After looking closely at this, I realized that we've been running
all the service processes under separate user accounts even though
there's actually no need to.
Since we already use pledge() and unveil() to limit the scope and
access of these programs, separating them to another UID doesn't
achieve anything meaningful. So let's bring them back to the "anon"
user account and simplify things.
Programs affected:
- ImageDecoder
- RequestServer
- WebContent
- WebSocket
Longer term, I'd like for all of these to get spawned for the current
desktop user somehow, possibly by some kind of session manager, or
perhaps by the Browser program itself. But for now they remain under
SystemServer's control.
I can't say I like starting yet another thing on boot... but now that
LookupServer provides mDNS (and optionaly DNS) services to other hosts,
we have to start it on boot, not when the first local client connects.
We had some inconsistencies before:
- Sometimes "The", sometimes "the"
- Sometimes trailing ".", sometimes no trailing "."
I picked the most common one (lowecase "the", trailing ".") and applied
it to all copyright headers.
By using the exact same string everywhere we can ensure nothing gets
missed during a global search (and replace), and that these
inconsistencies are not spread any further (as copyright headers are
commonly copied to new files).
The current ProtocolServer was really only used for requests, and with
the recent introduction of the WebSocket service, long-lasting
connections with another server are not part of it. To better reflect
this, this commit renames it to RequestServer.
This commit also changes the existing 'protocol' portal to 'request',
the existing 'protocol' user and group to 'request', and most mentions
of the 'download' aspect of the request to 'request' when relevant, to
make everything consistent across the system.
Note that LibProtocol still exists as-is, but the more generic Client
class and the more specific Download class have both been renamed to a
more accurate RequestClient and Request to match the new names.
This commit only change names, not behaviors.
The WebSocket service isolates communication with a WebSocket to its
own isolated process. Similar to other isolating services, it has its
own user and group.
This is useful for CI where we don't want to spend a minute and a half
benchmarking Vector::append, and we don't have a good way to pass
test-specific arguments yet. :)
With this patch the window manager related functionality is split out
onto a new endpoint pair named WindowManagerServer/Client. This allows
window manager functionality to be potentially privilege separated in
the future. To this end, a new client named WMConnectionClient
is used to maintain a window manager connection. When a process
connects to the endpoint and greets the WindowServer as a window manager
(via Window::make_window_manager(int)), they're subscribed to the events
they requested via the WM event mask.
This patch also removes the hardcoding of the Taskbar WindowType to
receive WM events automatically. However, being a window manager still
requires having an active window, at the moment.
Build a new version of Serenity in CI that doesn't have all the debug
symbols on, or we'd be waiting a very long time to boot.
Insert a TestRunner entry into SystemServer.ini that will run a shell
script that runs tests in /bin and /usr/Tests and shuts down the system
in the new self-test boot mode. Also make sure enough basic services are
started in self-test such that the tests will actually run properly.
LookupServer can now itself server as a DNS server! To service DNS clients, it
uses the exact same lookup logic as it does for LibIPC clients. Namely, it will
synthesize records for data from /etc/hosts on its own (you can use this to
configure host names for your domain!), and forward other questions to
configured upstream DNS servers. On top of that, it implements its own caching,
so once a DNS resource record has been obtained from an upstream server,
LookupServer will cache it locally for faster future lookups.
The DNS server part of LookupServer is disabled by default, because it requires
you to run it as root (for it to bind to the port 53) and on boot, and we don't
want either by default. If you want to try it, modify SystemServer.ini like so:
[LookupServer]
Socket=/tmp/portal/lookup
SocketPermissions=666
Priority=low
KeepAlive=1
User=root
BootModes=text,graphical
and enable server mode in LookupServer.ini like so:
[DNS]
Nameservers=...
EnableServer=1
If in the future we implement socket takeover for IP sockets, these limitations
may be lifted.
This patch adds SymbolServer, a service daemon that provides
symbolication of ELF binaries. It has a very simple IPC API at the
moment that only turns addresses into symbol names.
This can be used to implement symbolication without having to do
in-process ELF parsing yourself. :^)
Since it is owned by root anyway, there is no need for 'additional security' to prevent
modification of that directory. This makes it easier to quickly export files from
Serenity. Fixes#5152.
Until someone has time to implement something for not showing the
very first network change at boot, let's turn off notifications for
network changes by default altogether. Having to dismiss this
notification at every boot gets old fast.
