| 1 |
2 |
drasko |
.TH CAPABILITY 7 2009-11-07 "Codezero" "Codezero Programmer's Manual"
|
| 2 |
|
|
.SH NAME
|
| 3 |
|
|
.nf
|
| 4 |
|
|
.BR "Capability" " - Overview of Capabilities in Codezero"
|
| 5 |
|
|
|
| 6 |
|
|
.SH SYNOPSIS
|
| 7 |
|
|
.nf
|
| 8 |
|
|
.B #include
|
| 9 |
|
|
.B #include
|
| 10 |
|
|
|
| 11 |
|
|
|
| 12 |
|
|
.SH DESCRIPTION
|
| 13 |
|
|
A capability is a unique representation of security qualifiers on a particular resource.
|
| 14 |
|
|
Each thread, address space and container is associated with its own capability list represented by the below structure.
|
| 15 |
|
|
|
| 16 |
|
|
The capability structure is defined as follows:
|
| 17 |
|
|
.nf
|
| 18 |
|
|
.B struct capability {
|
| 19 |
|
|
.BI " struct link " "list" ";"
|
| 20 |
|
|
.BI ""
|
| 21 |
|
|
/* Capability identifiers */
|
| 22 |
|
|
.BI " l4id_t " "capid" "; /* Unique capability ID */"
|
| 23 |
|
|
.BI " l4id_t " "owner" "; /* Capability owner ID */"
|
| 24 |
|
|
.BI " l4id_t " "resid" "; /* Targeted resource ID */"
|
| 25 |
|
|
.BI " unsigned int " "type" "; /* Capability and target resource type */"
|
| 26 |
|
|
.BI ""
|
| 27 |
|
|
/* Capability permissions */
|
| 28 |
|
|
.BI " u32 " "access" "; /* Permitted operations */"
|
| 29 |
|
|
.BI ""
|
| 30 |
|
|
/* Other Limits/Attributes of the resource */
|
| 31 |
|
|
.BI " unsigned long " "start" "; /* Resource start value */"
|
| 32 |
|
|
.BI " unsigned long " "end" "; /* Resource end value */"
|
| 33 |
|
|
.BI " unsigned long " "size" "; /* Resource size */"
|
| 34 |
|
|
.BI ""
|
| 35 |
|
|
.BI " unsigned long " "used" "; /* Resource used size */"
|
| 36 |
|
|
.BI " unsigned int " "attr" "; /* User-defined attribute. (Device index and type on devices) */"
|
| 37 |
|
|
.BI " l4id_t " "irq" "; /* Device irq (Devices Only) */"
|
| 38 |
|
|
.B };
|
| 39 |
|
|
|
| 40 |
|
|
.TP
|
| 41 |
|
|
.fi
|
| 42 |
|
|
.I capid
|
| 43 |
|
|
denotes the unique capability ID.
|
| 44 |
|
|
|
| 45 |
|
|
.TP
|
| 46 |
|
|
.fi
|
| 47 |
|
|
.I resid
|
| 48 |
|
|
denotes the unique ID of targeted resource. The smallest resource targetable by a capability is a thread. There are also collections of targetable resources such as an address space or a container. An address space target resource implies all threads inside that address space, and a container target resource implies all threads inside that container. Quantitative capabilities such as typed memory pools do not possess a target, and therefore have an invalid resource ID.
|
| 49 |
|
|
|
| 50 |
|
|
.TP
|
| 51 |
|
|
.fi
|
| 52 |
|
|
.I owner
|
| 53 |
|
|
denotes the unique ID of the one and only capability owner. This is always a thread ID. The ownership of a capability determines who has the right to practise the capability modification privileges available over the capability, such as sharing, granting, spliting, reducing or destruction of the capability.
|
| 54 |
|
|
|
| 55 |
|
|
.TP
|
| 56 |
|
|
.fi
|
| 57 |
|
|
.I type
|
| 58 |
|
|
field contains the capability type or targeted resource type. The capability type determines the generic operations that the capability describes. For example a capability describing a system call would likely have a type name that resembles the name of that system call. See the
|
| 59 |
|
|
.B CAPABILITY TYPES
|
| 60 |
|
|
section below, for a list of valid capability types. The resource type denotes the type of targeted resources. In case this is a thread or a collection of threads, the type may be one of thread, address space, or container. Quantitative resources also have different types, describing the resource. Since quantitative resources such as memory pools, or memory regions are not associated with a target id, the resource types have no meaning for the resid field for these capabilities. See the CAPABILITY RESOURCE TYPES section below for the full list of valid resource types.
