Unfortunately the size will vary when pointer size does so size != sizeof(wcred) isn't right.

I think that ultimately you'll want ABI and version aware copyin helpers that produce the current version of struct setcred with appropriate userspace pointers and then do the copyin for groups and mac from that.

This is missing a _Contains_ptr_.

Blank lines after nonexistent variable declarations were removed from style(9) long ago.

I can see some reasons to do it, but I'm not a fan of exposing the version in the structure name used by the public API. In the likely common case the structure will be extended with things that can be zero. If you want to ensure initialization when the structure changes, then a pthread_attr style API might be appropriate (or just encourage designated initializers.

Maybe add a pad before sc_supp_groups_nb since there will be a pad after on 64-bit systems.

Unfortunately the size will vary when pointer size does so size != sizeof(wcred) isn't right.

I think it is right from the point of view that sys_setcred() is the "native" entry point for the ABI, which isn't supposed to ever change (so pointer size will never change). But yes, I forgot the 32-bit compatibility entry point. If sys_setcred() was to be the single one for both cases, I agree testing for sizeof(wcred) (which would expand to the size of the structure for the 64-bit variant) would be wrong as it would prevent any call from 32-bit processes to work.

I think that ultimately you'll want ABI and version aware copyin helpers that produce the current version of struct setcred with appropriate userspace pointers and then do the copyin for groups and mac from that.

Indeed. I don't think we have any other practical way for now. I would love to use some automatic ABI-specific structure, but we don't have such machinery in place AFAIK.

Does _Contains_ptr_ has any relevance on a void * pointer? I'm asking because all uses of _Contains_ptr_ I have seen are with pointers to structures, which is deliberately not the case here (but might change, see the response to another comment below).

Not really, it still says: "Optionally, insert a blank line at the beginning of functions with no local variables". If for anything, I prefer to put some here for consistency with the rest of the file. I'm not against removing these from the whole file to comply, but as part of a separate commit.

I can see some reasons to do it, but I'm not a fan of exposing the version in the structure name used by the public API.

That's practically compulsory if the structure is to change significantly, which leads me to:

In the likely common case the structure will be extended with things that can be zero.

I'm not really sure if/how setcred() will be extended in the future. I agree that "natural" extensions would be to add more fields controlling more process security attributes (provided we add some more). Another future use case might be to select one set of credentials from an admin-devised stores, where the user can select one among a pre-defined set, in which case however a completely different structure would be called for. I can imagine other scenarios where the passed structure would have to change significantly. However, the probability of such scenarios materializing seems very low as of today. And, if they occur, it might be best to just create another system call.

I chose the current versioning scheme essentially because I think it is the most flexible (and clean for this flexibility), out of caution. It might be going too far and, given also the existing tooling (e.g., see my question regarding _Contains_ptr_) , it might be better to just have a single version of setcred(), and once something quite different is needed we create a new system call. The drawback of this approach is the potential multiplication of related calls with different names, which in itself isn't worse than some stuff we already have, but I would prefer that we stop piling new names for related functionality.

As just an example, we have the old thr_create() and the thr_new() replacement (since 2005), and I have some (not yet submitted to review) code that extends thr_new() to accept POSIX priority specification, using some bits in a flag field to pass a version, and the new version differing by the main structure (struct thr_param) having some of its fields pointing to a different object. Creating another system call in that case feels wrong as thr_new() is the most appropriate name, and versioning by flags (passed in-structure, in that case) actually allows to extend it.

In general, I hate implementing versioning through structure size, I've seen too many ugly hacks done with or because of it. However, for just the addition of some fields to an existing structure, and given that here we also pass flags indicating which structure fields are meaningful, that could be acceptable to me. But is it worth the trouble now given the more involved, but flexible solution has already been coded here?

If you want to ensure initialization when the structure changes, then a pthread_attr style API might be appropriate (...)

That seems a bit overkill since the fields are currently independent (except for sc_supp_groups_nb and sc_supp_groups).

or just encourage designated initializers

Seems the most practical way for "compatible" structure changes. Since access to fields is gated by flags, it's not really necessary, but can improve security slightly (related to your comment in D47621).

I can add a field there later, but at the price of having #ifdefs for 64-bit and 32-bit machines, since the field added there for 64-bit ones would have to be added elsewhere on 32-bit ones. Of course, I agree this would start becoming quite messy.

Else, I can declare the pad unconditionally now, wasting 4 bytes on 32-bit archs (which is not a problem, as this system call is not performance-critical and these archs are going to go away).

I guess you meant the latter. Or were you thinking of something else entirely?

TODO: This line must be conditional on MAC.

_Contains_ptr_ says the thing pointed to (may) contain pointers. If it's possible it contains pointers then special handling is required in (most) compat ABIs.

Ah, less was removed from style than I remembered. I'll propose a cleanup there.

I feel this whole thing is foolish consistency so I don't add the lines and tend to remove nearby ones in passing since they impact the diff, but not blame.

I strongly agree about structure size not being a good key (it's something that's awful about ioctl). I just worry you're spelling out versioning prematurely so taking all the costs today for little value. For example, as long as there's no danger of consuming all the flag bits and you reject disallowed bits, a version of zero is implicit so that code adds nothing today beyond pre-reserving the bits. You can always add code for a version later (even using this exact scheme) when that's needed.

Similarly, embedding the ABI/API in the structure name commits us to supporting code (not just old binaries) using that structure until we're willing to make an API break and removing the structure from the public header. That has some value in that we can break the code to force migration (except that rust/go/etc won't follow so it doesn't achieve that goal.)

I don't feel all that strongly about this, it's just different from other things and not an established pattern.

An explicit pad is what I meant. FWIW it's actually only i386 that wouldn't pad.

