| Age | Commit message (Collapse) | Author |
|---|
|
The previous version relied on manually setting the amount of data to
read for the next chunk and was overall unclear. The new version uses
the Bytes API to vastly improve readability, and fixes a bug where
reading from files where a single read that wasn't of equal size to the
block size would cause the byte buffer to be incorrectly resized causing
corrupted output.
|
|
file_size was not very clear about what it was being used for, so I
switched it to say expected_file_size to make it clear that it's just a
heuristic.
|
|
|
|
|
|
We previously had at least three different implementations for resolving
executables in the PATH, all of which had slightly different
characteristics.
Merge those into a single implementation to keep the behaviour
consistent, and maybe to make that implementation more configurable in
the future.
|
|
|
|
This deadlock would incorrectly change the queue from almost empty to
full on dequeue because someone else could empty the queue after we had
checked its non-emptyness. The test would deadlock on this, which
doesn't happen anymore.
|
|
This path was changed to the uid templated version without actually
using the template resolver function in Account.
|
|
|
|
|
|
Since we already have the directory open, let's have an API to fchown()
the underlying file descriptor instead of forcing clients to do another
path lookup.
|
|
Other programs use Core::Account::login(), notably su(1), which stopped
working due to a missing "cpath" pledge promise.
This patch moves the /tmp/user/ creation logic to a separate function
that LoginServer can call.
|
|
|
|
|
|
This brings support for user-dependent paths in `unveil`.
|
|
This patch allows to insert "%uid" in `IPC_CLIENT_CONNECTION`
declaration and in SystemServer's ini files. This pattern is replaced
then replaced by the UID of the owner of the service. It opens a path
for seamlessly managed, per-user portal.
|
|
The `/tmp/user` directory is owned by root, this solution prevents
malicious users to interfere with other users' portals.
This commit also moves `launch`'s portal in the user directory.
|
|
Previously, we were incorrectly assuming that the daylight global
variable indicated whether the current time zone is in DST. In reality,
the daylight variable only indicates whether a time zone *can* be in
DST.
Instead, the tm structure has a tm_isdst member that should be used for
this purpose. Ensure our LibC handles tm_isdst, and avoid errant usage
of the daylight variable in Core::DateTime.
|
|
|
|
|
|
|
|
|
|
The audio enqueuer thread goes to sleep when there is no more audio data
present, and through normal Core::EventLoop events it can be woken up.
However, that waking up only happens when the thread is not currently
running, so that the wake-up events don't queue up and cause weirdness.
The atomic variable responsible for keeping track of whether the thread
is active can lead to a racy deadlock however, where the audio enqueuer
thread will never wake up again despite there being audio data to
enqueue. Consider this scenario:
- Main thread calls into async_enqueue. It detects that according to the
atomic variable, the other thread is still running, skipping the event
queue wake.
- Enqueuer thread has just finished playing the last chunk of audio and
detects that there is no audio left. It enters the if block with the
dbgln "Reached end of provided audio data..."
- Main thread enqueues audio, making the user sample queue non-empty.
- Enqueuer thread does not check this condition again, instead setting
the atomic variable to indicate that it is not running. It exits into
an event loop sleep.
- Main thread exits async_enqueue. The calling audio enqueuing system
(see e.g. Piano, but all of them function similarly) will wait until
the enqueuer thread has played enough samples before async_enqueue is
called again. However, since the enqueuer thread will never play any
audio, this condition is never fulfilled and audio playback deadlocks
This commit fixes that by allowing the event loop to not enqueue an
event that already exists, therefore overloading the audio enqueuer
event loop by at maximum one message in weird situations. We entirely
get rid of the atomic variable and the race condition is prevented.
|
|
The existing File::is_device() helpers don't distinguish between
block and char devices. This commit adds File::is_block_device() and
File::is_char_device() helpers which are more specific.
|
|
This extracts the logic of searching for a file in $PATH from
System::exec to a separate function.
|
|
|
|
This keeps us from having to duplicate code for each data type we add.
|
|
This variable does not exist on FreeBSD.
