mirror of
https://github.com/RGBCube/serenity
synced 2025-07-24 17:27:35 +00:00
Kernel: Move process pledge promises into protected data
This commit is contained in:
parent
37ad880660
commit
de6c5128fd
4 changed files with 31 additions and 31 deletions
|
@ -124,6 +124,10 @@ class Process
|
||||||
gid_t sgid { 0 };
|
gid_t sgid { 0 };
|
||||||
Vector<gid_t> extra_gids;
|
Vector<gid_t> extra_gids;
|
||||||
bool dumpable { false };
|
bool dumpable { false };
|
||||||
|
bool has_promises { false };
|
||||||
|
u32 promises { 0 };
|
||||||
|
bool has_execpromises { false };
|
||||||
|
u32 execpromises { 0 };
|
||||||
};
|
};
|
||||||
|
|
||||||
// Helper class to temporarily unprotect a process's protected data so you can write to it.
|
// Helper class to temporarily unprotect a process's protected data so you can write to it.
|
||||||
|
@ -441,14 +445,8 @@ public:
|
||||||
Custody& root_directory_relative_to_global_root();
|
Custody& root_directory_relative_to_global_root();
|
||||||
void set_root_directory(const Custody&);
|
void set_root_directory(const Custody&);
|
||||||
|
|
||||||
bool has_promises() const
|
bool has_promises() const { return protected_data().has_promises; }
|
||||||
{
|
bool has_promised(Pledge pledge) const { return protected_data().promises & (1u << (u32)pledge); }
|
||||||
return m_has_promises;
|
|
||||||
}
|
|
||||||
bool has_promised(Pledge pledge) const
|
|
||||||
{
|
|
||||||
return m_promises & (1u << (u32)pledge);
|
|
||||||
}
|
|
||||||
|
|
||||||
VeilState veil_state() const
|
VeilState veil_state() const
|
||||||
{
|
{
|
||||||
|
@ -600,11 +598,6 @@ private:
|
||||||
|
|
||||||
RefPtr<Timer> m_alarm_timer;
|
RefPtr<Timer> m_alarm_timer;
|
||||||
|
|
||||||
bool m_has_promises { false };
|
|
||||||
u32 m_promises { 0 };
|
|
||||||
bool m_has_execpromises { false };
|
|
||||||
u32 m_execpromises { 0 };
|
|
||||||
|
|
||||||
VeilState m_veil_state { VeilState::None };
|
VeilState m_veil_state { VeilState::None };
|
||||||
UnveilNode m_unveiled_paths { "/", { .full_path = "/", .unveil_inherited_from_root = true } };
|
UnveilNode m_unveiled_paths { "/", { .full_path = "/", .unveil_inherited_from_root = true } };
|
||||||
|
|
||||||
|
|
|
@ -536,12 +536,6 @@ KResult Process::do_exec(NonnullRefPtr<FileDescription> main_program_description
|
||||||
m_arguments = arguments;
|
m_arguments = arguments;
|
||||||
m_environment = environment;
|
m_environment = environment;
|
||||||
|
|
||||||
m_promises = m_execpromises;
|
|
||||||
m_has_promises = m_has_execpromises;
|
|
||||||
|
|
||||||
m_execpromises = 0;
|
|
||||||
m_has_execpromises = false;
|
|
||||||
|
|
||||||
m_veil_state = VeilState::None;
|
m_veil_state = VeilState::None;
|
||||||
m_unveiled_paths.clear();
|
m_unveiled_paths.clear();
|
||||||
|
|
||||||
|
@ -603,8 +597,18 @@ KResult Process::do_exec(NonnullRefPtr<FileDescription> main_program_description
|
||||||
m_name = parts.take_last();
|
m_name = parts.take_last();
|
||||||
new_main_thread->set_name(m_name);
|
new_main_thread->set_name(m_name);
|
||||||
|
|
||||||
// FIXME: PID/TID ISSUE
|
{
|
||||||
MutableProtectedData(*this)->pid = new_main_thread->tid().value();
|
MutableProtectedData protected_data { *this };
|
||||||
|
protected_data->promises = protected_data->execpromises;
|
||||||
|
protected_data->has_promises = protected_data->has_execpromises;
|
||||||
|
|
||||||
|
protected_data->execpromises = 0;
|
||||||
|
protected_data->has_execpromises = false;
|
||||||
|
|
||||||
|
// FIXME: PID/TID ISSUE
|
||||||
|
protected_data->pid = new_main_thread->tid().value();
|
||||||
|
}
|
||||||
|
|
||||||
auto tsr_result = new_main_thread->make_thread_specific_region({});
|
auto tsr_result = new_main_thread->make_thread_specific_region({});
|
||||||
if (tsr_result.is_error()) {
|
if (tsr_result.is_error()) {
|
||||||
// FIXME: We cannot fail this late. Refactor this so the allocation happens before we commit to the new executable.
