This has been a FIXME for a long time. We now apply the provided
read/write permissions to the constructed FileDescription when opening
a File object via File::open().
We were letting services inherit writable fds for /dev/tty0, as well as
having /dev/tty0 as their controlling terminal.
Lock this down by closing fds {0,1,2} when spawning a service. We also
detach from the controlling terminal. An exception is made for services
with an explicit StdIO setting. In those cases, we now switch the
controlling terminal to the specified path if possible.
We were running without the sticky bit and mode 777, which meant that
the /tmp directory was world-writable *without* protection.
With this fixed, it's no longer possible for everyone to steal root's
files in /tmp.
Separate some responsibilities:
ELFDynamicLoader is responsible for loading elf binaries from disk and
performing relocations, calling init functions, and eventually calling
finalizer functions.
ELFDynamicObject is a helper class to parse the .dynamic section of an
elf binary, or the table of Elf32_Dyn entries at the _DYNAMIC symbol.
ELFDynamicObject now owns the helper classes for Relocations, Symbols,
Sections and the like that ELFDynamicLoader will use to perform
relocations and symbol lookup.
Because these new helpers are constructed from offsets into the .dynamic
section within the loaded .data section of the binary, we don't need the
ELFImage for nearly as much of the loading processes as we did before.
Therefore we can remove most of the extra DynamicXXX classes and just
keep the one that lets us find the location of _DYNAMIC in the new ELF.
And finally, since we changed the name of the class that dlopen/dlsym
care about, we need to compile/link and use the new ELFDynamicLoader
class in LibC.
Also make the sockets readable and writable only by that user.
This fixes a bug where anyone could connect to anyone else's services,
most obviously WindowServer.
In order to ensure a specific owner and mode when the local socket
filesystem endpoint is instantiated, we need to be able to call
fchmod() and fchown() on a socket fd between socket() and bind().
This is because until we call bind(), there is no filesystem inode
for the socket yet.
If we're creating something that should have a different owner than the
current process's UID/GID, we need to plumb that all the way through
VFS down to the FS functions.
Inode::size() may try to take a lock, so we can't be calling it with
interrupts disabled.
This fixes a kernel hang when trying to execute a binary in a TmpFS.
We now have these API's in <Kernel/Random.h>:
- get_fast_random_bytes(u8* buffer, size_t buffer_size)
- get_good_random_bytes(u8* buffer, size_t buffer_size)
- get_fast_random<T>()
- get_good_random<T>()
Internally they both use x86 RDRAND if available, otherwise they fall
back to the same LCG we had in RandomDevice all along.
The main purpose of this patch is to give kernel code a way to better
express its needs for random data.
Randomness is something that will require a lot more work, but this is
hopefully a step in the right direction.
To accomodate file creation, path resolution optionally returns the
last valid parent directory seen while traversing the path.
Clients will then interpret "ENOENT, but I have a parent for you" as
meaning that the file doesn't exist, but its immediate parent directory
does. The client then goes ahead and creates a new file.
In the case of "/foo/bar/baz" where there is no "/foo", it would fail
with ENOENT and "/" as the last seen parent directory, causing e.g the
open() syscall to create "/baz".
Covered by test_io.
It was previously possible to write to read-only file descriptors,
and read from write-only file descriptors.
All FileDescription objects now start out non-readable + non-writable,
and whoever is creating them has to "manually" enable reading/writing
by calling set_readable() and/or set_writable() on them.
Add missing keymap entries for the dollar sign and escape key and reformat
the Hungarian keymap.
Remove the workaround for "0x08", replace it with '\b'.
Fix the octal/hex mixup in the value of escape key. (033 != 0x33, 033 == 0x1B)
Also add error checking and bail out if either call fails.
Doing it the wrong way around was causing us to retain GID=0 for all
processes (oops!)
Thanks to Chris Ball for reporting the bug. :^)
During initialization of PCI MMIO access mechanism we ensure that we
have an allocation from the kernel virtual address space that cannot be
taken by other components in the OS.
Also, now we ensure that interrupts are disabled so mapping the region
doesn't fail.
In order to reduce overhead, map_device() will map the requested PCI
address only if it's not mapped already.
The run script has been changed so now we can boot a Q35 machine, that
supports PCI ECAM.
To ensure we will be able to load the machine, a PIIX3 IDE controller
was added to the Q35 machine configuration in the run script.
An AHCI controller was added to the i440fx machine configuration.
This fixes an issue in SystemMonitor where old data would linger in the
table views after selecting a process owned by another user.
Since we can no longer read /proc/PID/* unless PID belongs to us,
we will now present empty views for these processes. :^)