This could be used in a scenario when it is expected that a user program
will be invoked with a specific option multiple times, for example:
"program --a-option=example --a-option=anotherexample ..."
To accomplish this, we add another VeilState which is called
LockedInherited. The idea is to apply exec unveil data, similar to
execpromises of the pledge syscall, on the current exec'ed program
during the execve sequence. When applying the forced unveil data, the
veil state is set to be locked but the special state of LockedInherited
ensures that if the new program tries to unveil paths, the request will
silently be ignored, so the program will continue running without
receiving an error, but is still can only use the paths that were
unveiled before the exec syscall. This in turn, allows us to use the
unveil syscall with a special utility to sandbox other userland programs
in terms of what is visible to them on the filesystem, and is usable on
both programs that use or don't use the unveil syscall in their code.
This allows rectangle specifications in the form [x, y, width, height],
which mirrors margin properties and is much more convenient than the
JSON object specifications that were allowed before. Those are still
allowed, of course.
These lambdas were marked mutable as they captured a Ptr wrapper
class by value, which then only returned const-qualified references
to the value they point from the previous const pointer operators.
Nothing is actually mutating in the lambdas state here, and now
that the Ptr operators don't add extra const qualifiers these
can be removed.
In order to avoid the base encode/decode methods from being used (and
failing a static assertion), we must be sure to declare/define the
custom type implementations as template specializations.
After this, LibIPC is no longer sensitive to include order.
This hasn't been an issue on Serenity, but on Linux, if a program opens
a TCPServer on some port and then exits, that program can't be re-run
until the OS makes the port available again. This is usually ~2x the TCP
socket's maximum segment lifetime, upwards of a minute.
Add an option to TCPServer to allow re-using the port after the program
exits.
We still log the error (perhaps in the future, we will only want to log
the error if there is no handler). But this allows callers to actually
handle errors to e.g. unblock waiters.
This happens in two ways:
1. LibCore now has two new methods for creating Jails and attaching
processes to a Jail.
2. We introduce 3 new utilities - lsjails, jail-create and jails-attach,
which list jails, create jails and attach processes to a Jail,
respectively.
This method was taken from the pls utility and its purpose is to execute
a given command with all the required requirements such as providing a
suitable exec environment.
Otherwise, we end up propagating those dependencies into targets that
link against that library, which creates unnecessary link-time
dependencies.
Also included are changes to readd now missing dependencies to tools
that actually need them.
Even though the toolchain implicitly links against -lc, it does not know
where it should get LibC from except for the sysroot. In the case of
Clang this causes it to pick up the LibC stub instead, which might be
slightly outdated and feature missing symbols.
This is currently not an issue that manifests because we pass through
the dependency on LibC and other libraries by accident, which causes
CMake to link against the LibC target (instead of just the library),
and thus points the linker at the build output directory.
Since we are looking to fix that in the upcoming commits, let's make
sure that everything will still be able to find the proper LibC first.
Previously, this would cause an assert to fail if one reads a completely
buffered line into a buffer that is smaller than the Stream's internal
buffer.
We should not rely on the Kernel to unveil this for us, so if a program
needs to execute another program it should unveil the dynamic loader too
to prevent crashing.
To do this, we check if the user program tried to unveil a binary with
at least using the 'x' permission, so we will try to also unveil the
dynamic loader too.
Depending on what OS LibCore is being built for (either SerenityOS or
not-SerenityOS), the library does not just wrap functions from LibC,
but it also implements syscalls itself. Therefore, it needs to link
against LibSystem, as that is the only library that is allowed to do
syscalls.
When cross-compiling the OS this is currently not an issue because
LibC links against LibSystem, and CMake passes that dependency through
transitively by accident. However, on Lagom, LibC is just a dummy
INTERFACE library, so the LibSystem dependency is never pulled in,
resulting in undefined symbols whenever we build LibCore on SerenityOS
as a part of Lagom.
By deferring to the CMakeLists in each of these libraries' directories,
we can get rid of a lot of curious GLOB patterns and list removals in
the Lagom CMakeLists.
This was being used as a default version argument in a couple of APIs,
so those need to change signature and the caller always needs to provide
a version.
By passing AF_UNSPEC to getaddrinfo, we're telling the system's
implementation that we are ok getting either (or both) IPv4 and IPv6
addresses in our result. On my Ubuntu 22.04 system, the first addrinfo
returned for "www.google.com" holds an IPv6 address, which when
interpreted as an IPv4 sockaddr_in gives an address of 0.0.0.0.
This fixes TestTLSHandshake in Lagom locally.
All the required bits were already there. Also, this would probably
work on FreeBSD without modification but I don't currently have
a system to test this on.
This commit does three things atomically:
- switch over Core::Account+SystemServer+LoginServer to sid based socket
names.
- change socket names with %uid to %sid.
- add/update necessary pledges and unveils.
Userland: Switch over servers to sid based sockets
Userland: Properly pledge and unveil for sid based sockets
Plumbs synchronous calls for adding and removing group entries to
config files. This is useful for services like SystemServer which
default to group names for executable paths, and for removing all
keys at once.
This check happens very often in LibGUI code. 25% of time spent
layouting the emoji input dialog was wasted on RTTI. Adding a simple
fast_is<Widget>() melts almost all of that away.
Core::Acount is only used within ``#ifdef __serenity__`` blocks in these
files, so guard the inclusion of Account.h in the same way.
This fixes the Android build of these files.
