Re: secure exec

[Niels Möller]

address@hidden (Niels Möller) writes:

> All this also sounds easy to do. I'll reorganize my code to get
> closer.

Now I have a new version. It doesn't implement all needed calls yet,
but it has the most important things: empty, live and zombie tasks,
death notifications (without retransmissions), reference handles,
control handles, and handle transfer.

The implementation is somewhat primitive (statically allocated arrays
and bitmaps), but these are implementation details in the task.c and
transaction.c files, and I don't think there's much point in improving
that until we have dynamic memory allocation. There are also no
reference counts on user's handles (that could be added whenever the
bitmaps are replaced with something more sophisticated).

I the include README file below. Tarball at
http://www.lysator.liu.se/~nisse/misc/task-server-0.1.tar.gz.

I think I understand the issues clearer after writing this code. I
hope it's also readable by others. Comments much appreciated, of
course.

For useless numbers, the source code is about 1000 lines, and the
(stripped) binary is about 7000 bytes.

Regards,
/Niels

TASK HANDLES

There are several ways to refer to a task.

Internally in the task server, tasks are referred to using _task id_s.
These are integers that are used to index the array of task objects,
at most 14 bits (32 bit platforms) but usually smaller than that.
task_id:s can not be divisible by 64, i.e. have the six least
significant bits all zero.

Externally, tasks are referred to using _task handle_s. A task handle
is a word, where the 14 least significant bits are a task handle, bit
14 is the control bit, and the rest is zero.
                    
  | 0 | control | task_id |
          14      13    0

If the control bit is set, it allows the owner of the handle to
control the task (i.e. create and destroy threads, for example). If
the control bit is clear, the handle is a reference to the task, which
guarantees that the task id cannot be reused, and lets the owner
perform non-destructive queries about the task state etc.

The task id is also included in the L4 thread id:s of all threads in
the task. L4 global thread id:s are used as folllows:

  | subsystem |   tid | taskid |
    31     29   28 14   13   0

The three bit subsystem identifies the Hurd subsystem, the task server
will not accept any requests from threads in different subsystems. The
subsystem and tid together form the L4 _threadno_.

The server threads of the task server itself has the thread id:s

  | subsystem |   cpu |      1 |
    31     29   28 14   13   0

That means that the task id 1 is reserved for the taskserver itself.

The special handle zero refers to the caller's own task.


CALLS

The operation code is put into the L4 tag label. Every call takes a
task handle (or transaction handle) as the first argument.

The reply puts a result code into the tag label, where zero means
success.


Tasks creation

  l4_word_t
  task_create(l4_word_t thread_max)

    Creates a new task, and returns a control handle to it. Creates an
    address space with space for thread_max threads (where a zero or
    too large thread_max is is interpreted as the maximum number
    allowed by the task server).

Thread management

  l4_thread_id_t
  task_thread_create(l4_word_t task, l4_thread_id_t pager)

    Creates a new thread in the specified tasks, using the supplied
    pager thread. Caller must supply a control handle. Returns the
    (global) thread id of the new thread. Task zero means the caller's
    task. 
    
  void
  task_thread_destroy(l4_word_t task, l4_thread_id_t thread)

    Destroys a thread in the specified task. Caller must supply a
    control handle. Task zero means the caller's task.

Transactions

  l4_word_t
  transaction_send_create(l4_word_t receiver,
                          l4_word_t handle,
                          l4_word_t control)

    Creates a transaction record for transferring a copy of HANDLE
    from he caller to RECEIVER. HANDLE zero means a handle to the
    caller's task. If CONTROL is zero, and the handle is a control
    handle, it is changed into a reference handle before handed to the
    receiver. Returns a transaction id.

  l4_word_t
  transaction_receive(l4_word_t sender,
                      l4_word_t transaction) 

    Uses transaction record TRANSACTION, created by SENDER. Returns
    the transferred handle. Note that it may be a handle that the
    caller already owns.

  l4_word_t
  transaction_destroy(l4_word_t transaction)

    Deletes the transaction record. Returns an error code if the
    transaction wasn't finished.