Commit Graph

5949 Commits

Author SHA1 Message Date
Andreas Kling
20ac4e44d1 Base: Add "tty" group and make /dev/tty* be root:tty mode 610
This fixes an issue where anyone could snoop on the virtual consoles.
2020-01-04 12:46:09 +01:00
Andreas Kling
4f4dc47ec3 TTYServer: Use fork+exec instead of system()
No point in spawning an extra shell process just to spawn a shell. :^)
2020-01-04 12:33:34 +01:00
Andreas Kling
b5da0b78eb Kernel: File::open() should apply r/w mode from the provided options
This has been a FIXME for a long time. We now apply the provided
read/write permissions to the constructed FileDescription when opening
a File object via File::open().
2020-01-04 12:30:55 +01:00
Andreas Kling
32d0967f5f SystemServer: Don't let services inherit standard in/out and TTY
We were letting services inherit writable fds for /dev/tty0, as well as
having /dev/tty0 as their controlling terminal.

Lock this down by closing fds {0,1,2} when spawning a service. We also
detach from the controlling terminal. An exception is made for services
with an explicit StdIO setting. In those cases, we now switch the
controlling terminal to the specified path if possible.
2020-01-04 12:17:13 +01:00
Andreas Kling
755938c650 ls: Show directories with the sticky bit in a special color
This makes /tmp show up with a green background in "ls" output.
2020-01-04 11:38:02 +01:00
Andreas Kling
e79c33eabb Kernel: The root inode of a TmpFS should have the sticky bit set
We were running without the sticky bit and mode 777, which meant that
the /tmp directory was world-writable *without* protection.

With this fixed, it's no longer possible for everyone to steal root's
files in /tmp.
2020-01-04 11:33:36 +01:00
Andreas Kling
4398eec03c Build: Lock down the /mod and /boot directories
Make these directories accessible to root only. Unprivileged users have
no need to look at the kernel binary or kernel modules.
2020-01-04 11:12:59 +01:00
Andreas Kling
2d244a70a1 WindowServer+LibGUI: Simplify handling of paint event rects
Now that Vector<T> is convertible to Vector<T, n>, we don't have to
manually copy the paint event rectangles.
2020-01-04 11:03:37 +01:00
Andreas Kling
6dec88c7fa AK: Allow copying a Vector from a Vector with different inline capacity 2020-01-04 10:57:30 +01:00
Andreas Kling
4f11528a65 WindowServer: Remove some unused WSClientConnection functions 2020-01-04 10:41:42 +01:00
Andrew Kaster
767f4c7421 LibELF+LibC: Split ELFDynamicObject into a Loader + Object
Separate some responsibilities:

ELFDynamicLoader is responsible for loading elf binaries from disk and
performing relocations, calling init functions, and eventually calling
finalizer functions.

ELFDynamicObject is a helper class to parse the .dynamic section of an
elf binary, or the table of Elf32_Dyn entries at the _DYNAMIC symbol.
ELFDynamicObject now owns the helper classes for Relocations, Symbols,
Sections and the like that ELFDynamicLoader will use to perform
relocations and symbol lookup.

Because these new helpers are constructed from offsets into the .dynamic
section within the loaded .data section of the binary, we don't need the
ELFImage for nearly as much of the loading processes as we did before.
Therefore we can remove most of the extra DynamicXXX classes and just
keep the one that lets us find the location of _DYNAMIC in the new ELF.

And finally, since we changed the name of the class that dlopen/dlsym
care about, we need to compile/link and use the new ELFDynamicLoader
class in LibC.
2020-01-04 10:39:04 +01:00
Conrad Pankoff
85b95f472d Kernel: Remove unused PCI.{h,cpp} 2020-01-04 10:06:07 +01:00
erf
53733be5fd Kernel: Make LocalSocket pre-bind GID be gid_t (#1012) 2020-01-04 10:05:01 +01:00
Andreas Kling
70a41420a9 LibCore: Fix crash on RPC client disconnect
The RPC client management was not updated for the changes that made
CObject reference-counted it seems. :^)
2020-01-03 20:27:48 +01:00
Andreas Kling
e76e533a69 LibCore: Stop making the RPC sockets go=rw
Now that we can fchmod() on a pre-bind() socket, use that to lock down
the RPC sockets we publish in all CEventLoop-driven programs.
2020-01-03 20:21:39 +01:00
Andreas Kling
15b57488d9 SystemServer: Make service sockets owned by the configured user
Also make the sockets readable and writable only by that user.

