LadybirdBrowser/ladybird
1
1
Fork 0
mirror of https://github.com/LadybirdBrowser/ladybird.git synced 2025-01-05 01:55:21 +03:00
Code Issues Packages Projects Releases Wiki Activity
591c8d2b68
ladybird/Userland/Services/SystemServer/Service.cpp

387 lines
13 KiB
C++
Raw Normal View History

Meta: Add license header to source files As suggested by Joshua, this commit adds the 2-clause BSD license as a comment block to the top of every source file. For the first pass, I've just added myself for simplicity. I encourage everyone to add themselves as copyright holders of any file they've added or modified in some significant way. If I've added myself in error somewhere, feel free to replace it with the appropriate copyright holder instead. Going forward, all new source files should include a license header.
2020-01-18 11:38:21 +03:00
/*
Meta: Claim copyright for files created by me This changes copyright holder to myself for the source code files that I've created or have (almost) completely rewritten. Not included are the files that were significantly changed by others even though it was me who originally created them (think HtmlView), or the many other files I've contributed code to.
2020-01-24 16:45:29 +03:00
* Copyright (c) 2019-2020, Sergey Bugaev <bugaevc@serenityos.org>
Meta: Add license header to source files As suggested by Joshua, this commit adds the 2-clause BSD license as a comment block to the top of every source file. For the first pass, I've just added myself for simplicity. I encourage everyone to add themselves as copyright holders of any file they've added or modified in some significant way. If I've added myself in error somewhere, feel free to replace it with the appropriate copyright holder instead. Going forward, all new source files should include a license header.
2020-01-18 11:38:21 +03:00
*
Everything: Move to SPDX license identifiers in all files. SPDX License Identifiers are a more compact / standardized way of representing file license information. See: https://spdx.dev/resources/use/#identifiers This was done with the `ambr` search and replace tool. ambr --no-parent-ignore --key-from-file --rep-from-file key.txt rep.txt *
2021-04-22 11:24:48 +03:00
* SPDX-License-Identifier: BSD-2-Clause
Meta: Add license header to source files As suggested by Joshua, this commit adds the 2-clause BSD license as a comment block to the top of every source file. For the first pass, I've just added myself for simplicity. I encourage everyone to add themselves as copyright holders of any file they've added or modified in some significant way. If I've added myself in error somewhere, feel free to replace it with the appropriate copyright holder instead. Going forward, all new source files should include a license header.
2020-01-18 11:38:21 +03:00
*/
SystemServer: Read service list from a config file This replaces the hardcoded services list with a very simple config file in /etc/SystemServer.ini :^) Closes https://github.com/SerenityOS/serenity/issues/610
2019-11-26 19:05:09 +03:00
#include "Service.h"
Everywhere: Replace a bundle of dbg with dbgln. These changes are arbitrarily divided into multiple commits to make it easier to find potentially introduced bugs with git bisect.
2021-01-17 20:39:00 +03:00
#include <AK/Debug.h>
SystemServer: Read service list from a config file This replaces the hardcoded services list with a very simple config file in /etc/SystemServer.ini :^) Closes https://github.com/SerenityOS/serenity/issues/610
2019-11-26 19:05:09 +03:00
#include <AK/HashMap.h>
#include <AK/JsonArray.h>
#include <AK/JsonObject.h>
SystemServer: Propagate errors This patch also includes some changes in the way that the environment and arguments are passed to `exec`. It was needed to fit the signature of `Core::System::exec`. That's beneficial though, as we are now doing `String` manipulation in a fallible environment, so we can propagate more errors.
2023-01-08 02:19:16 +03:00
#include <AK/String.h>
SystemServer+LibCore: Allow service to request multiple sockets SystemServer only allowed a single socket to be created for a service before this. Now, SystemServer will allow any amount of sockets. The sockets can be defined like so: [SomeService] Socket=/tmp/portal/socket1,/tmp/portal/socket2,/tmp/portal/socket3 SocketPermissions=660,600 The last item in SocketPermissions is applied to the remainder of the sockets in the Socket= line, so multiple sockets can have the same permissions without having to repeat them. Defining multiple sockets is not allowed for socket-activated services at the moment, and wouldn't make much sense anyway. This patch also makes socket takeovers more robust by removing the assumption that the socket will always be passed in fd 3. Now, the SOCKET_TAKEOVER environment variable carries information about which endpoint corresponds to which socket, like so: SOCKET_TAKEOVER=/tmp/portal/socket1:3 /tmp/portal/socket2:4 and LocalServer/LocalService will parse this automatically and select the correct one. The old behavior of getting the default socket is preserved so long as the service only requests a single socket in SystemServer.ini.
2021-04-15 00:35:49 +03:00
#include <AK/StringBuilder.h>
LibCore: Remove leading C from filenames
2020-02-06 17:04:03 +03:00
#include <LibCore/ConfigFile.h>
LibCore+Userland: Remove File::ensure_parent_directories We have a much safer and more powerful alternative now, so let's move the few users over.
2022-04-10 21:51:01 +03:00
#include <LibCore/Directory.h>
SystemServer+LoginServer+Userland: Switch to sid-based sockets This commit does three things atomically: - switch over Core::Account+SystemServer+LoginServer to sid based socket names. - change socket names with %uid to %sid. - add/update necessary pledges and unveils. Userland: Switch over servers to sid based sockets Userland: Properly pledge and unveil for sid based sockets
2022-09-06 09:04:06 +03:00
#include <LibCore/SessionManagement.h>
SystemServer: Remove Socket.h header + use Core::System in some places Various Core::System functions are still missing so not all raw syscalls were converted just yet.
2022-02-06 20:54:24 +03:00
#include <LibCore/SocketAddress.h>
#include <LibCore/System.h>
Everywhere: Use `LibFileSystem` where trivial
2023-03-21 18:35:30 +03:00
#include <LibFileSystem/FileSystem.h>
LibC: Move S_* defines into <fcntl.h> According to the Single UNIX Specification, Version 2 that's where those macros should be defined. This fixes the libiconv port. This also fixes some (but not all) build errors for the diffutils and nano ports.
2021-04-11 06:53:37 +03:00
#include <fcntl.h>
SystemServer: Read service list from a config file This replaces the hardcoded services list with a very simple config file in /etc/SystemServer.ini :^) Closes https://github.com/SerenityOS/serenity/issues/610
2019-11-26 19:05:09 +03:00
#include <sched.h>
#include <stdio.h>
SystemServer: Don't let services inherit standard in/out and TTY We were letting services inherit writable fds for /dev/tty0, as well as having /dev/tty0 as their controlling terminal. Lock this down by closing fds {0,1,2} when spawning a service. We also detach from the controlling terminal. An exception is made for services with an explicit StdIO setting. In those cases, we now switch the controlling terminal to the specified path if possible.
2020-01-04 14:17:13 +03:00
#include <sys/ioctl.h>
SystemServer: Read service list from a config file This replaces the hardcoded services list with a very simple config file in /etc/SystemServer.ini :^) Closes https://github.com/SerenityOS/serenity/issues/610
2019-11-26 19:05:09 +03:00
#include <unistd.h>
SystemServer: Implement keepalive When reaping a child, SystemServer will now match up child's pid with its own record of the services, and respawn the service if keepalive is enabled for it. For example, we want to restart the WindowServer if it crashes, but we wouldn't want to restart the Terminal if it gets closed.
2019-11-26 19:19:59 +03:00
static HashMap<pid_t, Service*> s_service_map;
SystemServer: Read service list from a config file This replaces the hardcoded services list with a very simple config file in /etc/SystemServer.ini :^) Closes https://github.com/SerenityOS/serenity/issues/610
2019-11-26 19:05:09 +03:00
SystemServer: Implement keepalive When reaping a child, SystemServer will now match up child's pid with its own record of the services, and respawn the service if keepalive is enabled for it. For example, we want to restart the WindowServer if it crashes, but we wouldn't want to restart the Terminal if it gets closed.
2019-11-26 19:19:59 +03:00
Service* Service::find_by_pid(pid_t pid)
{
auto it = s_service_map.find(pid);
if (it == s_service_map.end())
return nullptr;
return (*it).value;
}
SystemServer: Add Service::try_create to propagate errors This static method is used to propagate errors at the creation of the object.
2022-06-08 19:29:08 +03:00
ErrorOr<void> Service::setup_socket(SocketDescriptor& socket)
SystemServer+LibCore: Implement socket takeover SystemServer can now create sockets on behalf of services before spawning any of them, and pass the open socket fd as fd 3. CLocalServer gains a method to complete the takeover and listen on the passed fd. This is not used by any services at the moment.
2019-11-26 19:27:21 +03:00
{
SystemServer+LibCore: Allow service to request multiple sockets SystemServer only allowed a single socket to be created for a service before this. Now, SystemServer will allow any amount of sockets. The sockets can be defined like so: [SomeService] Socket=/tmp/portal/socket1,/tmp/portal/socket2,/tmp/portal/socket3 SocketPermissions=660,600 The last item in SocketPermissions is applied to the remainder of the sockets in the Socket= line, so multiple sockets can have the same permissions without having to repeat them. Defining multiple sockets is not allowed for socket-activated services at the moment, and wouldn't make much sense anyway. This patch also makes socket takeovers more robust by removing the assumption that the socket will always be passed in fd 3. Now, the SOCKET_TAKEOVER environment variable carries information about which endpoint corresponds to which socket, like so: SOCKET_TAKEOVER=/tmp/portal/socket1:3 /tmp/portal/socket2:4 and LocalServer/LocalService will parse this automatically and select the correct one. The old behavior of getting the default socket is preserved so long as the service only requests a single socket in SystemServer.ini.
2021-04-15 00:35:49 +03:00
VERIFY(socket.fd == -1);
SystemServer+LibCore: Implement socket takeover SystemServer can now create sockets on behalf of services before spawning any of them, and pass the open socket fd as fd 3. CLocalServer gains a method to complete the takeover and listen on the passed fd. This is not used by any services at the moment.
2019-11-26 19:27:21 +03:00
SystemServer: Unlink before binding a new socket Prevent "Address already in use" issues when restarting a service.
2022-08-07 17:48:26 +03:00
// Note: The purpose of this syscall is to remove potential left-over of previous portal.
// The return value is discarded as sockets are not always there, and unlinking a non-existent path is considered as a failure.
(void)Core::System::unlink(socket.path);
SystemServer: Add Service::try_create to propagate errors This static method is used to propagate errors at the creation of the object.
2022-06-08 19:29:08 +03:00
TRY(Core::Directory::create(LexicalPath(socket.path).parent(), Core::Directory::CreateDirectories::Yes));
SystemServer+LibCore: Implement socket takeover SystemServer can now create sockets on behalf of services before spawning any of them, and pass the open socket fd as fd 3. CLocalServer gains a method to complete the takeover and listen on the passed fd. This is not used by any services at the moment.
2019-11-26 19:27:21 +03:00
// Note: we use SOCK_CLOEXEC here to make sure we don't leak every socket to
// all the clients. We'll make the one we do need to pass down !CLOEXEC later
// after forking off the process.
SystemServer: Add Service::try_create to propagate errors This static method is used to propagate errors at the creation of the object.
2022-06-08 19:29:08 +03:00
int const socket_fd = TRY(Core::System::socket(AF_LOCAL, SOCK_STREAM | SOCK_NONBLOCK | SOCK_CLOEXEC, 0));
SystemServer+LibCore: Allow service to request multiple sockets SystemServer only allowed a single socket to be created for a service before this. Now, SystemServer will allow any amount of sockets. The sockets can be defined like so: [SomeService] Socket=/tmp/portal/socket1,/tmp/portal/socket2,/tmp/portal/socket3 SocketPermissions=660,600 The last item in SocketPermissions is applied to the remainder of the sockets in the Socket= line, so multiple sockets can have the same permissions without having to repeat them. Defining multiple sockets is not allowed for socket-activated services at the moment, and wouldn't make much sense anyway. This patch also makes socket takeovers more robust by removing the assumption that the socket will always be passed in fd 3. Now, the SOCKET_TAKEOVER environment variable carries information about which endpoint corresponds to which socket, like so: SOCKET_TAKEOVER=/tmp/portal/socket1:3 /tmp/portal/socket2:4 and LocalServer/LocalService will parse this automatically and select the correct one. The old behavior of getting the default socket is preserved so long as the service only requests a single socket in SystemServer.ini.
