Commit graph

2122 commits

Author SHA1 Message Date
Andreas Kling
e362b56b4f Kernel: Move kernel above the 3GB virtual address mark
The kernel and its static data structures are no longer identity-mapped
in the bottom 8MB of the address space, but instead move above 3GB.

The first 8MB above 3GB are pseudo-identity-mapped to the bottom 8MB of
the physical address space. But things don't have to stay this way!

Thanks to Jesse who made an earlier attempt at this, it was really easy
to get device drivers working once the page tables were in place! :^)

Fixes #734.
2020-01-17 22:34:26 +01:00
Sergey Bugaev
4417bd97d7 Kernel: Misc tweaks 2020-01-17 21:49:58 +01:00
Sergey Bugaev
064cd2278c Kernel: Remove the use of FileSystemPath in sys$realpath()
Now that VFS::resolve_path() canonicalizes paths automatically, we don't need to
do that here anymore.
2020-01-17 21:49:58 +01:00
Sergey Bugaev
68aeefa49b ProcFS: Implement symlink magic 2020-01-17 21:49:58 +01:00
Sergey Bugaev
8642a7046c Kernel: Let inodes provide pre-open file descriptions
Some magical inodes, such as /proc/pid/fd/fileno, are going to want to open() to
a custom FileDescription, so add a hook for that.
2020-01-17 21:49:58 +01:00
Sergey Bugaev
ae64fd1b27 Kernel: Let symlinks resolve themselves
Symlink resolution is now a virtual method on an inode,
Inode::resolve_as_symlink(). The default implementation just reads the stored
inode contents, treats them as a path and calls through to VFS::resolve_path().

This will let us support other, magical files that appear to be plain old
symlinks but resolve to something else. This is particularly useful for ProcFS.
2020-01-17 21:49:58 +01:00
Sergey Bugaev
e0013a6b4c Kernel+LibC: Unify sys$open() and sys$openat()
The syscall is now called sys$open(), but it behaves like the old sys$openat().
In userspace, open_with_path_length() is made a wrapper over openat_with_path_length().
2020-01-17 21:49:58 +01:00
Sergey Bugaev
d6184afcae Kernel: Simplify VFS::resolve_path() further
It turns out we don't even need to store the whole custody chain, as we only
ever access its last element. So we can just store one custody. This also fixes
a performance FIXME :^)

Also, rename parent_custody to out_parent.
2020-01-17 21:49:58 +01:00
Andreas Kling
4d4d5e1c07 Kernel: Drop futex queues/state on exec()
This state is not meaningful to the new process image so just drop it.
2020-01-17 16:08:00 +01:00
Andreas Kling
26a31c7efb Kernel: Add "accept" pledge promise for accepting incoming connections
This patch adds a new "accept" promise that allows you to call accept()
on an already listening socket. This lets programs set up a socket for
for listening and then dropping "inet" and/or "unix" so that only
incoming (and existing) connections are allowed from that point on.
No new outgoing connections or listening server sockets can be created.

In addition to accept() it also allows getsockopt() with SOL_SOCKET
and SO_PEERCRED, which is used to find the PID/UID/GID of the socket
peer. This is used by our IPC library when creating shared buffers that
should only be accessible to a specific peer process.

This allows us to drop "unix" in WindowServer and LookupServer. :^)

It also makes the debugging/introspection RPC sockets in CEventLoop
based programs work again.
2020-01-17 11:19:06 +01:00
Andreas Kling
a9b24ebbe8 Kernel: Reindent linker script 2020-01-17 11:07:02 +01:00
Andreas Kling
c6e552ac8f Kernel+LibELF: Don't blindly trust ELF symbol offsets in symbolication
It was possible to craft a custom ELF executable that when symbolicated
would cause the kernel to read from user-controlled addresses anywhere
in memory. You could then fetch this memory via /proc/PID/stack

We fix this by making ELFImage hand out StringView rather than raw
const char* for symbol names. In case a symbol offset is outside the
ELF image, you get a null StringView. :^)

