1
Fork 0
mirror of https://github.com/RGBCube/serenity synced 2025-07-10 11:07:34 +00:00
Commit graph

3011 commits

Author SHA1 Message Date
Andreas Kling
69af59d061 Base: Only allow members of the "wheel" group to use /bin/su 2020-01-04 13:35:25 +01:00
Andreas Kling
f558c8e36a Base: Add an "audio" group that gets to write to /dev/audio 2020-01-04 13:25:13 +01:00
Andreas Kling
498659773c Base: Add a "phys" group for users with physical access
Only users in this group can access the screen, mouse and keyboard.
2020-01-04 13:21:33 +01:00
Andreas Kling
12eb1f5d74 Kernel: Entries in /dev/pts should be accessible only to the owner
This fixes an issue where anyone could snoop on any pseudoterminal.
2020-01-04 12:46:48 +01:00
Andreas Kling
c6254916ba Base: Make /dev/hd{a,b,c,d} superuser-only 2020-01-04 12:46:45 +01:00
Andreas Kling
20ac4e44d1 Base: Add "tty" group and make /dev/tty* be root:tty mode 610
This fixes an issue where anyone could snoop on the virtual consoles.
2020-01-04 12:46:09 +01:00
Andreas Kling
b5da0b78eb Kernel: File::open() should apply r/w mode from the provided options
This has been a FIXME for a long time. We now apply the provided
read/write permissions to the constructed FileDescription when opening
a File object via File::open().
2020-01-04 12:30:55 +01:00
Andreas Kling
e79c33eabb Kernel: The root inode of a TmpFS should have the sticky bit set
We were running without the sticky bit and mode 777, which meant that
the /tmp directory was world-writable *without* protection.

With this fixed, it's no longer possible for everyone to steal root's
files in /tmp.
2020-01-04 11:33:36 +01:00
Andreas Kling
4398eec03c Build: Lock down the /mod and /boot directories
Make these directories accessible to root only. Unprivileged users have
no need to look at the kernel binary or kernel modules.
2020-01-04 11:12:59 +01:00
Conrad Pankoff
85b95f472d Kernel: Remove unused PCI.{h,cpp} 2020-01-04 10:06:07 +01:00
erf
53733be5fd Kernel: Make LocalSocket pre-bind GID be gid_t (#1012) 2020-01-04 10:05:01 +01:00
Andreas Kling
d84299c7be Kernel: Allow fchmod() and fchown() on pre-bind() local sockets
In order to ensure a specific owner and mode when the local socket
filesystem endpoint is instantiated, we need to be able to call
fchmod() and fchown() on a socket fd between socket() and bind().

This is because until we call bind(), there is no filesystem inode
for the socket yet.
2020-01-03 20:14:56 +01:00
Andreas Kling
4abbedb6e4 Kernel: Allow passing initial UID and GID when creating new inodes
If we're creating something that should have a different owner than the
current process's UID/GID, we need to plumb that all the way through
VFS down to the FS functions.
2020-01-03 20:13:21 +01:00
Andreas Kling
82760998a9 Ext2FS: Take the inode lock in Ext2FSInode::metadata()
Remove an unnecessary InterruptDisabler to make this not assert. :^)
2020-01-03 17:48:02 +01:00
Andreas Kling
aba7829724 Kernel: InodeVMObject can't call Inode::size() with interrupts disabled
Inode::size() may try to take a lock, so we can't be calling it with
interrupts disabled.

This fixes a kernel hang when trying to execute a binary in a TmpFS.
2020-01-03 15:40:03 +01:00
Andreas Kling
1dc64ec064 Kernel: Remove unnecessary logic in kill() and killpg() syscalls
As Sergey pointed out, do_killpg() already interprets PID 0 as the
PGID of the calling process.
2020-01-03 12:58:59 +01:00
Andreas Kling
f081990717 Kernel: Use get_fast_random() for the random syscall stack offset 2020-01-03 12:48:28 +01:00
Andreas Kling
9026598999 Kernel: Add a more expressive API for getting random bytes
We now have these API's in <Kernel/Random.h>:

    - get_fast_random_bytes(u8* buffer, size_t buffer_size)
    - get_good_random_bytes(u8* buffer, size_t buffer_size)
    - get_fast_random<T>()
    - get_good_random<T>()

Internally they both use x86 RDRAND if available, otherwise they fall
back to the same LCG we had in RandomDevice all along.

The main purpose of this patch is to give kernel code a way to better
express its needs for random data.