|
| 61 |
|
|
|
| 62 |
|
|
.TP
|
| 63 |
|
|
.fi
|
| 64 |
|
|
.I access
|
| 65 |
|
|
field denotes the fine-grain operations available on a particular resource. The meaning of each bitfield differs according to the type of the capability. For example, for a capability type thread_control, the bitfields may mean suspend, resume, create, delete etc. See below for the full list of capability bits.
|
| 66 |
|
|
|
| 67 |
|
|
.SH CAPABILITY TYPES
|
| 68 |
|
|
.TP
|
| 69 |
|
|
.B CAP_TYPE_TCTRL
|
| 70 |
|
|
.RB "Defines the capability to make the " "l4_thread_control " "system call. It is usually owned by the pager and targets the container so that the pager can issue the call on all threads in the container. "
|
| 71 |
|
|
.TP
|
| 72 |
|
|
.B CAP_TYPE_EXREGS
|
| 73 |
|
|
.RB "Defines the capability to make the " "l4_exchange_registers " "system call. "
|
| 74 |
|
|
.I rtype
|
| 75 |
|
|
.RB "field is usually expected to target the complete container, similar to " "CAP_TYPE_TCTRL " "capabilities."
|
| 76 |
|
|
.TP
|
| 77 |
|
|
.B CAP_TYPE_MAP_PHYSMEM
|
| 78 |
|
|
.RB "Defines a physical memory region. A thread who owns this capability would be always expected to use the " "l4_map " "system call, to map the physical area to its address space. As an optimisation there is no separate mapping capability defined for the " "l4_map " "system call. As a physical memory capability, it may also define fields for devices such as device types, numbers and irqs."
|
| 79 |
|
|
.TP
|
| 80 |
|
|
.B CAP_TYPE_MAP_VIRTMEM
|
| 81 |
|
|
.RB "Similar to the " " CAP_TYPE_MAP_PHYSMEM " "capability, it defines a virtual memory range that can be mapped using the " "l4_map " "system call."
|
| 82 |
|
|
|
| 83 |
|
|
.TP
|
| 84 |
|
|
.B CAP_TYPE_IPC
|
| 85 |
|
|
.RB "This is the most fundamentally used capability in the system. " "CAP_TYPE_IPC " "defines the ability to make ipc calls to threads in the system. By its "
|
| 86 |
|
|
.I rtype
|
| 87 |
|
|
.RB " field, it may be defined such that it enables inter-container ipc, i.e. the ability to send messages to a thread or all threads in another container. Ipc operations always have a valid target if it is a " " send " "operation. By this fact, ipc capability checks are done only during the send phase."
|
| 88 |
|
|
.TP
|
| 89 |
|
|
.B CAP_TYPE_IRQCTRL
|
| 90 |
|
|
.RB "Defines a thread's privilege to set up and handle irqs. A separate " "CAP_TYPE_MAP_PHYSMEM " "capability would also be necessary on each individual device, to gain access to its irqs."
|
| 91 |
|
|
.TP
|
| 92 |
|
|
.B CAP_TYPE_UMUTEX
|
| 93 |
|
|
.RB "Defines a thread's privilege to use kernel-supported userspace mutexes. A thread who has access to a " "mutexpool " "would have to have this capability to use it. In future versions, this capability may be removed, assuming the " "mutexpool " "capability is in itself sufficient for having access to mutexes."
|
| 94 |
|
|
.TP
|
| 95 |
|
|
.B CAP_TYPE_QUANTITY
|
| 96 |
|
|
.RB "There are various typed, fixed-size memory pools that have this capability type. Fixed-size memory pools such as " "mappool" ", " "cappool" ", " "threadpool" ", and similar capabilities are some of the examples. A quantitative capability has no valid target resource id type, because they are themselves resources to be consumed by their owner. Since they already have a unique capability ID, the target resource id does not provide any better identification. As a result normally the
|
| 97 |
|
|
.I resid
|
| 98 |
|
|
.RB "field is set to " "CAP_RESID_NONE" " on quantitative capabilities."
|
| 99 |
|
|
|
| 100 |
|
|
Quantitative capabilities have been introduced for allocation of structures that are fundamentally and minimally needed in the system. Any further abstraction of memory resources would make the design too generic, requiring much effort from userspace. The choice of which mechanisms need to be kept inside and out of the kernel is a subtle one. In this particular case, it was decided that a minimal set of typed resources would be always useful to keep in the kernel.
|
| 101 |
|
|
|
| 102 |
|
|
.TP
|
| 103 |
|
|
.B CAP_TYPE_CAP
|
| 104 |
|
|
.RB "Defines the capability to manipulate existing capabilities. Any thread who attempts to share, grant, modify, or replicate its capabilities must make a call to the " "l4_capability_control " "system call. This capability defines the operations available making this call. A caller must own this capability, and also own all other capabilities that are going to be modified."