2021-04-15 00:35:49 +03:00
socket.fd = socket_fd;
SystemServer+LibCore: Implement socket takeover SystemServer can now create sockets on behalf of services before spawning any of them, and pass the open socket fd as fd 3. CLocalServer gains a method to complete the takeover and listen on the passed fd. This is not used by any services at the moment.
2019-11-26 19:27:21 +03:00
SystemServer: Port to Core::Account We now have a handy Core::Account class that we can use instead of iterating over the passwd database ourselves.
2020-12-26 15:12:49 +03:00
if (m_account.has_value()) {
auto& account = m_account.value();
SystemServer: Add Service::try_create to propagate errors This static method is used to propagate errors at the creation of the object.
2022-06-08 19:29:08 +03:00
TRY(Core::System::fchown(socket_fd, account.uid(), account.gid()));
SystemServer: Make service sockets owned by the configured user Also make the sockets readable and writable only by that user. This fixes a bug where anyone could connect to anyone else's services, most obviously WindowServer.
2020-01-03 22:16:49 +03:00
}
SystemServer: Add Service::try_create to propagate errors This static method is used to propagate errors at the creation of the object.
2022-06-08 19:29:08 +03:00
TRY(Core::System::fchmod(socket_fd, socket.permissions));
SystemServer: Make service sockets owned by the configured user Also make the sockets readable and writable only by that user. This fixes a bug where anyone could connect to anyone else's services, most obviously WindowServer.
2020-01-03 22:16:49 +03:00
SystemServer+LibCore: Allow service to request multiple sockets SystemServer only allowed a single socket to be created for a service before this. Now, SystemServer will allow any amount of sockets. The sockets can be defined like so: [SomeService] Socket=/tmp/portal/socket1,/tmp/portal/socket2,/tmp/portal/socket3 SocketPermissions=660,600 The last item in SocketPermissions is applied to the remainder of the sockets in the Socket= line, so multiple sockets can have the same permissions without having to repeat them. Defining multiple sockets is not allowed for socket-activated services at the moment, and wouldn't make much sense anyway. This patch also makes socket takeovers more robust by removing the assumption that the socket will always be passed in fd 3. Now, the SOCKET_TAKEOVER environment variable carries information about which endpoint corresponds to which socket, like so: SOCKET_TAKEOVER=/tmp/portal/socket1:3 /tmp/portal/socket2:4 and LocalServer/LocalService will parse this automatically and select the correct one. The old behavior of getting the default socket is preserved so long as the service only requests a single socket in SystemServer.ini.
2021-04-15 00:35:49 +03:00
auto socket_address = Core::SocketAddress::local(socket.path);
LibCore: Prefer strlcpy over strncpy, fix overflow A malicious caller can create a SocketAddress for a local unix socket with an over-long name that does not fit into struct sock_addr_un. - Socket::connet: This caused the 'sun_path' field to overflow, probably overwriting the return pointer of the call frame, and thus crashing the process (in the best case). - SocketAddress::to_sockaddr_un: This triggered a RELEASE_ASSERT, and thus crashing the process. Both have been fixed to return a nice error code instead of crashing.
2020-08-23 14:47:52 +03:00
auto un_optional = socket_address.to_sockaddr_un();
if (!un_optional.has_value()) {
SystemServer+LibCore: Allow service to request multiple sockets SystemServer only allowed a single socket to be created for a service before this. Now, SystemServer will allow any amount of sockets. The sockets can be defined like so: [SomeService] Socket=/tmp/portal/socket1,/tmp/portal/socket2,/tmp/portal/socket3 SocketPermissions=660,600 The last item in SocketPermissions is applied to the remainder of the sockets in the Socket= line, so multiple sockets can have the same permissions without having to repeat them. Defining multiple sockets is not allowed for socket-activated services at the moment, and wouldn't make much sense anyway. This patch also makes socket takeovers more robust by removing the assumption that the socket will always be passed in fd 3. Now, the SOCKET_TAKEOVER environment variable carries information about which endpoint corresponds to which socket, like so: SOCKET_TAKEOVER=/tmp/portal/socket1:3 /tmp/portal/socket2:4 and LocalServer/LocalService will parse this automatically and select the correct one. The old behavior of getting the default socket is preserved so long as the service only requests a single socket in SystemServer.ini.
2021-04-15 00:35:49 +03:00
dbgln("Socket name {} is too long. BUG! This should have failed earlier!", socket.path);
Everywhere: Rename ASSERT => VERIFY (...and ASSERT_NOT_REACHED => VERIFY_NOT_REACHED) Since all of these checks are done in release builds as well, let's rename them to VERIFY to prevent confusion, as everyone is used to assertions being compiled out in release. We can introduce a new ASSERT macro that is specifically for debug checks, but I'm doing this wholesale conversion first since we've accumulated thousands of these already, and it's not immediately obvious which ones are suitable for ASSERT.
2021-02-23 22:42:32 +03:00
VERIFY_NOT_REACHED();
LibCore: Prefer strlcpy over strncpy, fix overflow A malicious caller can create a SocketAddress for a local unix socket with an over-long name that does not fit into struct sock_addr_un. - Socket::connet: This caused the 'sun_path' field to overflow, probably overwriting the return pointer of the call frame, and thus crashing the process (in the best case). - SocketAddress::to_sockaddr_un: This triggered a RELEASE_ASSERT, and thus crashing the process. Both have been fixed to return a nice error code instead of crashing.
2020-08-23 14:47:52 +03:00
}
auto un = un_optional.value();
SystemServer+LibCore: Implement socket takeover SystemServer can now create sockets on behalf of services before spawning any of them, and pass the open socket fd as fd 3. CLocalServer gains a method to complete the takeover and listen on the passed fd. This is not used by any services at the moment.
2019-11-26 19:27:21 +03:00
SystemServer: Add Service::try_create to propagate errors This static method is used to propagate errors at the creation of the object.
2022-06-08 19:29:08 +03:00
TRY(Core::System::bind(socket_fd, (sockaddr const*)&un, sizeof(un)));
TRY(Core::System::listen(socket_fd, 16));
return {};
SystemServer+LibCore: Implement socket takeover SystemServer can now create sockets on behalf of services before spawning any of them, and pass the open socket fd as fd 3. CLocalServer gains a method to complete the takeover and listen on the passed fd. This is not used by any services at the moment.
2019-11-26 19:27:21 +03:00
}
SystemServer: Add Service::try_create to propagate errors This static method is used to propagate errors at the creation of the object.
2022-06-08 19:29:08 +03:00
ErrorOr<void> Service::setup_sockets()
SystemServer+LibCore: Allow service to request multiple sockets SystemServer only allowed a single socket to be created for a service before this. Now, SystemServer will allow any amount of sockets. The sockets can be defined like so: [SomeService] Socket=/tmp/portal/socket1,/tmp/portal/socket2,/tmp/portal/socket3 SocketPermissions=660,600 The last item in SocketPermissions is applied to the remainder of the sockets in the Socket= line, so multiple sockets can have the same permissions without having to repeat them. Defining multiple sockets is not allowed for socket-activated services at the moment, and wouldn't make much sense anyway. This patch also makes socket takeovers more robust by removing the assumption that the socket will always be passed in fd 3. Now, the SOCKET_TAKEOVER environment variable carries information about which endpoint corresponds to which socket, like so: SOCKET_TAKEOVER=/tmp/portal/socket1:3 /tmp/portal/socket2:4 and LocalServer/LocalService will parse this automatically and select the correct one. The old behavior of getting the default socket is preserved so long as the service only requests a single socket in SystemServer.ini.
2021-04-15 00:35:49 +03:00
{
for (SocketDescriptor& socket : m_sockets)
SystemServer: Add Service::try_create to propagate errors This static method is used to propagate errors at the creation of the object.
2022-06-08 19:29:08 +03:00
TRY(setup_socket(socket));
return {};
SystemServer+LibCore: Allow service to request multiple sockets SystemServer only allowed a single socket to be created for a service before this. Now, SystemServer will allow any amount of sockets. The sockets can be defined like so: [SomeService] Socket=/tmp/portal/socket1,/tmp/portal/socket2,/tmp/portal/socket3 SocketPermissions=660,600 The last item in SocketPermissions is applied to the remainder of the sockets in the Socket= line, so multiple sockets can have the same permissions without having to repeat them. Defining multiple sockets is not allowed for socket-activated services at the moment, and wouldn't make much sense anyway. This patch also makes socket takeovers more robust by removing the assumption that the socket will always be passed in fd 3. Now, the SOCKET_TAKEOVER environment variable carries information about which endpoint corresponds to which socket, like so: SOCKET_TAKEOVER=/tmp/portal/socket1:3 /tmp/portal/socket2:4 and LocalServer/LocalService will parse this automatically and select the correct one. The old behavior of getting the default socket is preserved so long as the service only requests a single socket in SystemServer.ini.
2021-04-15 00:35:49 +03:00
}
SystemServer: Implement lazy spawning For services explicitly configured as lazy, SystemServer will now listen on the socket and only spawn the service once a client attempts to connect to the socket.
2019-11-26 19:41:16 +03:00
void Service::setup_notifier()
{
Everywhere: Rename ASSERT => VERIFY (...and ASSERT_NOT_REACHED => VERIFY_NOT_REACHED) Since all of these checks are done in release builds as well, let's rename them to VERIFY to prevent confusion, as everyone is used to assertions being compiled out in release. We can introduce a new ASSERT macro that is specifically for debug checks, but I'm doing this wholesale conversion first since we've accumulated thousands of these already, and it's not immediately obvious which ones are suitable for ASSERT.
2021-02-23 22:42:32 +03:00
VERIFY(m_lazy);
SystemServer+LibCore: Allow service to request multiple sockets SystemServer only allowed a single socket to be created for a service before this. Now, SystemServer will allow any amount of sockets. The sockets can be defined like so: [SomeService] Socket=/tmp/portal/socket1,/tmp/portal/socket2,/tmp/portal/socket3 SocketPermissions=660,600 The last item in SocketPermissions is applied to the remainder of the sockets in the Socket= line, so multiple sockets can have the same permissions without having to repeat them. Defining multiple sockets is not allowed for socket-activated services at the moment, and wouldn't make much sense anyway. This patch also makes socket takeovers more robust by removing the assumption that the socket will always be passed in fd 3. Now, the SOCKET_TAKEOVER environment variable carries information about which endpoint corresponds to which socket, like so: SOCKET_TAKEOVER=/tmp/portal/socket1:3 /tmp/portal/socket2:4 and LocalServer/LocalService will parse this automatically and select the correct one. The old behavior of getting the default socket is preserved so long as the service only requests a single socket in SystemServer.ini.
2021-04-15 00:35:49 +03:00
VERIFY(m_sockets.size() == 1);
Everywhere: Rename ASSERT => VERIFY (...and ASSERT_NOT_REACHED => VERIFY_NOT_REACHED) Since all of these checks are done in release builds as well, let's rename them to VERIFY to prevent confusion, as everyone is used to assertions being compiled out in release. We can introduce a new ASSERT macro that is specifically for debug checks, but I'm doing this wholesale conversion first since we've accumulated thousands of these already, and it's not immediately obvious which ones are suitable for ASSERT.