This fixes a bug where anyone could connect to anyone else's services,
most obviously WindowServer.
2020-01-03 20:16:49 +01:00
Andreas Kling
d84299c7be Kernel: Allow fchmod() and fchown() on pre-bind() local sockets
In order to ensure a specific owner and mode when the local socket
filesystem endpoint is instantiated, we need to be able to call
fchmod() and fchown() on a socket fd between socket() and bind().

This is because until we call bind(), there is no filesystem inode
for the socket yet.
2020-01-03 20:14:56 +01:00
Andreas Kling
4abbedb6e4 Kernel: Allow passing initial UID and GID when creating new inodes
If we're creating something that should have a different owner than the
current process's UID/GID, we need to plumb that all the way through
VFS down to the FS functions.
2020-01-03 20:13:21 +01:00
Andreas Kling
82760998a9 Ext2FS: Take the inode lock in Ext2FSInode::metadata()
Remove an unnecessary InterruptDisabler to make this not assert. :^)
2020-01-03 17:48:02 +01:00
Andreas Kling
aba7829724 Kernel: InodeVMObject can't call Inode::size() with interrupts disabled
Inode::size() may try to take a lock, so we can't be calling it with
interrupts disabled.

This fixes a kernel hang when trying to execute a binary in a TmpFS.
2020-01-03 15:40:03 +01:00
Andreas Kling
1dc64ec064 Kernel: Remove unnecessary logic in kill() and killpg() syscalls
As Sergey pointed out, do_killpg() already interprets PID 0 as the
PGID of the calling process.
2020-01-03 12:58:59 +01:00
Andreas Kling
f081990717 Kernel: Use get_fast_random() for the random syscall stack offset 2020-01-03 12:48:28 +01:00
Andreas Kling
9026598999 Kernel: Add a more expressive API for getting random bytes
We now have these API's in <Kernel/Random.h>:

    - get_fast_random_bytes(u8* buffer, size_t buffer_size)
    - get_good_random_bytes(u8* buffer, size_t buffer_size)
    - get_fast_random<T>()
    - get_good_random<T>()

Internally they both use x86 RDRAND if available, otherwise they fall
back to the same LCG we had in RandomDevice all along.

The main purpose of this patch is to give kernel code a way to better
express its needs for random data.

Randomness is something that will require a lot more work, but this is
hopefully a step in the right direction.
2020-01-03 12:43:07 +01:00
Andreas Kling
24cc67d199 Kernel: Remove read_tsc() syscall
Since nothing is using this, let's just remove it. That's one less
thing to worry about.
2020-01-03 09:27:09 +01:00
Andreas Kling
23e4e03233 Lib: Remove Stopwatch class
This was a hack used to profile things before we had a proper profiler.
Since RDTSC is not available in userspace, this is not useful anymore.
2020-01-03 09:10:55 +01:00
Andreas Kling
889ecd1375 Kernel: The superuser is allowed to utime() on any file
Before this patch, root was not able to "touch" someone else's file.
2020-01-03 04:14:41 +01:00
Andreas Kling
3f74e66e82 Kernel: rename() should fail with EXDEV for cross-device requests
POSIX does not support rename() from one file system to another.
2020-01-03 04:10:05 +01:00
Andreas Kling
bbedad1197 test_io: Test that seeking past EOF and then reading returns 0 2020-01-03 04:03:52 +01:00
Andreas Kling
3be1c7b514 Kernel: Fix awkward bug where "touch /foo/bar/baz" could create "/baz"
To accomodate file creation, path resolution optionally returns the
last valid parent directory seen while traversing the path.

Clients will then interpret "ENOENT, but I have a parent for you" as
meaning that the file doesn't exist, but its immediate parent directory
does. The client then goes ahead and creates a new file.

In the case of "/foo/bar/baz" where there is no "/foo", it would fail
with ENOENT and "/" as the last seen parent directory, causing e.g the
open() syscall to create "/baz".

Covered by test_io.
2020-01-03 03:57:10 +01:00
Andreas Kling
8cc5fa5598 Kernel: Unbreak module loading (broke with NX bit changes)
Modules are now mapped fully RWX. This can definitely be improved,
but at least it unbreaks the feature for now.
2020-01-03 03:44:55 +01:00
Andreas Kling
93e9a42bf0 test_io: Verify that write() on an O_RDONLY fd fails with EBADF 2020-01-03 03:36:17 +01:00
Andreas Kling
c19f840f32 test_io: Verify that read() on an O_WRONLY fd fails with EBADF 2020-01-03 03:34:06 +01:00
Andreas Kling
0a1865ebc6 Kernel: read() and write() should fail with EBADF for wrong mode fd's
It was previously possible to write to read-only file descriptors,
and read from write-only file descriptors.