Randomness is something that will require a lot more work, but this is
hopefully a step in the right direction.
2020-01-03 12:43:07 +01:00
Andreas Kling
24cc67d199 Kernel: Remove read_tsc() syscall
Since nothing is using this, let's just remove it. That's one less
thing to worry about.
2020-01-03 09:27:09 +01:00
Andreas Kling
889ecd1375 Kernel: The superuser is allowed to utime() on any file
Before this patch, root was not able to "touch" someone else's file.
2020-01-03 04:14:41 +01:00
Andreas Kling
3f74e66e82 Kernel: rename() should fail with EXDEV for cross-device requests
POSIX does not support rename() from one file system to another.
2020-01-03 04:10:05 +01:00
Andreas Kling
3be1c7b514 Kernel: Fix awkward bug where "touch /foo/bar/baz" could create "/baz"
To accomodate file creation, path resolution optionally returns the
last valid parent directory seen while traversing the path.

Clients will then interpret "ENOENT, but I have a parent for you" as
meaning that the file doesn't exist, but its immediate parent directory
does. The client then goes ahead and creates a new file.

In the case of "/foo/bar/baz" where there is no "/foo", it would fail
with ENOENT and "/" as the last seen parent directory, causing e.g the
open() syscall to create "/baz".

Covered by test_io.
2020-01-03 03:57:10 +01:00
Andreas Kling
8cc5fa5598 Kernel: Unbreak module loading (broke with NX bit changes)
Modules are now mapped fully RWX. This can definitely be improved,
but at least it unbreaks the feature for now.
2020-01-03 03:44:55 +01:00
Andreas Kling
0a1865ebc6 Kernel: read() and write() should fail with EBADF for wrong mode fd's
It was previously possible to write to read-only file descriptors,
and read from write-only file descriptors.

All FileDescription objects now start out non-readable + non-writable,
and whoever is creating them has to "manually" enable reading/writing
by calling set_readable() and/or set_writable() on them.
2020-01-03 03:29:59 +01:00
Andreas Kling
064e46e581 Kernel: Don't allow open() with (O_CREAT | O_DIRECTORY) 2020-01-03 03:16:29 +01:00
Andreas Kling
15f3abc849 Kernel: Handle O_DIRECTORY in VFS::open() instead of in each syscall
Just taking care of some FIXMEs.
2020-01-03 03:16:29 +01:00
Andreas Kling
05653a9189 Kernel: killpg() with pgrp=0 should signal every process in the group
In the same group as the calling process, that is.
2020-01-03 03:16:29 +01:00
Andreas Kling
005313df82 Kernel: kill() with signal 0 should not actually send anything
Also kill() with pid 0 should send to everyone in the same process
group as the calling process.
2020-01-03 03:16:29 +01:00
Andreas Kling
8345f51a24 Kernel: Remove unnecessary wraparound check in Process::validate_read()
This will be checked moments later by MM.validate_user_read().
2020-01-03 03:16:29 +01:00
Andreas Kling
fdde5cdf26 Kernel: Don't include the process GID in the "extra GIDs" table
Process::m_extra_gids is for supplementary GIDs only.
2020-01-02 23:45:52 +01:00
Andreas Kling
0f9800ca57 Kernel: Make the loop that marks the bottom 1MB NX a little less busy 2020-01-02 22:02:29 +01:00
Liav A
2a4a19aed8 Kernel: Fixing PCI MMIO access mechanism
During initialization of PCI MMIO access mechanism we ensure that we
have an allocation from the kernel virtual address space that cannot be
taken by other components in the OS.
Also, now we ensure that interrupts are disabled so mapping the region
doesn't fail.
In order to reduce overhead, map_device() will map the requested PCI
address only if it's not mapped already.

The run script has been changed so now we can boot a Q35 machine, that
supports PCI ECAM.
To ensure we will be able to load the machine, a PIIX3 IDE controller
was added to the Q35 machine configuration in the run script.
An AHCI controller was added to the i440fx machine configuration.
2020-01-02 21:45:04 +01:00
joshua stein
5e430e4eb4 Build: add support for building on OpenBSD
This requires gcc8 from ports to build the Toolchain.
2020-01-02 21:03:53 +01:00
Andreas Kling
32ec1e5aed Kernel: Mask kernel addresses in backtraces and profiles
Addresses outside the userspace virtual range will now show up as
0xdeadc0de in backtraces and profiles generated by unprivileged users.
2020-01-02 20:51:31 +01:00
Andreas Kling
8eb20bdfa2 Kernel: Move kernel symbols to /res/kernel.map and make it root-only
Let's lock down access to the kernel symbol table, since it trivializes
learning where the kernel functions are.