2021-02-23 22:42:32 +03:00
VERIFY(!m_socket_notifier);
SystemServer: Implement lazy spawning For services explicitly configured as lazy, SystemServer will now listen on the socket and only spawn the service once a client attempts to connect to the socket.
2019-11-26 19:41:16 +03:00
LibCore: Simplify Core::Notifier by only allowing one event type Not a single client of this API actually used the event mask feature to listen for readability AND writability. Let's simplify the API and have only one hook: on_activation.
2023-04-23 21:59:32 +03:00
m_socket_notifier = Core::Notifier::construct(m_sockets[0].fd, Core::Notifier::Type::Read, this);
m_socket_notifier->on_activation = [this] {
SystemServer: Propagate errors This patch also includes some changes in the way that the environment and arguments are passed to `exec`. It was needed to fit the signature of `Core::System::exec`. That's beneficial though, as we are now doing `String` manipulation in a fallible environment, so we can propagate more errors.
2023-01-08 02:19:16 +03:00
if (auto result = handle_socket_connection(); result.is_error())
dbgln("{}", result.release_error());
SystemServer: Add support for accepting socket connections :^) You can now ask SystemServer to not only listen for connections on the socket, but to actually accept them, and to spawn an instance of the service for each client connection. In this case, it's the accepted, not listening, socket that the service processes will receive using socket takeover. This mode obviously requires the service to be a multi-instance service.
2020-06-08 23:50:21 +03:00
};
}
SystemServer: Propagate errors This patch also includes some changes in the way that the environment and arguments are passed to `exec`. It was needed to fit the signature of `Core::System::exec`. That's beneficial though, as we are now doing `String` manipulation in a fallible environment, so we can propagate more errors.
2023-01-08 02:19:16 +03:00
ErrorOr<void> Service::handle_socket_connection()
SystemServer: Add support for accepting socket connections :^) You can now ask SystemServer to not only listen for connections on the socket, but to actually accept them, and to spawn an instance of the service for each client connection. In this case, it's the accepted, not listening, socket that the service processes will receive using socket takeover. This mode obviously requires the service to be a multi-instance service.
2020-06-08 23:50:21 +03:00
{
SystemServer+LibCore: Allow service to request multiple sockets SystemServer only allowed a single socket to be created for a service before this. Now, SystemServer will allow any amount of sockets. The sockets can be defined like so: [SomeService] Socket=/tmp/portal/socket1,/tmp/portal/socket2,/tmp/portal/socket3 SocketPermissions=660,600 The last item in SocketPermissions is applied to the remainder of the sockets in the Socket= line, so multiple sockets can have the same permissions without having to repeat them. Defining multiple sockets is not allowed for socket-activated services at the moment, and wouldn't make much sense anyway. This patch also makes socket takeovers more robust by removing the assumption that the socket will always be passed in fd 3. Now, the SOCKET_TAKEOVER environment variable carries information about which endpoint corresponds to which socket, like so: SOCKET_TAKEOVER=/tmp/portal/socket1:3 /tmp/portal/socket2:4 and LocalServer/LocalService will parse this automatically and select the correct one. The old behavior of getting the default socket is preserved so long as the service only requests a single socket in SystemServer.ini.
2021-04-15 00:35:49 +03:00
VERIFY(m_sockets.size() == 1);
Everywhere: Replace dbgln<flag>(...) with dbgln_if(flag, ...) Replacement made by `find Kernel Userland -name '*.h' -o -name '*.cpp' | sed -i -Ee 's/dbgln\b<(\w+)>\(/dbgln_if(\1, /g'`
2021-02-07 15:03:24 +03:00
dbgln_if(SERVICE_DEBUG, "Ready to read on behalf of {}", name());
Everywhere: Replace a bundle of dbg with dbgln. These changes are arbitrarily divided into multiple commits to make it easier to find potentially introduced bugs with git bisect.
2021-01-17 20:39:00 +03:00
SystemServer+LibCore: Allow service to request multiple sockets SystemServer only allowed a single socket to be created for a service before this. Now, SystemServer will allow any amount of sockets. The sockets can be defined like so: [SomeService] Socket=/tmp/portal/socket1,/tmp/portal/socket2,/tmp/portal/socket3 SocketPermissions=660,600 The last item in SocketPermissions is applied to the remainder of the sockets in the Socket= line, so multiple sockets can have the same permissions without having to repeat them. Defining multiple sockets is not allowed for socket-activated services at the moment, and wouldn't make much sense anyway. This patch also makes socket takeovers more robust by removing the assumption that the socket will always be passed in fd 3. Now, the SOCKET_TAKEOVER environment variable carries information about which endpoint corresponds to which socket, like so: SOCKET_TAKEOVER=/tmp/portal/socket1:3 /tmp/portal/socket2:4 and LocalServer/LocalService will parse this automatically and select the correct one. The old behavior of getting the default socket is preserved so long as the service only requests a single socket in SystemServer.ini.
2021-04-15 00:35:49 +03:00
int socket_fd = m_sockets[0].fd;
SystemServer: Add support for accepting socket connections :^) You can now ask SystemServer to not only listen for connections on the socket, but to actually accept them, and to spawn an instance of the service for each client connection. In this case, it's the accepted, not listening, socket that the service processes will receive using socket takeover. This mode obviously requires the service to be a multi-instance service.
2020-06-08 23:50:21 +03:00
if (m_accept_socket_connections) {
SystemServer: Propagate errors This patch also includes some changes in the way that the environment and arguments are passed to `exec`. It was needed to fit the signature of `Core::System::exec`. That's beneficial though, as we are now doing `String` manipulation in a fallible environment, so we can propagate more errors.
2023-01-08 02:19:16 +03:00
auto const accepted_fd = TRY(Core::System::accept(socket_fd, nullptr, nullptr));
SystemServer: Remove Socket.h header + use Core::System in some places Various Core::System functions are still missing so not all raw syscalls were converted just yet.
2022-02-06 20:54:24 +03:00
SystemServer: Propagate errors This patch also includes some changes in the way that the environment and arguments are passed to `exec`. It was needed to fit the signature of `Core::System::exec`. That's beneficial though, as we are now doing `String` manipulation in a fallible environment, so we can propagate more errors.
2023-01-08 02:19:16 +03:00
TRY(determine_account(accepted_fd));
TRY(spawn(accepted_fd));
TRY(Core::System::close(accepted_fd));
SystemServer: Add support for accepting socket connections :^) You can now ask SystemServer to not only listen for connections on the socket, but to actually accept them, and to spawn an instance of the service for each client connection. In this case, it's the accepted, not listening, socket that the service processes will receive using socket takeover. This mode obviously requires the service to be a multi-instance service.
2020-06-08 23:50:21 +03:00
} else {
SystemServer: Implement lazy spawning For services explicitly configured as lazy, SystemServer will now listen on the socket and only spawn the service once a client attempts to connect to the socket.
2019-11-26 19:41:16 +03:00
remove_child(*m_socket_notifier);
m_socket_notifier = nullptr;
SystemServer: Propagate errors This patch also includes some changes in the way that the environment and arguments are passed to `exec`. It was needed to fit the signature of `Core::System::exec`. That's beneficial though, as we are now doing `String` manipulation in a fallible environment, so we can propagate more errors.
2023-01-08 02:19:16 +03:00
TRY(spawn(socket_fd));
SystemServer: Add support for accepting socket connections :^) You can now ask SystemServer to not only listen for connections on the socket, but to actually accept them, and to spawn an instance of the service for each client connection. In this case, it's the accepted, not listening, socket that the service processes will receive using socket takeover. This mode obviously requires the service to be a multi-instance service.
2020-06-08 23:50:21 +03:00
}
SystemServer: Propagate errors This patch also includes some changes in the way that the environment and arguments are passed to `exec`. It was needed to fit the signature of `Core::System::exec`. That's beneficial though, as we are now doing `String` manipulation in a fallible environment, so we can propagate more errors.
2023-01-08 02:19:16 +03:00
return {};
SystemServer: Implement lazy spawning For services explicitly configured as lazy, SystemServer will now listen on the socket and only spawn the service once a client attempts to connect to the socket.
2019-11-26 19:41:16 +03:00
}
SystemServer: Propagate errors This patch also includes some changes in the way that the environment and arguments are passed to `exec`. It was needed to fit the signature of `Core::System::exec`. That's beneficial though, as we are now doing `String` manipulation in a fallible environment, so we can propagate more errors.
2023-01-08 02:19:16 +03:00
ErrorOr<void> Service::activate()
SystemServer: Implement lazy spawning For services explicitly configured as lazy, SystemServer will now listen on the socket and only spawn the service once a client attempts to connect to the socket.
2019-11-26 19:41:16 +03:00
{
Everywhere: Rename ASSERT => VERIFY (...and ASSERT_NOT_REACHED => VERIFY_NOT_REACHED) Since all of these checks are done in release builds as well, let's rename them to VERIFY to prevent confusion, as everyone is used to assertions being compiled out in release. We can introduce a new ASSERT macro that is specifically for debug checks, but I'm doing this wholesale conversion first since we've accumulated thousands of these already, and it's not immediately obvious which ones are suitable for ASSERT.
2021-02-23 22:42:32 +03:00
VERIFY(m_pid < 0);
SystemServer: Implement lazy spawning For services explicitly configured as lazy, SystemServer will now listen on the socket and only spawn the service once a client attempts to connect to the socket.
2019-11-26 19:41:16 +03:00
if (m_lazy)
setup_notifier();
else
SystemServer: Propagate errors This patch also includes some changes in the way that the environment and arguments are passed to `exec`. It was needed to fit the signature of `Core::System::exec`. That's beneficial though, as we are now doing `String` manipulation in a fallible environment, so we can propagate more errors.
2023-01-08 02:19:16 +03:00
TRY(spawn());
return {};
SystemServer: Implement lazy spawning For services explicitly configured as lazy, SystemServer will now listen on the socket and only spawn the service once a client attempts to connect to the socket.
2019-11-26 19:41:16 +03:00
}
SystemServer: Ensure service drop privileges could fail only when root If we try to launch a lazily-spawned service and the SystemServer as a (running --user) session leader is running with root permissions, then if it is instructed to drop the root permissions for a the new service then it will make sense to abort the entire spawn procedure if dropping of privileges failed. For other users, trying to change UID/GID to something else doesn't make sense (and will always actually fail) as we are already running in non root permissions, hence we don't attempt to do this anymore. It should be noted that if an explicit User configuration was actually specified for a Service to be used with, we would still try to login with the requested User option value, which would fail when running as non-root user. This is useful for example when trying to run the pro utility with pls to elevate to root permissions, but the session leader is still the same so trying to "drop" privileges to UID 0 doesn't make sense.
2023-05-24 21:55:17 +03:00
ErrorOr<void> Service::change_privileges()
{
// NOTE: Dropping privileges makes sense when SystemServer is running
// for a root session.
// This could happen when we need to spawn a Service to serve a client with non-user UID/GID.
// However, in case the user explicitly specified a username via the User= option, then we must
// try to login as at that user, so we can't ignore the failure when it was requested to change
// privileges.
if (auto current_uid = getuid(); m_account.has_value() && m_account.value().uid() != current_uid) {
if (current_uid != 0 && !m_must_login)
return {};
auto& account = m_account.value();
if (auto error_or_void = account.login(); error_or_void.is_error()) {
dbgln("Failed to drop privileges (tried to change to GID={}, UID={}), due to {}\n", account.gid(), account.uid(), error_or_void.error());
exit(1);
}
TRY(Core::System::setenv("HOME"sv, account.home_directory(), true));
}
return {};
}
SystemServer: Propagate errors This patch also includes some changes in the way that the environment and arguments are passed to `exec`. It was needed to fit the signature of `Core::System::exec`. That's beneficial though, as we are now doing `String` manipulation in a fallible environment, so we can propagate more errors.
