Kernel: Allow configuring a Jail to not impose PID isolation restriction
This is useful for userspace applications that can't cope with the PID isolation restriction, while still letting them be confined by the other, non-configurable restrictions that jails impose.
This commit is contained in:
parent
cf8875426d
commit
8289759f1d
11 changed files with 62 additions and 23 deletions
17
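--- a/Kernel/API/Jail.h
+++ b/Kernel/API/Jail.h
@@ -0,0 +1,17 @@
+/*
+* Copyright (c) 2022, Liav A. <liavalb@hotmail.co.il>
+*
+* SPDX-License-Identifier: BSD-2-Clause
+*/
+
+#pragma once
+
+#include <AK/EnumBits.h>
+#include <AK/Types.h>
+
+enum class JailIsolationFlags : u32 {
+None = 0,
+PIDIsolation = 1 << 0,
+};
+
+AK_ENUM_BITWISE_OPERATORS(JailIsolationFlags);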
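Review bot: `JailIsolationFlags` is a userspace-visible ABI for `SC_jail_create_params::flags`, yet it carries no comment on what each bit does or what omitting it means; the rest of the commit shows that without `PIDIsolation` the jail is created with a null `ProcessList`. I'd add above the enum: `// Flags for sys$jail_create. PIDIsolation gives the jail its own ProcessList; without it, Jail::process_list() is null.` The enum's underlying type is `u32` while the syscall struct declares the field as `int`, which is worth aligning so no sign conversion is needed at the syscall boundary.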
|
@ -343,6 +343,7 @@ struct SC_setkeymap_params {
|
|||
struct SC_jail_create_params {
|
||||
u64 index;
|
||||
StringArgument name;
|
||||
int flags;
|
||||
};
|
||||
|
||||
struct SC_jail_attach_params {
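Review bot: `int flags;` is a signed field for a bitmask whose kernel-side enum is `enum class JailIsolationFlags : u32`, which is why `sys$jail_create` has to `static_cast<unsigned>` it before calling `Jail::create`; a negative value from userspace becomes a mask with all high bits set. Declaring it as `u32 flags;` keeps the ABI width the same and removes the cast. `SC_jail_create_params` is fully visible here; the following `SC_jail_attach_params` continues past the hunk.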
|
||||
|
|
|
@ -6,6 +6,7 @@
|
|||
|
||||
#include <AK/IntrusiveList.h>
|
||||
#include <AK/Singleton.h>
|
||||
#include <Kernel/API/Jail.h>
|
||||
#include <Kernel/Jail.h>
|
||||
#include <Kernel/Process.h>
|
||||
|
||||
|
@ -19,16 +20,19 @@ static JailIndex generate_jail_id()
|
|||
return s_jail_id.fetch_add(1);
|
||||
}
|
||||
|
||||
NonnullRefPtr<ProcessList> Jail::process_list()
|
||||
RefPtr<ProcessList> Jail::process_list()
|
||||
{
|
||||
return m_process_list;
|
||||
}
|
||||
|
||||
ErrorOr<NonnullRefPtr<Jail>> Jail::create(NonnullOwnPtr<KString> name)
|
||||
ErrorOr<NonnullRefPtr<Jail>> Jail::create(NonnullOwnPtr<KString> name, unsigned flags)
|
||||
{
|
||||
RefPtr<ProcessList> jail_process_list;
|
||||
if (flags & static_cast<unsigned>(JailIsolationFlags::PIDIsolation))
|
||||
jail_process_list = TRY(ProcessList::create());
|
||||
|
||||
return s_all_instances->with([&](auto& list) -> ErrorOr<NonnullRefPtr<Jail>> {
|
||||
auto process_list = TRY(ProcessList::create());
|
||||
auto jail = TRY(adopt_nonnull_ref_or_enomem(new (nothrow) Jail(move(name), generate_jail_id(), move(process_list))));
|
||||
auto jail = TRY(adopt_nonnull_ref_or_enomem(new (nothrow) Jail(move(name), generate_jail_id(), jail_process_list)));
|
||||
list.append(jail);
|
||||
return jail;
|
||||
});
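Review bot: `Jail::create` takes `unsigned flags` and tests only the `PIDIsolation` bit, so any other bits a caller sets are silently accepted, which makes it impossible to add a flag later and still reject old callers that passed junk. Unless the syscall layer validates it (not visible in this hunk), create() should reject `if (flags & ~static_cast<unsigned>(JailIsolationFlags::PIDIsolation)) return EINVAL;`, or better take a `JailIsolationFlags` parameter so the API header's type is used end to end. Separately, `jail_process_list` is passed to the constructor as an lvalue on its last use, so the `RefPtr` is copied rather than moved; `move(jail_process_list)` avoids the extra refcount round-trip.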
|
||||
|
@ -61,10 +65,10 @@ RefPtr<Jail> Jail::find_by_index(JailIndex index)
|
|||
});
|
||||
}
|
||||
|
||||
Jail::Jail(NonnullOwnPtr<KString> name, JailIndex index, NonnullRefPtr<ProcessList> process_list)
|
||||
Jail::Jail(NonnullOwnPtr<KString> name, JailIndex index, RefPtr<ProcessList> process_list)
|
||||
: m_name(move(name))
|
||||
, m_index(index)
|
||||
, m_process_list(move(process_list))
|
||||
, m_process_list(process_list)
|
||||
{
|
||||
}
|
||||
|
||||
|
|
|
@ -28,10 +28,10 @@ AK_TYPEDEF_DISTINCT_ORDERED_ID(u64, JailIndex);
|
|||
class Jail : public AtomicRefCounted<Jail> {
|
||||
|
||||
public:
|
||||
NonnullRefPtr<ProcessList> process_list();
|
||||
RefPtr<ProcessList> process_list();
|
||||
|
||||
static RefPtr<Jail> find_by_index(JailIndex);
|
||||
static ErrorOr<NonnullRefPtr<Jail>> create(NonnullOwnPtr<KString> name);
|
||||
static ErrorOr<NonnullRefPtr<Jail>> create(NonnullOwnPtr<KString> name, unsigned flags);
|
||||
static ErrorOr<void> for_each_when_process_is_not_jailed(Function<ErrorOr<void>(Jail const&)> callback);
|
||||
|
||||
StringView name() const { return m_name->view(); }
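Review bot: `process_list()` changes from `NonnullRefPtr` to `RefPtr` without a comment explaining when it is null, and every existing caller that dereferenced the result unconditionally now has a null dereference to consider; the diffstat lists 11 changed files, so this is presumably handled elsewhere, but the accessor should say so. I'd document it as `// Null when the jail was created without JailIsolationFlags::PIDIsolation; callers must check before use.`, and the same note belongs on `m_process_list`. `class Jail` extends past this hunk on both sides.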
|
||||
|
@ -41,7 +41,7 @@ public:
|
|||
SpinlockProtected<size_t, LockRank::None>& attach_count() { return m_attach_count; }
|
||||
|
||||
private:
|
||||
Jail(NonnullOwnPtr<KString>, JailIndex, NonnullRefPtr<ProcessList>);
|
||||
Jail(NonnullOwnPtr<KString>, JailIndex, RefPtr<ProcessList>);
|
||||
|
||||
NonnullOwnPtr<KString> m_name;
|
||||
JailIndex const m_index;
|
||||
|
@ -52,7 +52,7 @@ public:
|
|||
using List = IntrusiveListRelaxedConst<&Jail::m_list_node>;
|
||||
|
||||
private:
|
||||
NonnullRefPtr<ProcessList> const m_process_list;
|
||||
RefPtr<ProcessList> const m_process_list;
|
||||
|
||||
SpinlockProtected<size_t, LockRank::None> m_attach_count { 0 };
|
||||
};
|
||||
|
|
|
@ -5,7 +5,7 @@
|
|||
*/
|
||||
|
||||
#include <AK/Userspace.h>
|
||||
#include <Kernel/API/Ioctl.h>
|
||||
#include <Kernel/API/Jail.h>
|
||||
#include <Kernel/Jail.h>
|
||||
#include <Kernel/Process.h>
|
||||
#include <Kernel/StdLib.h>
|
||||
|
@ -30,7 +30,7 @@ ErrorOr<FlatPtr> Process::sys$jail_create(Userspace<Syscall::SC_jail_create_para
|
|||
// any info leak about the "outside world" jail metadata.
|
||||
if (my_jail)
|
||||
return Error::from_errno(EPERM);
|
||||
auto jail = TRY(Jail::create(move(jail_name)));
|
||||
auto jail = TRY(Jail::create(move(jail_name), static_cast<unsigned>(params.flags)));
|
||||
return jail->index().value();
|
||||
}));
|
||||
// Note: We do the copy_to_user outside of the m_attached_jail Spinlock locked scope because
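Review bot: `params.flags` is user-controlled and is passed straight to `Jail::create` after a `static_cast<unsigned>` with no check for unknown bits, and jail creation is a security boundary, so bits that mean nothing today should be rejected rather than ignored: `if (params.flags & ~static_cast<int>(JailIsolationFlags::PIDIsolation)) return Error::from_errno(EINVAL);` before the `TRY(Jail::create(...))`. Note also that the default is now fail-open: a caller passing `0` gets a jail with no PID isolation, whereas the removed code gave every jail its own process list, so any userspace caller not updated to pass `PIDIsolation` silently loses that protection; an opt-out flag would have kept the prior behaviour as the default. `sys$jail_create` starts and ends outside this hunk.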
|
||||
|
|