1. 08 May, 2016 1 commit
  2. 04 May, 2016 1 commit
  3. 20 Apr, 2016 2 commits
  4. 18 Apr, 2016 1 commit
  5. 11 Apr, 2016 1 commit
  6. 07 Apr, 2016 1 commit
  7. 15 Mar, 2016 4 commits
    • Josh Kunz's avatar
      More logic errors/typos · 3e09a664
      Josh Kunz authored
      * Moves where cnode->cptr is defined closer to where a cnode is first
        created. This way, cnodes not created through `cap_insert` still get
      * When granting, we definitely don't want copy the src cspace to the dst
        cspace. Kind-of defeats the purpose
    • Josh Kunz's avatar
      Add delete callback invocation · c626cc01
      Josh Kunz authored
      Also adds some default returns to address compiler warnings.
    • Josh Kunz's avatar
      Actually call grant callback + callback docs · 98c05147
      Josh Kunz authored
      Currently I'm assuming that we want the grant callbacks to actually see
      the granted cnode. Therefore, we need to roll-back if the grant callback
      aborts the grant operation.
      The additional comments about the libcap callbacks just explain their
      semantics in greater detail.
    • Josh Kunz's avatar
      Fix logic bug in CDT locking · 909fc18e
      Josh Kunz authored
  8. 27 Jan, 2016 1 commit
    • Josh Kunz's avatar
      Re-work the old ops to use the new CDT interface · fe68b750
      Josh Kunz authored
      This commit does three main things:
        1. Full CDT reference counting. When CDT locks are acquired, all
           intermediate root's reference counts are update safely.
        2. Re-factor's the operations to use two generic locking routines with
           special handlers (binop, and unop). This removes a lot of code duplication
           which made adding the locking code much easier, and should help
           prevent bugs.
        3. Removes the `delete` callback, now `delete` will be called whenever
           a cnode is created. It's the object's decision if this requires a
           memory free or not. Also adds three new callbacks:
             * `grant(src, dst)`: called when a grant from src -> dst happens.
                Only the handler for `src` is called.
             * `derive_src(src, dst)`: called on `src` when dst is derived from src.
             * `derive_dst(src, dst)`: called on `dst` when dst is derived from src.
          Objects are now responsible for doing some sort of reference
          counting in the grant and delete callbacks to prevent leaks. The
          grant and derive callbacks will also be the main hooks for capnet.
  9. 13 Jan, 2016 3 commits
  10. 19 Jan, 2016 1 commit
    • Charlie Jacobsen's avatar
      Add kernel build fixes. · d6dc6cb7
      Charlie Jacobsen authored
      I got rid of the KERNEL_HEADERS_INSTALL thing. Kind of silly. The
      user is just expected to set their prefix right. We still have to
      do a hook in order to install the kernel-specific stuff. libcap.a
      and libcap.ko (kernel binaries) go in prefix/lib.
  11. 17 Jan, 2016 5 commits
  12. 16 Jan, 2016 3 commits
    • Charlie Jacobsen's avatar
      private-types: Updates headers and build for private type systems. · b5dc70da
      Charlie Jacobsen authored
      This will not build yet (cap_type_system_t not defined yet).
      In LCDs (kernel land), there will be multiple threads sharing
      this library, but they shouldn't share the same set of types. So,
      we need to allow building libcap to preclude this sharing (using
      a global type system).
      A global type system is allowed by default, and the same interface
      will still be there if global types are enabled. There are a few
      new functions introduced with this new feature:
      These functions will now always be part of the interface. The old
      functions will be available if global types are allowed:
            cap_init_cspace - init cspace and attach global type system to it
            cap_register_type - register a global type
      I used some autoconf magic to conditionally include these old
      functions in the libcap.h interface.
      Implementation not in place yet.
    • Charlie Jacobsen's avatar
      Updates cptr cache defs and build so that cspace config can truly vary. · 40077300
      Charlie Jacobsen authored
      Before, I just had some CPP checks that would stop the build
      if the cspace depth wasn't 4, etc. So it required some manual
      changes. Now it should be fully automated.
