Age | Commit message (Collapse) | Author |
|
Also add a little "History" section noting that pledge() is an original
OpenBSD invention and that our implementation differs in many ways.
|
Nord (specifically Polar Night) is a popular soft dark blue/grey theme.
Personally, I find it to be a very nice middle-ground between the contrast of the
dark and light (default) themes.
![Preview](https://i.imgur.com/6sVnT4i.png)
|
ENOENT means "no such file or directory", not "no such symbol". Return EINVAL
instead, as we already do in other cases.
|
This patch adds a new "accept" promise that allows you to call accept()
on an already listening socket. This lets programs set up a socket for
listening and then drop "inet" and/or "unix" so that only
incoming (and existing) connections are allowed from that point on.
No new outgoing connections or listening server sockets can be created.
In addition to accept() it also allows getsockopt() with SOL_SOCKET
and SO_PEERCRED, which is used to find the PID/UID/GID of the socket
peer. This is used by our IPC library when creating shared buffers that
should only be accessible to a specific peer process.
This allows us to drop "unix" in WindowServer and LookupServer. :^)
It also makes the debugging/introspection RPC sockets in CEventLoop
based programs work again.
|
- tty promise was listed twice.
- Fix a few typos
|
Add "Link", "ActiveLink" and "VisitedLink" colors to the system theme
definition, and implement support for them in LibHTML.
Note that <body link="foo" alink="bar" vlink="baz"> takes precedence
over the system colors. Author style also takes precedence, since we
only fetch the system color in case the CSS color is -libhtml-link.
|
Then bind-mount /dev and /bin while adding back the appropriate permissions :^)
|
Notably, /tmp is now mounted nodev,nosuid :^)
|
This is probably not the final design we'll want for this, but for now
let's run the HTTP client code as a separate user to reduce exposure
for the standard "anon" user account.
Note that "protocol" is also added to the "lookup" group, in order to
allow ProtocolServer to contact LookupServer for DNS requests.
|
This program changes the current filesystem root and spawns a shell.
|
This new view, backed by a GColumnsView, joins the existing table and icon
views :^) Even though it displays a file tree, its data is provided by the very
same GFileSystemModel that the other two views use.
This commit also includes my attempt at making an icon for the new mode.
|
LookupServer now runs as lookup:lookup, allowing connections from other
members of the "lookup" group.
This is enforced through file system permissions by having the service
socket (/tmp/portal/lookup) be mode 0660.
Now the LookupServer program can't overwrite other people's files if it
starts misbehaving. That's pretty cool :^)
|
Only users in this group can access the screen, mouse and keyboard.
|
Spawning services with nothing open at all on the standard I/O fds is
way too harsh. We now open /dev/null for them instead.
|
We now pick up all the user's extra GIDs from /etc/group and make
sure those are set before exec'ing a service.
This means we finally get to enjoy being in more than one group. :^)
|
This fixes an issue where anyone could snoop on the virtual consoles.
|
Add missing keymap entries for the dollar sign and escape key and reformat
the Hungarian keymap.
Remove the workaround for "0x08", replace it with '\b'.
Fix the octal/hex mixup in the value of the escape key. (033 != 0x33, 033 == 0x1B)
|
I don't think we need to give unprivileged users access to what is
essentially a kernel testing mechanism.
|
These are system administration commands, not intended for use by
all users. These tend to go in section 8.
|
The "idle" priority was never meant to be exposed to userspace, as it's
only used by the kernel's internal idle thread.
|
Only the superuser can use these system calls.
|
It's still possible to read the TSC via the read_tsc() syscall, but we
will now clear some of the bottom bits for unprivileged users.
|
All threads were running with iomapbase=0 in their TSS, which the CPU
interprets as "there's an I/O permission bitmap starting at offset 0
into my TSS".
Because of that, any bits that were 1 inside the TSS would allow the
thread to execute I/O instructions on the port with that bit index.
Fix this by always setting the iomapbase to sizeof(TSS32), and also
setting the TSS descriptor's limit to sizeof(TSS32), effectively making
the I/O permissions bitmap zero-length.
This should make it no longer possible to do I/O from userspace. :^)
|
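A model of the CPU rule that the iomapbase fix above relies on, as an added example that is not SerenityOS code. It uses the hardware-defined 104-byte 32-bit TSS layout (so sizeof() matches the page's sizeof(TSS32) regardless of field names) and a simplified version of the I/O permission check from the Intel SDM: the bitmap starts at iomapbase, a clear bit permits a port, and a set bit or a bit outside the segment limit raises #GP. The TSS contents and the "before" limit value are constructed. One caveat for readers of the commit message: in the SDM a clear bit, not a set bit, grants access, so with iomapbase=0 it was every zero byte of the TSS that handed out ports.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

// Hardware-defined 32-bit TSS (Intel SDM Vol. 3, "32-Bit Task-State Segment"):
// 104 bytes, with the I/O map base address in the last 16-bit field.
struct __attribute__((packed)) tss32 {
    uint32_t backlink;
    uint32_t esp0, ss0;
    uint32_t esp1, ss1;
    uint32_t esp2, ss2;
    uint32_t cr3, eip, eflags;
    uint32_t eax, ecx, edx, ebx, esp, ebp, esi, edi;
    uint32_t es, cs, ss, ds, fs, gs;
    uint32_t ldt;
    uint16_t trap;
    uint16_t iomapbase;
};
_Static_assert(sizeof(struct tss32) == 104, "32-bit TSS is 104 bytes");

enum { TSS_IOMAPBASE_OFFSET = offsetof(struct tss32, iomapbase) };

// Simplified model of the check the CPU makes for IN/OUT when CPL > IOPL.
// tss is the TSS as it sits in memory (a bitmap, if any, follows the header in
// the same segment), tss_limit is the descriptor limit. Returns 1 if access to
// ports [port, port+size) is permitted, 0 if it raises #GP. The caller must
// ensure tss_limit does not exceed the bytes actually backing tss.
int io_permitted(const uint8_t* tss, uint32_t tss_limit, uint16_t port, unsigned size)
{
    uint16_t base;
    memcpy(&base, tss + TSS_IOMAPBASE_OFFSET, sizeof(base));
    if (base >= tss_limit)
        return 0; // no I/O permission map at all: every port faults
    for (unsigned i = 0; i < size; ++i) {
        unsigned p = port + i;
        uint32_t byte_off = base + p / 8;
        if (byte_off > tss_limit)
            return 0; // bit lies outside the segment: denied
        if (tss[byte_off] & (1u << (p % 8)))
            return 0; // set bit denies the port
    }
    return 1; // clear bit permits it
}

// Constructed sample: a TSS filled the way a kernel typically does for a user
// thread (ring-0 stack, ring-0 stack selector, page directory), rest zero.
static void make_sample_tss(struct tss32* t, uint16_t iomapbase)
{
    memset(t, 0, sizeof(*t));
    t->esp0 = 0xC0010000; // arbitrary kernel stack address
    t->ss0 = 0x10;
    t->cr3 = 0x00100000;  // arbitrary page directory address
    t->iomapbase = iomapbase;
}

// "Before": iomapbase = 0 and a limit covering the whole TSS (assumed), so the
// TSS fields themselves are read as the permission bitmap.
int before_fix_port_permitted(uint16_t port)
{
    struct tss32 t;
    make_sample_tss(&t, 0);
    return io_permitted((const uint8_t*)&t, sizeof(t) - 1, port, 1);
}

// "After": iomapbase == limit == sizeof(TSS32), i.e. a zero-length bitmap.
int after_fix_port_permitted(uint16_t port)
{
    struct tss32 t;
    make_sample_tss(&t, (uint16_t)sizeof(t));
    return io_permitted((const uint8_t*)&t, sizeof(t), port, 1);
}

// How many of the 65536 ports a user thread could touch in a given state.
unsigned count_permitted_ports(int (*permitted)(uint16_t))
{
    unsigned n = 0;
    for (unsigned p = 0; p <= 0xFFFF; ++p)
        n += permitted((uint16_t)p) ? 1u : 0u;
    return n;
}

int main(void)
{
    printf("before fix: port 0x60 permitted=%d, %u ports reachable\n",
           before_fix_port_permitted(0x60), count_permitted_ports(before_fix_port_permitted));
    printf("after fix:  port 0x60 permitted=%d, %u ports reachable\n",
           after_fix_port_permitted(0x60), count_permitted_ports(after_fix_port_permitted));
    return 0;
}
```

With the sample TSS, every port below 832 whose bit happens to fall on a zero byte of the structure (the keyboard controller at 0x60 included) is reachable from ring 3 in the "before" state; in the "after" state the base is at or beyond the limit and no port is.
|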
This prevents code running outside of kernel mode from using the
following instructions:
* SGDT - Store Global Descriptor Table
* SIDT - Store Interrupt Descriptor Table
* SLDT - Store Local Descriptor Table
* SMSW - Store Machine Status Word
* STR - Store Task Register
There's no need for userspace to be able to use these instructions so
let's just disable them to prevent information leakage.
|
Add an option "-A", that will run all of the crash types in the crash
program. In this mode, all crash tests are run in a child process so
that the crash program does not crash.
Crash uses the return status of the child process to ascertain whether
the crash happened as expected.
|
We have a clock applet.
|
The tool currently supports drawing an elliptical line of a specified
thickness. Further improvements can include adding a fill mode, and
holding down shift to draw a perfect circle.
Closes #375.
|
Fill, line, and gradient modes initially supported :^)
|
Upscaled with hq3x then cleaned up the glyphs manually.
|
This allows the very aesthetic "Hotdog Stand" theme to have quite
reasonable looking menus.
|