2023-01-08 02:19:16 +03:00
ErrorOr<void> Service::spawn(int socket_fd)
SystemServer: Read service list from a config file This replaces the hardcoded services list with a very simple config file in /etc/SystemServer.ini :^) Closes https://github.com/SerenityOS/serenity/issues/610
2019-11-26 19:05:09 +03:00
{
Everywhere: Use `LibFileSystem` where trivial
2023-03-21 18:35:30 +03:00
if (!FileSystem::exists(m_executable_path)) {
SystemServer: Handle missing service executable gracefully I use the `configure-components` functionality locally during development. There are a few services (SpiceAgent) which aren't marked as required components, and hence aren't built in all configurations, but we still try to launch them in all configurations. Instead of letting the forked SystemServer process crash, lets gracefully handle the situation of a missing binary and provide a message to the user.
2021-08-07 13:10:45 +03:00
dbgln("{}: binary \"{}\" does not exist, skipping service.", name(), m_executable_path);
SystemServer: Propagate errors This patch also includes some changes in the way that the environment and arguments are passed to `exec`. It was needed to fit the signature of `Core::System::exec`. That's beneficial though, as we are now doing `String` manipulation in a fallible environment, so we can propagate more errors.
2023-01-08 02:19:16 +03:00
return Error::from_errno(ENOENT);
SystemServer: Handle missing service executable gracefully I use the `configure-components` functionality locally during development. There are a few services (SpiceAgent) which aren't marked as required components, and hence aren't built in all configurations, but we still try to launch them in all configurations. Instead of letting the forked SystemServer process crash, lets gracefully handle the situation of a missing binary and provide a message to the user.
2021-08-07 13:10:45 +03:00
}
Everywhere: Replace dbgln<flag>(...) with dbgln_if(flag, ...) Replacement made by `find Kernel Userland -name '*.h' -o -name '*.cpp' | sed -i -Ee 's/dbgln\b<(\w+)>\(/dbgln_if(\1, /g'`
2021-02-07 15:03:24 +03:00
dbgln_if(SERVICE_DEBUG, "Spawning {}", name());
SystemServer: Read service list from a config file This replaces the hardcoded services list with a very simple config file in /etc/SystemServer.ini :^) Closes https://github.com/SerenityOS/serenity/issues/610
2019-11-26 19:05:09 +03:00
SystemServer: Limit service restarts SystemServer will now track the number of restart attempts and the run time of a service, and will also pay attention to its exit code. If a service exits unsuccessfully and too quickly (in less than a second), SystemServer will only attempt to restart it twice. This means that if WindowServer crashes on startup, we will now see just a few copies of the crash instead of the quickly scrolling log flashing with colors :^)
2020-02-07 13:32:14 +03:00
m_run_timer.start();
SystemServer: Propagate errors This patch also includes some changes in the way that the environment and arguments are passed to `exec`. It was needed to fit the signature of `Core::System::exec`. That's beneficial though, as we are now doing `String` manipulation in a fallible environment, so we can propagate more errors.
2023-01-08 02:19:16 +03:00
pid_t pid = TRY(Core::System::fork());
SystemServer: Read service list from a config file This replaces the hardcoded services list with a very simple config file in /etc/SystemServer.ini :^) Closes https://github.com/SerenityOS/serenity/issues/610
2019-11-26 19:05:09 +03:00
SystemServer: Propagate errors This patch also includes some changes in the way that the environment and arguments are passed to `exec`. It was needed to fit the signature of `Core::System::exec`. That's beneficial though, as we are now doing `String` manipulation in a fallible environment, so we can propagate more errors.
2023-01-08 02:19:16 +03:00
if (pid == 0) {
SystemServer: Read service list from a config file This replaces the hardcoded services list with a very simple config file in /etc/SystemServer.ini :^) Closes https://github.com/SerenityOS/serenity/issues/610
2019-11-26 19:05:09 +03:00
// We are the child.
AK+Everywhere: Remove the null state of DeprecatedString This commit removes DeprecatedString's "null" state, and replaces all its users with one of the following: - A normal, empty DeprecatedString - Optional<DeprecatedString> Note that null states of DeprecatedFlyString/StringView/etc are *not* affected by this commit. However, DeprecatedString::empty() is now considered equal to a null StringView.
2023-10-10 14:30:58 +03:00
if (m_working_directory.has_value())
TRY(Core::System::chdir(*m_working_directory));
SystemServer: Add WorkingDirectory support Services can now have their initial working directory configured via `SystemServer.ini`. This commit also configures Terminal's working directory to be /home/anon
2020-03-16 23:21:02 +03:00
SystemServer: Read service list from a config file This replaces the hardcoded services list with a very simple config file in /etc/SystemServer.ini :^) Closes https://github.com/SerenityOS/serenity/issues/610
2019-11-26 19:05:09 +03:00
struct sched_param p;
p.sched_priority = m_priority;
int rc = sched_setparam(0, &p);
if (rc < 0) {
perror("sched_setparam");
Everywhere: Rename ASSERT => VERIFY (...and ASSERT_NOT_REACHED => VERIFY_NOT_REACHED) Since all of these checks are done in release builds as well, let's rename them to VERIFY to prevent confusion, as everyone is used to assertions being compiled out in release. We can introduce a new ASSERT macro that is specifically for debug checks, but I'm doing this wholesale conversion first since we've accumulated thousands of these already, and it's not immediately obvious which ones are suitable for ASSERT.
2021-02-23 22:42:32 +03:00
VERIFY_NOT_REACHED();
SystemServer: Read service list from a config file This replaces the hardcoded services list with a very simple config file in /etc/SystemServer.ini :^) Closes https://github.com/SerenityOS/serenity/issues/610
2019-11-26 19:05:09 +03:00
}
AK+Everywhere: Remove the null state of DeprecatedString This commit removes DeprecatedString's "null" state, and replaces all its users with one of the following: - A normal, empty DeprecatedString - Optional<DeprecatedString> Note that null states of DeprecatedFlyString/StringView/etc are *not* affected by this commit. However, DeprecatedString::empty() is now considered equal to a null StringView.
2023-10-10 14:30:58 +03:00
if (m_stdio_file_path.has_value()) {
SystemServer: Don't let services inherit standard in/out and TTY We were letting services inherit writable fds for /dev/tty0, as well as having /dev/tty0 as their controlling terminal. Lock this down by closing fds {0,1,2} when spawning a service. We also detach from the controlling terminal. An exception is made for services with an explicit StdIO setting. In those cases, we now switch the controlling terminal to the specified path if possible.
2020-01-04 14:17:13 +03:00
close(STDIN_FILENO);
AK+Everywhere: Remove the null state of DeprecatedString This commit removes DeprecatedString's "null" state, and replaces all its users with one of the following: - A normal, empty DeprecatedString - Optional<DeprecatedString> Note that null states of DeprecatedFlyString/StringView/etc are *not* affected by this commit. However, DeprecatedString::empty() is now considered equal to a null StringView.
2023-10-10 14:30:58 +03:00
auto const fd = TRY(Core::System::open(*m_stdio_file_path, O_RDWR, 0));
SystemServer: Propagate errors This patch also includes some changes in the way that the environment and arguments are passed to `exec`. It was needed to fit the signature of `Core::System::exec`. That's beneficial though, as we are now doing `String` manipulation in a fallible environment, so we can propagate more errors.
2023-01-08 02:19:16 +03:00
VERIFY(fd == 0);
SystemServer: Don't let services inherit standard in/out and TTY We were letting services inherit writable fds for /dev/tty0, as well as having /dev/tty0 as their controlling terminal. Lock this down by closing fds {0,1,2} when spawning a service. We also detach from the controlling terminal. An exception is made for services with an explicit StdIO setting. In those cases, we now switch the controlling terminal to the specified path if possible.
2020-01-04 14:17:13 +03:00
dup2(STDIN_FILENO, STDOUT_FILENO);
dup2(STDIN_FILENO, STDERR_FILENO);
if (isatty(STDIN_FILENO)) {
ioctl(STDIN_FILENO, TIOCSCTTY);
}
} else {
if (isatty(STDIN_FILENO)) {
ioctl(STDIN_FILENO, TIOCNOTTY);
}
close(STDIN_FILENO);
close(STDOUT_FILENO);
close(STDERR_FILENO);
SystemServer: Explicitly open /dev/null for services without StdIO Spawning services with nothing open at all on the standard I/O fds is way too harsh. We now open /dev/null for them instead.
2020-01-04 15:15:01 +03:00
SystemServer: Propagate errors This patch also includes some changes in the way that the environment and arguments are passed to `exec`. It was needed to fit the signature of `Core::System::exec`. That's beneficial though, as we are now doing `String` manipulation in a fallible environment, so we can propagate more errors.
2023-01-08 02:19:16 +03:00
auto const fd = TRY(Core::System::open("/dev/null"sv, O_RDWR));
Everywhere: Rename ASSERT => VERIFY (...and ASSERT_NOT_REACHED => VERIFY_NOT_REACHED) Since all of these checks are done in release builds as well, let's rename them to VERIFY to prevent confusion, as everyone is used to assertions being compiled out in release. We can introduce a new ASSERT macro that is specifically for debug checks, but I'm doing this wholesale conversion first since we've accumulated thousands of these already, and it's not immediately obvious which ones are suitable for ASSERT.
2021-02-23 22:42:32 +03:00
VERIFY(fd == STDIN_FILENO);
SystemServer: Explicitly open /dev/null for services without StdIO Spawning services with nothing open at all on the standard I/O fds is way too harsh. We now open /dev/null for them instead.
2020-01-04 15:15:01 +03:00
dup2(STDIN_FILENO, STDOUT_FILENO);
dup2(STDIN_FILENO, STDERR_FILENO);
SystemServer: Read service list from a config file This replaces the hardcoded services list with a very simple config file in /etc/SystemServer.ini :^) Closes https://github.com/SerenityOS/serenity/issues/610
2019-11-26 19:05:09 +03:00
}
SystemServer: Propagate errors This patch also includes some changes in the way that the environment and arguments are passed to `exec`. It was needed to fit the signature of `Core::System::exec`. That's beneficial though, as we are now doing `String` manipulation in a fallible environment, so we can propagate more errors.
2023-01-08 02:19:16 +03:00
StringBuilder socket_takeover_builder;
SystemServer+LibCore: Allow service to request multiple sockets SystemServer only allowed a single socket to be created for a service before this. Now, SystemServer will allow any amount of sockets. The sockets can be defined like so: [SomeService] Socket=/tmp/portal/socket1,/tmp/portal/socket2,/tmp/portal/socket3 SocketPermissions=660,600 The last item in SocketPermissions is applied to the remainder of the sockets in the Socket= line, so multiple sockets can have the same permissions without having to repeat them. Defining multiple sockets is not allowed for socket-activated services at the moment, and wouldn't make much sense anyway. This patch also makes socket takeovers more robust by removing the assumption that the socket will always be passed in fd 3. Now, the SOCKET_TAKEOVER environment variable carries information about which endpoint corresponds to which socket, like so: SOCKET_TAKEOVER=/tmp/portal/socket1:3 /tmp/portal/socket2:4 and LocalServer/LocalService will parse this automatically and select the correct one. The old behavior of getting the default socket is preserved so long as the service only requests a single socket in SystemServer.ini.
2021-04-15 00:35:49 +03:00
SystemServer: Add support for accepting socket connections :^) You can now ask SystemServer to not only listen for connections on the socket, but to actually accept them, and to spawn an instance of the service for each client connection. In this case, it's the accepted, not listening, socket that the service processes will receive using socket takeover. This mode obviously requires the service to be a multi-instance service.
