1dfc11533SChris Williamson# 2dfc11533SChris Williamson# CDDL HEADER START 3dfc11533SChris Williamson# 4dfc11533SChris Williamson# This file and its contents are supplied under the terms of the 5dfc11533SChris Williamson# Common Development and Distribution License ("CDDL"), version 1.0. 6dfc11533SChris Williamson# You may only use this file in accordance with the terms of version 7dfc11533SChris Williamson# 1.0 of the CDDL. 8dfc11533SChris Williamson# 9dfc11533SChris Williamson# A full copy of the text of the CDDL should have accompanied this 10dfc11533SChris Williamson# source. A copy of the CDDL is also available via the Internet at 11dfc11533SChris Williamson# http://www.illumos.org/license/CDDL. 12dfc11533SChris Williamson# 13dfc11533SChris Williamson# CDDL HEADER END 14dfc11533SChris Williamson# 15dfc11533SChris Williamson 16dfc11533SChris Williamson# 17dfc11533SChris Williamson# Copyright (c) 2017 by Delphix. All rights reserved. 18dfc11533SChris Williamson# 19dfc11533SChris Williamson 20dfc11533SChris WilliamsonIntroduction 21dfc11533SChris Williamson------------ 22dfc11533SChris Williamson 23dfc11533SChris WilliamsonThis README describes the Lua interpreter source code that lives in the ZFS 24dfc11533SChris Williamsonsource tree to enable execution of ZFS channel programs, including its 25dfc11533SChris Williamsonmaintenance policy, the modifications that have been made to it, and how it 26dfc11533SChris Williamsonshould (and should not) be used. 27dfc11533SChris Williamson 28dfc11533SChris WilliamsonFor a description of the Lua language and features exposed by ZFS channel 29*bbf21555SRichard Loweprograms, please refer to the zfs-program(8) man page instead. 30dfc11533SChris Williamson 31dfc11533SChris Williamson 32dfc11533SChris WilliamsonMaintenance policy 33dfc11533SChris Williamson------------------ 34dfc11533SChris Williamson 35dfc11533SChris WilliamsonThe Lua runtime is considered stable software. Channel programs don't need much 36dfc11533SChris Williamsoncomplicated logic, so updates to the Lua runtime from upstream are viewed as 37dfc11533SChris Williamsonnice-to-have, but not required for channel programs to be well-supported. As 38dfc11533SChris Williamsonsuch, the Lua runtime in ZFS should be updated on an as-needed basis for 39dfc11533SChris Williamsonsecurity vulnerabilities, but not much else. 40dfc11533SChris Williamson 41dfc11533SChris Williamson 42dfc11533SChris WilliamsonModifications to Lua 43dfc11533SChris Williamson-------------------- 44dfc11533SChris Williamson 45dfc11533SChris WilliamsonThe version of the Lua runtime we're using in ZFS has been modified in a variety 46dfc11533SChris Williamsonof ways to make it more useful for the specific purpose of running channel 47dfc11533SChris Williamsonprograms. These changes include: 48dfc11533SChris Williamson 49dfc11533SChris Williamson1. "Normal" Lua uses floating point for all numbers it stores, but those aren't 50dfc11533SChris Williamson useful inside ZFS / the kernel. We have changed the runtime to use int64_t 51dfc11533SChris Williamson throughout for all numbers. 52dfc11533SChris Williamson2. Some of the Lua standard libraries do file I/O or spawn processes, but 53dfc11533SChris Williamson neither of these make sense from inside channel programs. We have removed 54dfc11533SChris Williamson those libraries rather than reimplementing them using kernel APIs. 55dfc11533SChris Williamson3. The "normal" Lua runtime handles errors by failing fatally, but since this 56dfc11533SChris Williamson version of Lua runs inside the kernel we must handle these failures and 57dfc11533SChris Williamson return meaningful error codes to userland. We have customized the Lua 58dfc11533SChris Williamson failure paths so that they aren't fatal. 59dfc11533SChris Williamson4. Running poorly-vetted code inside the kernel is always a risk; even if the 60dfc11533SChris Williamson ability to do so is restricted to the root user, it's still possible to write 61dfc11533SChris Williamson an incorrect program that results in an infinite loop or massive memory use. 62dfc11533SChris Williamson We've added new protections into the Lua interpreter to limit the runtime 63dfc11533SChris Williamson (measured in number of Lua instructions run) and memory overhead of running 64dfc11533SChris Williamson a channel program. 65dfc11533SChris Williamson5. The Lua bytecode is not designed to be secure / safe, so it would be easy to 66dfc11533SChris Williamson pass invalid bytecode which can panic the kernel. By comparison, the parser 67dfc11533SChris Williamson is hardened and fails gracefully on invalid input. Therefore, we only accept 68dfc11533SChris Williamson Lua source code at the ioctl level and then interpret it inside the kernel. 69dfc11533SChris Williamson 70dfc11533SChris WilliamsonEach of these modifications have been tested in the zfs-test suite. If / when 71dfc11533SChris Williamsonnew modifications are made, new tests should be added to the suite located in 72dfc11533SChris Williamsonzfs-tests/tests/functional/channel_program/lua_core. 73dfc11533SChris Williamson 74dfc11533SChris Williamson 75dfc11533SChris WilliamsonHow to use this Lua interpreter 76dfc11533SChris Williamson------------------------------- 77dfc11533SChris Williamson 78dfc11533SChris WilliamsonFrom the above, it should be clear that this is not a general-purpose Lua 79dfc11533SChris Williamsoninterpreter. Additional work would be required to extricate this custom version 80dfc11533SChris Williamsonof Lua from ZFS and make it usable by other areas of the kernel. 81