      There are three awk scripts that generate some C code / do some
      calculations, and the results are plugged into some headers (that
      are now templates and generated by configure). I did it this way
      because the CPP doesn't seem powerful enough to generate variable
      length definitions like this (without some serious CPP hacking).
      Easier to use awk and then AC_SUBST the results in.
      If we want to make the code even faster, we could precompute some
      other stuff like this as well.
      I tested the user build, and ran multi_thrd_cap with a cspace
      depth of 8, and cnode table size of 8. Looked ok.
    • Charlie Jacobsen's avatar
      Adds symbol exports for kernel land. · 8e2fb16b
      Charlie Jacobsen authored
      When we install libcap as a kernel module, in order for other
      kernel code (modules) to link with it, we need to mark public
      functions with EXPORT_SYMBOL.
  13. 15 Jan, 2016 2 commits
  14. 14 Jan, 2016 1 commit
  15. 11 Jan, 2016 3 commits
    • Charlie Jacobsen's avatar
      cnode-metadata: Adds metadata field to capability/cnode/slot. · 468c4b15
      Charlie Jacobsen authored
      Motivation: The libcap user may want to associate some contextual
      information for each capability (rather than with the object). For
      example, the LCD microkernel uses metadata to track whether a page
      referred to by a page capability has been mapped and where.
      This metadata field *is not* carried over to child capabilities
      during grant, and is NULL'd out when a capability is deleted from
      a cspace (so when the slot is used again, the field starts out as
      Internals note: The cnode will start out with NULL metadata as well
      when it is first used because we do a zalloc to create cnode tables.
    • Charlie Jacobsen's avatar
      static-cptr-cache: Adds lock to cptr cache, fixes race conditions in tests. · 8c39cffc
      Charlie Jacobsen authored
      All looks OK now.
      Few other misc things:
         - config.h header goes with install
         - Some debug code in cap.c.
         - Wasn't handling return value of make cnode table in cap.c.
      For now, until we (possibly) move stuff around, I'm including the
      internal header in the public header so that I have access to
      the cap mutex type. I'm considering re-working things so that this
      won't be necessary in the future. Temporary hack for now.
    • Charlie Jacobsen's avatar
      static-cptr-cache: Updates cptr and cspace code for new cache, and tests. · fc4c8ed8
      Charlie Jacobsen authored
      I'm seeing what appears to be race conditions in the tests, so
      we're not out of the woods yet. I think I just need to introduce
      a lock for the cptr cache. It wasn't originally designed to be
      thread safe since only one thread at a time was using it. But we
      need it now.
      There are a few other miscellaneous changes:
        - Moves cptr manipulation into public header. Doc cleanup.
        - cptr_init returns an integer now (non-zero signals failure).
        - Adds CAP_BUG macro. Library code invokes this to abort or signal
          a serious internal library error (e.g., unexpected switch case).
                    kernel:   CAP_BUG ==> BUG
                    user:     CAP_BUG ==> abort
        - Aside from the cptr cache code updates for the modified struct,
          separates cptr cache initialization into two parts: alloc and init.
          Motivation: Some users of libcap will have already allocated the
          cptr cache (e.g., declared it as a static global), and only need
          it initialized. So, to fully initialize a cptr cache, you now need
          to do, e.g.,
                      int ret;
                      cptr_cache *cache;
                      ret = cptr_cache_alloc(&cache);
                      if (ret)
                            ... handle error ...
                      ret = cptr_cache_init(cache);
                      if (ret) {
                            ... handle error ...
        - Updates test apps to use new cptr cache API (alloc then init). Adds
          some extra error handling/clean up code.
  16. 09 Jan, 2016 1 commit
    • Charlie Jacobsen's avatar
      Fixes two minor memory leaks. · 8c5a1b80
      Charlie Jacobsen authored
      1 - Need to free name strings in cap types when we
          do cap_fini.