2020-06-08 23:50:21 +03:00
if (socket_fd >= 0) {
SystemServer+LibCore: Allow service to request multiple sockets SystemServer only allowed a single socket to be created for a service before this. Now, SystemServer will allow any amount of sockets. The sockets can be defined like so: [SomeService] Socket=/tmp/portal/socket1,/tmp/portal/socket2,/tmp/portal/socket3 SocketPermissions=660,600 The last item in SocketPermissions is applied to the remainder of the sockets in the Socket= line, so multiple sockets can have the same permissions without having to repeat them. Defining multiple sockets is not allowed for socket-activated services at the moment, and wouldn't make much sense anyway. This patch also makes socket takeovers more robust by removing the assumption that the socket will always be passed in fd 3. Now, the SOCKET_TAKEOVER environment variable carries information about which endpoint corresponds to which socket, like so: SOCKET_TAKEOVER=/tmp/portal/socket1:3 /tmp/portal/socket2:4 and LocalServer/LocalService will parse this automatically and select the correct one. The old behavior of getting the default socket is preserved so long as the service only requests a single socket in SystemServer.ini.
2021-04-15 00:35:49 +03:00
// We were spawned by socket activation. We currently only support
// single sockets for socket activation, so make sure that's the case.
VERIFY(m_sockets.size() == 1);
int fd = dup(socket_fd);
SystemServer: Propagate errors This patch also includes some changes in the way that the environment and arguments are passed to `exec`. It was needed to fit the signature of `Core::System::exec`. That's beneficial though, as we are now doing `String` manipulation in a fallible environment, so we can propagate more errors.
2023-01-08 02:19:16 +03:00
TRY(socket_takeover_builder.try_appendff("{}:{}", m_sockets[0].path, fd));
SystemServer+LibCore: Allow service to request multiple sockets SystemServer only allowed a single socket to be created for a service before this. Now, SystemServer will allow any amount of sockets. The sockets can be defined like so: [SomeService] Socket=/tmp/portal/socket1,/tmp/portal/socket2,/tmp/portal/socket3 SocketPermissions=660,600 The last item in SocketPermissions is applied to the remainder of the sockets in the Socket= line, so multiple sockets can have the same permissions without having to repeat them. Defining multiple sockets is not allowed for socket-activated services at the moment, and wouldn't make much sense anyway. This patch also makes socket takeovers more robust by removing the assumption that the socket will always be passed in fd 3. Now, the SOCKET_TAKEOVER environment variable carries information about which endpoint corresponds to which socket, like so: SOCKET_TAKEOVER=/tmp/portal/socket1:3 /tmp/portal/socket2:4 and LocalServer/LocalService will parse this automatically and select the correct one. The old behavior of getting the default socket is preserved so long as the service only requests a single socket in SystemServer.ini.
2021-04-15 00:35:49 +03:00
} else {
// We were spawned as a regular process, so dup every socket for this
// service and let the service know via SOCKET_TAKEOVER.
for (unsigned i = 0; i < m_sockets.size(); i++) {
SocketDescriptor& socket = m_sockets.at(i);
int new_fd = dup(socket.fd);
if (i != 0)
SystemServer: Propagate errors This patch also includes some changes in the way that the environment and arguments are passed to `exec`. It was needed to fit the signature of `Core::System::exec`. That's beneficial though, as we are now doing `String` manipulation in a fallible environment, so we can propagate more errors.
2023-01-08 02:19:16 +03:00
TRY(socket_takeover_builder.try_append(';'));
TRY(socket_takeover_builder.try_appendff("{}:{}", socket.path, new_fd));
SystemServer+LibCore: Allow service to request multiple sockets SystemServer only allowed a single socket to be created for a service before this. Now, SystemServer will allow any amount of sockets. The sockets can be defined like so: [SomeService] Socket=/tmp/portal/socket1,/tmp/portal/socket2,/tmp/portal/socket3 SocketPermissions=660,600 The last item in SocketPermissions is applied to the remainder of the sockets in the Socket= line, so multiple sockets can have the same permissions without having to repeat them. Defining multiple sockets is not allowed for socket-activated services at the moment, and wouldn't make much sense anyway. This patch also makes socket takeovers more robust by removing the assumption that the socket will always be passed in fd 3. Now, the SOCKET_TAKEOVER environment variable carries information about which endpoint corresponds to which socket, like so: SOCKET_TAKEOVER=/tmp/portal/socket1:3 /tmp/portal/socket2:4 and LocalServer/LocalService will parse this automatically and select the correct one. The old behavior of getting the default socket is preserved so long as the service only requests a single socket in SystemServer.ini.
2021-04-15 00:35:49 +03:00
}
}
if (!m_sockets.is_empty()) {
SystemServer+LibCore: Implement socket takeover SystemServer can now create sockets on behalf of services before spawning any of them, and pass the open socket fd as fd 3. CLocalServer gains a method to complete the takeover and listen on the passed fd. This is not used by any services at the moment.
2019-11-26 19:27:21 +03:00
// The new descriptor is !CLOEXEC here.
SystemServer: Revert back to inheriting environments again This reverts the SystemServer exec() logic to how it was before 81bd91c, but now with some extra TRY()s. This allows the HOME var to always be propagated from LoginServer which prevents needing to unveil() /etc/passwd everywhere.
2023-02-04 18:45:06 +03:00
TRY(Core::System::setenv("SOCKET_TAKEOVER"sv, socket_takeover_builder.string_view(), true));
SystemServer+LibCore: Implement socket takeover SystemServer can now create sockets on behalf of services before spawning any of them, and pass the open socket fd as fd 3. CLocalServer gains a method to complete the takeover and listen on the passed fd. This is not used by any services at the moment.
2019-11-26 19:27:21 +03:00
}
SystemServer: Ensure service drop privileges could fail only when root If we try to launch a lazily-spawned service and the SystemServer as a (running --user) session leader is running with root permissions, then if it is instructed to drop the root permissions for a the new service then it will make sense to abort the entire spawn procedure if dropping of privileges failed. For other users, trying to change UID/GID to something else doesn't make sense (and will always actually fail) as we are already running in non root permissions, hence we don't attempt to do this anymore. It should be noted that if an explicit User configuration was actually specified for a Service to be used with, we would still try to login with the requested User option value, which would fail when running as non-root user. This is useful for example when trying to run the pro utility with pls to elevate to root permissions, but the session leader is still the same so trying to "drop" privileges to UID 0 doesn't make sense.
2023-05-24 21:55:17 +03:00
TRY(change_privileges());
SystemServer: Read service list from a config file This replaces the hardcoded services list with a very simple config file in /etc/SystemServer.ini :^) Closes https://github.com/SerenityOS/serenity/issues/610
2019-11-26 19:05:09 +03:00
SystemServer: Revert back to inheriting environments again This reverts the SystemServer exec() logic to how it was before 81bd91c, but now with some extra TRY()s. This allows the HOME var to always be propagated from LoginServer which prevents needing to unveil() /etc/passwd everywhere.
2023-02-04 18:45:06 +03:00
TRY(m_environment.view().for_each_split_view(' ', SplitBehavior::Nothing, [&](auto env) {
return Core::System::putenv(env);
}));
Vector<StringView, 10> arguments;
TRY(arguments.try_append(m_executable_path));
TRY(m_extra_arguments.view().for_each_split_view(' ', SplitBehavior::Nothing, [&](auto arg) {
return arguments.try_append(arg);
}));
SystemServer: Add BootModes and Environment service options SystemServer will now look at the boot mode, as specified on the kernel command line, and only launch the services configured for that boot mode.
2020-05-27 00:41:01 +03:00
SystemServer: Revert back to inheriting environments again This reverts the SystemServer exec() logic to how it was before 81bd91c, but now with some extra TRY()s. This allows the HOME var to always be propagated from LoginServer which prevents needing to unveil() /etc/passwd everywhere.
2023-02-04 18:45:06 +03:00
TRY(Core::System::exec(m_executable_path, arguments, Core::System::SearchInPath::No));
SystemServer: Add support for multi-instance services For this kind of services, there's no single PID of a running instance; there may be multiple, or no instances of the service running at any time. No keepalive functionality is available in this mode, since "alive" doesn't make sense for multi-instance services. At the moment, there's no way to actually create multiple instances of a service; this is going to be added in the next commit.
2020-06-08 23:47:10 +03:00
} else if (!m_multi_instance) {
SystemServer: Implement keepalive When reaping a child, SystemServer will now match up child's pid with its own record of the services, and respawn the service if keepalive is enabled for it. For example, we want to restart the WindowServer if it crashes, but we wouldn't want to restart the Terminal if it gets closed.
2019-11-26 19:19:59 +03:00
// We are the parent.
SystemServer: Add support for multi-instance services For this kind of services, there's no single PID of a running instance; there may be multiple, or no instances of the service running at any time. No keepalive functionality is available in this mode, since "alive" doesn't make sense for multi-instance services. At the moment, there's no way to actually create multiple instances of a service; this is going to be added in the next commit.
2020-06-08 23:47:10 +03:00
m_pid = pid;
s_service_map.set(pid, this);
SystemServer: Read service list from a config file This replaces the hardcoded services list with a very simple config file in /etc/SystemServer.ini :^) Closes https://github.com/SerenityOS/serenity/issues/610
2019-11-26 19:05:09 +03:00
}
SystemServer: Propagate errors This patch also includes some changes in the way that the environment and arguments are passed to `exec`. It was needed to fit the signature of `Core::System::exec`. That's beneficial though, as we are now doing `String` manipulation in a fallible environment, so we can propagate more errors.
2023-01-08 02:19:16 +03:00
return {};
SystemServer: Read service list from a config file This replaces the hardcoded services list with a very simple config file in /etc/SystemServer.ini :^) Closes https://github.com/SerenityOS/serenity/issues/610
2019-11-26 19:05:09 +03:00
}
SystemServer: Handle `waitpid`'s status correctly We used to call `did_exit()` directly with the status returned from `waitpid` but the function expected an exit code. We now use several of `wait`-related macros to deduce the correct information.
2023-05-06 07:41:01 +03:00
ErrorOr<void> Service::did_exit(int status)
SystemServer: Implement keepalive When reaping a child, SystemServer will now match up child's pid with its own record of the services, and respawn the service if keepalive is enabled for it. For example, we want to restart the WindowServer if it crashes, but we wouldn't want to restart the Terminal if it gets closed.
2019-11-26 19:19:59 +03:00
{
Everywhere: Use ElapsedTimer::elapsed_time() for comparisons Simplify a lot of uses of ElapsedTimer by converting the callers to elapsed_time from elapsed, as the AK::Time returned is better for unit conversions and comparisons against constants.
2023-01-02 08:38:53 +03:00
using namespace AK::TimeLiterals;
Everywhere: Rename ASSERT => VERIFY (...and ASSERT_NOT_REACHED => VERIFY_NOT_REACHED) Since all of these checks are done in release builds as well, let's rename them to VERIFY to prevent confusion, as everyone is used to assertions being compiled out in release. We can introduce a new ASSERT macro that is specifically for debug checks, but I'm doing this wholesale conversion first since we've accumulated thousands of these already, and it's not immediately obvious which ones are suitable for ASSERT.
2021-02-23 22:42:32 +03:00
VERIFY(m_pid > 0);
VERIFY(!m_multi_instance);
SystemServer: Implement keepalive When reaping a child, SystemServer will now match up child's pid with its own record of the services, and respawn the service if keepalive is enabled for it. For example, we want to restart the WindowServer if it crashes, but we wouldn't want to restart the Terminal if it gets closed.
2019-11-26 19:19:59 +03:00
SystemServer: Handle `waitpid`'s status correctly We used to call `did_exit()` directly with the status returned from `waitpid` but the function expected an exit code. We now use several of `wait`-related macros to deduce the correct information.
