Commit graph

6314 commits

Author SHA1 Message Date
Andreas Kling
0ad491a854 ProtocolServer: Use pledge() 2020-01-11 21:35:01 +01:00
Andreas Kling
1c755d848e SystemServer: Use pledge() 2020-01-11 21:35:01 +01:00
Andreas Kling
a84aac86b1 AudioServer: Use pledge() 2020-01-11 21:35:01 +01:00
Andreas Kling
5f5791cac8 TTYServer: Use pledge() 2020-01-11 21:35:01 +01:00
Andreas Kling
7b6b1bae02 MenuApplets: Use pledge() 2020-01-11 21:33:12 +01:00
Andreas Kling
457c7d9efd HackStudio: Use pledge() 2020-01-11 21:33:12 +01:00
Andreas Kling
c13328bd2b Taskbar: Use pledge() 2020-01-11 21:33:12 +01:00
Andreas Kling
f848faeec8 SystemMonitor: Use pledge() 2020-01-11 21:33:12 +01:00
Andreas Kling
ec1ae37f69 SystemMonitor+LibCore: Show process pledges in SystemMonitor :^) 2020-01-11 21:33:12 +01:00
Andreas Kling
4132f713c8 Terminal: Use pledge() 2020-01-11 21:33:12 +01:00
Andreas Kling
b36608f47c ProcFS: Expose process pledge promises in /proc/all 2020-01-11 21:33:12 +01:00
Andreas Kling
2f880a047f Browser: Use pledge()
This is the first complex app to use pledge(), and it was extremely
easy to get it working.

The main trickiness comes from the RPC sockets that get set up inside
the GApplication constructor. Since it wants to unlink any old RPC
socket with the same filename and change the file mode of the new
socket, it needs both "cpath" and "fattr".

Once the GApplication has been constructed, it seems we can safely
drop those promises. Pretty cool!
2020-01-11 21:33:12 +01:00
Andreas Kling
e131a401e8 cat: Use pledge() 2020-01-11 21:33:12 +01:00
Andreas Kling
1934a1ec0b Shell: Use pledge() 2020-01-11 21:33:07 +01:00
Andreas Kling
8c2009c5be host: Use pledge() 2020-01-11 20:49:31 +01:00
Andreas Kling
d30d3fac6f id: Use pledge() 2020-01-11 20:49:25 +01:00
Andreas Kling
409a4f7756 ping: Use pledge() 2020-01-11 20:48:43 +01:00
Andreas Kling
41c504a33b Kernel: Add pledge() syscall :^)
This patch implements basic support for OpenBSD-style pledge().
pledge() allows programs to incrementally reduce their set of allowed
syscalls, which are divided into categories that each make up a subset
of POSIX functionality.

If a process violates one of its pledged promises by attempting to call
a syscall that it previously said it wouldn't call, the process is
immediately terminated with an uncatchable SIGABRT.

This is by no means complete, and we'll need to add more checks in
various places to ensure that promises are being kept.

But it is pretty cool! :^)
2020-01-11 20:45:51 +01:00
Shannon Booth
529a65c283 WSWindowManager: Improve opening and closing the system menu
The system menu can now be opened by pressing the window key even while
in a focused window. The current menu can also now be closed by pressing
escape.

We still cannot navigate a menu using arrow keys while there is an
active window, but this is another step towards that.
2020-01-11 18:58:59 +01:00
Shannon Booth
2f0eb3e28e WSMenuManager: Fix set_current_menu() not setting the current menu
m_current_menu was being set and then immediately cleared by
close_everyone(). Furthermore, since the menu being set can be a
nullptr, we now also make sure to handle that.

Finally, the logic can be simplified. close on the current menu is not
required, as that is also done by close_everyone().
2020-01-11 18:58:59 +01:00
Sergey Bugaev
b37bd28053 Base: Document mount(2) and mount(8) 2020-01-11 18:57:53 +01:00
Sergey Bugaev
0cb0f54783 Kernel: Implement bind mounts
You can now bind-mount files and directories. This essentially exposes an
existing part of the file system in another place, and can be used as an
alternative to symlinks or hardlinks.

Here's an example of doing this:

    # mkdir /tmp/foo
    # mount /home/anon/myfile.txt /tmp/foo -o bind
    # cat /tmp/foo
    This is anon's file.
2020-01-11 18:57:53 +01:00
Sergey Bugaev
71f1d3f819 Base: Apply some filesystem flags by default
Notably, /tmp is now mounted nodev,nosuid :^)
2020-01-11 18:57:53 +01:00
Sergey Bugaev
29db900887 SystemMonitor: Display mount flags 2020-01-11 18:57:53 +01:00
Sergey Bugaev
a9e6f4a2cd Userland: Support mount flags 2020-01-11 18:57:53 +01:00
Sergey Bugaev
61c1106d9f Kernel+LibC: Implement a few mount flags
We now support these mount flags:
* MS_NODEV: disallow opening any devices from this file system
* MS_NOEXEC: disallow executing any executables from this file system
* MS_NOSUID: ignore set-user-id bits on executables from this file system

The fourth flag, MS_BIND, is defined, but currently ignored.
2020-01-11 18:57:53 +01:00
Sergey Bugaev
2fcbb846fb Kernel+LibC: Add O_EXEC, move exec permission checking to VFS::open()
O_EXEC is mentioned by POSIX, so let's have it. Currently, it is only used
inside the kernel to ensure the process has the right permissions when opening
an executable.
2020-01-11 18:57:53 +01:00
Sergey Bugaev
4566c2d811 Kernel+LibC: Add support for mount flags
At the moment, the actual flags are ignored, but we correctly propagate them all
the way from the original mount() syscall to each custody that resides on the
mounted FS.
2020-01-11 18:57:53 +01:00
Sergey Bugaev
1e6ab0ed22 Kernel: Simplify VFS::Mount handling
No need to pass around RefPtr<>s and NonnullRefPtr<>s and no need to
heap-allocate them.

