tech-kern archive


Re: [filemon] CVS commit: htdocs/support/security



On Tue, Dec 17, 2019 at 04:06:12PM +0100, Kamil Rytarowski wrote:
> On 17.12.2019 15:44, Andrew Doran wrote:
> >>>> Typically with a character device, the kmod can get unloaded while an ioctl
> >>>> is being executed on it.
> >
> > That's solvable.  Conceptually I think the main stumbling block is that
> > there are two layers at play which need to be reconciled: specfs and devsw.  It
> > could also be an opportunity to lessen the distinction between block and
> > character devices, there's no real need for cached access from userspace,
> > that would simplify things too.
> >
> >>>> When it comes to syscalls, I haven't looked
> >>>> closely, but the issue is likely the same.
> >
> > It's atomic and side effect free if done correctly.  We have pleasing
> > examples of this.  This is hard to get right though, so naturally mistakes
> > are made.
> >
> 
> It would be nice to have at least an example of doing it right.

Sure, look at ksem_sysfini().

It tries to uninstall the syscall package.  If any syscall is in use, fail.
It then looks to see if it has created ksems.  If any exist, fail, and plug
the syscalls back in.

While that's happening new ksem syscalls are being gated by sys_nomodule()
(this all happens under lock).  The legitimate users of the ksem syscalls
will never see a spurious failure due to an attempt to unload.

ksem_sysinit() seems to have a bug though; ksem_max should be set before the
syscall package is installed.

Andrew
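
Added example, not part of the original message and not NetBSD source: a userspace C model of the unload order described above for ksem_sysfini(). All function and variable names are hypothetical; a pthread mutex stands in for the kernel lock, and ENOSYS stands in for what a call sees once the package is unplugged.

```c
/* Userspace model of the unload order described in the message above.
 * Constructed example, not NetBSD code: every name here is hypothetical. */
#include <errno.h>
#include <pthread.h>
#include <stdbool.h>

static pthread_mutex_t gate = PTHREAD_MUTEX_INITIALIZER;
static bool installed = true;   /* false: calls land on the "no module" stub */
static int in_flight, objs;     /* calls currently running, objects alive */

/* Every counter update happens under the same lock as the unload. */
void model_add(int *counter, int delta) {
    pthread_mutex_lock(&gate);
    *counter += delta;
    pthread_mutex_unlock(&gate);
}

/* Gate taken by every call; ENOSYS is this model's stand-in for the stub. */
int model_enter(void) {
    pthread_mutex_lock(&gate);
    int error = installed ? 0 : ENOSYS;
    if (error == 0) in_flight++;
    pthread_mutex_unlock(&gate);
    return error;
}

/* A call that creates an object; the object then pins the module. */
int model_create(void) {
    int error = model_enter();
    if (error == 0) { model_add(&objs, 1); model_add(&in_flight, -1); }
    return error;
}

/* Unload: fail if a call is running, unplug, plug back in if objects remain. */
int model_fini(void) {
    pthread_mutex_lock(&gate);
    int error = in_flight > 0 ? EBUSY : 0;
    if (error == 0) {
        installed = false;
        if (objs > 0) { installed = true; error = EBUSY; }
    }
    pthread_mutex_unlock(&gate);
    return error;
}

int main(void) {
    model_create();                       /* one live object */
    return model_fini() == EBUSY ? 0 : 1; /* unload must be refused */
}
```

Because model_enter() and model_fini() take the same lock, a caller arriving during a refused unload waits and then finds the package plugged back in, so it never observes the intermediate unplugged state.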

