Just ignore all these environment flags if the AT_SECURE flag is set in
the program's auxiliary vector.
This prevents a user from tricking set-uid programs into dumping debug
information via environment flags.
load_from_image() becomes map() and link(). This allows us to map
an object before mapping its dependencies.
This solves an issue where fixed-position executables (like GCC)
would clash with the ASLR placement of their own shared libraries.
Refactor DynamicLoader construction with a try_create() helper so that
we can call mmap() before making a loader. This way the loader doesn't
need to have an "mmap failed" state.
This patch also takes care of determining the ELF file size in
try_create() instead of expecting callers to provide it.
Remap the list of atexit handlers as read-only while we're not actively
writing to it. This prevents an attacker from using a memory write
primitive to gain code execution via the atexit list.
This is based on a technique used in OpenBSD. :^)
This can be used to request random VM placement instead of the highly
predictable regular mmap(nullptr, ...) VM allocation strategy.
It will soon be used to implement ASLR in the dynamic loader. :^)
A C++ source file containing just
#include <LibFoo/Bar.h>
should always compile cleanly.
This patch adds missing header inclusions that could have caused weird error
messages if they were used in a different context. Also, this confused QtCreator.
This allows us to implement mkstemp() with open() directly, instead of
first lstat()'ing, and then open()'ing the filename.
Also implement tmpfile() in terms of mkstemp() instead of mktemp().
..and allow implicit creation of KResult and KResultOr from ErrnoCode.
This means that kernel functions that return those types can finally
do "return EINVAL;" and it will just work.
There's a handful of functions that still deal with signed integers
that should be converted to return KResults.
Quoting POSIX:
https://pubs.opengroup.org/onlinepubs/009695399/functions/tzset.html
The tzset() function also shall set the external variable daylight
to 0 if Daylight Savings Time conversions should never be applied
for the timezone in use; otherwise, non-zero.
We're already pretending to be in UTC+0 and setting timezone to 0
accordingly, we can also fake the absence of Daylight Savings Time.
Since tzset() itself pretends to succeed (it just sets timezone = 0 for
now), it seems unwise to leave tzname uninitialized. Since Serenity
already assumes UTC pretty much everywhere time is used, let's continue
that trend here. Quoting POSIX:
https://pubs.opengroup.org/onlinepubs/009695399/functions/tzset.html
The tzset() function shall use the value of the environment variable
TZ to set time conversion information used by ctime(), localtime(),
mktime(), and strftime(). If TZ is absent from the environment,
implementation-defined default timezone information shall be used.
So we still don't care about TZ at all, but the program doesn't need to
know! :^)
This matches what musl libc ("UTC") and glibc ("GMT") do, see:
- https://sourceware.org/git/?p=glibc.git;a=blob;f=time/tzset.c
- https://git.musl-libc.org/cgit/musl/tree/src/time/__tz.c
This adds support for FUTEX_WAKE_OP, FUTEX_WAIT_BITSET, FUTEX_WAKE_BITSET,
FUTEX_REQUEUE, and FUTEX_CMP_REQUEUE, as well well as global and private
futex and absolute/relative timeouts against the appropriate clock. This
also changes the implementation so that kernel resources are only used when
a thread is blocked on a futex.
Global futexes are implemented as offsets in VMObjects, so that different
processes can share a futex against the same VMObject despite potentially
being mapped at different virtual addresses.
All users of this mechanism have been switched to anonymous files and
passing file descriptors with sendfd()/recvfd().
Shbufs got us where we are today, but it's time we say good-bye to them
and welcome a much more idiomatic replacement. :^)
The realpath syscall can attempt to return arbitrarily long paths, in particular
paths that are longer than PATH_MAX. The only way to detect this case is
checking whether 'rc', the true length of the returned path including NUL byte,
exceeds our buffer length. In such a case, the buffer contains invalid data.
All Serenity code calls LibC's realpath() with a nullptr buffer, meaning that
realpath is supposed to allocate memory on its own. All Serenity code can handle
arbitrarily long paths returned by LibC's realpath, so it is safe to "do the
dance" and repeat the syscall with a new buffer.
Ports are likely to be graceful in this regard, too. If a Port calls realpath()
with a pre-allocated buffer, however, there is nothing better we can do than
return a truncated buffer.
The priority boosting mechanism has been broken for a very long time.
Let's remove it from the codebase and we can bring it back the day
someone feels like implementing it in a working way. :^)
64 was cutting it pretty close, especially now as we start using file
descriptor passing more and more.
This (1024) matches many other systems, and if we need more there's
always sys$poll().
This patch adds a new AnonymousFile class which is a File backed by
an AnonymousVMObject that can only be mmap'ed and nothing else, really.
I'm hoping that this can become a replacement for shbufs. :^)
This API was a mostly gratuitous deviation from POSIX that gave up some
portability in exchange for avoiding the occasional strlen().
I don't think that was actually achieving anything valuable, so let's
just chill out and have the same open() API as everyone else. :^)