      I decided to ran valgrind to check for any others.
      2 - Need to free fake slab cache for user version.
      There are a handful of innocuous leaks in the
      multi_thrd_cap test app. There are also some innocuous
      leaks reported due to glib's use of memory pooling (it appears).
  17. 18 Dec, 2015 1 commit
  18. 23 Nov, 2015 1 commit
  19. 20 Nov, 2015 1 commit
  20. 17 Nov, 2015 3 commits
  21. 16 Nov, 2015 1 commit
    • Josh Kunz's avatar
      Adds a reference from a cnode its cptr · 83e8ef65
      Josh Kunz authored
              Rationale: When the `revoke` handler is called for a particular
              cspace, cnode, and object, the cptr associated with that cnode
              needs to be free'd so it can be re-used by other objects (given
              there are a relatively small number of cptrs in a cspace).
              We can discover the cptr_cache associated with a cspace by
              looking at the `cspace->owner` field (which we point at our
              cache), but we can't figure out from the cnode alone which
              pointer in that cache points to the given cnode. This
              information is known when the cnode is created, so I added a
              field to the cnode that contains this information.
  22. 11 Nov, 2015 1 commit
    • Pankaj Kumar's avatar
      Add hook to lookup/verify cnode in cspace · c6d4015f
      Pankaj Kumar authored
      1. Added a function cap_cnode_verify for cnodes lookup in cspace.
         Earlier cap_cnode_get was called to verify the cnode. It imposed
         extra restrictions on the user of libcap to release cnode lock.
         Now, cap_cnode_verify will itself take care of cnode lock.
      2. Updated testcases to use cap_cnode_verify.
      Signed-off-by: Pankaj Kumar's avatarPankaj Kumar <pankajk@cs.utah.edu>
  23. 03 Nov, 2015 1 commit
    • David Johnson's avatar
      Refactor libcap to allow both user lib and kernel module builds. · ab9ac0a0
      David Johnson authored
      Mostly, I kept the existing source skeletons in cap.c and
      cptr_cache.c (they've just moved to src/common), but all the
      user/kernel include differences are nicely factored out.  You
      might think my organization is a bit schizophrenic (a flattened
      include/ dir, and a hierarchical src/ dir), but I do that because
      I don't particularly care for libraries that install headers in
      $PREFIX/include/libfoo/{subdir1,subdir2,...}.  The idea with the
      src/ dir is that common cap/cptr logic goes in src/common, and
      any "platform" specialization (user lib vs kernel mod) goes in
      src/user or src/kernel .  The libcap.h and libcap_internal.h
      headers define some common types, macros, and functions, and expect
      the platform headers and source files to specialize them.
      I added a very basic notion of capability object types and tied it
      to revocation and deletion in the same way the original library did.
      For userspace, since I didn't have atomic ops, I just did basically
      what the kernel does, a cache-aware spinlock thing, but used pthread
      spinlocks (what does that even mean) in hopes they could do something
      smart internally.  Silly me, glib actually has atomic ops.  Anyway, I
      had to do that to restore atomic bit ops to userspace.
      Obviously, I got rid of all the LCD-specific stuff.
      Most of the build happens via automake, but you'll notice the
      src/kernel/Makefile.in .  That's not a checkin mistake; the kernel
      build makefiles don't play nicely with autofoo.  That Makefile just
      calls into the kernel module build process in the normal way.  Of
      course, we have to do some autofoo to arrange the sources and the
      Makefile to be in the same dir... stinky.  See src/kernel/Makefile.in .
      For now, we haven't committed the generated .in files; use
      autogen.sh as described in INSTALL.  That will probably change
      down the road.
      I mostly left the examples unchanged, although I added some locking
      to the multithread example and abstracted out its thread operations
      so you're not locked into 20k threads; it scales.  I also tried to
      make the grant/revoke operations wait until the slots had been
      constructed.  This extra locking and care has the effect of
      reducing the paralellism, I suppose, but not enough to detract from
      the test, I think.  We'll see.