I'd further suggest that the tone of this exchange is a bit too combative. You don't need to use such strong words to push back. Just remove the line and accept that "common practice" isn't perfectly reflected in style(9) and the point of code reviews is to communicate the imperfect match that will always be there.

Is this a pointer to a user structure we later copy in? That's going to be fun to emulate and translate. I'm not a fan of new instances of interfaces like that, but don't see much of a better way to do that.

Doesn't this need to be protected by #if __BSD_VISIBLE?

FYI, my proposed change to style(9) is in D47887 and apparently I wasn't the only one surprised by the current state.

I suppose you could embed the struct mac, but you'd still have to translate it so probably no gain.

FYI, my proposed change to style(9) is in D47887 and apparently I wasn't the only one surprised by the current state.

Thanks! I've answered there.

You don't need to use such strong words to push back.

If this is directed to me also, then would you please make these words explicit, as I don't see any?

Just remove the line and accept that "common practice" isn't perfectly reflected in style(9) and the point of code reviews is to communicate the imperfect match that will always be there.

I've essentially answered this for the most part in a comment in D47887. Additionally, how this very style matter had been handled before the creation of D47887 is in itself already ample evidence that such a(n absence of) process does not scale.

I'd further suggest that the tone of this exchange is a bit too combative.

That may just be over-interpretation. My first comment just reflects reality and doesn't read as combative/offensive AFAICT. I don't think @brooks
took it as such (perhaps I'm mistaken?), and myself I have not been offended by stronger words like "foolish consistency" either.

You can always add code for a version later (even using this exact scheme) when that's needed.

That's right for the "versioning through flags" part.

Similarly, embedding the ABI/API in the structure name commits us to supporting code (not just old binaries) using that structure until we're willing to make an API break and removing the structure from the public header. That has some value in that we can break the code to force migration (except that rust/go/etc won't follow so it doesn't achieve that goal.)

I agree, except I don't think that what Rust or Go is doing can take away that value. If the version is embedded in the structure name, then we are free to release new versions as we see fit without breaking the API for consumers that have not evolved, as all these old and new APIs can coexist, and we can remove the old ones again as we see fit. In the other case, application code will automatically use the latest API version, which then has to evolve in a compatible way (and then, it is harder to spot breakage as it may not be visible at compile time).

Anyway, I'll back out all the versioning for now as explained in the answer to @imp's similar concern in my main comment.

FWIW it's actually only i386 that wouldn't pad.

Sorry, I don't understand. Why is i386 special here, e.g., compared to some ARM 32-bit platform? If I'm not mistaken, all fields of struct setcred have same length and offset on all 32-bit platforms on one side, and on all 64-bit platforms on the other, and between these two sides only the last two fields (pointers) differ, both in size and alignment.

Is this a pointer to a user structure we later copy in?

Yes. I don't see a better way either at the moment.

Given setcred() is not standard, I'd say yes. Changed.

Sure, that was unintentional.

In the final commit, I'll probably move sys_setcred_common()/user_setcred() after kern_setcred(), but just didn't do it here so that you can compare versions more easily within Phabricator.

I'd probably name this user_setcred. There's a small amount of in tree precedence and quite a lot of these in CheriBSD.

Oh great, I wasn't aware, and was wondering how I should establish a precedent. AFAIU, kern_XXX() functions are to only get arguments that point to kernel structures, and thus should not include copyin()/copyout() code. The wrappers around kern_setcred() doing copyin()/copyout() were mostly duplicate code, and it was indeed best to factorize the code somewhere (even if it leads to slightly more spaghetti). I didn't have any clue about that "somewhere", so just came up with something ad hoc.

I'll look into it.

You don't have to do this as it doesn't effect FreeBSD today, but rather than bool is_32bit, I'd make this function take two function pointers. One for each of the copyin cases. In FreeBSD today this doesn't matter, but with CHERI we have additional ABIs to support so a bool won't do the job.

I see, but I'm not sure if I completely understand the implications. I can propose something, but would rather do it in a separate revision once the full series here has been committed.

I could (still using PTRIN(), as wcred.sc_label is set to NULL below, before being set to the read-in value in the MAC case only), but isn't it better for the reader's understanding if MAC-specific code is clearly delineated as such? Also, if doing that, could we get a warning from the compiler saying that umac is assigned to but never read?

My thought is that you'd populate wcred unconditionally and then you'd change the bit below the if block to:

#ifdef MAC
umac = wcred.sc_label;
#endif
wcred.sc_label = NULL; /* Defensive measure on !MAC */

I'm not sure I'd keep the comment.

OK, didn't understand initially. I've reworked the comment a bit, but prefer to keep it to ensure the corresponding line is not deleted.

I've removed this addition for the time being. That change I made was incomplete (if setcred() is gated, then so should struct setcred), and in the end I thought that gating with __BSD_VISIBLE was not really necessary as the whole sys/ucred.h header is non-standard anyway. Feel free to correct me if this is not the expected practice (I'm not too sure about visibility matters).

Funny you say that, as I normally don't put braces around a single line. I still did it here for consistency with the braces after the else, which I think are some kind of useful visual hint that the code after the #endif is syntactically tied to the code before it, which might be overlooked. Unless removing the latter also, I feel it's more readable to keep braces for the if as well.

The #if makes it a bit awkward but IMO leaving the braces out is more clear, e.g.

#ifdef MAC
        if ((flags & SETCREDF_MAC_LABEL) != 0) {

#ifdef COMPAT_FREEBSD32
                if (is_32bit) 
                        error = mac_label_copyin32(umac, &mac, NULL);
                else
#endif           
                        error = mac_label_copyin(umac, &mac, NULL);

                if (error != 0)
                        goto free_groups;
                wcred.sc_label = &mac;
        }
#endif

That was my initial version. Noting it is fine to do that. Changed in my tree.