Test: Kernel/elf-symbolication-kernel-read-exploit.cpp
2020-01-16 22:11:31 +01:00
Andreas Kling
806f19d647 run: Bump default RAM size from 128 MB to 256 MB 2020-01-15 23:14:20 +01:00
Andreas Kling
d4d17ce423 Kernel: Trying to sys$link() a directory should fail with EPERM 2020-01-15 22:11:44 +01:00
Andreas Kling
e91f03cb39 Ext2FS: Assert that inline symlink read/write always uses offset=0 2020-01-15 22:11:44 +01:00
Andreas Kling
5a13a5416e Kernel: Avoid an extra call to read_bytes() in Inode::read_entire()
If we slurp up the entire inode in a single read_bytes(), no need to
call read_bytes() again.
2020-01-15 22:11:44 +01:00
Andreas Kling
9e54c7c17f Ext2FS: Don't allow creating new files in removed directories
Also don't uncache inodes when they reach i_links_count==0 unless they
also have no ref counts other than the +1 from the inode cache.
This prevents the FS from deleting the on-disk inode too soon.
2020-01-15 22:11:44 +01:00
joshua stein
0fa38e4a4a Build: use $SUDO_[UG]ID in build-image-* instead of relying on makeall 2020-01-15 21:52:09 +01:00
Andreas Kling
d79de38bd2 Kernel: Don't allow userspace to sys$open() literal symlinks
The O_NOFOLLOW_NOERROR is an internal kernel mechanism used for the
implementation of sys$readlink() and sys$lstat().

There is no reason to allow userspace to open symlinks directly.
2020-01-15 21:19:26 +01:00
Andreas Kling
e23536d682 Kernel: Use Vector::unstable_remove() in a couple of places 2020-01-15 19:26:41 +01:00
Liav A
bd3b64efb7 Kernel: Fix run script to enable networking on Q35 machines
Also, we enable KVM to accelerate the execution when booting with
q35_cmd or qcmd options in the run script.
2020-01-14 15:38:58 +01:00
Liav A
2da8aba48d Kernel: Change ACPI & DMI definitions a bit
Structures declarations changed __attribute__((__packed__))
to [[gnu::packed]] in ACPI & DMI definitions.
Also, declarations of array of pointers in ACPI RSDT/XSDT are correct
now. In addition to that, now we have a declaration of the ACPI MADT
table & the table entries.
2020-01-14 15:38:58 +01:00
Liav A
c2ef7f740b Kernel: Move DMI decoder initialization method to init_stage2
Also, PCI Initializer dismiss() now deletes the object correctly, and
the PCI initialization process no longer use the DMI decoder to
determine if PCI is supported.
grub configuration files include an entry to boot the OS without
ACPI support.
2020-01-14 15:38:58 +01:00
Liav A
918097ae94 Kernel: Fixing E1000 MMIO access
Now E1000 driver no longer use identity-mapping to do IO operations.
Also, print messages were fixed, and debug messages were added for IO
methods.
2020-01-14 15:38:58 +01:00
Liav A
a9884fbbe5 Kernel: Remove problematic memory mapping methods
mmap() & mmap_region() methods are removed from ACPI & DMI components,
and we replace them with the new MM.allocate_kernel_region() helper.

Instead of doing a raw calculation for each VM address, from now on we
can use helper functions to do perform those calculations in a neat,
reusable and readable way.
2020-01-14 15:38:58 +01:00
Liav A
d2b41010c5 Kernel: Change Region allocation helpers
We now can create a cacheable Region, so when map() is called, if a
Region is cacheable then all the virtual memory space being allocated
to it will be marked as not cache disabled.

In addition to that, OS components can create a Region that will be
mapped to a specific physical address by using the appropriate helper
method.
2020-01-14 15:38:58 +01:00
Sergey Bugaev
b913e30011 Kernel: Refactor/rewrite VFS::resolve_path()
This makes the implementation easier to follow, but also fixes multiple issues
with the old implementation. In particular, it now deals properly with . and ..
in paths, including around mount points.