This patch moves the user account password hashes from /etc/passwd,
where they were world-readable, to /etc/shadow, where only root can
access them.
The Core::Account class is extended to support both authentication
against, and modification of /etc/shadow.
The default password for "anon" as of this commit is "foo" :^)
The DevFS along with DevPtsFS give a complete solution for populating
device nodes in /dev. The main purpose of DevFS is to eliminate the
need of device nodes generation when building the system.
Later on, DevFS will assist with exposing disk partition nodes.
This adds the ability to specify cursor attributes as part of their
file names, which allows us to remove hard coded values like the hot
spot from the code. The attributes can be specified between the last
two dots of the file name. Each attribute begins with a character,
followed by one or more digits that specify a uint value.
Supported attributes:
x: The x-coordinate of the cursor hotspot
y: The y-coordinate of the cursor hotspot
f: The number of animated frames horizontally in the image
t: The number of milliseconds per frame
For example, the filename wait.f14t100.png specifies that the image
contains 14 frames that should be cycled through at a rate of 100ms.
The hotspot is not specified, so it defaults to the center.
HackStudio no longer has dedicated project files, so let's get rid of
the *.hsp file concept. It'll eventually produce some files again,
but they won't be the same kind of "project" files.
This moves file extension to icon mappings from compile time macros to an
INI config file (/etc/FileIconProvider.ini), so file icons can easily be
customized and extended :^)
I also switched the format from a static file extension (".foo") to
glob-like patterns ("*.foo", using StringUtils::matches()), which allows
us to assign icons to specific exactly matching file names, like many
IDEs do - e.g. "CMakeLists.txt" or ".prettierrc".
The configuration key [DNS] Nameserver has been renamed to Nameservers
and accepts a comma-separated list of nameserver addresses, which will
be queried in the given order until a response has been received.
The new default value is still Cloudflare's 1.1.1.1 as well as their
secondary DNS server 1.0.0.1.
The language server keeps track of the content of currently edited
files by receiving updates about edit actions.
Also, C++ autocompletion is no longer tied to HackStudio itself and
moved to be part of the language server.
To keep track of ongoing terminal sessions, we now have a sort-of
traditional /var/run/utmp file, like other Unix systems.
Unlike other Unix systems however, ours is of course JSON. :^)
The /bin/utmpupdate program is used to update the file, which is
not writable by regular user accounts. This helper program is
set-GID "utmp".
This introduces a new X86 CPU emulator for running SerenityOS userspace
programs in a virtualized interpreter environment.
The main goal is to be able to instrument memory accesses and catch
interesting bugs that are very hard to find otherwise. But before we
can do fancy things like that, we have to build a competent emulator
able to actually run programs.
This initial version is able to run a very small program that makes
some tiny syscalls, but nothing more.
Everyone who connects to ProtocolServer now gets his own instance.
This means that different users can no longer talk to the same exact
ProtocolServer process, enhanching security and stability.
The new ImageDecoder service (available for members of "image" via
/tmp/portal/image) allows you to decode images in a separate process.
This will allow programs to confidently load untrusted images, since
the bulk of the security concerns are sandboxed to a separate process.
The only API right now is a synchronous IPC DecodeImage() call that
takes a shbuf with encoded image data and returns a shared buffer and
metadata for the decoded image.
It also comes with a very simple library for interfacing with the
ImageDecoder service: LibImageDecoderClient. The name is a bit of a
mouthful but I guess we can rename it later if we think of something
nicer to call it.
There's obviously a bit of overhead to spawning a separate process
for every image decode, so this is mostly only appropriate for
untrusted images (e.g stuff downloaded from the web) and not necessary
for trusted local images (e.g stuff in /res)
Port the WebContent service to the new MultiInstance mechanism that
Sergey added. This means that every new WebContentView gets its very
own segregated WebContent process.
The "WebContent" service provides a very restricted instance of LibWeb
running as an unprivileged user account. This will be used to implement
process separation in Browser, among other things.
This first cut of the service only spawns a single WebContent process
when someone connects to /tmp/portal/webcontent. We will soon switch
this over to spawning a new process for each connection.
Since this feature is very immature, we'll be bringing it up inside of
Demos/WebView as a separate demo program. Eventually this will become
a reusable widget that anyone can embed and easily get out-of-process
web content in their GUI.
This is pretty, pretty cool! :^)
We were getting a little overly memey in some places, so let's scale
things back to business-casual.
