
SystemServer+LoginServer+Userland: Switch to sid-based sockets

This commit does three things atomically:
- switch over Core::Account+SystemServer+LoginServer to sid-based socket
  names.
- change socket names with %uid to %sid.
- add/update necessary pledges and unveils.

Userland: Switch over servers to sid based sockets

Userland: Properly pledge and unveil for sid based sockets
Peter Elliott 2022-09-06 00:04:06 -06:00 committed by Andreas Kling
parent 1df4cc1926
commit 7af5eef0dd
50 changed files with 134 additions and 130 deletions


@ -17,12 +17,12 @@ ErrorOr<int> serenity_main(Main::Arguments)
{
Core::EventLoop event_loop;
TRY(Core::System::pledge("stdio unix accept"));
TRY(Core::System::pledge("stdio unix accept rpath proc"));
auto server = TRY(IPC::MultiServer<InspectorServer::ConnectionFromClient>::try_create("/tmp/user/%uid/portal/inspector"));
auto server = TRY(IPC::MultiServer<InspectorServer::ConnectionFromClient>::try_create("/tmp/session/%sid/portal/inspector"));
auto inspectables_server = TRY(Core::LocalServer::try_create());
TRY(inspectables_server->take_over_from_system_server("/tmp/user/%uid/portal/inspectables"));
TRY(inspectables_server->take_over_from_system_server("/tmp/session/%sid/portal/inspectables"));
inspectables_server->on_accept = [&](auto client_socket) {
auto pid = client_socket->peer_pid().release_value_but_fixme_should_propagate_errors();
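Review bot: The pledge on the new line gains `rpath proc` with no comment saying what needs them, and each added promise widens what this server may do if it is ever compromised; presumably Core::SessionManagement reads process information to resolve `%sid` in the two socket paths, but nothing in the hunk shows that. A one-line comment above the pledge would keep a later cleanup from dropping the promises again and breaking socket resolution, e.g. `// "rpath proc": needed to resolve %sid in the session socket paths below.` The same explanation is missing at the new `/proc/all` unveil in the LoginServer hunk and at the added `proc` pledge and `/proc/all` unveil in the last hunk. serenity_main continues past the end of this hunk.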


@ -6,6 +6,7 @@
#include <LibCore/Account.h>
#include <LibCore/ArgsParser.h>
#include <LibCore/SessionManagement.h>
#include <LibCore/System.h>
#include <LibGUI/Application.h>
#include <LibGUI/MessageBox.h>
@ -18,8 +19,14 @@
static void child_process(Core::Account const& account)
{
if (auto result = account.create_user_temporary_directory_if_needed(); result.is_error()) {
dbgln("Failed to create temporary directory for user {}: {}", account.username(), result.error());
pid_t rc = setsid();
if (rc == -1) {
dbgln("failed to setsid: {}", strerror(errno));
exit(1);
}
auto result = Core::SessionManagement::create_session_temporary_directory_if_needed(account.uid(), account.gid());
if (result.is_error()) {
dbgln("Failed to create temporary directory for session: {}", result.error());
exit(1);
}
@ -29,11 +36,6 @@ static void child_process(Core::Account const& account)
}
setenv("HOME", account.home_directory().characters(), true);
pid_t rc = setsid();
if (rc == -1) {
dbgln("failed to setsid: {}", strerror(errno));
exit(1);
}
dbgln("login with sid={}", rc);
execlp("/bin/SystemServer", "SystemServer", "--user", nullptr);
@ -68,6 +70,7 @@ ErrorOr<int> serenity_main(Main::Arguments arguments)
TRY(Core::System::unveil("/etc/shadow", "r"));
TRY(Core::System::unveil("/etc/group", "r"));
TRY(Core::System::unveil("/bin/SystemServer", "x"));
TRY(Core::System::unveil("/proc/all", "r"));
TRY(Core::System::unveil("/res", "r"));
TRY(Core::System::unveil(nullptr, nullptr));
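Review bot: The new failure log after `create_session_temporary_directory_if_needed` drops the account name the old message carried, so a failed login can no longer be tied to a user or session from the log alone: `dbgln("Failed to create temporary directory for session {} (user {}): {}", rc, account.username(), result.error());`. The directory is now created right after `setsid()` and, as far as this hunk shows, before anything switches to the target account, so it is worth confirming that the helper creates the directory with owner-only permissions for `account.uid()` and refuses a pre-existing entry owned by someone else — that cannot be verified from the lines here. child_process continues past the end of its hunk.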


@ -13,6 +13,7 @@
#include <LibCore/ConfigFile.h>
#include <LibCore/Directory.h>
#include <LibCore/File.h>
#include <LibCore/SessionManagement.h>
#include <LibCore/SocketAddress.h>
#include <LibCore/System.h>
#include <fcntl.h>
@ -322,17 +323,21 @@ Service::Service(Core::ConfigFile const& config, StringView name)
// Need i here to iterate along with all other vectors.
for (unsigned i = 0; i < socket_paths.size(); i++) {
auto const path = Core::Account::parse_path_with_uid(socket_paths.at(i), m_account.has_value() ? m_account.value().uid() : Optional<uid_t> {});
auto const path = Core::SessionManagement::parse_path_with_sid(socket_paths.at(i));
if (path.is_error()) {
// FIXME: better error handling for this case.
TODO();
}
// Socket path (plus NUL) must fit into the structs sent to the Kernel.
VERIFY(path.length() < UNIX_PATH_MAX);
VERIFY(path.value().length() < UNIX_PATH_MAX);
// This is done so that the last permission repeats for every other
// socket. So you can define a single permission, and have it
// be applied for every socket.
mode_t permissions = strtol(socket_perms.at(min(socket_perms.size() - 1, (long unsigned)i)).characters(), nullptr, 8) & 0777;
m_sockets.empend(path, -1, permissions);
m_sockets.empend(path.value(), -1, permissions);
}
}
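Review bot: The new `if (path.is_error())` branch aborts all of SystemServer through `TODO()` without recording which service or socket path failed, so one unresolvable `%sid` path in a single service's config takes every service down with a crash that says nothing useful. If a constructor leaves no non-fatal option, at least log the context before aborting: `dbgln("Service {}: cannot resolve socket path '{}': {}", name, socket_paths.at(i), path.error()); VERIFY_NOT_REACHED();`. The repeated `path.value()` calls could also bind `auto const& socket_path = path.value();` once after the check. Service::Service begins before this hunk.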


@ -22,12 +22,13 @@
ErrorOr<int> serenity_main(Main::Arguments)
{
Core::EventLoop event_loop;
TRY(Core::System::pledge("stdio recvfd sendfd accept unix rpath"));
TRY(Core::System::pledge("stdio recvfd sendfd accept unix rpath proc"));
TRY(Core::System::unveil("/proc/all", "r"));
TRY(Core::System::unveil("/res", "r"));
TRY(Core::System::unveil("/etc/timezone", "r"));
TRY(Core::System::unveil("/tmp/user/%uid/portal/request", "rw"));
TRY(Core::System::unveil("/tmp/user/%uid/portal/image", "rw"));
TRY(Core::System::unveil("/tmp/user/%uid/portal/websocket", "rw"));
TRY(Core::System::unveil("/tmp/session/%sid/portal/request", "rw"));
TRY(Core::System::unveil("/tmp/session/%sid/portal/image", "rw"));
TRY(Core::System::unveil("/tmp/session/%sid/portal/websocket", "rw"));
TRY(Core::System::unveil(nullptr, nullptr));
Web::Platform::EventLoopPlugin::install(*new Web::Platform::EventLoopPluginSerenity);