2023-05-06 07:41:01 +03:00
if (WIFEXITED(status))
dbgln("Service {} has exited with exit code {}", name(), WEXITSTATUS(status));
if (WIFSIGNALED(status))
dbgln("Service {} terminated due to signal {}", name(), WTERMSIG(status));
SystemServer: Implement keepalive When reaping a child, SystemServer will now match up child's pid with its own record of the services, and respawn the service if keepalive is enabled for it. For example, we want to restart the WindowServer if it crashes, but we wouldn't want to restart the Terminal if it gets closed.
2019-11-26 19:19:59 +03:00
s_service_map.remove(m_pid);
m_pid = -1;
SystemServer: Limit service restarts SystemServer will now track the number of restart attempts and the run time of a service, and will also pay attention to its exit code. If a service exits unsuccessfully and too quickly (in less than a second), SystemServer will only attempt to restart it twice. This means that if WindowServer crashes on startup, we will now see just a few copies of the crash instead of the quickly scrolling log flashing with colors :^)
2020-02-07 13:32:14 +03:00
if (!m_keep_alive)
SystemServer: Propagate errors This patch also includes some changes in the way that the environment and arguments are passed to `exec`. It was needed to fit the signature of `Core::System::exec`. That's beneficial though, as we are now doing `String` manipulation in a fallible environment, so we can propagate more errors.
2023-01-08 02:19:16 +03:00
return {};
SystemServer: Limit service restarts SystemServer will now track the number of restart attempts and the run time of a service, and will also pay attention to its exit code. If a service exits unsuccessfully and too quickly (in less than a second), SystemServer will only attempt to restart it twice. This means that if WindowServer crashes on startup, we will now see just a few copies of the crash instead of the quickly scrolling log flashing with colors :^)
2020-02-07 13:32:14 +03:00
Everywhere: Use ElapsedTimer::elapsed_time() for comparisons Simplify a lot of uses of ElapsedTimer by converting the callers to elapsed_time from elapsed, as the AK::Time returned is better for unit conversions and comparisons against constants.
2023-01-02 08:38:53 +03:00
auto run_time = m_run_timer.elapsed_time();
SystemServer: Correct logic for services exiting successfully WIFEXITED() returns a bool, so previously we were setting exited_successfully to true when the service was terminated by a signal, and false if it exited, regardless of the exit status. To test the exit status, we have to use WEXITSTATUS() instead. This causes us to correctly use the "3 tries then give up" logic for services that crash, instead of infinitely attempting to respawn them.
2024-02-01 19:03:58 +03:00
bool exited_successfully = WIFEXITED(status) && WEXITSTATUS(status) == 0;
SystemServer: Limit service restarts SystemServer will now track the number of restart attempts and the run time of a service, and will also pay attention to its exit code. If a service exits unsuccessfully and too quickly (in less than a second), SystemServer will only attempt to restart it twice. This means that if WindowServer crashes on startup, we will now see just a few copies of the crash instead of the quickly scrolling log flashing with colors :^)
2020-02-07 13:32:14 +03:00
Everywhere: Use ElapsedTimer::elapsed_time() for comparisons Simplify a lot of uses of ElapsedTimer by converting the callers to elapsed_time from elapsed, as the AK::Time returned is better for unit conversions and comparisons against constants.
2023-01-02 08:38:53 +03:00
if (!exited_successfully && run_time < 1_sec) {
SystemServer: Limit service restarts SystemServer will now track the number of restart attempts and the run time of a service, and will also pay attention to its exit code. If a service exits unsuccessfully and too quickly (in less than a second), SystemServer will only attempt to restart it twice. This means that if WindowServer crashes on startup, we will now see just a few copies of the crash instead of the quickly scrolling log flashing with colors :^)
2020-02-07 13:32:14 +03:00
switch (m_restart_attempts) {
case 0:
Everywhere: Replace a bundle of dbg with dbgln. These changes are arbitrarily divided into multiple commits to make it easier to find potentially introduced bugs with git bisect.Everything: The modifications in this commit were automatically made using the following command: find . -name '*.cpp' -exec sed -i -E 's/dbg\(\) << ("[^"{]*");/dbgln\(\1\);/' {} \;
2021-01-09 20:51:44 +03:00
dbgln("Trying again");
SystemServer: Limit service restarts SystemServer will now track the number of restart attempts and the run time of a service, and will also pay attention to its exit code. If a service exits unsuccessfully and too quickly (in less than a second), SystemServer will only attempt to restart it twice. This means that if WindowServer crashes on startup, we will now see just a few copies of the crash instead of the quickly scrolling log flashing with colors :^)
2020-02-07 13:32:14 +03:00
break;
case 1:
SystemServer: Fixed grammatical error "a charm"
2021-12-19 23:39:12 +03:00
dbgln("Third time's the charm?");
SystemServer: Limit service restarts SystemServer will now track the number of restart attempts and the run time of a service, and will also pay attention to its exit code. If a service exits unsuccessfully and too quickly (in less than a second), SystemServer will only attempt to restart it twice. This means that if WindowServer crashes on startup, we will now see just a few copies of the crash instead of the quickly scrolling log flashing with colors :^)
2020-02-07 13:32:14 +03:00
break;
default:
Everywhere: Replace a bundle of dbg with dbgln. These changes are arbitrarily divided into multiple commits to make it easier to find potentially introduced bugs with git bisect.
2021-01-17 20:39:00 +03:00
dbgln("Giving up on {}. Good luck!", name());
SystemServer: Propagate errors This patch also includes some changes in the way that the environment and arguments are passed to `exec`. It was needed to fit the signature of `Core::System::exec`. That's beneficial though, as we are now doing `String` manipulation in a fallible environment, so we can propagate more errors.
2023-01-08 02:19:16 +03:00
return {};
SystemServer: Limit service restarts SystemServer will now track the number of restart attempts and the run time of a service, and will also pay attention to its exit code. If a service exits unsuccessfully and too quickly (in less than a second), SystemServer will only attempt to restart it twice. This means that if WindowServer crashes on startup, we will now see just a few copies of the crash instead of the quickly scrolling log flashing with colors :^)
2020-02-07 13:32:14 +03:00
}
m_restart_attempts++;
}
SystemServer: Propagate errors This patch also includes some changes in the way that the environment and arguments are passed to `exec`. It was needed to fit the signature of `Core::System::exec`. That's beneficial though, as we are now doing `String` manipulation in a fallible environment, so we can propagate more errors.
2023-01-08 02:19:16 +03:00
TRY(activate());
return {};
SystemServer: Implement keepalive When reaping a child, SystemServer will now match up child's pid with its own record of the services, and respawn the service if keepalive is enabled for it. For example, we want to restart the WindowServer if it crashes, but we wouldn't want to restart the Terminal if it gets closed.
2019-11-26 19:19:59 +03:00
}
Everywhere: Run clang-format
2022-04-01 20:58:27 +03:00
Service::Service(Core::ConfigFile const& config, StringView name)
Userland: Rename Core::Object to Core::EventReceiver This is a more precise description of what this class actually does.
2023-08-06 19:09:39 +03:00
: Core::EventReceiver(nullptr)
SystemServer: Read service list from a config file This replaces the hardcoded services list with a very simple config file in /etc/SystemServer.ini :^) Closes https://github.com/SerenityOS/serenity/issues/610
2019-11-26 19:05:09 +03:00
{
Everywhere: Rename ASSERT => VERIFY (...and ASSERT_NOT_REACHED => VERIFY_NOT_REACHED) Since all of these checks are done in release builds as well, let's rename them to VERIFY to prevent confusion, as everyone is used to assertions being compiled out in release. We can introduce a new ASSERT macro that is specifically for debug checks, but I'm doing this wholesale conversion first since we've accumulated thousands of these already, and it's not immediately obvious which ones are suitable for ASSERT.
2021-02-23 22:42:32 +03:00
VERIFY(config.has_group(name));
SystemServer: Read service list from a config file This replaces the hardcoded services list with a very simple config file in /etc/SystemServer.ini :^) Closes https://github.com/SerenityOS/serenity/issues/610
2019-11-26 19:05:09 +03:00
set_name(name);
Everywhere: Rename {Deprecated => Byte}String This commit un-deprecates DeprecatedString, and repurposes it as a byte string. As the null state has already been removed, there are no other particularly hairy blockers in repurposing this type as a byte string (what it _really_ is). This commit is auto-generated: $ xs=$(ack -l \bDeprecatedString\b\|deprecated_string AK Userland \ Meta Ports Ladybird Tests Kernel) $ perl -pie 's/\bDeprecatedString\b/ByteString/g; s/deprecated_string/byte_string/g' $xs $ clang-format --style=file -i \ $(git diff --name-only | grep \.cpp\|\.h) $ gn format $(git ls-files '*.gn' '*.gni')
2023-12-16 17:19:34 +03:00
m_executable_path = config.read_entry(name, "Executable", ByteString::formatted("/bin/{}", this->name()));
AK+Everywhere: Remove the null state of DeprecatedString This commit removes DeprecatedString's "null" state, and replaces all its users with one of the following: - A normal, empty DeprecatedString - Optional<DeprecatedString> Note that null states of DeprecatedFlyString/StringView/etc are *not* affected by this commit. However, DeprecatedString::empty() is now considered equal to a null StringView.
2023-10-10 14:30:58 +03:00
m_extra_arguments = config.read_entry(name, "Arguments");
m_stdio_file_path = config.read_entry_optional(name, "StdIO");
SystemServer: Read service list from a config file This replaces the hardcoded services list with a very simple config file in /etc/SystemServer.ini :^) Closes https://github.com/SerenityOS/serenity/issues/610
2019-11-26 19:05:09 +03:00
AK+Everywhere: Remove the null state of DeprecatedString This commit removes DeprecatedString's "null" state, and replaces all its users with one of the following: - A normal, empty DeprecatedString - Optional<DeprecatedString> Note that null states of DeprecatedFlyString/StringView/etc are *not* affected by this commit. However, DeprecatedString::empty() is now considered equal to a null StringView.
2023-10-10 14:30:58 +03:00
auto prio = config.read_entry_optional(name, "Priority");
Kernel: Refactor scheduler to use dynamic thread priorities Threads now have numeric priorities with a base priority in the 1-99 range. Whenever a runnable thread is *not* scheduled, its effective priority is incremented by 1. This is tracked in Thread::m_extra_priority. The effective priority of a thread is m_priority + m_extra_priority. When a runnable thread *is* scheduled, its m_extra_priority is reset to zero and the effective priority returns to base. This means that lower-priority threads will always eventually get scheduled to run, once its effective priority becomes high enough to exceed the base priority of threads "above" it. The previous values for ThreadPriority (Low, Normal and High) are now replaced as follows: Low -> 10 Normal -> 30 High -> 50 In other words, it will take 20 ticks for a "Low" priority thread to get to "Normal" effective priority, and another 20 to reach "High". This is not perfect, and I've used some quite naive data structures, but I think the mechanism will allow us to build various new and interesting optimizations, and we can figure out better data structures later on. :^)
2019-12-30 20:46:17 +03:00
if (prio == "low")
m_priority = 10;
AK+Everywhere: Remove the null state of DeprecatedString This commit removes DeprecatedString's "null" state, and replaces all its users with one of the following: - A normal, empty DeprecatedString - Optional<DeprecatedString> Note that null states of DeprecatedFlyString/StringView/etc are *not* affected by this commit. However, DeprecatedString::empty() is now considered equal to a null StringView.