Hopefully there aren't many new bugs this introduces :^)
2020-01-14 12:24:19 +01:00
Andreas Kling
65cb406327 Kernel: Allow unlocking a held Lock with interrupts disabled
This is needed to eliminate a race in Thread::wait_on() where we'd
otherwise have to wait until after unlocking the process lock before
we can disable interrupts.
2020-01-13 18:56:46 +01:00
Andrew Kaster
7a7e7c82b5 Kernel: Tighten up exec/do_exec and allow for PT_INTERP iterpreters
This patch changes how exec() figures out which program image to
actually load. Previously, we opened the path to our main executable in
find_shebang_interpreter_for_executable, read the first page (or less,
if the file was smaller) and then decided whether to recurse with the
interpreter instead. We then then re-opened the main executable in
do_exec.

However, since we now want to parse the ELF header and Program Headers
of an elf image before even doing any memory region work, we can change
the way this whole process works. We open the file and read (up to) the
first page in exec() itself, then pass just the page and the amount read
to find_shebang_interpreter_for_executable. Since we now have that page
and the FileDescription for the main executable handy, we can do a few
things. First, validate the ELF header and ELF program headers for any
shenanigans. ELF32 Little Endian i386 only, please. Second, we can grab
the PT_INTERP interpreter from any ET_DYN files, and open that guy right
away if it exists. Finally, we can pass the main executable's and
optionally the PT_INTERP interpreter's file descriptions down to do_exec
and not have to feel guilty about opening the file twice.

In do_exec, we now have a choice. Are we going to load the main
executable, or the interpreter? We could load both, but it'll be way
easier for the inital pass on the RTLD if we only load the interpreter.
Then it can load the main executable itself like any old shared object,
just, the one with main in it :). Later on we can load both of them
into memory and the RTLD can relocate itself before trying to do
anything. The way it's written now the RTLD will get dibs on its
requested virtual addresses being the actual virtual addresses.
2020-01-13 13:03:30 +01:00
Andrew Kaster
fe0eb04a22 Kernel: Overload dbgputstr for char array literals in C++
This just seems like something we should be able to do. The compiler
knows how long my "string literal" is, passing it along manually seems
siilly.
2020-01-13 13:03:30 +01:00
Brian Gianforcaro
4cee441279 Kernel: Combine validate and copy of user mode pointers (#1069)
Right now there is a significant amount of boiler plate code required
to validate user mode parameters in syscalls. In an attempt to reduce
this a bit, introduce validate_read_and_copy_typed which combines the
usermode address check and does the copy internally if the validation
passes. This cleans up a little bit of code from a significant amount
of syscalls.
2020-01-13 11:19:17 +01:00
Brian Gianforcaro
9cac205d67 Kernel: Fix SMAP in setkeymap syscall
It looks like setkeymap was missed when
the SMAP functionality was introduced.

Disable SMAP only in the scope where we
actually read the usermode addresses.
2020-01-13 11:17:10 +01:00
Brian Gianforcaro
02704a73e9 Kernel: Use the templated copy_from_user where possible
Now that the templated version of copy_from_user exists
their is normally no reason to use the version which
takes the number of bytes to copy. Move to the templated
version where possible.
2020-01-13 11:07:39 +01:00
Brian Gianforcaro
46c60fd451 Debugging: Add kernel debugging support
Introduce the 'debug-kernel' script to allow developers to
quickly attach a debugger to the QEMU debug remote. The
setting (-s) is already enabled by ./run today when using
QEMU for virtualisation.

If the system is running under QEMU, the debugger
will break in when the script is run. If you add
the -S option to QEMU it will wait for the debugger
to connect before booting the kernel. This allows
you to debug the init/boot process.

Personally I use cgdb instead of gdb, so I opted
to make the debugger used by the script customizable
via an environment variable.

This change also adds -g3 to the kernel build so that
rich debug symbols are available in the kernel binary.
2020-01-13 11:06:42 +01:00
Andreas Kling
0c44a12247 Kernel: read() and write() should EOVERFLOW if (offset+size) overflows 2020-01-12 20:20:17 +01:00
Andreas Kling
20b2bfcafd Kernel: Fix SMAP violation in sys$getrandom() 2020-01-12 20:10:53 +01:00
Andreas Kling
14d4b1058e Kernel: Add a basic lock to FileDescription
Let's prevent two processes sharing a FileDescription from messing with
it at the same time for now.
2020-01-12 20:09:44 +01:00
Sergey Bugaev
33c0dc08a7 Kernel: Don't forget to copy & destroy root_directory_for_procfs
Also, rename it to root_directory_relative_to_global_root.
2020-01-12 20:02:11 +01:00
Sergey Bugaev
dd54d13d8d Kernel+LibC: Allow passing mount flags to chroot()
Since a chroot is in many ways similar to a separate root mount, we can also
apply mount flags to it as if it was an actual mount. These flags will apply
whenever the chrooted process accesses its root directory, but not when other
processes access this same directory for the outside. Since it's common to
chdir("/") immediately after chrooting (so that files accessed through the
current directory inherit the same mount flags), this effectively allows one to
apply additional limitations to a process confined inside a chroot.

