GitLab

The old algorithm would ignore 2nd-level children of the revoked node
because they were inserted "before" their parent that was getting
removed from the list.

The new algorithm re-starts the revoke from the last "checkpoint" (node
that is guaranteed to be in the output tree) so that we can detect the
children of deleted nodes.

Instead of the weird "two-part" move that I was doing, trying to
splice both the old CDT root and its children into the new parent's
"children" list. I realized that you can just move the old root into the
children list, and everything will work out fine.

We don't (can't) have runtime L1 cache size detection on aarch64 without
help.  Of course, line size is always 64 bytes (and that can be found at
runtime); but the total L1 dcache size is not discoverable unless the
kernel (or something else at EL0) has flipped the ECT bit in the system
control register.  This could well be why getconf LEVEL1_DCACHE_SIZE
fails.  In any case, I can't see how it would work.

So, abuse the fact that no aarch64 impl has L1 dcache < 32KB and be happy.

In CapNet, predicates need to be able to use runtime information to say
whether a cnode is part of a valid traversal or not.

* Add CDT refcounting on grant so we get correct counts
* Make revoke_till do a proper traversal, skipping sub-trees that
  `revoke_till` tells it to skip.

This adds a 'metadata' argument to cap_grant, and cap_insert that allows
the caller to set the `metadata` field of a cnode atomically on
creation.

Changes the owner getters and setters to follow the (better) convention
the metadata getters and setters set.

Also adds `revoke_till` as an export symbol.

Revoke allows partial revocation of a CDT, rather than full revocation
when a node is deleted.

This is specifically being used to discover the type of a minted cptr as
it is minted.

* Moves where cnode->cptr is defined closer to where a cnode is first
  created. This way, cnodes not created through `cap_insert` still get
  cptrs.
* When granting, we definitely don't want copy the src cspace to the dst
  cspace. Kind-of defeats the purpose

Also adds some default returns to address compiler warnings.

Currently I'm assuming that we want the grant callbacks to actually see
the granted cnode. Therefore, we need to roll-back if the grant callback
aborts the grant operation.

The additional comments about the libcap callbacks just explain their
semantics in greater detail.

Unlike other kernel functions, mutex_trylock returns 1 on sucess
and 0 on error. The double negations were inverting the interpretation
of the result. (It still worked because on the first attempt, we
interpreted as a failure and tried again; on the second attempt, it
was really a failure to take the lock but we interpreted as a
success.)

This commit does three main things:
  1. Full CDT reference counting. When CDT locks are acquired, all
     intermediate root's reference counts are update safely.
  2. Re-factor's the operations to use two generic locking routines with
     special handlers (binop, and unop). This removes a lot of code duplication
     which made adding the locking code much easier, and should help
     prevent bugs.
  3. Removes the `delete` callback, now `delete` will be called whenever
     a cnode is created. It's the object's decision if this requires a
     memory free or not. Also adds three new callbacks:
       * `grant(src, dst)`: called when a grant from src -> dst happens.
          Only the handler for `src` is called.
       * `derive_src(src, dst)`: called on `src` when dst is derived from src.
       * `derive_dst(src, dst)`: called on `dst` when dst is derived from src.
    Objects are now responsible for doing some sort of reference
    counting in the grant and delete callbacks to prevent leaks. The
    grant and derive callbacks will also be the main hooks for capnet.

I got rid of the KERNEL_HEADERS_INSTALL thing. Kind of silly. The
user is just expected to set their prefix right. We still have to
do a hook in order to install the kernel-specific stuff. libcap.a
and libcap.ko (kernel binaries) go in prefix/lib.

I don't think it's needed at this point. The libcap user is
therefore responsible for tracking lifetimes and freeing things
at the correct points.

In addition, I noted in cap_grant (not implemented yet), that
grant will fail if the source and destination cspaces have
different type systems.

Forgot about that.

Also adds source file to build.

Moves David's register cap type into register private cap type.

The code builds right now by default (--enable-global-cap-types is
on by default). Next step is to adjust the internals.

Fixed an autoconf script bug: if you AC_SUBST a variable in one
case and AC_SUBST_FILE in another (perhaps in an if statement), autoconf
gets confused. So, I just always AC_SUBST now and cat the file into
the variable when necessary. (I'm referring to the
CAP_INCLUDE_GLOBAL_TYPES variable in configure.ac.)