|
// FIXME: We cannot fail this late. Refactor this so the allocation happens before we commit to the new executable.
|
||||||
|
|
|
@ -41,10 +41,6 @@ KResultOr<pid_t> Process::sys$fork(RegisterState& regs)
|
||||||
return ENOMEM;
|
return ENOMEM;
|
||||||
child->m_root_directory = m_root_directory;
|
child->m_root_directory = m_root_directory;
|
||||||
child->m_root_directory_relative_to_global_root = m_root_directory_relative_to_global_root;
|
child->m_root_directory_relative_to_global_root = m_root_directory_relative_to_global_root;
|
||||||
child->m_promises = m_promises;
|
|
||||||
child->m_execpromises = m_execpromises;
|
|
||||||
child->m_has_promises = m_has_promises;
|
|
||||||
child->m_has_execpromises = m_has_execpromises;
|
|
||||||
child->m_veil_state = m_veil_state;
|
child->m_veil_state = m_veil_state;
|
||||||
child->m_unveiled_paths = m_unveiled_paths.deep_copy();
|
child->m_unveiled_paths = m_unveiled_paths.deep_copy();
|
||||||
child->m_fds = m_fds;
|
child->m_fds = m_fds;
|
||||||
|
@ -54,6 +50,10 @@ KResultOr<pid_t> Process::sys$fork(RegisterState& regs)
|
||||||
|
|
||||||
{
|
{
|
||||||
MutableProtectedData child_data { *child };
|
MutableProtectedData child_data { *child };
|
||||||
|
child_data->promises = protected_data().promises;
|
||||||
|
child_data->execpromises = protected_data().execpromises;
|
||||||
|
child_data->has_promises = protected_data().has_promises;
|
||||||
|
child_data->has_execpromises = protected_data().has_execpromises;
|
||||||
child_data->sid = this->sid();
|
child_data->sid = this->sid();
|
||||||
child_data->extra_gids = this->extra_gids();
|
child_data->extra_gids = this->extra_gids();
|
||||||
}
|
}
|
||||||
|
|
|
@ -67,24 +67,27 @@ KResultOr<int> Process::sys$pledge(Userspace<const Syscall::SC_pledge_params*> u
|
||||||
return true;
|
return true;
|
||||||
};
|
};
|
||||||
|
|
||||||
|
MutableProtectedData mutable_protected_data { *this };
|
||||||
|
|
||||||
if (!promises.is_null()) {
|
if (!promises.is_null()) {
|
||||||
u32 new_promises = 0;
|
u32 new_promises = 0;
|
||||||
if (!parse_pledge(promises, new_promises))
|
if (!parse_pledge(promises, new_promises))
|
||||||
return EINVAL;
|
return EINVAL;
|
||||||
if (m_promises && (!new_promises || new_promises & ~m_promises))
|
if (protected_data().promises && (!new_promises || new_promises & ~protected_data().promises))
|
||||||
return EPERM;
|
return EPERM;
|
||||||
m_has_promises = true;
|
|
||||||
m_promises = new_promises;
|
mutable_protected_data->has_promises = true;
|
||||||
|
mutable_protected_data->promises = new_promises;
|
||||||
}
|
}
|
||||||
|
|
||||||
if (!execpromises.is_null()) {
|
if (!execpromises.is_null()) {
|
||||||
u32 new_execpromises = 0;
|
u32 new_execpromises = 0;
|
||||||
if (!parse_pledge(execpromises, new_execpromises))
|
if (!parse_pledge(execpromises, new_execpromises))
|
||||||
return EINVAL;
|
return EINVAL;
|
||||||
if (m_execpromises && (!new_execpromises || new_execpromises & ~m_execpromises))
|
if (protected_data().execpromises && (!new_execpromises || new_execpromises & ~protected_data().execpromises))
|
||||||
return EPERM;
|
return EPERM;
|
||||||
m_has_execpromises = true;
|
mutable_protected_data->has_execpromises = true;
|
||||||
m_execpromises = new_execpromises;
|
mutable_protected_data->execpromises = new_execpromises;
|
||||||
}
|
}
|
||||||
|
|
||||||
return 0;
|
return 0;
|
||||||
|
|
Loading…
Add table
Add a link
Reference in a new issue