2023-10-10 14:30:58 +03:00
else if (prio == "normal" || !prio.has_value())
Kernel: Refactor scheduler to use dynamic thread priorities Threads now have numeric priorities with a base priority in the 1-99 range. Whenever a runnable thread is *not* scheduled, its effective priority is incremented by 1. This is tracked in Thread::m_extra_priority. The effective priority of a thread is m_priority + m_extra_priority. When a runnable thread *is* scheduled, its m_extra_priority is reset to zero and the effective priority returns to base. This means that lower-priority threads will always eventually get scheduled to run, once its effective priority becomes high enough to exceed the base priority of threads "above" it. The previous values for ThreadPriority (Low, Normal and High) are now replaced as follows: Low -> 10 Normal -> 30 High -> 50 In other words, it will take 20 ticks for a "Low" priority thread to get to "Normal" effective priority, and another 20 to reach "High". This is not perfect, and I've used some quite naive data structures, but I think the mechanism will allow us to build various new and interesting optimizations, and we can figure out better data structures later on. :^)
2019-12-30 20:46:17 +03:00
m_priority = 30;
SystemServer: Read service list from a config file This replaces the hardcoded services list with a very simple config file in /etc/SystemServer.ini :^) Closes https://github.com/SerenityOS/serenity/issues/610
2019-11-26 19:05:09 +03:00
else if (prio == "high")
Kernel: Refactor scheduler to use dynamic thread priorities Threads now have numeric priorities with a base priority in the 1-99 range. Whenever a runnable thread is *not* scheduled, its effective priority is incremented by 1. This is tracked in Thread::m_extra_priority. The effective priority of a thread is m_priority + m_extra_priority. When a runnable thread *is* scheduled, its m_extra_priority is reset to zero and the effective priority returns to base. This means that lower-priority threads will always eventually get scheduled to run, once its effective priority becomes high enough to exceed the base priority of threads "above" it. The previous values for ThreadPriority (Low, Normal and High) are now replaced as follows: Low -> 10 Normal -> 30 High -> 50 In other words, it will take 20 ticks for a "Low" priority thread to get to "Normal" effective priority, and another 20 to reach "High". This is not perfect, and I've used some quite naive data structures, but I think the mechanism will allow us to build various new and interesting optimizations, and we can figure out better data structures later on. :^)
2019-12-30 20:46:17 +03:00
m_priority = 50;
SystemServer: Read service list from a config file This replaces the hardcoded services list with a very simple config file in /etc/SystemServer.ini :^) Closes https://github.com/SerenityOS/serenity/issues/610
2019-11-26 19:05:09 +03:00
else
Everywhere: Rename ASSERT => VERIFY (...and ASSERT_NOT_REACHED => VERIFY_NOT_REACHED) Since all of these checks are done in release builds as well, let's rename them to VERIFY to prevent confusion, as everyone is used to assertions being compiled out in release. We can introduce a new ASSERT macro that is specifically for debug checks, but I'm doing this wholesale conversion first since we've accumulated thousands of these already, and it's not immediately obvious which ones are suitable for ASSERT.
2021-02-23 22:42:32 +03:00
VERIFY_NOT_REACHED();
SystemServer: Read service list from a config file This replaces the hardcoded services list with a very simple config file in /etc/SystemServer.ini :^) Closes https://github.com/SerenityOS/serenity/issues/610
2019-11-26 19:05:09 +03:00
SystemServer: Implement keepalive When reaping a child, SystemServer will now match up child's pid with its own record of the services, and respawn the service if keepalive is enabled for it. For example, we want to restart the WindowServer if it crashes, but we wouldn't want to restart the Terminal if it gets closed.
2019-11-26 19:19:59 +03:00
m_keep_alive = config.read_bool_entry(name, "KeepAlive");
SystemServer: Implement lazy spawning For services explicitly configured as lazy, SystemServer will now listen on the socket and only spawn the service once a client attempts to connect to the socket.
2019-11-26 19:41:16 +03:00
m_lazy = config.read_bool_entry(name, "Lazy");
SystemServer: Implement keepalive When reaping a child, SystemServer will now match up child's pid with its own record of the services, and respawn the service if keepalive is enabled for it. For example, we want to restart the WindowServer if it crashes, but we wouldn't want to restart the Terminal if it gets closed.
2019-11-26 19:19:59 +03:00
AK+Everywhere: Remove the null state of DeprecatedString This commit removes DeprecatedString's "null" state, and replaces all its users with one of the following: - A normal, empty DeprecatedString - Optional<DeprecatedString> Note that null states of DeprecatedFlyString/StringView/etc are *not* affected by this commit. However, DeprecatedString::empty() is now considered equal to a null StringView.
2023-10-10 14:30:58 +03:00
m_user = config.read_entry_optional(name, "User");
if (m_user.has_value()) {
auto result = Core::Account::from_name(*m_user, Core::Account::Read::PasswdOnly);
SystemServer: Ensure service drop privileges could fail only when root If we try to launch a lazily-spawned service and the SystemServer as a (running --user) session leader is running with root permissions, then if it is instructed to drop the root permissions for a the new service then it will make sense to abort the entire spawn procedure if dropping of privileges failed. For other users, trying to change UID/GID to something else doesn't make sense (and will always actually fail) as we are already running in non root permissions, hence we don't attempt to do this anymore. It should be noted that if an explicit User configuration was actually specified for a Service to be used with, we would still try to login with the requested User option value, which would fail when running as non-root user. This is useful for example when trying to run the pro utility with pls to elevate to root permissions, but the session leader is still the same so trying to "drop" privileges to UID 0 doesn't make sense.
2023-05-24 21:55:17 +03:00
if (result.is_error()) {
SystemServer: Port to Core::Account We now have a handy Core::Account class that we can use instead of iterating over the passwd database ourselves.
2020-12-26 15:12:49 +03:00
warnln("Failed to resolve user {}: {}", m_user, result.error());
SystemServer: Ensure service drop privileges could fail only when root If we try to launch a lazily-spawned service and the SystemServer as a (running --user) session leader is running with root permissions, then if it is instructed to drop the root permissions for a the new service then it will make sense to abort the entire spawn procedure if dropping of privileges failed. For other users, trying to change UID/GID to something else doesn't make sense (and will always actually fail) as we are already running in non root permissions, hence we don't attempt to do this anymore. It should be noted that if an explicit User configuration was actually specified for a Service to be used with, we would still try to login with the requested User option value, which would fail when running as non-root user. This is useful for example when trying to run the pro utility with pls to elevate to root permissions, but the session leader is still the same so trying to "drop" privileges to UID 0 doesn't make sense.
2023-05-24 21:55:17 +03:00
} else {
m_must_login = true;
SystemServer: Port to Core::Account We now have a handy Core::Account class that we can use instead of iterating over the passwd database ourselves.
2020-12-26 15:12:49 +03:00
m_account = result.value();
SystemServer: Ensure service drop privileges could fail only when root If we try to launch a lazily-spawned service and the SystemServer as a (running --user) session leader is running with root permissions, then if it is instructed to drop the root permissions for a the new service then it will make sense to abort the entire spawn procedure if dropping of privileges failed. For other users, trying to change UID/GID to something else doesn't make sense (and will always actually fail) as we are already running in non root permissions, hence we don't attempt to do this anymore. It should be noted that if an explicit User configuration was actually specified for a Service to be used with, we would still try to login with the requested User option value, which would fail when running as non-root user. This is useful for example when trying to run the pro utility with pls to elevate to root permissions, but the session leader is still the same so trying to "drop" privileges to UID 0 doesn't make sense.
2023-05-24 21:55:17 +03:00
}
SystemServer: Port to Core::Account We now have a handy Core::Account class that we can use instead of iterating over the passwd database ourselves.
2020-12-26 15:12:49 +03:00
}
SystemServer: Make service sockets owned by the configured user Also make the sockets readable and writable only by that user. This fixes a bug where anyone could connect to anyone else's services, most obviously WindowServer.
2020-01-03 22:16:49 +03:00
AK+Everywhere: Remove the null state of DeprecatedString This commit removes DeprecatedString's "null" state, and replaces all its users with one of the following: - A normal, empty DeprecatedString - Optional<DeprecatedString> Note that null states of DeprecatedFlyString/StringView/etc are *not* affected by this commit. However, DeprecatedString::empty() is now considered equal to a null StringView.
2023-10-10 14:30:58 +03:00
m_working_directory = config.read_entry_optional(name, "WorkingDirectory");
SystemServer: Propagate errors This patch also includes some changes in the way that the environment and arguments are passed to `exec`. It was needed to fit the signature of `Core::System::exec`. That's beneficial though, as we are now doing `String` manipulation in a fallible environment, so we can propagate more errors.
2023-01-08 02:19:16 +03:00
m_environment = config.read_entry(name, "Environment");
SystemServer: Rename 'BootModes' config option to 'SystemModes'
2021-10-23 20:15:01 +03:00
m_system_modes = config.read_entry(name, "SystemModes", "graphical").split(',');
SystemServer: Add support for multi-instance services For this kind of services, there's no single PID of a running instance; there may be multiple, or no instances of the service running at any time. No keepalive functionality is available in this mode, since "alive" doesn't make sense for multi-instance services. At the moment, there's no way to actually create multiple instances of a service; this is going to be added in the next commit.
2020-06-08 23:47:10 +03:00
m_multi_instance = config.read_bool_entry(name, "MultiInstance");
SystemServer: Add support for accepting socket connections :^) You can now ask SystemServer to not only listen for connections on the socket, but to actually accept them, and to spawn an instance of the service for each client connection. In this case, it's the accepted, not listening, socket that the service processes will receive using socket takeover. This mode obviously requires the service to be a multi-instance service.
2020-06-08 23:50:21 +03:00
m_accept_socket_connections = config.read_bool_entry(name, "AcceptSocketConnections");
SystemServer: Add BootModes and Environment service options SystemServer will now look at the boot mode, as specified on the kernel command line, and only launch the services configured for that boot mode.
2020-05-27 00:41:01 +03:00
Everywhere: Rename {Deprecated => Byte}String This commit un-deprecates DeprecatedString, and repurposes it as a byte string. As the null state has already been removed, there are no other particularly hairy blockers in repurposing this type as a byte string (what it _really_ is). This commit is auto-generated: $ xs=$(ack -l \bDeprecatedString\b\|deprecated_string AK Userland \ Meta Ports Ladybird Tests Kernel) $ perl -pie 's/\bDeprecatedString\b/ByteString/g; s/deprecated_string/byte_string/g' $xs $ clang-format --style=file -i \ $(git diff --name-only | grep \.cpp\|\.h) $ gn format $(git ls-files '*.gn' '*.gni')
2023-12-16 17:19:34 +03:00
ByteString socket_entry = config.read_entry(name, "Socket");
ByteString socket_permissions_entry = config.read_entry(name, "SocketPermissions", "0600");
SystemServer: Add support for multi-instance services For this kind of services, there's no single PID of a running instance; there may be multiple, or no instances of the service running at any time. No keepalive functionality is available in this mode, since "alive" doesn't make sense for multi-instance services. At the moment, there's no way to actually create multiple instances of a service; this is going to be added in the next commit.
2020-06-08 23:47:10 +03:00
AK+Everywhere: Remove the null state of DeprecatedString This commit removes DeprecatedString's "null" state, and replaces all its users with one of the following: - A normal, empty DeprecatedString - Optional<DeprecatedString> Note that null states of DeprecatedFlyString/StringView/etc are *not* affected by this commit. However, DeprecatedString::empty() is now considered equal to a null StringView.
