Add ProcessInfo capsule that allows userspace to inspect and control processes
#4411
Conversation
| pub struct Capability; | ||
| unsafe impl capabilities::ProcessManagementCapability for Capability {} |
There was a problem hiding this comment.
This came up as a concern on the core call today.
While the decision to require a capability makes sense to highlight this as an "unsafe for untrusted userspace" capsule, creating the capability in the component hides this concern from board authors. Authoring or reviewing a board, it would be easy to miss this.
@alevy Brought up that probably components shouldn't create capabilities as a general rule. In practice, at the moment, they almost-exclusively create MemoryAllocationCapabilitys. Excepting the sequential process loader, every other creation of ProcessManagementCapability is done in the top-level board file.
For this PR, the only thing to change would be lifting the ProcessManagementCapability out of the component here and taking a reference (e.g., still creating MemoryAllocationCapability "like every other component" is fine).
I will open a separate issue for the more general question of capability creation in components.
| } | ||
| } | ||
|
|
||
| pub struct Capability; |
There was a problem hiding this comment.
I noticed something while looking at the Rust compiler recently. They include a private field into structs such that they cannot be (safely) constructed from outside the current crate:
https://doc.rust-lang.org/beta/nightly-rustc/rustc_span/struct.ErrorGuaranteed.html
This seems desirable and important for the safety of Tock's capabilities as well. If they're public types, then anyone can name them, and we must prevent them from being constructed without the use of an unsafe constructor.
I'll check our other uses of capabilities whether that's a problem we have across the Tock kernel.
This allows userspace to list which processes are active.
Also change the command num to 6, return the app name length, and better handled a too-short allow buffer.
8a51f5a to
a288387
Compare
|
@lschuermann @ppannuto satisfied? |
Pull Request Overview
This capsule is used for the dynamic process loading tutorial by allowing users to list the processes on a screen and start/stop/inspect the processes.
Testing Strategy
There is a libtock-c implementation that uses this capsule.
TODO or Help Wanted
n/a
Documentation Updated
/docs, or no updates are required.Formatting
make prepush.