This class had slightly confusing semantics and the added weirdness
doesn't seem worth it just so we can say "." instead of "->" when
iterating over a vector of NNRPs.
This patch replaces NonnullRefPtrVector<T> with Vector<NNRP<T>>.
This also removes DirIterator::error_string(), since the same strerror()
string will be included when you print the Error itself. Except in `ls`
which is still using fprintf() for now.
This subdirectory is meant to hold all constant data related to the
kernel. This means that this data is never meant to updated and is
relevant from system boot to system shutdown.
Move the inodes of "load_base", "cmdline" and "system_mode" to that
directory. All nodes under this new subdirectory are generated during
boot, and therefore don't require calling kmalloc each time we need to
read them. Locking is also not necessary, because these nodes and their
data are completely static once being generated.
This reverts the SystemServer exec() logic to how it was before
81bd91c, but now with some extra TRY()s. This allows the HOME var
to always be propagated from LoginServer which prevents needing
to unveil() /etc/passwd everywhere.
This filesystem is based on the code of the long-lived TmpFS. It differs
from that filesystem in one keypoint - its root inode doesn't have a
sticky bit on it.
Therefore, we mount it on /dev, to ensure only root can modify files on
that directory. In addition to that, /tmp is mounted directly in the
SystemServer main (start) code, so it's no longer specified in the fstab
file. We ensure that /tmp has a sticky bit and has the value 0777 for
root directory permissions, which is certainly a special case when using
RAM-backed (and in general other) filesystems.
Because of these 2 changes, it's no longer needed to maintain the TmpFS
filesystem, hence it's removed (renamed to RAMFS), because the RAMFS
represents the purpose of this filesystem in a much better way - it
relies on being backed by RAM "storage", and therefore it's easy to
conclude it's temporary and volatile, so its content is gone on either
system shutdown or unmounting of the filesystem.
To do this properly, we also create Strings with formatting of device
nodes' names, taking into consideration errors when doing that.
Also, we use LibCore System mknod method instead of raw LibC functions
to be able to propagate errors from these calls too.
This patch also includes some changes in the way that the environment
and arguments are passed to `exec`. It was needed to fit the signature
of `Core::System::exec`. That's beneficial though, as we are now doing
`String` manipulation in a fallible environment, so we can propagate
more errors.
Simplify a lot of uses of ElapsedTimer by converting the callers to
elapsed_time from elapsed, as the AK::Time returned is better for unit
conversions and comparisons against constants.
This will make it easier to support both string types at the same time
while we convert code, and tracking down remaining uses.
One big exception is Value::to_string() in LibJS, where the name is
dictated by the ToString AO.
We have a new, improved string type coming up in AK (OOM aware, no null
state), and while it's going to use UTF-8, the name UTF8String is a
mouthful - so let's free up the String name by renaming the existing
class.
Making the old one have an annoying name will hopefully also help with
quick adoption :^)
Instead, allow userspace to decide on the coredump directory path. By
default, SystemServer sets it to the /tmp/coredump directory, but users
can now change this by writing a new path to the sysfs node at
/sys/kernel/variables/coredump_directory, and also to read this node to
check where coredumps are currently generated at.
Otherwise, we end up propagating those dependencies into targets that
link against that library, which creates unnecessary link-time
dependencies.
Also included are changes to readd now missing dependencies to tools
that actually need them.
In theory our peer process could die between the call to getsockopt()
and Core::system::stat() and another process could end up with the same
PID which would result in us incorrectly launching the service as
another user (e.g. root).
For SystemServer, we simply ensure that the /dev mount is now mounted
with MS_NOREGULAR flag to ensure only non-regular files are created,
thus, achieving what DevTmpFS provided in its implementation, but in a
much more sane and clean way than how DevTmpFS did that.
For other userland applications, we simply make them being aware of this
flag so they can show an indication about this flag being used to the
user.
In case of failure when trying to read the system_mode global node, just
use as a default the text mode, so we have bootable system with degraded
functionality.
This commit does three things atomically:
- switch over Core::Account+SystemServer+LoginServer to sid based socket
names.
- change socket names with %uid to %sid.
- add/update necessary pledges and unveils.
Userland: Switch over servers to sid based sockets
Userland: Properly pledge and unveil for sid based sockets
Because HID devices are not always present in quantities of one per type
it is more elegant and correct to put the representative device nodes in
subdirectories for each HID device type.
This patch allows to insert "%uid" in `IPC_CLIENT_CONNECTION`
declaration and in SystemServer's ini files. This pattern is replaced
then replaced by the UID of the owner of the service. It opens a path
for seamlessly managed, per-user portal.
Various changes are needed to support this:
- The directory is created by Core::Account on login (and located in
/tmp).
- Service's sockets are now deleted on exit (to allow re-creation)
- SystemServer needs to handle SIGTERM to correctly destroy services.
Each of these strings would previously rely on StringView's char const*
constructor overload, which would call __builtin_strlen on the string.
Since we now have operator ""sv, we can replace these with much simpler
versions. This opens the door to being able to remove
StringView(char const*).
No functional changes.
SystemServer now invokes services with the same uid as the process that
made the request.
This allows the superuser to have a normal GUI workflow. For example,
read and write its own files in TextEditor.
New propagated errors comes from an endgrent call, and all chown+chmod
calls all over the file. For the two last functions, custom C++ wrappers
were used.
Those wrappers were discarding `ENOENT` errors and naively crashing on
other errors, this change introduced in 76e12a48 was used to prevent a
crash if a mouse wasn't detected. There are no reasons to discard and to
not propagate other errors.
Previously, the device wasn't being created.
The new numbers correspond to those in the FullDevice (which is also
a Linux's full device number).
Also, I've tweaked the permissions to give everyone read-write access
to it.
As the framebuffer devices are gone by now, searching for them makes no
sense, so instead, let's remove this check now. If the user requested to
boot into text mode, he probably knows what he is doing and we should
not try to warn him about this.
SystemServer had safety fallbacks to boot into text mode if the user
errorneously specified graphical mode but no video hardware was present.
As it's now possible to do exactly this intentionally, we should allow
it. This would of course make WindowServer fall over and die if
configured improperly, but if you're messing with the kernel command
line in strange ways, you should be able to fix that.
I've attempted to handle the errors gracefully where it was clear how to
do so, and simple, but a lot of this was just adding
`release_value_but_fixme_should_propagate_errors()` in places.
We first create the /dev/devctl based on the information from the SysFS.
Then, we create block devices and character devices based on the events
we read from that device.
