Changeset d24e987 in mainline

Timestamp:

2018-10-16T18:03:43Z (6 years ago)

Author:

Jakub Jermar <jakub@…>

Branches:

lfn, master, serial, ticket/834-toolchain-update, topic/msim-upgrade, topic/simplify-dev-export

Children:

2d93763a, e344422

Parents:

c0cef6f9

git-author:

Jakub Jermar <jakub@…> (2018-10-16 17:55:57)

git-committer:

Jakub Jermar <jakub@…> (2018-10-16 18:03:43)

Message:

Make access via capabilities revokable

This commit makes it possible to revoke access to a kernel object from
all capabilities across all tasks. In order to support this, each kernel
object is equipped with a list of capabilities that point to it.

Location:

kernel/generic

Files:

• include/cap/cap.h (modified) (3 diffs)
• src/cap/cap.c (modified) (9 diffs)

kernel/generic/include/cap/cap.h

@@ -69 +69 @@
 
 /*
- * Everything in kobject_t except for the atomic reference count is imutable.
+ * Everything in kobject_t except for the atomic reference count, the capability
+ * list and its lock is imutable.
  */
 typedef struct kobject {
         kobject_type_t type;
         atomic_t refcnt;
+
+        /** Mutex protecting caps_list */
+        mutex_t caps_list_lock;
+        /** List of published capabilities associated with the kobject */
+        list_t caps_list;
 
         kobject_ops_t *ops;
@@ -93 +99 @@
         struct task *task;
         cap_handle_t handle;
+
+        /** Link to the kobject's list of capabilities. */
+        link_t kobj_link;
 
         /* Link to the task's capabilities of the same kobject type. */
@@ -122 +131 @@
 extern void cap_publish(struct task *, cap_handle_t, kobject_t *);
 extern kobject_t *cap_unpublish(struct task *, cap_handle_t, kobject_type_t);
+extern void cap_revoke(kobject_t *);
 extern void cap_free(struct task *, cap_handle_t);
 

kernel/generic/src/cap/cap.c

@@ -63 +63 @@
  * kobject_add_ref() or as a result of unpublishing a capability and
  * disassociating it from its kobject_t using cap_unpublish().
+ *
+ * A holder of an explicit reference to a kernel object may revoke access to it
+ * from all capabilities that point to it by calling cap_revoke().
  *
  * As kernel objects are reference-counted, they get automatically destroyed
@@ -208 +211 @@
         cap->task = task;
         cap->handle = handle;
+        link_initialize(&cap->kobj_link);
         link_initialize(&cap->type_link);
 }
@@ -281 +285 @@
 cap_publish(task_t *task, cap_handle_t handle, kobject_t *kobj)
 {
+        mutex_lock(&kobj->caps_list_lock);
         mutex_lock(&task->cap_info->lock);
         cap_t *cap = cap_get(task, handle, CAP_STATE_ALLOCATED);
@@ -287 +292 @@
         /* Hand over kobj's reference to cap */
         cap->kobject = kobj;
+        list_append(&cap->kobj_link, &kobj->caps_list);
         list_append(&cap->type_link, &task->cap_info->type_list[kobj->type]);
         mutex_unlock(&task->cap_info->lock);
+        mutex_unlock(&kobj->caps_list_lock);
+}
+
+static void cap_unpublish_unsafe(cap_t *cap)
+{
+        cap->kobject = NULL;
+        list_remove(&cap->kobj_link);
+        list_remove(&cap->type_link);
+        cap->state = CAP_STATE_ALLOCATED;
 }
 
@@ -302 +317 @@
  * @param type    Kernel object type of the object associated with the
  *                capability.
+ *
+ * @return Pointer and explicit reference to the kobject that was associated
+ *         with the capability.
  */
 kobject_t *cap_unpublish(task_t *task, cap_handle_t handle, kobject_type_t type)
@@ -307 +325 @@
         kobject_t *kobj = NULL;
 
+restart:
         mutex_lock(&task->cap_info->lock);
         cap_t *cap = cap_get(task, handle, CAP_STATE_PUBLISHED);
@@ -313 +332 @@
                         /* Hand over cap's reference to kobj */
                         kobj = cap->kobject;
-                        cap->kobject = NULL;
-                        list_remove(&cap->type_link);
-                        cap->state = CAP_STATE_ALLOCATED;
+                        if (!mutex_trylock(&kobj->caps_list_lock)) {
+                                mutex_unlock(&task->cap_info->lock);
+                                kobj = NULL;
+                                goto restart;
+                        }
+                        cap_unpublish_unsafe(cap);
+                        mutex_unlock(&kobj->caps_list_lock);
                 }
         }
@@ -321 +344 @@
 
         return kobj;
+}
+
+/** Revoke access to kobject from all existing capabilities
+ *
+ * All published capabilities associated with the kobject are unpublished (i.e.
+ * their new state is set to CAP_STATE_ALLOCATED) and no longer point to the
+ * kobject. Kobject's reference count is decreased accordingly.
+ *
+ * Note that the caller is supposed to hold an explicit reference to the kobject
+ * so that the kobject is guaranteed to exist when this function returns.
+ *
+ * @param kobj  Pointer and explicit reference to the kobject capabilities of
+ *              which are about to be unpublished.
+ */
+void cap_revoke(kobject_t *kobj)
+{
+        mutex_lock(&kobj->caps_list_lock);
+        list_foreach_safe(kobj->caps_list, cur, hlp) {
+                cap_t *cap = list_get_instance(cur, cap_t, kobj_link);
+                mutex_lock(&cap->task->cap_info->lock);
+                cap_unpublish_unsafe(cap);
+                /* Drop the reference for the unpublished capability */
+                kobject_put(kobj);
+                mutex_unlock(&cap->task->cap_info->lock);
+        }
+        mutex_unlock(&kobj->caps_list_lock);
 }
 
@@ -355 +404 @@
 {
         atomic_store(&kobj->refcnt, 1);
+
+        mutex_initialize(&kobj->caps_list_lock, MUTEX_PASSIVE);
+        list_initialize(&kobj->caps_list);
+
         kobj->type = type;
         kobj->raw = raw;