Re: Communication between kernel and userspace via local socket
On сб, 19 лис 2011 11:02:47 Julian Elischer wrote: > On 11/17/11 11:40 AM, Maxim Ignatenko wrote: > > Julian Elischer wrote: > >> On 11/16/11 12:55 AM, Ed Schouten wrote: > >>> * Maxim Ignatenko, 2015 21:18: > >>>> I'm currently inventing the wheel^W^W^Wwriting a firewall from scratch > >>>> and looking for most convenient way to establish communication > >>>> between userspace processes and kernel part. Communication pattern > >>>> best fits to listening PF_LOCAL socket opened from kernel and > >>>> userspace processes connecting to it. > >>> > >>> What's wrong with a character device? > >> > >> you can't easily have a different character device depending on which > >> jail you are in.. > >> (well, you can but it gets tricky).. see the problem with /dev/pflog > >> and vimages. > >> > >> > >> Maxim, look at the usage of sockets with netgraph ng_socket node.. also > >> divert sockets. > > > > Did you meant ng_ksocket? I've looked on it, but in case of ng_ksocket > > connections accepted upon receiving control message NGM_KSOCKET_ACCEPT, > > but I need to accept connections without such "punch". As far as I > > understand, I need to spawn kernel process or thread which will listen > > for incoming connections and respond to requests, just like normal > > network daemon does, but I don't know how to do this. > > divert(4) will not do the job, since packets written to divert socket > > goes to IP stack. > > No I meant ng_socket.. you wanted to communicate between userland and > kernel. > that ng_socket is the interface between kernel and userland for netgraph. > Thanks! Creating new domain is, probably, overkill, but should work :) ___ freebsd-hackers@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-hackers To unsubscribe, send any mail to "freebsd-hackers-unsubscr...@freebsd.org"
Re: Communication between kernel and userspace via local socket
Julian Elischer wrote: > On 11/16/11 12:55 AM, Ed Schouten wrote: >> * Maxim Ignatenko, 2015 21:18: >>> I'm currently inventing the wheel^W^W^Wwriting a firewall from scratch and >>> looking for most convenient way to establish communication between >>> userspace processes and kernel part. Communication pattern best fits to >>> listening PF_LOCAL socket opened from kernel and userspace processes >>> connecting to it. >> What's wrong with a character device? > > you can't easily have a different character device depending on which > jail you are in.. > (well, you can but it gets tricky).. see the problem with /dev/pflog > and vimages. > > > Maxim, look at the usage of sockets with netgraph ng_socket node.. also > divert sockets. > Did you meant ng_ksocket? I've looked on it, but in case of ng_ksocket connections accepted upon receiving control message NGM_KSOCKET_ACCEPT, but I need to accept connections without such "punch". As far as I understand, I need to spawn kernel process or thread which will listen for incoming connections and respond to requests, just like normal network daemon does, but I don't know how to do this. divert(4) will not do the job, since packets written to divert socket goes to IP stack. ___ freebsd-hackers@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-hackers To unsubscribe, send any mail to "freebsd-hackers-unsubscr...@freebsd.org"
Re: Communication between kernel and userspace via local socket
On 16 November 2011 10:55, Ed Schouten wrote: > * Maxim Ignatenko , 2015 21:18: >> I'm currently inventing the wheel^W^W^Wwriting a firewall from scratch and >> looking for most convenient way to establish communication between userspace >> processes and kernel part. Communication pattern best fits to listening >> PF_LOCAL socket opened from kernel and userspace processes connecting to it. > > What's wrong with a character device? > With character device I'll need to manually maintain "per-connection" buffers, this will bloat the code. ___ freebsd-hackers@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-hackers To unsubscribe, send any mail to "freebsd-hackers-unsubscr...@freebsd.org"
Re: Communication between kernel and userspace via local socket
