setreuid setrlimit setsid setsockopt setuid shm_open shutdown freebsd32_sigaction freebsd32_sigaltstack freebsd32_sigblock freebsd32_sigpending sigprocmask sigqueue freebsd32_sigreturn freebsd32_sigsetmask ofreebsd32_sigstack sigsuspend freebsd32_sigtimedwait freebsd32_sigvec freebsd32_sigwaitinfo sigwait socket socketpair sstk sync sys_exit freebsd32_sysarch thr_create thr_exit thr_kill #thr_kill2 freebsd32_thr_new thr_self thr_set_name freebsd32_thr_suspend thr_wake umask utrace uuidgen write freebsd32_writev yield Index: head/sys/kern/capabilities.conf =================================================================== --- head/sys/kern/capabilities.conf (revision 318764) +++ head/sys/kern/capabilities.conf (revision 318765) 
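Review bot: Uncommenting `freebsd32_cpuset_getaffinity` and `freebsd32_cpuset_setaffinity` opens these syscalls to capability-mode 32-bit processes, yet this list carries no scoping of its own; the only thing that keeps a sandboxed process from reading or changing another process's affinity is the ECAPMODE check this commit adds in kern_cpuset.c, whose hunk is cut off at the end of this diff. The compat entries are distinct syscall names, so it is worth confirming that both freebsd32 wrappers reach the same scoped kernel path rather than a separate translation routine that skips the check; that cannot be seen from this diff. The native `cpuset_getaffinity`/`cpuset_setaffinity` entries in the sys/kern/capabilities.conf hunk below rely on the same assumption.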
@@ -1,743 +1,742 @@ ## ## Copyright (c) 2008-2010 Robert N. M. Watson ## All rights reserved. ## ## This software was developed at the University of Cambridge Computer ## Laboratory with support from a grant from Google, Inc. ## ## Redistribution and use in source and binary forms, with or without ## modification, are permitted provided that the following conditions ## are met: ## 1. Redistributions of source code must retain the above copyright ## notice, this list of conditions and the following disclaimer. ## 2. Redistributions in binary form must reproduce the above copyright ## notice, this list of conditions and the following disclaimer in the ## documentation and/or other materials provided with the distribution. ## ## THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND ## ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE ## IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ## ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE ## FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL ## DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS ## OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) ## HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT ## LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY ## OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF ## SUCH DAMAGE. ## ## List of system calls enabled in capability mode, one name per line. ## ## Notes: ## - sys_exit(2), abort2(2) and close(2) are very important. ## - Sorted alphabetically, please keep it that way. ## ## $FreeBSD$ ## ## ## Allow ACL and MAC label operations by file descriptor, subject to ## capability rights. Allow MAC label operations on the current process but ## we will need to scope __mac_get_pid(2). 
## __acl_aclcheck_fd __acl_delete_fd __acl_get_fd __acl_set_fd __mac_get_fd #__mac_get_pid __mac_get_proc __mac_set_fd __mac_set_proc ## ## Allow sysctl(2) as we scope internal to the call; this is a global ## namespace, but there are several critical sysctls required for almost ## anything to run, such as hw.pagesize. For now that policy lives in the ## kernel for performance and simplicity, but perhaps it could move to a ## proxying daemon in userspace. ## __sysctl ## ## Allow umtx operations as these are scoped by address space. ## ## XXRW: Need to check this very carefully. ## _umtx_op ## ## Allow process termination using abort2(2). ## abort2 ## ## Allow accept(2) since it doesn't manipulate namespaces directly, rather ## relies on existing bindings on a socket, subject to capability rights. ## accept accept4 ## ## Allow AIO operations by file descriptor, subject to capability rights. ## aio_cancel aio_error aio_fsync aio_read aio_return aio_suspend aio_waitcomplete aio_write ## ## audit(2) is a global operation, submitting to the global trail, but it is ## controlled by privilege, and it might be useful to be able to submit ## records from sandboxes. For now, disallow, but we may want to think about ## providing some sort of proxy service for this. ## #audit ## ## Allow bindat(2). ## bindat ## ## Allow capability mode and capability system calls. ## cap_enter cap_fcntls_get cap_fcntls_limit cap_getmode cap_ioctls_get cap_ioctls_limit __cap_rights_get cap_rights_limit ## ## Allow read-only clock operations. ## clock_getres clock_gettime ## ## Always allow file descriptor close(2). ## close closefrom ## ## Allow connectat(2). ## connectat ## -## cpuset(2) and related calls require scoping by process, but should -## eventually be allowed, at least in the current process case. +## cpuset(2) and related calls are limited to caller's own process/thread. 
## #cpuset -#cpuset_getaffinity +cpuset_getaffinity #cpuset_getid -#cpuset_setaffinity +cpuset_setaffinity #cpuset_setid ## ## Always allow dup(2) and dup2(2) manipulation of the file descriptor table. ## dup dup2 ## ## Allow extended attribute operations by file descriptor, subject to ## capability rights. ## extattr_delete_fd extattr_get_fd extattr_list_fd extattr_set_fd ## ## Allow changing file flags, mode, and owner by file descriptor, subject to ## capability rights. ## fchflags fchmod fchown ## ## For now, allow fcntl(2), subject to capability rights, but this probably ## needs additional scoping. ## fcntl ## ## Allow fexecve(2), subject to capability rights. We perform some scoping, ## such as disallowing privilege escalation. ## fexecve ## ## Allow flock(2), subject to capability rights. ## flock ## ## Allow fork(2), even though it returns pids -- some applications seem to ## prefer this interface. ## fork ## ## Allow fpathconf(2), subject to capability rights. ## fpathconf ## ## Allow various file descriptor-based I/O operations, subject to capability ## rights. ## freebsd11_fstat freebsd11_fstatat freebsd11_getdirentries freebsd11_fstatfs freebsd11_mknodat freebsd6_ftruncate freebsd6_lseek freebsd6_mmap freebsd6_pread freebsd6_pwrite ## ## Allow querying file and file system state with fstat(2) and fstatfs(2), ## subject to capability rights. ## fstat fstatfs ## ## Allow further file descriptor-based I/O operations, subject to capability ## rights. ## fsync ftruncate ## ## Allow futimens(2) and futimes(2), subject to capability rights. ## futimens futimes ## ## Allow querying process audit state, subject to normal access control. ## getaudit getaudit_addr getauid ## ## Allow thread context management with getcontext(2). ## getcontext ## ## Allow directory I/O on a file descriptor, subject to capability rights. 
## Originally we had separate capabilities for directory-specific read ## operations, but on BSD we allow reading the raw directory data, so we just ## rely on CAP_READ now. ## getdents getdirentries ## ## Allow querying certain trivial global state. ## getdomainname ## ## Allow querying certain per-process resource limit state. ## getdtablesize ## ## Allow querying current process credential state. ## getegid geteuid ## ## Allow querying certain trivial global state. ## gethostid gethostname ## ## Allow querying per-process timer. ## getitimer ## ## Allow querying current process credential state. ## getgid getgroups getlogin ## ## Allow querying certain trivial global state. ## getpagesize getpeername ## ## Allow querying certain per-process scheduling, resource limit, and ## credential state. ## ## XXXRW: getpgid(2) needs scoping. It's not clear if it's worth scoping ## getppid(2). getpriority(2) needs scoping. getrusage(2) needs scoping. ## getsid(2) needs scoping. ## getpgid getpgrp getpid getppid getpriority getresgid getresuid getrlimit getrusage getsid ## ## Allow querying socket state, subject to capability rights. ## ## XXXRW: getsockopt(2) may need more attention. ## getsockname getsockopt ## ## Allow querying the global clock. ## gettimeofday ## ## Allow querying current process credential state. ## getuid ## ## Allow ioctl(2), which hopefully will be limited by applications only to ## required commands with cap_ioctls_limit(2) syscall. ## ioctl ## ## Allow querying current process credential state. ## issetugid ## ## Allow kevent(2), as we will authorize based on capability rights on the ## target descriptor. ## kevent ## ## Allow kill(2), as we allow the process to send signals only to himself. ## kill ## ## Allow message queue operations on file descriptors, subject to capability ## rights. ## kmq_notify kmq_setattr kmq_timedreceive kmq_timedsend ## ## Allow kqueue(2), we will control use. ## kqueue ## ## Allow managing per-process timers. 
## ktimer_create ktimer_delete ktimer_getoverrun ktimer_gettime ktimer_settime ## ## We can't allow ktrace(2) because it relies on a global namespace, but we ## might want to introduce an fktrace(2) of some sort. ## #ktrace ## ## Allow AIO operations by file descriptor, subject to capability rights. ## lio_listio ## ## Allow listen(2), subject to capability rights. ## ## XXXRW: One might argue this manipulates a global namespace. ## listen ## ## Allow I/O-related file descriptors, subject to capability rights. ## lseek ## ## Allow simple VM operations on the current process. ## madvise mincore minherit mlock mlockall ## ## Allow memory mapping a file descriptor, and updating protections, subject ## to capability rights. ## mmap mprotect ## ## Allow simple VM operations on the current process. ## msync munlock munlockall munmap ## ## Allow the current process to sleep. ## nanosleep ## ## Allow querying the global clock. ## ntp_gettime ## ## Allow AIO operations by file descriptor, subject to capability rights. ## oaio_read oaio_write ## ## Allow simple VM operations on the current process. ## obreak ## ## Allow AIO operations by file descriptor, subject to capability rights. ## olio_listio ## ## Operations relative to directory capabilities. ## chflagsat faccessat fchmodat fchownat fstatat futimesat linkat mkdirat mkfifoat mknodat openat readlinkat renameat symlinkat unlinkat utimensat ## ## Process descriptor-related system calls are allowed. ## pdfork pdgetpid pdkill #pdwait4 # not yet implemented ## ## Allow pipe(2). ## pipe pipe2 ## ## Allow poll(2), which will be scoped by capability rights. ## XXXRW: We don't yet do that scoping. ## poll ## ## Allow I/O-related file descriptors, subject to capability rights. ## pread preadv ## ## Allow access to profiling state on the current process. ## profil ## ## Disallow ptrace(2) for now, but we do need debugging facilities in ## capability mode, so we will want to revisit this, possibly by scoping its ## operation. 
## #ptrace ## ## Allow I/O-related file descriptors, subject to capability rights. ## pwrite pwritev read readv recv recvfrom recvmsg ## ## Allow real-time scheduling primitives to be used. ## ## XXXRW: These require scoping. ## rtprio rtprio_thread ## ## Allow simple VM operations on the current process. ## sbrk ## ## Allow querying trivial global scheduler state. ## sched_get_priority_max sched_get_priority_min ## ## Allow various thread/process scheduler operations. ## ## XXXRW: Some of these require further scoping. ## sched_getparam sched_getscheduler sched_rr_get_interval sched_setparam sched_setscheduler sched_yield ## ## Allow I/O-related file descriptors, subject to capability rights. ## sctp_generic_recvmsg sctp_generic_sendmsg sctp_generic_sendmsg_iov sctp_peeloff ## ## Allow pselect(2) and select(2), which will be scoped by capability rights. ## ## XXXRW: But is it? ## pselect select ## ## Allow I/O-related file descriptors, subject to capability rights. Use of ## explicit addresses here is restricted by the system calls themselves. ## send sendfile sendmsg sendto ## ## Allow setting per-process audit state, which is controlled separately by ## privileges. ## setaudit setaudit_addr setauid ## ## Allow setting thread context. ## setcontext ## ## Allow setting current process credential state, which is controlled ## separately by privilege. ## setegid seteuid setgid ## ## Allow use of the process interval timer. ## setitimer ## ## Allow setpriority(2). ## ## XXXRW: Requires scoping. ## setpriority ## ## Allow setting current process credential state, which is controlled ## separately by privilege. ## setregid setresgid setresuid setreuid ## ## Allow setting process resource limits with setrlimit(2). ## setrlimit ## ## Allow creating a new session with setsid(2). ## setsid ## ## Allow setting socket options with setsockopt(2), subject to capability ## rights. ## ## XXXRW: Might require scoping. 
## setsockopt ## ## Allow setting current process credential state, which is controlled ## separately by privilege. ## setuid ## ## shm_open(2) is scoped so as to allow only access to new anonymous objects. ## shm_open ## ## Allow I/O-related file descriptors, subject to capability rights. ## shutdown ## ## Allow signal control on current process. ## sigaction sigaltstack sigblock sigpending sigprocmask sigqueue sigreturn sigsetmask sigstack sigsuspend sigtimedwait sigvec sigwaitinfo sigwait ## ## Allow creating new socket pairs with socket(2) and socketpair(2). ## socket socketpair ## ## Allow simple VM operations on the current process. ## ## XXXRW: Kernel doesn't implement this, so drop? ## sstk ## ## Do allow sync(2) for now, but possibly shouldn't. ## sync ## ## Always allow process termination with sys_exit(2). ## sys_exit ## ## sysarch(2) does rather diverse things, but is required on at least i386 ## in order to configure per-thread data. As such, it's scoped on each ## architecture. ## sysarch ## ## Allow thread operations operating only on current process. ## thr_create thr_exit thr_kill ## ## Disallow thr_kill2(2), as it may operate beyond the current process. ## ## XXXRW: Requires scoping. ## #thr_kill2 ## ## Allow thread operations operating only on current process. ## thr_new thr_self thr_set_name thr_suspend thr_wake ## ## Allow manipulation of the current process umask with umask(2). ## umask ## ## Allow submitting of process trace entries with utrace(2). ## utrace ## ## Allow generating UUIDs with uuidgen(2). ## uuidgen ## ## Allow I/O-related file descriptors, subject to capability rights. ## write writev ## ## Allow processes to yield(2). ## yield Index: head/sys/kern/kern_cpuset.c =================================================================== --- head/sys/kern/kern_cpuset.c (revision 318764) +++ head/sys/kern/kern_cpuset.c (revision 318765) 
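Review bot: The rewritten comment `## cpuset(2) and related calls are limited to caller's own process/thread.` is imprecise on two counts: only cpuset_getaffinity and cpuset_setaffinity are enabled in this hunk (cpuset, cpuset_getid and cpuset_setid stay commented out), and "process/thread" does not match the wording added elsewhere in this commit, where capsicum.4 says processes "can only act upon their own process ID" and cpuset_getaffinity.2 says ECAPMODE is returned for "a process other than itself", neither mentioning threads. Whether CPU_WHICH_TID for another thread of the same process is accepted in capability mode is exactly what a sandbox author needs to know, so the three texts should agree on it. I would name the enabled calls, the enforcing code and the error, e.g. `## cpuset_getaffinity(2) and cpuset_setaffinity(2) are allowed; kern_cpuset.c returns` / `## ECAPMODE in capability mode for any target other than the caller, see capsicum(4).`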
@@ -1,1329 +1,1349 @@ /*- * Copyright (c) 2008, Jeffrey Roberson * All rights reserved. * * Copyright (c) 2008 Nokia Corporation * All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the above copyright * notice unmodified, this list of conditions, and the following * disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. * */ #include __FBSDID("$FreeBSD$"); #include "opt_ddb.h" #include #include #include #include #include #include #include #include #include #include #include #include #include #include +#include #include #include #include #include #include #include #include #include #include #include #include #ifdef DDB #include #endif /* DDB */ /* * cpusets provide a mechanism for creating and manipulating sets of * processors for the purpose of constraining the scheduling of threads to * specific processors. * * Each process belongs to an identified set, by default this is set 1. 
Each * thread may further restrict the cpus it may run on to a subset of this * named set. This creates an anonymous set which other threads and processes * may not join by number. * * The named set is referred to herein as the 'base' set to avoid ambiguity. * This set is usually a child of a 'root' set while the anonymous set may * simply be referred to as a mask. In the syscall api these are referred to * as the ROOT, CPUSET, and MASK levels where CPUSET is called 'base' here. * * Threads inherit their set from their creator whether it be anonymous or * not. This means that anonymous sets are immutable because they may be * shared. To modify an anonymous set a new set is created with the desired * mask and the same parent as the existing anonymous set. This gives the * illusion of each thread having a private mask. * * Via the syscall apis a user may ask to retrieve or modify the root, base, * or mask that is discovered via a pid, tid, or setid. Modifying a set * modifies all numbered and anonymous child sets to comply with the new mask. * Modifying a pid or tid's mask applies only to that tid but must still * exist within the assigned parent set. * * A thread may not be assigned to a group separate from other threads in * the process. This is to remove ambiguity when the setid is queried with * a pid argument. There is no other technical limitation. * * This somewhat complex arrangement is intended to make it easy for * applications to query available processors and bind their threads to * specific processors while also allowing administrators to dynamically * reprovision by changing sets which apply to groups of processes. * * A simple application should not concern itself with sets at all and * rather apply masks to its own threads via CPU_WHICH_TID and a -1 id * meaning 'curthread'. It may query available cpus for that tid with a * getaffinity call using (CPU_LEVEL_CPUSET, CPU_WHICH_PID, -1, ...). 
*/ static uma_zone_t cpuset_zone; static struct mtx cpuset_lock; static struct setlist cpuset_ids; static struct unrhdr *cpuset_unr; static struct cpuset *cpuset_zero, *cpuset_default; /* Return the size of cpuset_t at the kernel level */ SYSCTL_INT(_kern_sched, OID_AUTO, cpusetsize, CTLFLAG_RD | CTLFLAG_CAPRD, SYSCTL_NULL_INT_PTR, sizeof(cpuset_t), "sizeof(cpuset_t)"); cpuset_t *cpuset_root; cpuset_t cpuset_domain[MAXMEMDOM]; /* * Acquire a reference to a cpuset, all pointers must be tracked with refs. */ struct cpuset * cpuset_ref(struct cpuset *set) { refcount_acquire(&set->cs_ref); return (set); } /* * Walks up the tree from 'set' to find the root. Returns the root * referenced. */ static struct cpuset * cpuset_refroot(struct cpuset *set) { for (; set->cs_parent != NULL; set = set->cs_parent) if (set->cs_flags & CPU_SET_ROOT) break; cpuset_ref(set); return (set); } /* * Find the first non-anonymous set starting from 'set'. Returns this set * referenced. May return the passed in set with an extra ref if it is * not anonymous. */ static struct cpuset * cpuset_refbase(struct cpuset *set) { if (set->cs_id == CPUSET_INVALID) set = set->cs_parent; cpuset_ref(set); return (set); } /* * Release a reference in a context where it is safe to allocate. */ void cpuset_rel(struct cpuset *set) { cpusetid_t id; if (refcount_release(&set->cs_ref) == 0) return; mtx_lock_spin(&cpuset_lock); LIST_REMOVE(set, cs_siblings); id = set->cs_id; if (id != CPUSET_INVALID) LIST_REMOVE(set, cs_link); mtx_unlock_spin(&cpuset_lock); cpuset_rel(set->cs_parent); uma_zfree(cpuset_zone, set); if (id != CPUSET_INVALID) free_unr(cpuset_unr, id); } /* * Deferred release must be used when in a context that is not safe to * allocate/free. This places any unreferenced sets on the list 'head'. 
*/ static void cpuset_rel_defer(struct setlist *head, struct cpuset *set) { if (refcount_release(&set->cs_ref) == 0) return; mtx_lock_spin(&cpuset_lock); LIST_REMOVE(set, cs_siblings); if (set->cs_id != CPUSET_INVALID) LIST_REMOVE(set, cs_link); LIST_INSERT_HEAD(head, set, cs_link); mtx_unlock_spin(&cpuset_lock); } /* * Complete a deferred release. Removes the set from the list provided to * cpuset_rel_defer. */ static void cpuset_rel_complete(struct cpuset *set) { LIST_REMOVE(set, cs_link); cpuset_rel(set->cs_parent); uma_zfree(cpuset_zone, set); } /* * Find a set based on an id. Returns it with a ref. */ static struct cpuset * cpuset_lookup(cpusetid_t setid, struct thread *td) { struct cpuset *set; if (setid == CPUSET_INVALID) return (NULL); mtx_lock_spin(&cpuset_lock); LIST_FOREACH(set, &cpuset_ids, cs_link) if (set->cs_id == setid) break; if (set) cpuset_ref(set); mtx_unlock_spin(&cpuset_lock); KASSERT(td != NULL, ("[%s:%d] td is NULL", __func__, __LINE__)); if (set != NULL && jailed(td->td_ucred)) { struct cpuset *jset, *tset; jset = td->td_ucred->cr_prison->pr_cpuset; for (tset = set; tset != NULL; tset = tset->cs_parent) if (tset == jset) break; if (tset == NULL) { cpuset_rel(set); set = NULL; } } return (set); } /* * Create a set in the space provided in 'set' with the provided parameters. * The set is returned with a single ref. May return EDEADLK if the set * will have no valid cpu based on restrictions from the parent. 
*/ static int _cpuset_create(struct cpuset *set, struct cpuset *parent, const cpuset_t *mask, cpusetid_t id) { if (!CPU_OVERLAP(&parent->cs_mask, mask)) return (EDEADLK); CPU_COPY(mask, &set->cs_mask); LIST_INIT(&set->cs_children); refcount_init(&set->cs_ref, 1); set->cs_flags = 0; mtx_lock_spin(&cpuset_lock); CPU_AND(&set->cs_mask, &parent->cs_mask); set->cs_id = id; set->cs_parent = cpuset_ref(parent); LIST_INSERT_HEAD(&parent->cs_children, set, cs_siblings); if (set->cs_id != CPUSET_INVALID) LIST_INSERT_HEAD(&cpuset_ids, set, cs_link); mtx_unlock_spin(&cpuset_lock); return (0); } /* * Create a new non-anonymous set with the requested parent and mask. May * return failures if the mask is invalid or a new number can not be * allocated. */ static int cpuset_create(struct cpuset **setp, struct cpuset *parent, const cpuset_t *mask) { struct cpuset *set; cpusetid_t id; int error; id = alloc_unr(cpuset_unr); if (id == -1) return (ENFILE); *setp = set = uma_zalloc(cpuset_zone, M_WAITOK); error = _cpuset_create(set, parent, mask, id); if (error == 0) return (0); free_unr(cpuset_unr, id); uma_zfree(cpuset_zone, set); return (error); } /* * Recursively check for errors that would occur from applying mask to * the tree of sets starting at 'set'. Checks for sets that would become * empty as well as RDONLY flags. */ static int cpuset_testupdate(struct cpuset *set, cpuset_t *mask, int check_mask) { struct cpuset *nset; cpuset_t newmask; int error; mtx_assert(&cpuset_lock, MA_OWNED); if (set->cs_flags & CPU_SET_RDONLY) return (EPERM); if (check_mask) { if (!CPU_OVERLAP(&set->cs_mask, mask)) return (EDEADLK); CPU_COPY(&set->cs_mask, &newmask); CPU_AND(&newmask, mask); } else CPU_COPY(mask, &newmask); error = 0; LIST_FOREACH(nset, &set->cs_children, cs_siblings) if ((error = cpuset_testupdate(nset, &newmask, 1)) != 0) break; return (error); } /* * Applies the mask 'mask' without checking for empty sets or permissions. 
*/ static void cpuset_update(struct cpuset *set, cpuset_t *mask) { struct cpuset *nset; mtx_assert(&cpuset_lock, MA_OWNED); CPU_AND(&set->cs_mask, mask); LIST_FOREACH(nset, &set->cs_children, cs_siblings) cpuset_update(nset, &set->cs_mask); return; } /* * Modify the set 'set' to use a copy of the mask provided. Apply this new * mask to restrict all children in the tree. Checks for validity before * applying the changes. */ static int cpuset_modify(struct cpuset *set, cpuset_t *mask) { struct cpuset *root; int error; error = priv_check(curthread, PRIV_SCHED_CPUSET); if (error) return (error); /* * In case we are called from within the jail * we do not allow modifying the dedicated root * cpuset of the jail but may still allow to * change child sets. */ if (jailed(curthread->td_ucred) && set->cs_flags & CPU_SET_ROOT) return (EPERM); /* * Verify that we have access to this set of * cpus. */ root = set->cs_parent; if (root && !CPU_SUBSET(&root->cs_mask, mask)) return (EINVAL); mtx_lock_spin(&cpuset_lock); error = cpuset_testupdate(set, mask, 0); if (error) goto out; CPU_COPY(mask, &set->cs_mask); cpuset_update(set, mask); out: mtx_unlock_spin(&cpuset_lock); return (error); } /* * Resolve the 'which' parameter of several cpuset apis. * * For WHICH_PID and WHICH_TID return a locked proc and valid proc/tid. Also * checks for permission via p_cansched(). * * For WHICH_SET returns a valid set with a new reference. * * -1 may be supplied for any argument to mean the current proc/thread or * the base set of the current thread. May fail with ESRCH/EPERM. 
*/ int cpuset_which(cpuwhich_t which, id_t id, struct proc **pp, struct thread **tdp, struct cpuset **setp) { struct cpuset *set; struct thread *td; struct proc *p; int error; *pp = p = NULL; *tdp = td = NULL; *setp = set = NULL; switch (which) { case CPU_WHICH_PID: if (id == -1) { PROC_LOCK(curproc); p = curproc; break; } if ((p = pfind(id)) == NULL) return (ESRCH); break; case CPU_WHICH_TID: if (id == -1) { PROC_LOCK(curproc); p = curproc; td = curthread; break; } td = tdfind(id, -1); if (td == NULL) return (ESRCH); p = td->td_proc; break; case CPU_WHICH_CPUSET: if (id == -1) { thread_lock(curthread); set = cpuset_refbase(curthread->td_cpuset); thread_unlock(curthread); } else set = cpuset_lookup(id, curthread); if (set) { *setp = set; return (0); } return (ESRCH); case CPU_WHICH_JAIL: { /* Find `set' for prison with given id. */ struct prison *pr; sx_slock(&allprison_lock); pr = prison_find_child(curthread->td_ucred->cr_prison, id); sx_sunlock(&allprison_lock); if (pr == NULL) return (ESRCH); cpuset_ref(pr->pr_cpuset); *setp = pr->pr_cpuset; mtx_unlock(&pr->pr_mtx); return (0); } case CPU_WHICH_IRQ: case CPU_WHICH_DOMAIN: return (0); default: return (EINVAL); } error = p_cansched(curthread, p); if (error) { PROC_UNLOCK(p); return (error); } if (td == NULL) td = FIRST_THREAD_IN_PROC(p); *pp = p; *tdp = td; return (0); } /* * Create an anonymous set with the provided mask in the space provided by * 'fset'. If the passed in set is anonymous we use its parent otherwise * the new set is a child of 'set'. */ static int cpuset_shadow(struct cpuset *set, struct cpuset *fset, const cpuset_t *mask) { struct cpuset *parent; if (set->cs_id == CPUSET_INVALID) parent = set->cs_parent; else parent = set; if (!CPU_SUBSET(&parent->cs_mask, mask)) return (EDEADLK); return (_cpuset_create(fset, parent, mask, CPUSET_INVALID)); } /* * Handle two cases for replacing the base set or mask of an entire process. * * 1) Set is non-null and mask is null. 
This reparents all anonymous sets * to the provided set and replaces all non-anonymous td_cpusets with the * provided set. * 2) Mask is non-null and set is null. This replaces or creates anonymous * sets for every thread with the existing base as a parent. * * This is overly complicated because we can't allocate while holding a * spinlock and spinlocks must be held while changing and examining thread * state. */ static int cpuset_setproc(pid_t pid, struct cpuset *set, cpuset_t *mask) { struct setlist freelist; struct setlist droplist; struct cpuset *tdset; struct cpuset *nset; struct thread *td; struct proc *p; int threads; int nfree; int error; + /* * The algorithm requires two passes due to locking considerations. * * 1) Lookup the process and acquire the locks in the required order. * 2) If enough cpusets have not been allocated release the locks and * allocate them. Loop. */ LIST_INIT(&freelist); LIST_INIT(&droplist); nfree = 0; for (;;) { error = cpuset_which(CPU_WHICH_PID, pid, &p, &td, &nset); if (error) goto out; if (nfree >= p->p_numthreads) break; threads = p->p_numthreads; PROC_UNLOCK(p); for (; nfree < threads; nfree++) { nset = uma_zalloc(cpuset_zone, M_WAITOK); LIST_INSERT_HEAD(&freelist, nset, cs_link); } } PROC_LOCK_ASSERT(p, MA_OWNED); /* * Now that the appropriate locks are held and we have enough cpusets, * make sure the operation will succeed before applying changes. The * proc lock prevents td_cpuset from changing between calls. */ error = 0; FOREACH_THREAD_IN_PROC(p, td) { thread_lock(td); tdset = td->td_cpuset; /* * Verify that a new mask doesn't specify cpus outside of * the set the thread is a member of. */ if (mask) { if (tdset->cs_id == CPUSET_INVALID) tdset = tdset->cs_parent; if (!CPU_SUBSET(&tdset->cs_mask, mask)) error = EDEADLK; /* * Verify that a new set won't leave an existing thread * mask without a cpu to run on. It can, however, restrict * the set. 
*/ } else if (tdset->cs_id == CPUSET_INVALID) { if (!CPU_OVERLAP(&set->cs_mask, &tdset->cs_mask)) error = EDEADLK; } thread_unlock(td); if (error) goto unlock_out; } /* * Replace each thread's cpuset while using deferred release. We * must do this because the thread lock must be held while operating * on the thread and this limits the type of operations allowed. */ FOREACH_THREAD_IN_PROC(p, td) { thread_lock(td); /* * If we presently have an anonymous set or are applying a * mask we must create an anonymous shadow set. That is * either parented to our existing base or the supplied set. * * If we have a base set with no anonymous shadow we simply * replace it outright. */ tdset = td->td_cpuset; if (tdset->cs_id == CPUSET_INVALID || mask) { nset = LIST_FIRST(&freelist); LIST_REMOVE(nset, cs_link); if (mask) error = cpuset_shadow(tdset, nset, mask); else error = _cpuset_create(nset, set, &tdset->cs_mask, CPUSET_INVALID); if (error) { LIST_INSERT_HEAD(&freelist, nset, cs_link); thread_unlock(td); break; } } else nset = cpuset_ref(set); cpuset_rel_defer(&droplist, tdset); td->td_cpuset = nset; sched_affinity(td); thread_unlock(td); } unlock_out: PROC_UNLOCK(p); out: while ((nset = LIST_FIRST(&droplist)) != NULL) cpuset_rel_complete(nset); while ((nset = LIST_FIRST(&freelist)) != NULL) { LIST_REMOVE(nset, cs_link); uma_zfree(cpuset_zone, nset); } return (error); } /* * Return a string representing a valid layout for a cpuset_t object. * It expects an incoming buffer at least sized as CPUSETBUFSIZ. */ char * cpusetobj_strprint(char *buf, const cpuset_t *set) { char *tbuf; size_t i, bytesp, bufsiz; tbuf = buf; bytesp = 0; bufsiz = CPUSETBUFSIZ; for (i = 0; i < (_NCPUWORDS - 1); i++) { bytesp = snprintf(tbuf, bufsiz, "%lx,", set->__bits[i]); bufsiz -= bytesp; tbuf += bytesp; } snprintf(tbuf, bufsiz, "%lx", set->__bits[_NCPUWORDS - 1]); return (buf); } /* * Build a valid cpuset_t object from a string representation. 
* It expects an incoming buffer at least sized as CPUSETBUFSIZ. */ int cpusetobj_strscan(cpuset_t *set, const char *buf) { u_int nwords; int i, ret; if (strlen(buf) > CPUSETBUFSIZ - 1) return (-1); /* Allow to pass a shorter version of the mask when necessary. */ nwords = 1; for (i = 0; buf[i] != '\0'; i++) if (buf[i] == ',') nwords++; if (nwords > _NCPUWORDS) return (-1); CPU_ZERO(set); for (i = 0; i < (nwords - 1); i++) { ret = sscanf(buf, "%lx,", &set->__bits[i]); if (ret == 0 || ret == -1) return (-1); buf = strstr(buf, ","); if (buf == NULL) return (-1); buf++; } ret = sscanf(buf, "%lx", &set->__bits[nwords - 1]); if (ret == 0 || ret == -1) return (-1); return (0); } /* * Apply an anonymous mask to a single thread. */ int cpuset_setthread(lwpid_t id, cpuset_t *mask) { struct cpuset *nset; struct cpuset *set; struct thread *td; struct proc *p; int error; nset = uma_zalloc(cpuset_zone, M_WAITOK); error = cpuset_which(CPU_WHICH_TID, id, &p, &td, &set); if (error) goto out; set = NULL; thread_lock(td); error = cpuset_shadow(td->td_cpuset, nset, mask); if (error == 0) { set = td->td_cpuset; td->td_cpuset = nset; sched_affinity(td); nset = NULL; } thread_unlock(td); PROC_UNLOCK(p); if (set) cpuset_rel(set); out: if (nset) uma_zfree(cpuset_zone, nset); return (error); } /* * Apply new cpumask to the ithread. */ int cpuset_setithread(lwpid_t id, int cpu) { struct cpuset *nset, *rset; struct cpuset *parent, *old_set; struct thread *td; struct proc *p; cpusetid_t cs_id; cpuset_t mask; int error; nset = uma_zalloc(cpuset_zone, M_WAITOK); rset = uma_zalloc(cpuset_zone, M_WAITOK); cs_id = CPUSET_INVALID; CPU_ZERO(&mask); if (cpu == NOCPU) CPU_COPY(cpuset_root, &mask); else CPU_SET(cpu, &mask); error = cpuset_which(CPU_WHICH_TID, id, &p, &td, &old_set); if (error != 0 || ((cs_id = alloc_unr(cpuset_unr)) == CPUSET_INVALID)) goto out; /* cpuset_which() returns with PROC_LOCK held. */ old_set = td->td_cpuset; if (cpu == NOCPU) { /* * roll back to default set. 
We're not using cpuset_shadow() * here because we can fail CPU_SUBSET() check. This can happen * if default set does not contain all CPUs. */ error = _cpuset_create(nset, cpuset_default, &mask, CPUSET_INVALID); goto applyset; } if (old_set->cs_id == 1 || (old_set->cs_id == CPUSET_INVALID && old_set->cs_parent->cs_id == 1)) { /* * Current set is either default (1) or * shadowed version of default set. * * Allocate new root set to be able to shadow it * with any mask. */ error = _cpuset_create(rset, cpuset_zero, &cpuset_zero->cs_mask, cs_id); if (error != 0) { PROC_UNLOCK(p); goto out; } rset->cs_flags |= CPU_SET_ROOT; parent = rset; rset = NULL; cs_id = CPUSET_INVALID; } else { /* Assume existing set was already allocated by previous call */ parent = old_set; old_set = NULL; } error = cpuset_shadow(parent, nset, &mask); applyset: if (error == 0) { thread_lock(td); td->td_cpuset = nset; sched_affinity(td); thread_unlock(td); nset = NULL; } else old_set = NULL; PROC_UNLOCK(p); if (old_set != NULL) cpuset_rel(old_set); out: if (nset != NULL) uma_zfree(cpuset_zone, nset); if (rset != NULL) uma_zfree(cpuset_zone, rset); if (cs_id != CPUSET_INVALID) free_unr(cpuset_unr, cs_id); return (error); } /* * Creates system-wide cpusets and the cpuset for thread0 including two * sets: * * 0 - The root set which should represent all valid processors in the * system. It is initially created with a mask of all processors * because we don't know what processors are valid until cpuset_init() * runs. This set is immutable. * 1 - The default set which all processes are a member of until changed. * This allows an administrator to move all threads off of given cpus to * dedicate them to high priority tasks or save power etc. 
*/ struct cpuset * cpuset_thread0(void) { struct cpuset *set; int error, i; cpuset_zone = uma_zcreate("cpuset", sizeof(struct cpuset), NULL, NULL, NULL, NULL, UMA_ALIGN_PTR, 0); mtx_init(&cpuset_lock, "cpuset", NULL, MTX_SPIN | MTX_RECURSE); /* * Create the root system set for the whole machine. Doesn't use * cpuset_create() due to NULL parent. */ set = uma_zalloc(cpuset_zone, M_WAITOK | M_ZERO); CPU_FILL(&set->cs_mask); LIST_INIT(&set->cs_children); LIST_INSERT_HEAD(&cpuset_ids, set, cs_link); set->cs_ref = 1; set->cs_flags = CPU_SET_ROOT; cpuset_zero = set; cpuset_root = &set->cs_mask; /* * Now derive a default, modifiable set from that to give out. */ set = uma_zalloc(cpuset_zone, M_WAITOK); error = _cpuset_create(set, cpuset_zero, &cpuset_zero->cs_mask, 1); KASSERT(error == 0, ("Error creating default set: %d\n", error)); cpuset_default = set; /* * Initialize the unit allocator. 0 and 1 are allocated above. */ cpuset_unr = new_unrhdr(2, INT_MAX, NULL); /* * If MD code has not initialized per-domain cpusets, place all * CPUs in domain 0. */ for (i = 0; i < MAXMEMDOM; i++) if (!CPU_EMPTY(&cpuset_domain[i])) goto domains_set; CPU_COPY(&all_cpus, &cpuset_domain[0]); domains_set: return (set); } /* * Create a cpuset, which would be cpuset_create() but * mark the new 'set' as root. * * We are not going to reparent the td to it. Use cpuset_setproc_update_set() * for that. * * In case of no error, returns the set in *setp locked with a reference. */ int cpuset_create_root(struct prison *pr, struct cpuset **setp) { struct cpuset *set; int error; KASSERT(pr != NULL, ("[%s:%d] invalid pr", __func__, __LINE__)); KASSERT(setp != NULL, ("[%s:%d] invalid setp", __func__, __LINE__)); error = cpuset_create(setp, pr->pr_cpuset, &pr->pr_cpuset->cs_mask); if (error) return (error); KASSERT(*setp != NULL, ("[%s:%d] cpuset_create returned invalid data", __func__, __LINE__)); /* Mark the set as root. 
*/ set = *setp; set->cs_flags |= CPU_SET_ROOT; return (0); } int cpuset_setproc_update_set(struct proc *p, struct cpuset *set) { int error; KASSERT(p != NULL, ("[%s:%d] invalid proc", __func__, __LINE__)); KASSERT(set != NULL, ("[%s:%d] invalid set", __func__, __LINE__)); cpuset_ref(set); error = cpuset_setproc(p->p_pid, set, NULL); if (error) return (error); cpuset_rel(set); return (0); } /* * This is called once the final set of system cpus is known. Modifies * the root set and all children and mark the root read-only. */ static void cpuset_init(void *arg) { cpuset_t mask; mask = all_cpus; if (cpuset_modify(cpuset_zero, &mask)) panic("Can't set initial cpuset mask.\n"); cpuset_zero->cs_flags |= CPU_SET_RDONLY; } SYSINIT(cpuset, SI_SUB_SMP, SI_ORDER_ANY, cpuset_init, NULL); #ifndef _SYS_SYSPROTO_H_ struct cpuset_args { cpusetid_t *setid; }; #endif int sys_cpuset(struct thread *td, struct cpuset_args *uap) { struct cpuset *root; struct cpuset *set; int error; thread_lock(td); root = cpuset_refroot(td->td_cpuset); thread_unlock(td); error = cpuset_create(&set, root, &root->cs_mask); cpuset_rel(root); if (error) return (error); error = copyout(&set->cs_id, uap->setid, sizeof(set->cs_id)); if (error == 0) error = cpuset_setproc(-1, set, NULL); cpuset_rel(set); return (error); } #ifndef _SYS_SYSPROTO_H_ struct cpuset_setid_args { cpuwhich_t which; id_t id; cpusetid_t setid; }; #endif int sys_cpuset_setid(struct thread *td, struct cpuset_setid_args *uap) { return (kern_cpuset_setid(td, uap->which, uap->id, uap->setid)); } int kern_cpuset_setid(struct thread *td, cpuwhich_t which, id_t id, cpusetid_t setid) { struct cpuset *set; int error; /* * Presently we only support per-process sets. 
*/ if (which != CPU_WHICH_PID) return (EINVAL); set = cpuset_lookup(setid, td); if (set == NULL) return (ESRCH); error = cpuset_setproc(id, set, NULL); cpuset_rel(set); return (error); } #ifndef _SYS_SYSPROTO_H_ struct cpuset_getid_args { cpulevel_t level; cpuwhich_t which; id_t id; cpusetid_t *setid; }; #endif int sys_cpuset_getid(struct thread *td, struct cpuset_getid_args *uap) { return (kern_cpuset_getid(td, uap->level, uap->which, uap->id, uap->setid)); } int kern_cpuset_getid(struct thread *td, cpulevel_t level, cpuwhich_t which, id_t id, cpusetid_t *setid) { struct cpuset *nset; struct cpuset *set; struct thread *ttd; struct proc *p; cpusetid_t tmpid; int error; if (level == CPU_LEVEL_WHICH && which != CPU_WHICH_CPUSET) return (EINVAL); error = cpuset_which(which, id, &p, &ttd, &set); if (error) return (error); switch (which) { case CPU_WHICH_TID: case CPU_WHICH_PID: thread_lock(ttd); set = cpuset_refbase(ttd->td_cpuset); thread_unlock(ttd); PROC_UNLOCK(p); break; case CPU_WHICH_CPUSET: case CPU_WHICH_JAIL: break; case CPU_WHICH_IRQ: case CPU_WHICH_DOMAIN: return (EINVAL); } switch (level) { case CPU_LEVEL_ROOT: nset = cpuset_refroot(set); cpuset_rel(set); set = nset; break; case CPU_LEVEL_CPUSET: break; case CPU_LEVEL_WHICH: break; } tmpid = set->cs_id; cpuset_rel(set); if (error == 0) error = copyout(&tmpid, setid, sizeof(id)); return (error); } #ifndef _SYS_SYSPROTO_H_ struct cpuset_getaffinity_args { cpulevel_t level; cpuwhich_t which; id_t id; size_t cpusetsize; cpuset_t *mask; }; #endif int sys_cpuset_getaffinity(struct thread *td, struct cpuset_getaffinity_args *uap) { return (kern_cpuset_getaffinity(td, uap->level, uap->which, uap->id, uap->cpusetsize, uap->mask)); } int kern_cpuset_getaffinity(struct thread *td, cpulevel_t level, cpuwhich_t which, id_t id, size_t cpusetsize, cpuset_t *maskp) { struct thread *ttd; struct cpuset *nset; struct cpuset *set; struct proc *p; cpuset_t *mask; int error; size_t size; if (cpusetsize < sizeof(cpuset_t) || 
cpusetsize > CPU_MAXSIZE / NBBY) return (ERANGE); + /* In Capability mode, you can only get your own CPU set. */ + if (IN_CAPABILITY_MODE(td)) { + if (level != CPU_LEVEL_WHICH) + return (ECAPMODE); + if (which != CPU_WHICH_TID && which != CPU_WHICH_PID) + return (ECAPMODE); + if (id != -1) + return (ECAPMODE); + } size = cpusetsize; mask = malloc(size, M_TEMP, M_WAITOK | M_ZERO); error = cpuset_which(which, id, &p, &ttd, &set); if (error) goto out; switch (level) { case CPU_LEVEL_ROOT: case CPU_LEVEL_CPUSET: switch (which) { case CPU_WHICH_TID: case CPU_WHICH_PID: thread_lock(ttd); set = cpuset_ref(ttd->td_cpuset); thread_unlock(ttd); break; case CPU_WHICH_CPUSET: case CPU_WHICH_JAIL: break; case CPU_WHICH_IRQ: case CPU_WHICH_INTRHANDLER: case CPU_WHICH_ITHREAD: case CPU_WHICH_DOMAIN: error = EINVAL; goto out; } if (level == CPU_LEVEL_ROOT) nset = cpuset_refroot(set); else nset = cpuset_refbase(set); CPU_COPY(&nset->cs_mask, mask); cpuset_rel(nset); break; case CPU_LEVEL_WHICH: switch (which) { case CPU_WHICH_TID: thread_lock(ttd); CPU_COPY(&ttd->td_cpuset->cs_mask, mask); thread_unlock(ttd); break; case CPU_WHICH_PID: FOREACH_THREAD_IN_PROC(p, ttd) { thread_lock(ttd); CPU_OR(mask, &ttd->td_cpuset->cs_mask); thread_unlock(ttd); } break; case CPU_WHICH_CPUSET: case CPU_WHICH_JAIL: CPU_COPY(&set->cs_mask, mask); break; case CPU_WHICH_IRQ: case CPU_WHICH_INTRHANDLER: case CPU_WHICH_ITHREAD: error = intr_getaffinity(id, which, mask); break; case CPU_WHICH_DOMAIN: if (id < 0 || id >= MAXMEMDOM) error = ESRCH; else CPU_COPY(&cpuset_domain[id], mask); break; } break; default: error = EINVAL; break; } if (set) cpuset_rel(set); if (p) PROC_UNLOCK(p); if (error == 0) error = copyout(mask, maskp, size); out: free(mask, M_TEMP); return (error); } #ifndef _SYS_SYSPROTO_H_ struct cpuset_setaffinity_args { cpulevel_t level; cpuwhich_t which; id_t id; size_t cpusetsize; const cpuset_t *mask; }; #endif int sys_cpuset_setaffinity(struct thread *td, struct cpuset_setaffinity_args 
*uap) { return (kern_cpuset_setaffinity(td, uap->level, uap->which, uap->id, uap->cpusetsize, uap->mask)); } int kern_cpuset_setaffinity(struct thread *td, cpulevel_t level, cpuwhich_t which, id_t id, size_t cpusetsize, const cpuset_t *maskp) { struct cpuset *nset; struct cpuset *set; struct thread *ttd; struct proc *p; cpuset_t *mask; int error; if (cpusetsize < sizeof(cpuset_t) || cpusetsize > CPU_MAXSIZE / NBBY) return (ERANGE); + /* In Capability mode, you can only set your own CPU set. */ + if (IN_CAPABILITY_MODE(td)) { + if (level != CPU_LEVEL_WHICH) + return (ECAPMODE); + if (which != CPU_WHICH_TID && which != CPU_WHICH_PID) + return (ECAPMODE); + if (id != -1) + return (ECAPMODE); + } mask = malloc(cpusetsize, M_TEMP, M_WAITOK | M_ZERO); error = copyin(maskp, mask, cpusetsize); if (error) goto out; /* * Verify that no high bits are set. */ if (cpusetsize > sizeof(cpuset_t)) { char *end; char *cp; end = cp = (char *)&mask->__bits; end += cpusetsize; cp += sizeof(cpuset_t); while (cp != end) if (*cp++ != 0) { error = EINVAL; goto out; } } switch (level) { case CPU_LEVEL_ROOT: case CPU_LEVEL_CPUSET: error = cpuset_which(which, id, &p, &ttd, &set); if (error) break; switch (which) { case CPU_WHICH_TID: case CPU_WHICH_PID: thread_lock(ttd); set = cpuset_ref(ttd->td_cpuset); thread_unlock(ttd); PROC_UNLOCK(p); break; case CPU_WHICH_CPUSET: case CPU_WHICH_JAIL: break; case CPU_WHICH_IRQ: case CPU_WHICH_INTRHANDLER: case CPU_WHICH_ITHREAD: case CPU_WHICH_DOMAIN: error = EINVAL; goto out; } if (level == CPU_LEVEL_ROOT) nset = cpuset_refroot(set); else nset = cpuset_refbase(set); error = cpuset_modify(nset, mask); cpuset_rel(nset); cpuset_rel(set); break; case CPU_LEVEL_WHICH: switch (which) { case CPU_WHICH_TID: error = cpuset_setthread(id, mask); break; case CPU_WHICH_PID: error = cpuset_setproc(id, NULL, mask); break; case CPU_WHICH_CPUSET: case CPU_WHICH_JAIL: error = cpuset_which(which, id, &p, &ttd, &set); if (error == 0) { error = cpuset_modify(set, mask); 
cpuset_rel(set); } break; case CPU_WHICH_IRQ: case CPU_WHICH_INTRHANDLER: case CPU_WHICH_ITHREAD: error = intr_setaffinity(id, which, mask); break; default: error = EINVAL; break; } break; default: error = EINVAL; break; } out: free(mask, M_TEMP); return (error); } #ifdef DDB void ddb_display_cpuset(const cpuset_t *set) { int cpu, once; for (once = 0, cpu = 0; cpu < CPU_SETSIZE; cpu++) { if (CPU_ISSET(cpu, set)) { if (once == 0) { db_printf("%d", cpu); once = 1; } else db_printf(",%d", cpu); } } if (once == 0) db_printf(""); } DB_SHOW_COMMAND(cpusets, db_show_cpusets) { struct cpuset *set; LIST_FOREACH(set, &cpuset_ids, cs_link) { db_printf("set=%p id=%-6u ref=%-6d flags=0x%04x parent id=%d\n", set, set->cs_id, set->cs_ref, set->cs_flags, (set->cs_parent != NULL) ? set->cs_parent->cs_id : 0); db_printf(" mask="); ddb_display_cpuset(&set->cs_mask); db_printf("\n"); if (db_pager_quit) break; } } #endif /* DDB */
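Review bot: The capability-mode gate added before `size = cpusetsize;` in kern_cpuset_getaffinity() is repeated verbatim before the `malloc()` in kern_cpuset_setaffinity(), so the rule for what a sandboxed process may reach lives in two places and can drift when a new `which` or `level` value is admitted on one path but not the other. A small static helper that both functions call keeps the policy single-sourced, and its header comment can state the rule precisely instead of "your own CPU set"; the sketch below keeps the same ECAPMODE results and the same check order, and placement before `copyin()` in the set path is preserved. The call site in each function would then be `error = cpuset_check_capabilities(td, level, which, id);` followed by `if (error != 0) return (error);`, reusing the `error` local both functions already declare.
```c
/*
 * Capability-mode policy shared by cpuset_getaffinity() and
 * cpuset_setaffinity(): a sandboxed caller may only inspect or change
 * the calling thread's or process's own mask (CPU_LEVEL_WHICH with
 * id == -1); every other level/which/id combination is ECAPMODE.
 */
static int
cpuset_check_capabilities(struct thread *td, cpulevel_t level,
    cpuwhich_t which, id_t id)
{

	if (IN_CAPABILITY_MODE(td)) {
		if (level != CPU_LEVEL_WHICH)
			return (ECAPMODE);
		if (which != CPU_WHICH_TID && which != CPU_WHICH_PID)
			return (ECAPMODE);
		if (id != -1)
			return (ECAPMODE);
	}
	return (0);
}

/* … unchanged: kern_cpuset_getaffinity() through the cpusetsize check … */
	error = cpuset_check_capabilities(td, level, which, id);
	if (error != 0)
		return (error);
/* … unchanged: the same two lines replace the block in kern_cpuset_setaffinity() … */
```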