|
| 105 |
|
|
|
| 106 |
|
|
.SH CAPABILITY RESOURCE TYPES
|
| 107 |
|
|
Capability resource types define the type of resource id stored in the
|
| 108 |
|
|
.I resid
|
| 109 |
|
|
field.
|
| 110 |
|
|
.TP
|
| 111 |
|
|
.B CAP_RTYPE_THREAD
|
| 112 |
|
|
Threads are the smallest resource entities in the system, targetable by a system call. A capability with this resource type defines the ability to manipulate a single thread. E.g.
|
| 113 |
|
|
.BR "l4_thread_control " "or " "l4_ipc " "syscalls could only operate on the single thread, whose id is defined by the "
|
| 114 |
|
|
.I resid
|
| 115 |
|
|
field.
|
| 116 |
|
|
.TP
|
| 117 |
|
|
.B CAP_RTYPE_SPACE
|
| 118 |
|
|
Address spaces contain one or more threads. A capability with this resource type may act on any thread inside the defined address space, defined by the
|
| 119 |
|
|
.I resid
|
| 120 |
|
|
field of the capability.
|
| 121 |
|
|
.TP
|
| 122 |
|
|
.B CAP_RTYPE_CONTAINER
|
| 123 |
|
|
Containers provide the outermost isolation level on the system. A capability with this resource type would have the most comprehensive privileges, since a container defines the largest collection of entities, containing threads and address spaces. As an example, a thread having a capability with a container resource type, could issue that system call on all the address spaces and threads that exist in that container.
|
| 124 |
|
|
|
| 125 |
|
|
.fi
|
| 126 |
|
|
.in 7
|
| 127 |
|
|
The rest of the resources in the system are defined as quantitative resources, and they consist of different types of memory pools. As mentioned earlier, their
|
| 128 |
|
|
.I resid
|
| 129 |
|
|
fields invalid, and they get used and checked implicitly as part of other capability operations.
|
| 130 |
|
|
|
| 131 |
|
|
.TP
|
| 132 |
|
|
.B CAP_RTYPE_CPUPOOL
|
| 133 |
|
|
Defines the CPU resources of a thread. Depending on the underlying scheduler, it may mean cpu time percentage or a priority. Also, real-time threads may invalidate the value of these capabilities.
|
| 134 |
|
|
|
| 135 |
|
|
.TP
|
| 136 |
|
|
.B CAP_RTYPE_THREADPOOL
|
| 137 |
|
|
Defines the maximum number of threads that may be created by its possessor. Implicitly used and checked as part of the
|
| 138 |
|
|
.B l4_thread_control
|
| 139 |
|
|
system call.
|
| 140 |
|
|
|
| 141 |
|
|
.TP
|
| 142 |
|
|
.B CAP_RTYPE_SPACEPOOL
|
| 143 |
|
|
Defines the maximum number of address spaces (e.g. page tables, and any other related structures) that may be created by its possessor. Similarly affects success of
|
| 144 |
|
|
.B l4_thread_control
|
| 145 |
|
|
system call by providing address space accounting.
|
| 146 |
|
|
|
| 147 |
|
|
.TP
|
| 148 |
|
|
.B CAP_RTYPE_MUTEXPOOL
|
| 149 |
|
|
Defines the maximum number of mutexes that may be contended and get temporarily created inside the kernel at any one time. Normally userspace mutex operations are resolved in userspace, but on contended mutexes, kernel internally creates and consumes mutex structures for the userspace.
|
| 150 |
|
|
|
| 151 |
|
|
.TP
|
| 152 |
|
|
.B CAP_RTYPE_MAPPOOL
|
| 153 |
|
|
On some cpu architectures such as ARM, a virtual to physical memory mapping may require the kernel to allocate intermediate page table structures. This capability defines and enables resource accounting for the allocation of such structures.
|
| 154 |
|
|
|
| 155 |
|
|
.TP
|
| 156 |
|
|
.B CAP_RTYPE_CAPPOOL
|
| 157 |
|
|
When capabilities are manipulated at run-time, some operations may result in allocation of new capability structures. For example, a
|
| 158 |
|
|
.B replicate
|
| 159 |
|
|
or a
|
| 160 |
|
|
.B split
|
| 161 |
|
|
operation may create new capabilities in the system. This capability accounts for such operations that result in creation of a new capability.
|
| 162 |
|
|
|
| 163 |
|
|
|
| 164 |
|
|
.SH SEE ALSO
|
| 165 |
|
|
.BR "l4_capability_control"(7)
|
