From owner-freebsd-current@FreeBSD.ORG Mon Sep 29 18:15:09 2014 Return-Path: Delivered-To: current@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 5717BC2C; Mon, 29 Sep 2014 18:15:09 +0000 (UTC) Received: from onelab2.iet.unipi.it (onelab2.iet.unipi.it [131.114.59.238]) by mx1.freebsd.org (Postfix) with ESMTP id 8BB33F5A; Mon, 29 Sep 2014 18:15:08 +0000 (UTC) Received: by onelab2.iet.unipi.it (Postfix, from userid 275) id 66BF37302E; Mon, 29 Sep 2014 20:20:08 +0200 (CEST) Date: Mon, 29 Sep 2014 20:20:08 +0200 From: Luigi Rizzo To: Brooks Davis Subject: Re: capsicum and netmap ? Message-ID: <20140929182008.GD78397@onelab2.iet.unipi.it> References: <20140929153043.GA78397@onelab2.iet.unipi.it> <20140929172709.GC99239@spindle.one-eyed-alien.net> MIME-Version: 1.0 In-Reply-To: <20140929172709.GC99239@spindle.one-eyed-alien.net> User-Agent: Mutt/1.5.20 (2009-06-14) Content-Type: text/plain; charset=us-ascii Content-Disposition: inline X-Content-Filtered-By: Mailman/MimeDel 2.1.18-1 Cc: current@freebsd.org X-BeenThere: freebsd-current@freebsd.org X-Mailman-Version: 2.1.18-1 Precedence: list List-Id: Discussions about the use of FreeBSD-current List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 29 Sep 2014 18:15:09 -0000 On Mon, Sep 29, 2014 at 05:27:09PM +0000, Brooks Davis wrote: > On Mon, Sep 29, 2014 at 05:30:43PM +0200, Luigi Rizzo wrote: > > > > Hi, > > while trying the netmap-enabled libpcap library with tcpdump, i > > noticed it fails to return data on a kernel with capsicum (the > > string "capability mode sandbox enabled" made me suspicious, and > > removing the cap_*() calls from tcpdump.c seems to make things > > work again). > > > > Would anyone be able to point me what should be done in the netmap > > kernel module to make it work with capsicum ? > > > > I am sure the cambridge folks are very interested in this :) > > Without knowing what modifications have been made to libpcap, it's hard > to say what you need to change, but the short version is that once > cap_enter is called, you must not attempt to open any file handles as > that's won't work. I can't think of any other likely cause. Are all > the returns of all open(), socket(), etc calls checked? Hi Brooks, thanks for the feedback. The change (attached, with some debugging code; it dates back to december and i am trying to upstream it into FreeBSD now) is a set of methods called to open, dispatch and inject packets. > In practice that means that either opening files must come earlier, or > a singling mechanism needs to be added to tcpdump and libpcap to tell > tcpdump not to enter capability mode when using netmap. The nm_open() (which includes open and mmap) occurs before the cap_enter() call, and poll() works fine until we do the cap_enter()/cap_sandboxed() calls. I was wondering whether I should somewhat annotate the file descriptor (in the netmap kernel module) indicating that it is right to access it after cap_enter(). poll() returns 1 and errno=0 when polling for POLLIN on the netmap file descriptor, while it should return 0 (there is no traffic queued). I haven't investigated in detail but it almost looks like the underlying netmap_poll() in the device driver is not called. cheers luigi