Also remove VFS::mount(NonnullRefPtr<FS>&&, StringView path) - it has been
unused for a long time.
2020-01-11 18:57:53 +01:00
Andreas Kling
4d77cdf9a8 WindowServer: If a menu can't fit on screen, at least put it at y=0
We're gonna need to handle overflow better than this, but at least this
way we can see the top of the menu, even if we can't scroll down to see
the rest of it.

For #1043.
2020-01-11 14:39:39 +01:00
Andreas Kling
73788d7305 ls: Cache the user and group names instead of looking up every time 2020-01-11 13:30:17 +01:00
Andreas Kling
d0a708fda4 Base: Run ProtocolServer as a separate "protocol" user
This is probably not the final design we'll want for this, but for now
let's run the HTTP client code as a separate user to reduce exposure
for the standard "anon" user account.

Note that "protocol" is also added to the "lookup" group, in order to
allow ProtocolServer to contact LookupServer for DNS requests.
2020-01-11 13:07:32 +01:00
Andreas Kling
83f59419cd Kernel: Oops, recvfrom() is not quite ready for SMAP protections yet 2020-01-11 13:03:44 +01:00
Andreas Kling
eede6cfd06 LibPthread: Fix incompatible pthread_setname_np(), pthread_getname_np()
Other implementations of pthread_setname_np() do not take the name
length as an argument.

For pthread_getname_np(), other implementations take the buffer size
as a size_t.

This patch brings us in line with other implementations.
2020-01-11 12:54:30 +01:00
Andreas Kling
24c736b0e7 Kernel: Use the Syscall string and buffer types more
While I was updating syscalls to stop passing null-terminated strings,
I added some helpful struct types:

    - StringArgument { const char*; size_t; }
    - ImmutableBuffer<Data, Size> { const Data*; Size; }
    - MutableBuffer<Data, Size> { Data*; Size; }

The Process class has some convenience functions for validating and
optionally extracting the contents from these structs:

    - get_syscall_path_argument(StringArgument)
    - validate_and_copy_string_from_user(StringArgument)
    - validate(ImmutableBuffer)
    - validate(MutableBuffer)

There's still so much code around this and I'm wondering if we should
generate most of it instead. Possible nice little project.
2020-01-11 12:47:47 +01:00
Andreas Kling
1434f30f92 Kernel: Remove SmapDisabler in bind() 2020-01-11 12:07:45 +01:00
Andreas Kling
2d7ae42f75 Kernel: Remove SmapDisabler in clock_nanosleep() 2020-01-11 11:51:03 +01:00
Andreas Kling
0ca6d6c8d2 Kernel: Remove validate_read_str() as nothing uses it anymore :^) 2020-01-11 10:57:50 +01:00
Andreas Kling
f5092b1c7e Kernel: Pass a parameter struct to mount()
This was the last remaining syscall that took a null-terminated string
and figured out how long it was by walking it in kernelspace *shudder*.
2020-01-11 10:56:02 +01:00
Andreas Kling
e380142853 Kernel: Pass a parameter struct to rename() 2020-01-11 10:36:54 +01:00
Andreas Kling
46830a0c32 Kernel: Pass a parameter struct to symlink() 2020-01-11 10:31:33 +01:00
Andreas Kling
c97bfbd609 Kernel: Pass a parameter struct to mknod() 2020-01-11 10:27:37 +01:00
Andreas Kling
6536a80aa9 Kernel: Pass a parameter struct to chown() 2020-01-11 10:17:44 +01:00
Andreas Kling
29b3d95004 Kernel: Expose a process's filesystem root as a /proc/PID/root symlink
In order to preserve the absolute path of the process root, we save the
custody used by chroot() before stripping it to become the new "/".
There's probably a better way to do this.
2020-01-10 23:48:44 +01:00
Andreas Kling
3f9e4cd24e chroot: Add a little chroot program
This program changes the current filesystem root and spawns a shell.
2020-01-10 23:23:20 +01:00
Andreas Kling
ddd0b19281 Kernel: Add a basic chroot() syscall :^)
The chroot() syscall now allows the superuser to isolate a process into
a specific subtree of the filesystem. This is not strictly permanent,
as it is also possible for a superuser to break *out* of a chroot, but
it is a useful mechanism for isolating unprivileged processes.

The VFS now uses the current process's root_directory() as the root for
path resolution purposes. The root directory is stored as an uncached
Custody in the Process object.
2020-01-10 23:14:04 +01:00
Andreas Kling
944fbf507a Kernel: Custody::absolute_path() should always return "/" for roots
A Custody with no parent is always *a* root (although not necessarily
the *real* root.)
2020-01-10 23:09:58 +01:00
Andreas Kling
485443bfca Kernel: Pass characters+length to link() 2020-01-10 21:26:47 +01:00
Andreas Kling
416c7ac2b5 Kernel: Rename Syscall::SyscallString => Syscall::StringArgument 2020-01-10 20:16:18 +01:00
Andreas Kling
0695ff8282 Kernel: Pass characters+length to readlink()
Note that I'm developing some helper types in the Syscall namespace as
I go here. Once I settle on some nice types, I will convert all the
other syscalls to use them as well.
2020-01-10 20:13:23 +01:00