Of course, you can just build the same revision yourself locally and
learn the information, but we're taking one step at a time here. :^)
2020-01-02 20:51:31 +01:00
Andreas Kling
9fe316c2d8 Kernel: Add some missing error checks to the setpgid() syscall 2020-01-02 19:40:04 +01:00
Andreas Kling
285130cc55 Kernel: Remove debug spam about marking threads for death 2020-01-02 13:45:22 +01:00
Andreas Kling
7f843ef3b2 Kernel: Make the purge() syscall superuser-only
I don't think we need to give unprivileged users access to what is
essentially a kernel testing mechanism.
2020-01-02 13:39:49 +01:00
Andreas Kling
c01f766fb2 Kernel: writev() should fail with EINVAL if total length > INT32_MAX 2020-01-02 13:01:41 +01:00
Andreas Kling
7f04334664 Kernel: Remove broken implementation of Unix SHM
This code never worked, as was never used for anything. We can build
a much better SHM implementation on top of TmpFS or similar when we
get to the point when we need one.
2020-01-02 12:44:21 +01:00
Andrew Kaster
bc50a10cc9 Kernel: sys$mprotect protects sub-regions as well as whole ones
Split a region into two/three if the desired mprotect range is a strict
subset of an existing region. We can then set the access bits on a new
region that is just our desired range and add both the new
desired subregion and the leftovers back to our page tables.
2020-01-02 12:27:13 +01:00
Andreas Kling
3f7de2713e Kernel: Make mknod() respect the process umask
Otherwise the /bin/mknod command would create world-writable inodes
by default (when run by superuser) which you probably don't want.
2020-01-02 02:40:43 +01:00
Andreas Kling
c7eb3ff1b3 Kernel: mknod() should not allow unprivileged users to create devices
In fact, unless you are superuser, you may only create a regular file,
a named pipe, or a local domain socket. Anything else should EPERM.
2020-01-02 02:36:12 +01:00
Andreas Kling
3dcec260ed Kernel: Validate the full range of user memory passed to syscalls
We now validate the full range of userspace memory passed into syscalls
instead of just checking that the first and last byte of the memory are
in process-owned regions.

This fixes an issue where it was possible to avoid rejection of invalid
addresses that sat between two valid ones, simply by passing a valid
address and a size large enough to put the end of the range at another
valid address.

I added a little test utility that tries to provoke EFAULT in various
ways to help verify this. I'm sure we can think of more ways to test
this but it's at least a start. :^)

Thanks to mozjag for pointing out that this code was still lacking!

Incidentally this also makes backtraces work again.

Fixes #989.
2020-01-02 02:17:12 +01:00
Liav A
e5ffa960d7 Kernel: Create support for PCI ECAM
The new PCI subsystem is initialized during runtime.
PCI::Initializer is supposed to be called during early boot, to
perform a few tests, and initialize the proper configuration space
access mechanism. Kernel boot parameters can be specified by a user to
determine what tests will occur, to aid debugging on problematic
machines.
After that, PCI::Initializer should be dismissed.

PCI::IOAccess is a class that is derived from PCI::Access
class and implements PCI configuration space access mechanism via x86
IO ports.
PCI::MMIOAccess is a class that is derived from PCI::Access
and implements PCI configurtaion space access mechanism via memory
access.

The new PCI subsystem also supports determination of IO/MMIO space
needed by a device by checking a given BAR.
In addition, Every device or component that use the PCI subsystem has
changed to match the last changes.
2020-01-02 00:50:09 +01:00
Liav A
d85874be4b Kernel: Create a basic SMBIOS Decoder
We use DMI decoding now just to determine if PCI is available.
The DMIDecoder is initialized during early boot, thus making it possible
to probe useful data about the machine.

Other purposes are not supported yet.
2020-01-02 00:50:09 +01:00
Liav A
1e1a6a57ed Kernel: Introduce the ACPI subsystem
ACPI subsystem includes 3 types of parsers that are created during
runtime, each one capable of parsing ACPI tables at different level.

ACPIParser is the most basic parser which is essentialy a parser that
can't parse anything useful, due to a user request to disable ACPI
support in a kernel boot parameter.

ACPIStaticParser is a derived class from ACPIParser, which is able to
parse only static data (e.g. FADT, HPET, MCFG and other tables), thus
making it not able to parse AML (ACPI Machine Language) nor to support
handling of hardware events and power management. This type of parser
can be created with a kernel boot parameter.

ACPIDynamicParser is a derived class from ACPIStaticParser, which
includes all the capabilities of the latter, but *should* implement an
AML interpretation, (by building the ACPI AML namespace) and handling
power & hardware events. Currently the methods to support AML
interpretation are not implemented.
This type of parser is created automatically during runtime if the user
didn't specify a boot parameter related to ACPI initialization.

Also, adding strncmp function definition in StdLib.h, to be able to use
it in ACPIStaticParser class.
2020-01-02 00:50:09 +01:00
joshua stein
5fa0291a05 Build: fix building Kernel/TestModule object 2020-01-01 23:33:03 +01:00
Andreas Kling
1d94b5eb04 Kernel: Add a random offset to kernel stacks upon syscall entry
When entering the kernel from a syscall, we now insert a small bit of
stack padding after the RegisterDump. This makes kernel stacks less
deterministic across syscalls and may make some bugs harder to exploit.

Inspired by Elena Reshetova's talk on kernel stack exploitation.
2020-01-01 23:21:24 +01:00
Andreas Kling
ea1911b561 Kernel: Share code between Region::map() and Region::remap_page()
These were doing mostly the same things, so let's just share the code.
2020-01-01 19:32:55 +01:00