1*61145dc2SMartin Matuska# SPDX-License-Identifier: CDDL-1.0 2eda14cbcSMatt Macy# 3eda14cbcSMatt Macy# CDDL HEADER START 4eda14cbcSMatt Macy# 5eda14cbcSMatt Macy# This file and its contents are supplied under the terms of the 6eda14cbcSMatt Macy# Common Development and Distribution License ("CDDL"), version 1.0. 7eda14cbcSMatt Macy# You may only use this file in accordance with the terms of version 8eda14cbcSMatt Macy# 1.0 of the CDDL. 9eda14cbcSMatt Macy# 10eda14cbcSMatt Macy# A full copy of the text of the CDDL should have accompanied this 11eda14cbcSMatt Macy# source. A copy of the CDDL is also available via the Internet at 12eda14cbcSMatt Macy# http://www.illumos.org/license/CDDL. 13eda14cbcSMatt Macy# 14eda14cbcSMatt Macy# CDDL HEADER END 15eda14cbcSMatt Macy# 16eda14cbcSMatt Macy 17eda14cbcSMatt Macy# 18eda14cbcSMatt Macy# Copyright (c) 2017 by Delphix. All rights reserved. 19eda14cbcSMatt Macy# 20eda14cbcSMatt Macy 21eda14cbcSMatt MacyIntroduction 22eda14cbcSMatt Macy------------ 23eda14cbcSMatt Macy 24eda14cbcSMatt MacyThis README describes the Lua interpreter source code that lives in the ZFS 25eda14cbcSMatt Macysource tree to enable execution of ZFS channel programs, including its 26eda14cbcSMatt Macymaintenance policy, the modifications that have been made to it, and how it 27eda14cbcSMatt Macyshould (and should not) be used. 28eda14cbcSMatt Macy 29eda14cbcSMatt MacyFor a description of the Lua language and features exposed by ZFS channel 30eda14cbcSMatt Macyprograms, please refer to the zfs-program(1m) man page instead. 31eda14cbcSMatt Macy 32eda14cbcSMatt Macy 33eda14cbcSMatt MacyMaintenance policy 34eda14cbcSMatt Macy------------------ 35eda14cbcSMatt Macy 36eda14cbcSMatt MacyThe Lua runtime is considered stable software. Channel programs don't need much 37eda14cbcSMatt Macycomplicated logic, so updates to the Lua runtime from upstream are viewed as 38eda14cbcSMatt Macynice-to-have, but not required for channel programs to be well-supported. As 39eda14cbcSMatt Macysuch, the Lua runtime in ZFS should be updated on an as-needed basis for 40eda14cbcSMatt Macysecurity vulnerabilities, but not much else. 41eda14cbcSMatt Macy 42eda14cbcSMatt Macy 43eda14cbcSMatt MacyModifications to Lua 44eda14cbcSMatt Macy-------------------- 45eda14cbcSMatt Macy 46eda14cbcSMatt MacyThe version of the Lua runtime we're using in ZFS has been modified in a variety 47eda14cbcSMatt Macyof ways to make it more useful for the specific purpose of running channel 48eda14cbcSMatt Macyprograms. These changes include: 49eda14cbcSMatt Macy 50eda14cbcSMatt Macy1. "Normal" Lua uses floating point for all numbers it stores, but those aren't 51eda14cbcSMatt Macy useful inside ZFS / the kernel. We have changed the runtime to use int64_t 52eda14cbcSMatt Macy throughout for all numbers. 53eda14cbcSMatt Macy2. Some of the Lua standard libraries do file I/O or spawn processes, but 54eda14cbcSMatt Macy neither of these make sense from inside channel programs. We have removed 55eda14cbcSMatt Macy those libraries rather than reimplementing them using kernel APIs. 56eda14cbcSMatt Macy3. The "normal" Lua runtime handles errors by failing fatally, but since this 57eda14cbcSMatt Macy version of Lua runs inside the kernel we must handle these failures and 58eda14cbcSMatt Macy return meaningful error codes to userland. We have customized the Lua 59eda14cbcSMatt Macy failure paths so that they aren't fatal. 60eda14cbcSMatt Macy4. Running poorly-vetted code inside the kernel is always a risk; even if the 61eda14cbcSMatt Macy ability to do so is restricted to the root user, it's still possible to write 62eda14cbcSMatt Macy an incorrect program that results in an infinite loop or massive memory use. 63eda14cbcSMatt Macy We've added new protections into the Lua interpreter to limit the runtime 64eda14cbcSMatt Macy (measured in number of Lua instructions run) and memory overhead of running 65eda14cbcSMatt Macy a channel program. 66eda14cbcSMatt Macy5. The Lua bytecode is not designed to be secure / safe, so it would be easy to 67eda14cbcSMatt Macy pass invalid bytecode which can panic the kernel. By comparison, the parser 68eda14cbcSMatt Macy is hardened and fails gracefully on invalid input. Therefore, we only accept 69eda14cbcSMatt Macy Lua source code at the ioctl level and then interpret it inside the kernel. 70eda14cbcSMatt Macy 71eda14cbcSMatt MacyEach of these modifications have been tested in the zfs-test suite. If / when 72eda14cbcSMatt Macynew modifications are made, new tests should be added to the suite located in 73eda14cbcSMatt Macyzfs-tests/tests/functional/channel_program/lua_core. 74eda14cbcSMatt Macy 75eda14cbcSMatt Macy 76eda14cbcSMatt MacyHow to use this Lua interpreter 77eda14cbcSMatt Macy------------------------------- 78eda14cbcSMatt Macy 79eda14cbcSMatt MacyFrom the above, it should be clear that this is not a general-purpose Lua 80eda14cbcSMatt Macyinterpreter. Additional work would be required to extricate this custom version 81eda14cbcSMatt Macyof Lua from ZFS and make it usable by other areas of the kernel. 82