Co-Authored-By: Al Hoang <13622+hoanga@users.noreply.github.com>
|
|
FreeBSD implements the Linux API, so this was very simple luckily.
|
|
Various changes are needed to support this:
- The directory is created by Core::Account on login (and located in
/tmp).
- Service's sockets are now deleted on exit (to allow re-creation)
- SystemServer needs to handle SIGTERM to correctly destroy services.
|
|
This is a simple helper to debounce a function call, such as
an event handler. It avoids the function being called until
the event as settled down (i.e. after the timeout).
|
|
Most changes are around user and group management, which are exposed in
the Android NDK differently than other Unices.
We require version 30 for memfd_create, version 28 for posix_spawn, and
so on. It's possible a shim for memfd_create could be used, but since
Google is mandating new apps use API level 30 as of Nov 2022, this seems
suitable.
|
|
|
|
|
|
|
|
Replacement conditions for `requires_argument` have been chosen based
on what would be most convenient for implementing an eventual optional
argument mode.
|
|
This fixes a misconception in our current `ArgsParser` implementation.
If `requires_argument` is false, it doesn't mean that the argument is
optional (i.e. "not required"). It means that there is no argument at
all.
|
|
This prevents a bunch of utilities from using StringView for their
arguments.
|
|
This prevents us from needing a sv suffix, and potentially reduces the
need to run generic code for a single character (as contains,
starts_with, ends_with etc. for a char will be just a length and
equality check).
No functional changes.
|
|
Each of these strings would previously rely on StringView's char const*
constructor overload, which would call __builtin_strlen on the string.
Since we now have operator ""sv, we can replace these with much simpler
versions. This opens the door to being able to remove
StringView(char const*).
No functional changes.
|
|
Error::from_string_literal now takes direct char const*s, while
Error::from_string_view does what Error::from_string_literal used to do:
taking StringViews. This change will remove the need to insert `sv`
after error strings when returning string literal errors once
StringView(char const*) is removed.
No functional changes.
|
|
This commit moves the length calculations out to be directly on the
StringView users. This is an important step towards the goal of removing
StringView(char const*), as it moves the responsibility of calculating
the size of the string to the user of the StringView (which will prevent
naive uses causing OOB access).
|
|
These convenience templates allow the following to be written as before:
TRY(Core::System::pledge("promises..."));
TRY(Core::System::pledge("promises...", "execpromises..."));
TRY(Core::System::unveil("path", "permissions"));
TRY(Core::System::unveil(nullptr, nullptr));
Other uses must now append sv to any literal string passed to pledge and
unveil.
|
|
These were accidental (or leftover) uses of String::characters() to
construct StringViews through its StringView(char const*) constructor.
Since this constructor is due to be removed, this will no longer work.
Plus this prevents strlen from being run on these strings unnecessarily.
|
|
These are mostly minor mistakes I've encountered while working on the
removal of StringView(char const*). The usage of builder.put_string over
Format<FormatString>::format is preferrable as it will avoid the
indirection altogether when there's no formatting to be done. Similarly,
there is no need to do format(builder, "{}", number) when
builder.put_u64(number) works equally well.
Additionally a few Strings where only constant strings were used are
replaced with StringViews.
|
|
This moves out the calculation of the char* out to the formatter.
Additionally, we now print (null) when a null pointer is passed.
|
|
The extra argument to fcntl is a pointer in the case of F_GETLK/F_SETLK
and we were pulling out a u32, leading to pointer truncation on x86_64.
Among other things, this fixes Assistant on x86_64 :^)
|
|
For some reason we used raw char pointers sometimes, which caused at
least one heap buffer overflow detected in fuzzing.
|
|
|
|
Stub out the FileWatcher class with ENOTSUP stubs to let Services that
require it to compile for Lagom. Later we should add real code for this
using techniques like Linux's inotify(7).
|
