Age | Commit message (Collapse) | Author |
|
This patch adds a new "accept" promise that allows you to call accept()
on an already listening socket. This lets programs set up a socket for
listening and then drop "inet" and/or "unix" so that only
incoming (and existing) connections are allowed from that point on.
No new outgoing connections or listening server sockets can be created.
In addition to accept() it also allows getsockopt() with SOL_SOCKET
and SO_PEERCRED, which is used to find the PID/UID/GID of the socket
peer. This is used by our IPC library when creating shared buffers that
should only be accessible to a specific peer process.
This allows us to drop "unix" in WindowServer and LookupServer. :^)
It also makes the debugging/introspection RPC sockets in CEventLoop
based programs work again.
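The pattern the commit describes, as an added example that is not code from SerenityOS or its IPC library: a program creates and binds its listening socket (and, here, its own client) while "unix" is still available, drops to a narrower pledge, and from then on only accept()s and reads the peer's credentials with SO_PEERCRED. The pledge() declaration, the `__serenity__` guard, the promise string "stdio accept", the socket path and the function names are assumptions; on systems without pledge() the shim makes it a no-op so the flow still runs.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/un.h>

/* Assumed shim: SerenityOS (like OpenBSD) provides
 * pledge(promises, execpromises). Elsewhere it becomes a no-op so the example
 * still runs. The promise strings used below are assumptions, not verified
 * against SerenityOS's pledge implementation. */
#ifdef __serenity__
int pledge(const char* promises, const char* execpromises);
#else
static int pledge(const char* promises, const char* execpromises)
{
    (void)promises;
    (void)execpromises;
    return 0;
}
#endif

static void fill_unix_addr(struct sockaddr_un* addr, const char* path)
{
    memset(addr, 0, sizeof(*addr));
    addr->sun_family = AF_UNIX;
    strncpy(addr->sun_path, path, sizeof(addr->sun_path) - 1);
}

/* Create a listening AF_UNIX socket bound at `path`; returns fd or -1. */
static int make_listener(const char* path)
{
    int fd = socket(AF_UNIX, SOCK_STREAM, 0);
    if (fd < 0)
        return -1;
    struct sockaddr_un addr;
    fill_unix_addr(&addr, path);
    unlink(path);
    if (bind(fd, (struct sockaddr*)&addr, sizeof(addr)) < 0 || listen(fd, 4) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Accept one queued connection and return the peer's PID as reported by
 * getsockopt(SOL_SOCKET, SO_PEERCRED), the one getsockopt() the "accept"
 * promise still allows. Returns -1 on failure. */
static pid_t accept_and_get_peer_pid(int listener)
{
    int conn = accept(listener, NULL, NULL);
    if (conn < 0)
        return -1;
    struct ucred cred;
    socklen_t len = sizeof(cred);
    int rc = getsockopt(conn, SOL_SOCKET, SO_PEERCRED, &cred, &len);
    close(conn);
    return rc < 0 ? -1 : cred.pid;
}

/* Whole flow in one process: listen, connect to ourselves (needs "unix"),
 * then pledge down to "stdio accept" and serve the queued connection.
 * Returns the PID the server saw for its peer; since the client is this
 * same process it should equal getpid(). */
static pid_t demo_accept_promise(void)
{
    char path[64];
    snprintf(path, sizeof(path), "/tmp/accept-demo-%ld.sock", (long)getpid());

    int listener = make_listener(path);
    if (listener < 0)
        return -1;

    /* Client side, done while "unix" is still pledged: connect() to a
     * listening AF_UNIX socket completes as soon as the connection is queued. */
    int client = socket(AF_UNIX, SOCK_STREAM, 0);
    struct sockaddr_un addr;
    fill_unix_addr(&addr, path);
    if (client < 0 || connect(client, (struct sockaddr*)&addr, sizeof(addr)) < 0) {
        if (client >= 0)
            close(client);
        close(listener);
        unlink(path);
        return -1;
    }
    unlink(path); /* the path is not needed once the connection is queued */

    /* From here on: no new sockets, binds or connects, only accept() and
     * SO_PEERCRED on descriptors we already hold. */
    if (pledge("stdio accept", NULL) < 0) {
        close(client);
        close(listener);
        return -1;
    }

    pid_t peer = accept_and_get_peer_pid(listener);
    close(client);
    close(listener);
    return peer;
}

int main(void)
{
    pid_t peer = demo_accept_promise();
    printf("peer pid %ld, our pid %ld\n", (long)peer, (long)getpid());
    return peer == getpid() ? 0 : 1;
}
```

The point of the ordering is that everything needing "unix" (socket(), bind(), connect()) happens before the pledge; once only "accept" remains, a compromised server can still serve queued and future inbound clients but cannot open any new listener or outbound connection.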
|
|
- tty promise was listed twice.
- Fix a few typos
|
This program changes the current filesystem root and spawns a shell.
|
Spawning services with nothing open at all on the standard I/O fds is
way too harsh. We now open /dev/null for them instead.
|
|
We now pick up all the user's extra GIDs from /etc/group and make
sure those are set before exec'ing a service.
This means we finally get to enjoy being in more than one group. :^)
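The group lookup and privilege drop described above, as an added example (not SerenityOS's own service-spawning code): a parser that collects, from text in /etc/group format, every group that lists the target user as a member, followed by the order in which the IDs must be applied before exec'ing the service. The sample group database, the user names, the placeholder uid/gid 100 and the function names are constructed for this example.

```c
#define _GNU_SOURCE
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

/* Collect the GIDs of every group in `group_db` (text in /etc/group format,
 * "name:passwd:gid:member,member,...") that lists `user` as a member.
 * Returns the number of GIDs written to `out` (at most `max`). */
static size_t supplementary_gids_for(const char* group_db, const char* user, gid_t* out, size_t max)
{
    size_t n = 0;
    char* copy = strdup(group_db); /* strtok_r writes into its input */
    if (!copy)
        return 0;
    char* save_line = NULL;
    for (char* line = strtok_r(copy, "\n", &save_line); line; line = strtok_r(NULL, "\n", &save_line)) {
        if (line[0] == '#')
            continue;
        char* passwd = strchr(line, ':');
        if (!passwd)
            continue;
        *passwd++ = '\0';
        char* gid_str = strchr(passwd, ':');
        if (!gid_str)
            continue;
        *gid_str++ = '\0';
        char* members = strchr(gid_str, ':');
        if (!members)
            continue;
        *members++ = '\0';

        gid_t gid = (gid_t)strtoul(gid_str, NULL, 10);
        char* save_member = NULL;
        for (char* m = strtok_r(members, ",", &save_member); m; m = strtok_r(NULL, ",", &save_member)) {
            if (strcmp(m, user) == 0) {
                if (n < max)
                    out[n++] = gid;
                break;
            }
        }
    }
    free(copy);
    return n;
}

/* Apply the target user's identity before exec'ing a service. The order
 * matters: setgroups() and setgid() are privileged, so they must run while
 * we are still root, and setuid() comes last. Returns 0 on success, -1 if a
 * step failed or if root could still be regained afterwards. */
static int become_user(uid_t uid, gid_t gid, const gid_t* extra, size_t n_extra)
{
    if (setgroups(n_extra, extra) < 0)
        return -1;
    if (setgid(gid) < 0)
        return -1;
    if (setuid(uid) < 0)
        return -1;
    if (uid != 0 && setuid(0) == 0)
        return -1; /* privileges were not really dropped */
    return 0;
}

/* Constructed sample in /etc/group format; "anon", "tester" and the group
 * names are made up for this example. */
static const char* const sample_group_db =
    "root:x:0:\n"
    "wheel:x:1:root,anon\n"
    "audio:x:4:anon\n"
    "lp:x:7:\n"
    "phys:x:3:anon,tester\n";

int main(void)
{
    gid_t gids[16];
    size_t n = supplementary_gids_for(sample_group_db, "anon", gids, 16);
    printf("anon is in %zu extra group(s):", n);
    for (size_t i = 0; i < n; i++)
        printf(" %lu", (unsigned long)gids[i]);
    printf("\n");

    /* Only meaningful as root; uid/gid 100 are placeholders for the service user. */
    if (geteuid() == 0 && become_user(100, 100, gids, n) < 0) {
        perror("become_user");
        return 1;
    }
    return 0;
}
```

Without the setgroups() call a service exec'd after setuid() would keep whatever supplementary groups the spawner had, which for a root-started service means root's groups; doing it first, and checking that setuid(0) fails afterwards, is the part that makes the drop real.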
|
|
I don't think we need to give unprivileged users access to what is
essentially a kernel testing mechanism.
|
|
These are system administration commands, not intended for use by
all users. These tend to go in section 8.
|
|
The "idle" priority was never meant to be exposed to userspace, as it's
only used by the kernel's internal idle thread.
|
|
Only the superuser can use these system calls.
|
|
It's still possible to read the TSC via the read_tsc() syscall, but we
will now clear some of the bottom bits for unprivileged users.
|
|
All threads were running with iomapbase=0 in their TSS, which the CPU
interprets as "there's an I/O permission bitmap starting at offset 0
into my TSS".
Because of that, any bits that were 1 inside the TSS would allow the
thread to execute I/O instructions on the port with that bit index.
Fix this by always setting the iomapbase to sizeof(TSS32), and also
setting the TSS descriptor's limit to sizeof(TSS32), effectively making
the I/O permissions bitmap zero-length.
This should make it no longer possible to do I/O from userspace. :^)
|
|
This prevents code running outside of kernel mode from using the
following instructions:
* SGDT - Store Global Descriptor Table
* SIDT - Store Interrupt Descriptor Table
* SLDT - Store Local Descriptor Table
* SMSW - Store Machine Status Word
* STR - Store Task Register
There's no need for userspace to be able to use these instructions so
let's just disable them to prevent information leakage.
|
|
Add an option "-A", that will run all of the crash types in the crash
program. In this mode, all crash tests are run in a child process so
that the crash program does not crash.
Crash uses the return status of the child process to ascertain whether
the crash happened as expected.
|
|
This patch makes it possible to make memory regions non-readable.
This is enforced using the "present" bit in the page tables.
A process that hits a not-present page fault in a non-readable
region will be crashed.
|
|
Processes will now crash with SIGSEGV if they attempt to make a syscall
from PROT_WRITE memory.
This neat idea comes from OpenBSD. :^)
|
And write section 3 man pages for them.
|
|
We can do this now that we have link support in LibMarkdown and LibHTML ^)
|
|
Also correct minor formatting mistake in TelnetServer.md.
|
|
It ain't much, but it's honest work!
|