To this effect, sys$chroot() gains a mount_flags argument (exposed as
chroot_with_mount_flags() in userspace) which can be set to all the same values
as the flags argument for sys$mount(), and additionally to -1 to keep the flags
set for that file system. Note that passing 0 as mount_flags will unset any
flags that may have been set for the file system, not keep them.
2020-01-12 20:02:11 +01:00
Sergey Bugaev
fee6d0a3a6 Kernel+Base: Mount root as nodev,nosuid
Then bind-mount /dev and /bin while adding back the appropriate permissions :^)
2020-01-12 20:02:11 +01:00
Sergey Bugaev
93ff911473 Kernel: Properly propagate bind mount flags
Previously, when performing a bind mount flags other than MS_BIND were ignored.
Now, they're properly propagated the same way a for any other mount.
2020-01-12 20:02:11 +01:00
Sergey Bugaev
b620ed25ab Kernel: Simplify Ext2FS mount code path
Instead of looking up device metadata and then looking up a device by that
metadata explicitly, just use VFS::open(). This also means that attempting to
mount a device residing on a MS_NODEV file system will properly fail.
2020-01-12 20:02:11 +01:00
Sergey Bugaev
3393b78623 Kernel: Allow getting a Device from a FileDescription
Like we already do for other kinds of files.
2020-01-12 20:02:11 +01:00
Sergey Bugaev
35b0f10f20 Kernel: Don't dump backtrace on successful exits
This was getting really annoying.
2020-01-12 20:02:11 +01:00
Andreas Kling
41376d4662 Kernel: Fix Lock racing to the WaitQueue
There was a time window between releasing Lock::m_lock and calling into
the lock's WaitQueue where someone else could take m_lock and bring two
threads into a deadlock situation.

Fix this issue by holding Lock::m_lock until interrupts are disabled by
either Thread::wait_on() or WaitQueue::wake_one().
2020-01-12 19:04:16 +01:00
Andreas Kling
8b54ba0d61 Kernel: Dispatch pending signals when returning from a syscall
It was quite easy to put the system into a heavy churn state by doing
e.g "cat /dev/zero".

It was then basically impossible to kill the "cat" process, even with
"kill -9", since signals are only delivered in two conditions:

a) The target thread is blocked in the kernel
b) The target thread is running in userspace

However, since "cat /dev/zero" command spends most of its time actively
running in the kernel, not blocked, the signal dispatch code just kept
postponing actually handling the signal indefinitely.

To fix this, we now check before returning from a syscall if there are
any pending unmasked signals, and if so, we take a dramatic pause by
blocking the current thread, knowing it will immediately be unblocked
by signal dispatch anyway. :^)
2020-01-12 15:04:33 +01:00
Andreas Kling
62a191b59a Kernel: Require "tty" for ioctl() on TTY and MasterPTY
SystemServer now pledges "tty" since it's used when spawning services.
2020-01-12 13:29:51 +01:00
Andreas Kling
35c84504cd IPv4: Require "inet" promise for ioctl() on an IPv4Socket 2020-01-12 13:28:07 +01:00
Andreas Kling
d1839ae0c9 Kernel: Clearing promises with pledge("") should fail
Thanks Sergey for catching this brain-fart. :^)
2020-01-12 12:16:17 +01:00
Andreas Kling
114a770c6f Kernel: Reduce pledge requirement for recvfrom()+sendto() to "stdio"
Since these only operate on already-open sockets, we should treat them
the same as we do read() and write() by putting them into "stdio".
2020-01-12 11:52:37 +01:00