On вт, 15 лис 2011 23:17:41 m...@freebsd.org wrote: > On Tue, Nov 15, 2011 at 12:18 PM, Maxim Ignatenko wrote: > > frHi, > > > > I'm currently inventing the wheel^W^W^Wwriting a firewall from scratch > > and looking for most convenient way to establish communication between > > userspace processes and kernel part. Communication pattern best fits to > > listening PF_LOCAL socket opened from kernel and userspace processes > > connecting to it. Clients should be able to send requests and receive > > responses from kernel (to retrieve list of loaded modules, active > > ruleset, add or remove rules, ...) and vice versa: kernel should be able > > to send request to userspace process and receive response (I'm planning > > to add interactive features like in most firewalls for windows(r)). > > > > First part can be implemented via ioctl, but it should be called not only > > by processes with euid == 0, so supplied pointer to receive buffer > > cannot be trusted (is there any mechanism to check memory allocation?) > > and any unprivileged user can instruct kernel to write some trash at > > arbitrary address (for example, VM just rebooted ungracefully when I > > supplied (void*)123 as pointer to destination buffer). > > Were you using copyout(9)? I think FreeBSD's memory isolation between > processes is pretty decent. I would be very surprised if copyout to an > invalid address did something other than return EFAULT. At least the > amd64 implementation of copyout(9) will also explicitly check that the > address is a user address, so that you can't corrupt kernel memory > with a rogue pointer from user-space. > Yep. I've used this https://gitorious.org/acpi_call-freebsd/acpi_call- freebsd/blobs/master/acpi_call.c#line49 for tests. ___ freebsd-hackers@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-hackers To unsubscribe, send any mail to "freebsd-hackers-unsubscr...@freebsd.org"
Communication between kernel and userspace via local socket
frHi, I'm currently inventing the wheel^W^W^Wwriting a firewall from scratch and looking for most convenient way to establish communication between userspace processes and kernel part. Communication pattern best fits to listening PF_LOCAL socket opened from kernel and userspace processes connecting to it. Clients should be able to send requests and receive responses from kernel (to retrieve list of loaded modules, active ruleset, add or remove rules, ...) and vice versa: kernel should be able to send request to userspace process and receive response (I'm planning to add interactive features like in most firewalls for windows(r)). First part can be implemented via ioctl, but it should be called not only by processes with euid == 0, so supplied pointer to receive buffer cannot be trusted (is there any mechanism to check memory allocation?) and any unprivileged user can instruct kernel to write some trash at arbitrary address (for example, VM just rebooted ungracefully when I supplied (void*)123 as pointer to destination buffer). So, requirements is: 1) message exchange can initiated from userspace and from kernel 2) safe to communicate with unprivileged processes (not like in above case with ioctl) 3) kernel part should be able to determine process uid 4) messages size can be large (from 1KB to 10KB and more) Now I'm thinking about few variants: 1) emulation of local socket via character device. This way requires to manually handle per-process IO buffers, which almost certainly will have many bugs 2) opening local socket from kernel. This, as I think, require to spawn new process in kernel (but I don't know how to do this) to listen for incoming connections and messages 3) userspace mux/demux daemon (like devd): one and only one process opens character device and uses local socket to communicate with other processes. This requires to design 2 ABIs - kernel<->daemon and daemon<->client. 2nd variant looks most appropriate but know I don't know how to implement it. Can anyone point me to some documentation about spawning processes in kernel an working with sockets from kernelspace, or suggest better way of communication between processes and kernel? ___ freebsd-hackers@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-hackers To unsubscribe, send any mail to "freebsd-hackers-unsubscr...@freebsd.org"
Acquiring ACPI_LOCK(acpi) from kernel module during boot process
Hi, I have this code: https://gitorious.org/acpi_call-freebsd/acpi_call-freebsd/blobs/5e6a79869721a2bd8de88b5cfa90c14b429cb5c7/acpi_call.c It works just fine when loaded into kernel manually, but crashes if loaded during boot via loader.conf: http://i.imgur.com/fLPen.png I've added some printf's to acpi_register_ioctl() to track down where it hangs and crashes after about one minute: http://pastebin.com/vvJutWLA What am I missing? Do I need to somehow (how?) specify module initialization order? Or just call acpi_register_ioctl() by some other mean when it would not cause panic? Thanks. ___ freebsd-hackers@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-hackers To unsubscribe, send any mail to "freebsd-hackers-unsubscr...@freebsd.org"