net: sockets: add API to fetch an fd's ctx object

Andrew Boie · carlescufi · commit 04bba6772ba9 · 2020-06-03T22:33:32.000+02:00
Zephyr running on MPU devices have a different memory model than
process-oriented OSes like Linux and require a method to set
kernel object permissions on a file descriptor's underlying
context object. Add this, and a test to show that it is working.

Signed-off-by: Andrew Boie &lt;andrew.p.boie@intel.com&gt;
diff --git a/include/net/socket.h b/include/net/socket.h
@@ -145,6 +145,44 @@ struct zsock_addrinfo {
 	char _ai_canonname[DNS_MAX_NAME_SIZE + 1];
 };
 
+/**
+ * @brief Obtain a file descriptor's associated net context
+ *
+ * With CONFIG_USERSPACE enabled, the kernel's object permission system
+ * must apply to socket file descriptors. When a socket is opened, by default
+ * only the caller has permission, access by other threads will fail unless
+ * they have been specifically granted permission.
+ *
+ * This is achieved by tagging data structure definitions that implement the
+ * underlying object associated with a network socket file descriptor with
+ * '__net_socket`. All pointers to instances of these will be known to the
+ * kernel as kernel objects with type K_OBJ_NET_SOCKET.
+ *
+ * This API is intended for threads that need to grant access to the object
+ * associated with a particular file descriptor to another thread. The
+ * returned pointer represents the underlying K_OBJ_NET_SOCKET  and
+ * may be passed to APIs like k_object_access_grant().
+ *
+ * In a system like Linux which has the notion of threads running in processes
+ * in a shared virtual address space, this sort of management is unnecessary as
+ * the scope of file descriptors is implemented at the process level.
+ *
+ * However in Zephyr the file descriptor scope is global, and MPU-based systems
+ * are not able to implement a process-like model due to the lack of memory
+ * virtualization hardware. They use discrete object permissions and memory
+ * domains instead to define thread access scope.
+ *
+ * User threads will have no direct access to the returned object
+ * and will fault if they try to access its memory; the pointer can only be
+ * used to make permission assignment calls, which follow exactly the rules
+ * for other kernel objects like device drivers and IPC.
+ *
+ * @param sock file descriptor
+ * @return pointer to associated network socket object, or NULL if the
+ *         file descriptor wasn't valid or the caller had no access permission
+ */
+__syscall void *zsock_get_context_object(int sock);
+
 /**
  * @brief Create a network socket
  *
@@ -156,6 +194,11 @@ struct zsock_addrinfo {
  * This function is also exposed as ``socket()``
  * if :option:`CONFIG_NET_SOCKETS_POSIX_NAMES` is defined.
  * @endrst
+ *
+ * If CONFIG_USERSPACE is enabled, the caller will be granted access to the
+ * context object associated with the returned file descriptor.
+ * @see zsock_get_context_object()
+ *
  */
 __syscall int zsock_socket(int family, int type, int proto);
 
diff --git a/subsys/net/lib/sockets/sockets.c b/subsys/net/lib/sockets/sockets.c
@@ -49,6 +49,23 @@ static inline void *get_sock_vtable(
 				       (const struct fd_op_vtable **)vtable);
 }
 
+void *z_impl_zsock_get_context_object(int sock)
+{
+	const struct socket_op_vtable *ignored;
+
+	return get_sock_vtable(sock, &ignored);
+}
+
+#ifdef CONFIG_USERSPACE
+void *z_vrfy_zsock_get_context_object(int sock)
+{
+	/* All checking done in implementation */
+	return z_impl_zsock_get_context_object(sock);
+}
+
+#include <syscalls/zsock_get_context_object_mrsh.c>
+#endif
+
 static void zsock_received_cb(struct net_context *ctx,
 			      struct net_pkt *pkt,
 			      union net_ip_header *ip_hdr,
