Author: brooks
Date: Thu Apr 5 20:31:45 2018
New Revision: 332086
URL: https://svnweb.freebsd.org/changeset/base/332086
Log:
Added SAL annotations to system calls.
Modify makesyscalls.sh to strip out SAL annotations.
No functional change.
This is based on work I started in CheriBSD and use to validate fat
pointers at the syscall boundary. Tal Garfinkel reviewed the changes,
added annotations to COMPAT* syscalls and is using them in a record and
playback framework. One can envision other uses such as a WITNESS-like
validator for copyin/out as speculated on in the review.
As this time we are only annotating sys/kern/syscalls.master as that is
sufficient for userspace work. If kernel use cases materialize, we can
annotate other syscalls.master as needed.
Submitted by: Tal Garfinkel
Sponsored by: DARPA, AFRL (in part)
Differential Revision:https://reviews.freebsd.org/D14285
Modified:
head/sys/kern/makesyscalls.sh
head/sys/kern/syscalls.master
Modified: head/sys/kern/makesyscalls.sh
==
--- head/sys/kern/makesyscalls.sh Thu Apr 5 19:45:30 2018
(r332085)
+++ head/sys/kern/makesyscalls.sh Thu Apr 5 20:31:45 2018
(r332086)
@@ -400,6 +400,16 @@ sed -e '
}
if (argtype[argc] == "")
parserr($f, "argument definition")
+
+ # The parser adds space around parens.
+ # Remove it from annotations.
+ gsub(/ \( /, "(", argtype[argc]);
+ gsub(/ \)/, ")", argtype[argc]);
+
+ #remove annotations
+ gsub(/_In[^ ]*[_)] /, "", argtype[argc]);
+ gsub(/_Out[^ ]*[_)] /, "", argtype[argc]);
+
argname[argc]=$f;
f += 2; # skip name, and any comma
}
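Review bot: The two annotation-stripping gsub() calls are unanchored, so any type token in argtype[argc] that merely contains `_In` or `_Out` followed by `_` or `)` and a space would be deleted too, not only a leading SAL annotation; if argtype[argc] is always assembled with the annotation first (the assembly is above this hunk and not visible here), anchoring the patterns avoids that false match: `gsub(/^_In[^ ]*[_)] /, "", argtype[argc]);` and `gsub(/^_Out[^ ]*[_)] /, "", argtype[argc]);`. Because both patterns require a trailing space, an annotation glued to its type with no space is presumably left in argtype[argc] rather than silently dropped, which is worth stating in the comment so a future reader does not "fix" it into a looser pattern. The comment `#remove annotations` should read `# Remove annotations.` to match the two comments just above it. The enclosing awk action starts before the hunk.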
Modified: head/sys/kern/syscalls.master
==
--- head/sys/kern/syscalls.master Thu Apr 5 19:45:30 2018
(r332085)
+++ head/sys/kern/syscalls.master Thu Apr 5 20:31:45 2018
(r332086)
@@ -43,7 +43,32 @@
; function prototype in sys/sysproto.h. Does add a
; definition to syscall.h besides adding a sysent.
; NOTSTATIC syscall is loadable
+
+; annotations:
+; SAL 2.0 annotations are used to specify how system calls treat
+; arguments that are passed using pointers. There are three basic
+; annotations.
;
+; _In_Object pointed to will be read and not modified.
+; _Out_ Object pointed to will be written and not read.
+; _Inout_ Object pointed to will be written and read.
+;
+; These annotations are used alone when the pointer refers to a single
+; object i.e. scalar types, structs, and pointers, and not NULL. Adding
+; the _opt_ suffix, e.g. _In_opt_, implies that the pointer may also
+; refer to NULL.
+;
+; For pointers to arrays, additional suffixes are added:
+;
+; _In_z_, _Out_z_, _Inout_z_:
+; for a NUL terminated array e.g. a string.
+; _In_reads_z_(n),_Out_writes_z_(n), _Inout_updates_z_(n):
+; for a NUL terminated array e.g. a string, of known length n bytes.
+; _In_reads_(n),_Out_writes_(n),_Inout_updates_(n):
+; for an array of n elements.
+; _In_reads_bytes_(n), _Out_writes_bytes_(n), _Inout_updates_bytes(n):
+; for a buffer of n-bytes.
+
; Please copy any additions and changes to the following compatability tables:
; sys/compat/freebsd32/syscalls.master
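Review bot: `_Inout_updates_bytes(n)` on the last annotation line lacks the trailing underscore that every other annotation in the list carries and that SAL 2.0 defines (`_Inout_updates_bytes_(n)`), so the table documents a spelling that differs from the family it belongs to. Change the line to `; _In_reads_bytes_(n), _Out_writes_bytes_(n), _Inout_updates_bytes_(n):`. The `_In_Object pointed to` line also appears to have lost the spacing between `_In_` and its description, though that may be an artifact of how the page was rendered rather than of the commit.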
@@ -63,143 +88,181 @@
1 AUE_EXITSTD { void sys_exit(int rval); } exit \
sys_exit_args void
2 AUE_FORKSTD { int fork(void); }
-3 AUE_READSTD { ssize_t read(int fd, void *buf, \
+3 AUE_READSTD { ssize_t read(int fd, \
+ _Out_writes_bytes_(nbyte) void *buf, \
size_t nbyte); }
-4 AUE_WRITE STD { ssize_t write(int fd, const void *buf, \
+4 AUE_WRITE STD { ssize_t write(int fd, \
+ _In_reads_bytes_(nbyte) const void *buf, \
size_t nbyte); }
-5 AUE_OPEN_RWTC STD { int open(char *path, int flags, int mode); }
+5 AUE_OPEN_RWTC STD { int open( \
+ _In_z_ char *path, \
+ int flags, \
+ int mode); }
; XXX should be{ int open(const char *path, int flags, ...); }
; but we're not ready for `const' or varargs.
; XXX man page says `mode_t mode'.
6 AUE_CLOSE STD { int close(int