Informal language is fine in comments, commits and debug logs,
but let's keep the runtime nice and presentable. :^)
Now that we have SystemServer that can (re)spawn the Shell, we don't need a
separate server just for that.
The two shells (on tty0 and tty1) are configured to only be started when booting
in text mode. This means you can now simply say boot_mode=text on the kernel
command line, and SystemServer will set up the system and spawn a comfy root
shell for you :^)
It will listen for clipboard content changes in the backgroud. Once you click
on its icon, it will pop up a window listing all recorded clipboard contents.
You can then double-click on an item to copy it again.
This commit moves the clipboard from WindowServer into a new Clipboard
service program. Clipboard runs as the unprivileged "clipboard" user
and with a much tighter pledge than WindowServer.
To keep things working as before, all GUI::Application users now make
a connection to Clipboard after making the connection to WindowServer.
It could be interesting to connect to Clipboard on demand, but right
now that would necessitate expanding every GUI app's pledge to include
"unix" and also unveiling the clipboard portal, which I prefer not to.
Step one of moving DesktopServices::open handling out of process. This
makes it easier to do things like read in associations for which program
opens which files or protocols. This gives users the ability to modify
the associations without having to rebuild :^)
The ResourceGraph menu applet now supports a few command line options:
--cpu / -C to display a CPU usage graph
--memory / -M to display a memory usage graph
--name / -n to set a name which is used to order applets
--color / -c to set the graph color (supports anything
Gfx::Color::from_string() understands)
The SystemServer.ini and WindowServer.ini config files have been updated
to spawn and show two ResourceGraph menu applets, one for CPU usage
(green) and one for memory usage (cyan) - this matches the colors in the
SystemMonitor graphs.
The plan is to extend what currently is known as "CPUGraph" and let the
SystemServer spawn multiple instances of it - which then can show memory
or network usages as well :^)
Simply renaming the applet is the first step.
Prior to this, we ran the DHCP client as a high-priority service, but
making the system feel laggy "for some network stuff" is not the
greatest of ideas :^)
Services can now have their initial working directory
configured via `SystemServer.ini`.
This commit also configures Terminal's working directory
to be /home/anon
I probably would've done INI config removal in another commit, but it
fit well here because I didn't want to pledge wpath for SystemMenu if I
didn't need to.
Frankly, that's something that I think should be done: allow ConfigFile
to be used read-only.
This patch adds NotificationServer, which runs as the "notify" user
and provides an IPC API for desktop notifications.
LibGUI gains the GUI::Notification class for showing notifications.
NotificationServer is spawned on demand and will unspawn after
dimissing all visible notifications. :^)
Finally, this also comes with a small /bin/notify utility.
This was actually rather painless and straightforward. WindowServer now
runs as the "window" user. Users in the "window" group can connect to
it via the socket in /tmp/portal/window as usual.
This is probably not the final design we'll want for this, but for now
let's run the HTTP client code as a separate user to reduce exposure
for the standard "anon" user account.
Note that "protocol" is also added to the "lookup" group, in order to
allow ProtocolServer to contact LookupServer for DNS requests.
LookupServer now runs as lookup:lookup, allowing connections from other
members of the "lookup" group.
This is enforced through file system permissions by having the service
socket (/tmp/portal/lookup) be mode 0660.
Now the LookupServer program can't overwrite other people's files if it
starts misbehaving. That's pretty cool :^)
This patch introduces the second MenuApplet: Audio. To make this work,
menu applet windows now also receive mouse events.
There's still some problem with mute/unmute via clicking not actually
working, but the call goes from the applet program over IPC to the
AudioServer, where something goes wrong with the state change message.
Need to look at that separately.
Anyways, it's pretty cool to have more applets running in their own
separate processes. :^)
For services explicitly configured as lazy, SystemServer will now listen
on the socket and only spawn the service once a client attempts to connect
to the socket.
When reaping a child, SystemServer will now match up child's pid with its own
record of the services, and respawn the service if keepalive is enabled for it.
For example, we want to restart the WindowServer if it crashes, but we wouldn't
want to restart the Terminal if it gets closed.
To start painting, call:
gui$get_window_backing_store()
Then finish up with:
gui$release_window_backing_store()
Process will retain the underlying GraphicsBitmap behind the scenes.
This fixes racing between the WindowServer and GUI clients.
This patch also adds a WSWindowLocker that is exactly what it sounds like.