author Sergey Bugaev <bugaevc@serenityos.org> 2020-05-28 17:56:25 +0300
committer Andreas Kling <kling@serenityos.org> 2020-05-29 07:53:30 +0200
commit fdb71cdf8fa6c48b226e2242fbfdd75216e2f442 (patch)
tree a6ab0f769c534ff8c5ce88be595e994ad4193d6c /Kernel/Process.cpp
parent b9051263658c405a69bd8bd8030420157d3ca0e0 (diff)
download serenity-fdb71cdf8fa6c48b226e2242fbfdd75216e2f442.zip
Kernel: Support read-only filesystem mounts
This adds support for MS_RDONLY, a mount flag that tells the kernel to disallow any attempts to write to the newly mounted filesystem. As this flag is per-mount, and different mounts of the same filesystems (such as in case of bind mounts) can have different mutability settings, you have to go through a custody to find out if the filesystem is mounted read-only, instead of just asking the filesystem itself whether it's inherently read-only. This also adds a lot of checks we were previously missing; and moves some of them to happen after more specific checks (such as regular permission checks). One outstanding hole in this system is sys$mprotect(PROT_WRITE), as there's no way we can know if the original file description this region has been mounted from had been opened through a readonly mount point. Currently, we always allow such sys$mprotect() calls to succeed, which effectively allows anyone to circumvent the effect of MS_RDONLY. We should solve this one way or another.
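The commit message's central point is that MS_RDONLY belongs to the mount, not the filesystem, so a write check that asks only the filesystem cannot see it. The following is an added illustration of that point, not SerenityOS code: a constructed mount table in which one filesystem is mounted read-write at /data and bind-mounted read-only at /ro, a Custody-like handle that remembers which mount a path resolved through, and the two checks side by side. The names (MountTable, Custody, may_write_via_mount and so on) are assumptions made for the example and do not correspond to the kernel's actual API.

```cpp
#include <cassert>
#include <memory>
#include <string>
#include <utility>
#include <vector>

// Constructed model (not SerenityOS code): one filesystem can be mounted in
// several places (bind mounts), and each mount carries its own flags.
constexpr unsigned MS_RDONLY = 1u;

struct FileSystem {
    std::string name;
    bool inherently_read_only; // e.g. a read-only media image
};

struct Mount {
    std::shared_ptr<FileSystem> fs;
    std::string mount_point;
    unsigned flags;
};

// Custody-like handle: resolving a path remembers which mount it went through,
// which is what lets a per-mount flag be honoured later.
struct Custody {
    std::string path;
    const Mount* mount; // nullptr if the path could not be resolved
};

class MountTable {
public:
    void add(std::shared_ptr<FileSystem> fs, std::string mount_point, unsigned flags)
    {
        m_mounts.push_back({ std::move(fs), std::move(mount_point), flags });
    }

    // Pick the mount whose mount point is the longest prefix of the path.
    Custody resolve(const std::string& path) const
    {
        const Mount* best = nullptr;
        for (const auto& m : m_mounts) {
            if (!is_under(m.mount_point, path))
                continue;
            if (!best || m.mount_point.size() > best->mount_point.size())
                best = &m;
        }
        return { path, best };
    }

private:
    static bool is_under(const std::string& mount_point, const std::string& path)
    {
        if (mount_point == "/")
            return !path.empty() && path[0] == '/';
        if (path.compare(0, mount_point.size(), mount_point) != 0)
            return false;
        return path.size() == mount_point.size() || path[mount_point.size()] == '/';
    }

    std::vector<Mount> m_mounts;
};

// The check the commit message warns against: asking the filesystem alone
// cannot see MS_RDONLY, because that flag lives on the mount.
bool may_write_via_filesystem_only(const Custody& c)
{
    if (!c.mount)
        return false;
    return !c.mount->fs->inherently_read_only;
}

// The check the commit describes: go through the custody to the mount.
bool may_write_via_mount(const Custody& c)
{
    if (!c.mount)
        return false;
    if (c.mount->fs->inherently_read_only)
        return false;
    return (c.mount->flags & MS_RDONLY) == 0;
}

// Scenario: "data" mounted read-write at /data and bind-mounted read-only at
// /ro; an inherently read-only filesystem at /cdrom.
static const MountTable& example_table()
{
    static const MountTable table = [] {
        MountTable t;
        auto root = std::make_shared<FileSystem>(FileSystem { "root", false });
        auto data = std::make_shared<FileSystem>(FileSystem { "data", false });
        auto cdrom = std::make_shared<FileSystem>(FileSystem { "cdrom", true });
        t.add(root, "/", 0);
        t.add(data, "/data", 0);
        t.add(data, "/ro", MS_RDONLY); // same filesystem, different mount flags
        t.add(cdrom, "/cdrom", 0);
        return t;
    }();
    return table;
}

bool write_allowed_via_mount(const std::string& path)
{
    return may_write_via_mount(example_table().resolve(path));
}

bool write_allowed_via_filesystem_only(const std::string& path)
{
    return may_write_via_filesystem_only(example_table().resolve(path));
}

int main()
{
    assert(write_allowed_via_mount("/data/notes.txt"));
    assert(!write_allowed_via_mount("/ro/notes.txt"));
    // Asking the filesystem alone would let the read-only bind mount be written:
    assert(write_allowed_via_filesystem_only("/ro/notes.txt"));
    assert(!write_allowed_via_mount("/cdrom/track1"));
    return 0;
}
```

The same inode reached via /ro and via /data gives different answers only when the check walks through the mount; this is also why the commit message's sys$mprotect(PROT_WRITE) gap exists, since a region that no longer remembers its custody has nothing to ask the mount flags of.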
Diffstat (limited to 'Kernel/Process.cpp')
-rw-r--r-- Kernel/Process.cpp 3
1 files changed, 3 insertions, 0 deletions
diff --git a/Kernel/Process.cpp b/Kernel/Process.cpp
index 68aadab1e6..f7c4b5a9cd 100644
--- a/Kernel/Process.cpp
+++ b/Kernel/Process.cpp
@@ -318,6 +318,9 @@ static bool validate_inode_mmap_prot(const Process& process, int prot, const Ino
return false;
if (map_shared) {
+ // FIXME: What about readonly filesystem mounts? We cannot make a
+ // decision here without knowing the mount flags, so we would need to
+ // keep a Custody or something from mmap time.
if ((prot & PROT_WRITE) && !metadata.may_write(process))
return false;
InterruptDisabler disabler;
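Review bot: the FIXME records the gap but, as far as this hunk shows, a MAP_SHARED mapping with PROT_WRITE of an inode reached through an MS_RDONLY mount is still accepted here, since the only check that follows is `if ((prot & PROT_WRITE) && !metadata.may_write(process))`, which consults inode permissions and not mount flags. The hunk header shows validate_inode_mmap_prot taking `const Process&`, `int prot` and an Inode, so the Custody is not reachable at this point; consider threading the Custody (or whatever the file description keeps from open time) into this function so the mount flags can be checked alongside may_write(), which would also give sys$mprotect(PROT_WRITE), the outstanding hole named in the commit message, something to consult. Until then, the comment could say explicitly that shared writable mappings currently bypass MS_RDONLY so the limitation is not mistaken for a handled case.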