All FileDescription objects now start out non-readable + non-writable,
and whoever is creating them has to "manually" enable reading/writing
by calling set_readable() and/or set_writable() on them.
2020-01-03 03:29:59 +01:00
Andreas Kling
2da3edb3d0 test_io: Add a simple test program that abuses some I/O syscalls
This exposes some very bad behaviors that will need fixing.
2020-01-03 03:18:49 +01:00
Andreas Kling
064e46e581 Kernel: Don't allow open() with (O_CREAT | O_DIRECTORY) 2020-01-03 03:16:29 +01:00
Andreas Kling
15f3abc849 Kernel: Handle O_DIRECTORY in VFS::open() instead of in each syscall
Just taking care of some FIXMEs.
2020-01-03 03:16:29 +01:00
Andreas Kling
05653a9189 Kernel: killpg() with pgrp=0 should signal every process in the group
In the same group as the calling process, that is.
2020-01-03 03:16:29 +01:00
Andreas Kling
005313df82 Kernel: kill() with signal 0 should not actually send anything
Also kill() with pid 0 should send to everyone in the same process
group as the calling process.
2020-01-03 03:16:29 +01:00
Andreas Kling
8345f51a24 Kernel: Remove unnecessary wraparound check in Process::validate_read()
This will be checked moments later by MM.validate_user_read().
2020-01-03 03:16:29 +01:00
elodotwe
587b80bf0f Ports: Add missing ' after timestamp in GCC patch (#1004)
Looks like this got missed, maybe a messy `git add --patch` job? It
caused packaging of the gcc port to fail.
2020-01-03 02:09:53 +01:00
Tibor Nagy
790eaab6f5 Keymap+Base: Keycode fixes, remove workaround
Add missing keymap entries for the dollar sign and escape key and reformat
the Hungarian keymap.

Remove the workaround for "0x08", replace it with '\b'.

Fix the octal/hex mixup in the value of escape key. (033 != 0x33, 033 == 0x1B)
2020-01-03 01:20:47 +01:00
Andreas Kling
fdde5cdf26 Kernel: Don't include the process GID in the "extra GIDs" table
Process::m_extra_gids is for supplementary GIDs only.
2020-01-02 23:45:52 +01:00
Andreas Kling
0958d826d6 SystemServer: Call setgid() before setuid() when dropping privileges
Also add error checking and bail out if either call fails.
Doing it the wrong way around was causing us to retain GID=0 for all
processes (oops!)

Thanks to Chris Ball for reporting the bug. :^)
2020-01-02 23:36:21 +01:00
Andreas Kling
0f9800ca57 Kernel: Make the loop that marks the bottom 1MB NX a little less busy 2020-01-02 22:02:29 +01:00
Liav A
2a4a19aed8 Kernel: Fixing PCI MMIO access mechanism
During initialization of PCI MMIO access mechanism we ensure that we
have an allocation from the kernel virtual address space that cannot be
taken by other components in the OS.
Also, now we ensure that interrupts are disabled so mapping the region
doesn't fail.
In order to reduce overhead, map_device() will map the requested PCI
address only if it's not mapped already.

The run script has been changed so now we can boot a Q35 machine, that
supports PCI ECAM.
To ensure we will be able to load the machine, a PIIX3 IDE controller
was added to the Q35 machine configuration in the run script.
An AHCI controller was added to the i440fx machine configuration.
2020-01-02 21:45:04 +01:00
joshua stein
5e430e4eb4 Build: add support for building on OpenBSD
This requires gcc8 from ports to build the Toolchain.
2020-01-02 21:03:53 +01:00
joshua stein
d61131945d Build: HOST_CXX -> USE_HOST_CXX
Allow HOST_CXX to be passed to make which will be the actual host
C++ compiler used, such as 'make HOST_CXX=clang++'.
2020-01-02 21:03:53 +01:00
Andreas Kling
c6170070ed LibGUI: Clear out a GJsonArrayModel if it fails to open the JSON source
This fixes an issue in SystemMonitor where old data would linger in the
table views after selecting a process owned by another user.

Since we can no longer read /proc/PID/* unless PID belongs to us,
we will now present empty views for these processes. :^)
2020-01-02 20:57:55 +01:00
Andreas Kling
efbdaaaa65 ProfileViewer: Interpret addresses >= 0xc0000000 as kernel frames 2020-01-02 20:51:31 +01:00
Andreas Kling
32ec1e5aed Kernel: Mask kernel addresses in backtraces and profiles
Addresses outside the userspace virtual range will now show up as
0xdeadc0de in backtraces and profiles generated by unprivileged users.
2020-01-02 20:51:31 +01:00