2023-10-10 14:30:58 +03:00
if (!socket_entry.is_empty()) {
Everywhere: Rename {Deprecated => Byte}String This commit un-deprecates DeprecatedString, and repurposes it as a byte string. As the null state has already been removed, there are no other particularly hairy blockers in repurposing this type as a byte string (what it _really_ is). This commit is auto-generated: $ xs=$(ack -l \bDeprecatedString\b\|deprecated_string AK Userland \ Meta Ports Ladybird Tests Kernel) $ perl -pie 's/\bDeprecatedString\b/ByteString/g; s/deprecated_string/byte_string/g' $xs $ clang-format --style=file -i \ $(git diff --name-only | grep \.cpp\|\.h) $ gn format $(git ls-files '*.gn' '*.gni')
2023-12-16 17:19:34 +03:00
Vector<ByteString> socket_paths = socket_entry.split(',');
Vector<ByteString> socket_perms = socket_permissions_entry.split(',');
SystemServer+LibCore: Allow service to request multiple sockets SystemServer only allowed a single socket to be created for a service before this. Now, SystemServer will allow any amount of sockets. The sockets can be defined like so: [SomeService] Socket=/tmp/portal/socket1,/tmp/portal/socket2,/tmp/portal/socket3 SocketPermissions=660,600 The last item in SocketPermissions is applied to the remainder of the sockets in the Socket= line, so multiple sockets can have the same permissions without having to repeat them. Defining multiple sockets is not allowed for socket-activated services at the moment, and wouldn't make much sense anyway. This patch also makes socket takeovers more robust by removing the assumption that the socket will always be passed in fd 3. Now, the SOCKET_TAKEOVER environment variable carries information about which endpoint corresponds to which socket, like so: SOCKET_TAKEOVER=/tmp/portal/socket1:3 /tmp/portal/socket2:4 and LocalServer/LocalService will parse this automatically and select the correct one. The old behavior of getting the default socket is preserved so long as the service only requests a single socket in SystemServer.ini.
2021-04-15 00:35:49 +03:00
m_sockets.ensure_capacity(socket_paths.size());
// Need i here to iterate along with all other vectors.
for (unsigned i = 0; i < socket_paths.size(); i++) {
SystemServer+LoginServer+Userland: Switch to sid-based sockets This commit does three things atomically: - switch over Core::Account+SystemServer+LoginServer to sid based socket names. - change socket names with %uid to %sid. - add/update necessary pledges and unveils. Userland: Switch over servers to sid based sockets Userland: Properly pledge and unveil for sid based sockets
2022-09-06 09:04:06 +03:00
auto const path = Core::SessionManagement::parse_path_with_sid(socket_paths.at(i));
if (path.is_error()) {
// FIXME: better error handling for this case.
TODO();
}
SystemServer+LibCore: Allow service to request multiple sockets SystemServer only allowed a single socket to be created for a service before this. Now, SystemServer will allow any amount of sockets. The sockets can be defined like so: [SomeService] Socket=/tmp/portal/socket1,/tmp/portal/socket2,/tmp/portal/socket3 SocketPermissions=660,600 The last item in SocketPermissions is applied to the remainder of the sockets in the Socket= line, so multiple sockets can have the same permissions without having to repeat them. Defining multiple sockets is not allowed for socket-activated services at the moment, and wouldn't make much sense anyway. This patch also makes socket takeovers more robust by removing the assumption that the socket will always be passed in fd 3. Now, the SOCKET_TAKEOVER environment variable carries information about which endpoint corresponds to which socket, like so: SOCKET_TAKEOVER=/tmp/portal/socket1:3 /tmp/portal/socket2:4 and LocalServer/LocalService will parse this automatically and select the correct one. The old behavior of getting the default socket is preserved so long as the service only requests a single socket in SystemServer.ini.
2021-04-15 00:35:49 +03:00
// Socket path (plus NUL) must fit into the structs sent to the Kernel.
SystemServer+LoginServer+Userland: Switch to sid-based sockets This commit does three things atomically: - switch over Core::Account+SystemServer+LoginServer to sid based socket names. - change socket names with %uid to %sid. - add/update necessary pledges and unveils. Userland: Switch over servers to sid based sockets Userland: Properly pledge and unveil for sid based sockets
2022-09-06 09:04:06 +03:00
VERIFY(path.value().length() < UNIX_PATH_MAX);
SystemServer+LibCore: Allow service to request multiple sockets SystemServer only allowed a single socket to be created for a service before this. Now, SystemServer will allow any amount of sockets. The sockets can be defined like so: [SomeService] Socket=/tmp/portal/socket1,/tmp/portal/socket2,/tmp/portal/socket3 SocketPermissions=660,600 The last item in SocketPermissions is applied to the remainder of the sockets in the Socket= line, so multiple sockets can have the same permissions without having to repeat them. Defining multiple sockets is not allowed for socket-activated services at the moment, and wouldn't make much sense anyway. This patch also makes socket takeovers more robust by removing the assumption that the socket will always be passed in fd 3. Now, the SOCKET_TAKEOVER environment variable carries information about which endpoint corresponds to which socket, like so: SOCKET_TAKEOVER=/tmp/portal/socket1:3 /tmp/portal/socket2:4 and LocalServer/LocalService will parse this automatically and select the correct one. The old behavior of getting the default socket is preserved so long as the service only requests a single socket in SystemServer.ini.
2021-04-15 00:35:49 +03:00
// This is done so that the last permission repeats for every other
// socket. So you can define a single permission, and have it
// be applied for every socket.
mode_t permissions = strtol(socket_perms.at(min(socket_perms.size() - 1, (long unsigned)i)).characters(), nullptr, 8) & 0777;
SystemServer+LoginServer+Userland: Switch to sid-based sockets This commit does three things atomically: - switch over Core::Account+SystemServer+LoginServer to sid based socket names. - change socket names with %uid to %sid. - add/update necessary pledges and unveils. Userland: Switch over servers to sid based sockets Userland: Properly pledge and unveil for sid based sockets
2022-09-06 09:04:06 +03:00
m_sockets.empend(path.value(), -1, permissions);
SystemServer+LibCore: Allow service to request multiple sockets SystemServer only allowed a single socket to be created for a service before this. Now, SystemServer will allow any amount of sockets. The sockets can be defined like so: [SomeService] Socket=/tmp/portal/socket1,/tmp/portal/socket2,/tmp/portal/socket3 SocketPermissions=660,600 The last item in SocketPermissions is applied to the remainder of the sockets in the Socket= line, so multiple sockets can have the same permissions without having to repeat them. Defining multiple sockets is not allowed for socket-activated services at the moment, and wouldn't make much sense anyway. This patch also makes socket takeovers more robust by removing the assumption that the socket will always be passed in fd 3. Now, the SOCKET_TAKEOVER environment variable carries information about which endpoint corresponds to which socket, like so: SOCKET_TAKEOVER=/tmp/portal/socket1:3 /tmp/portal/socket2:4 and LocalServer/LocalService will parse this automatically and select the correct one. The old behavior of getting the default socket is preserved so long as the service only requests a single socket in SystemServer.ini.
2021-04-15 00:35:49 +03:00
}
}
// Lazy requires Socket, but only one.
VERIFY(!m_lazy || m_sockets.size() == 1);
// AcceptSocketConnections always requires Socket (single), Lazy, and MultiInstance.
VERIFY(!m_accept_socket_connections || (m_sockets.size() == 1 && m_lazy && m_multi_instance));
SystemServer: Add support for multi-instance services For this kind of services, there's no single PID of a running instance; there may be multiple, or no instances of the service running at any time. No keepalive functionality is available in this mode, since "alive" doesn't make sense for multi-instance services. At the moment, there's no way to actually create multiple instances of a service; this is going to be added in the next commit.
2020-06-08 23:47:10 +03:00
// MultiInstance doesn't work with KeepAlive.
Everywhere: Rename ASSERT => VERIFY (...and ASSERT_NOT_REACHED => VERIFY_NOT_REACHED) Since all of these checks are done in release builds as well, let's rename them to VERIFY to prevent confusion, as everyone is used to assertions being compiled out in release. We can introduce a new ASSERT macro that is specifically for debug checks, but I'm doing this wholesale conversion first since we've accumulated thousands of these already, and it's not immediately obvious which ones are suitable for ASSERT.
2021-02-23 22:42:32 +03:00
VERIFY(!m_multi_instance || !m_keep_alive);
SystemServer: Add Service::try_create to propagate errors This static method is used to propagate errors at the creation of the object.
2022-06-08 19:29:08 +03:00
}
SystemServer: Add support for multi-instance services For this kind of services, there's no single PID of a running instance; there may be multiple, or no instances of the service running at any time. No keepalive functionality is available in this mode, since "alive" doesn't make sense for multi-instance services. At the moment, there's no way to actually create multiple instances of a service; this is going to be added in the next commit.
2020-06-08 23:47:10 +03:00
SystemServer: Add Service::try_create to propagate errors This static method is used to propagate errors at the creation of the object.
2022-06-08 19:29:08 +03:00
ErrorOr<NonnullRefPtr<Service>> Service::try_create(Core::ConfigFile const& config, StringView name)
{
SystemServer: Make decision on whether to enable a service more readable This change ensures that code in the Service class doesn't try to check the g_system_mode variable, but instead is asked on whether it supports a given system mode string value. Also, don't assume that we should create sockets for any new Service instance, but instead do that only if the Service should run in the current system mode.
2023-06-25 13:45:56 +03:00
return TRY(adopt_nonnull_ref_or_enomem(new (nothrow) Service(config, name)));
SystemServer: Read service list from a config file This replaces the hardcoded services list with a very simple config file in /etc/SystemServer.ini :^) Closes https://github.com/SerenityOS/serenity/issues/610
2019-11-26 19:05:09 +03:00
}
SystemServer: Make decision on whether to enable a service more readable This change ensures that code in the Service class doesn't try to check the g_system_mode variable, but instead is asked on whether it supports a given system mode string value. Also, don't assume that we should create sockets for any new Service instance, but instead do that only if the Service should run in the current system mode.
2023-06-25 13:45:56 +03:00
bool Service::is_enabled_for_system_mode(StringView mode) const
SystemServer: Add BootModes and Environment service options SystemServer will now look at the boot mode, as specified on the kernel command line, and only launch the services configured for that boot mode.
2020-05-27 00:41:01 +03:00
{
SystemServer: Make decision on whether to enable a service more readable This change ensures that code in the Service class doesn't try to check the g_system_mode variable, but instead is asked on whether it supports a given system mode string value. Also, don't assume that we should create sockets for any new Service instance, but instead do that only if the Service should run in the current system mode.
2023-06-25 13:45:56 +03:00
return m_system_modes.contains_slow(mode);
SystemServer: Add BootModes and Environment service options SystemServer will now look at the boot mode, as specified on the kernel command line, and only launch the services configured for that boot mode.
2020-05-27 00:41:01 +03:00
}
SystemServer: Detect spawning user for AcceptSocketConnections services SystemServer now invokes services with the same uid as the process that made the request. This allows the superuser to have a normal GUI workflow. For example, read and write its own files in TextEditor.
2022-06-09 18:26:05 +03:00
ErrorOr<void> Service::determine_account(int fd)
{
struct ucred creds = {};
socklen_t creds_size = sizeof(creds);
TRY(Core::System::getsockopt(fd, SOL_SOCKET, SO_PEERCRED, &creds, &creds_size));
SystemServer: Fix race condition in Service::determine_account() In theory our peer process could die between the call to getsockopt() and Core::system::stat() and another process could end up with the same PID which would result in us incorrectly launching the service as another user (e.g. root).
2022-10-22 20:52:53 +03:00
m_account = TRY(Core::Account::from_uid(creds.uid, Core::Account::Read::PasswdOnly));
SystemServer: Detect spawning user for AcceptSocketConnections services SystemServer now invokes services with the same uid as the process that made the request. This allows the superuser to have a normal GUI workflow. For example, read and write its own files in TextEditor.
2022-06-09 18:26:05 +03:00
return {};
}
LaunchServer+SystemServer: Move the portal to a user-specific directory Various changes are needed to support this: - The directory is created by Core::Account on login (and located in /tmp). - Service's sockets are now deleted on exit (to allow re-creation) - SystemServer needs to handle SIGTERM to correctly destroy services.
2022-07-17 16:41:01 +03:00
Service::~Service()
{
for (auto& socket : m_sockets) {
if (auto rc = remove(socket.path.characters()); rc != 0)
dbgln("{}", Error::from_errno(errno));
}
}
Reference in New Issue Copy Permalink