The change 9d29e96c3b "Fix open(2) allowing
opening directories invalidly and check O_TRUNC errors." broke the chmod(2),
chown(2), and utimens(2) system calls on directories, because they can no
longer be opened for writing.
This changes fixes the regression by opening such paths for reading. There
is currently no filesystem permission checks for those system calls. However,
those system calls should check the permissions at the time of the operation
rather than relying on the file having been opened for writing previously.
Among other things, redirecting to a directory will now display an error
as it should.
Also fix a bug when opening /dev/pts: O_WRITE on a directory is a POSIX
violation.
The child processes of pid 1 were being reparented to pid 1, causing an
infinite loop. This change fixes the problem by adding a hook that runs in
the last thread about to exit in a process. When pid 1 exits, the hook will
prevent more processes and threads from being created, and then broadcast
kill all processes and threads. The hook is not run in LastPrayer(), as that
function runs in a worker thread and it can't block waiting for another
thread to run LastPrayer() in the same thread.
POSIX allows <fcntl.h> to include <sys/stat.h>, but doesn't require it.
There's little reason to do that, since they are separate headers, and
<fcntl.h> just needs the mode_t constants. Fix the code accidentally
relying on <fcntl.h> including <sys/stat.h>. The mode_t constants are now
provided in their own kernel header <sortix/mode.h>.
Additionally fix <sys/stat.h> pulling in all of <sys/types.h>, which is not
allowed by POSIX, which only requires a few types to be declared. Fix the
code accidentally relying on <sys/stat.h> including <sys/types.h>.
Finally fix <dirent.h> pulling in <stdint.h> through <sortix/dirent.h>.
The <sortix/__/dt.h> and <sortix/__/stat.h> headers are no longer required
and their contents have been merged into <sortix/__/dirent.h>.
Fix SEEK_END seeking twice as far as requested. Centralize lseek handling in
one place and avoid overflow bugs. Inode lseek handlers now only need to
handle SEEK_END with offset 0. Prevent the file offset from ever going below
zero or overflowing.
Character devices are now not seekable, but lseek will pretend they are, yet
always stay at the file offset 0. pread/pwrite on character devices will now
ignore the file offset and call read/write.
This change prevents character devices from being memory mapped, notably
/dev/zero can no longer be memory mapped. None of the current ports seem
to rely on this behavior and will work with just MAP_ANONYMOUS.
Refactor read and write system calls to have a shared return statement for
both seekable and non-seekable IO.
Fix file offset overflow bugs in read and write system calls.
Fix system calls returning EPERM instead of properly returning EBADF when
the file has not been opened in the right mode.
Truncate IO counts and total vector IO length so the IO operation does not
do any IO beyond OFF_MAX. Truncate also total vector IO length for recvmsg
and sendmsg. Fail with EINVAL if total vector IO length exceeds SSIZE_MAX.
Don't stop early if the total IO length is zero, so zero length IO now block
on any locks internal to the inode.
Handle reads at the maximum file offset with an end of file condition and
handle writes of at least one byte at the maximum file offset by failing
with EFBIG.
Refactor UtilMemoryBuffer to store the file size using off_t instead of
size_t to avoid casts and keep file sizes in the off_t type. Properly
handle errors in the code, such as failing with EROFS instead of EBADF if
the backing memory is not writeable, and failing with EFBIG if writing
beyond the end of the file.
Fix mkpartition not rejecting invalid partition start offsets and lengths.
Strictly enforce partition start and length checks in the partition code.
Enforce partitions exist within regular files or block devices.
Fix a few indention issues.
This reverts commit f6cde2d7a6.
gcc detected this header existing and emitted its own limits.h that
included the libc limits.h. This caused the #include_next chain to reach
the end and including the header failed.
Undoing this commit for now until the compiler toolchain is updated to
avoid this problem.
The console has gained these escape codes:
- Set color to any of 256 entries in the palette.
- Set color to any 24-bit RGB value.
- Inverse mode.
- Bold mode.
- Underline mode.
- Move cursor to line N.
- \a is now ignored.
The effectively unused ATTR_CHAR has been removed. Parsing of escape codes
has been improved. The graphical palette has been changed to the tango
colors, which makes Sortix look a bit differently. Some user-space programs
have been changed to use different colors that look better under the new
palette.
Remove const from methods that weren't really const and remove mutable
keyword workaround.
A new ioctl TIOCGDISPLAYS allow detecting which displays the terminal
has associated. The ability to set a keyboard layout can be detected
with tcgetblob kblayout.
Improve the user-space multi-monitor support while here.
The kernel now sets TERM rather than init(8).
This is a compatible ABI change riding on the previous commit's bump.
This change refactors the process group implementation and adds support
for sessions. The setsid(2) and getsid(2) system calls were added.
psctl(2) now has PSCTL_TTYNAME, which lets you get the name of a process's
terminal, and ps(1) now uses it.
The initial terminal is now called /dev/tty1.
/dev/tty is now a factory for the current terminal.
A global lock now protects the process hierarchy which makes it safe to
access other processes. This refactor removes potential vulnerabilities
and increases system robustness.
A number of terminal ioctls have been added.
This is a compatible ABI change.
The bootloader will now load the /boot/random.seed file if it exists, in
which case the kernel will use it as the initial kernel entropy. The kernel
warns if no random seed was loaded, unless the --no-random-seed option was
given. This option is used for live environments that inherently have no
prior secret state. The kernel initializes its entropy pool from the random
seed as of the first things, so randomness is available very early on.
init(8) will emit a fresh /boot/random.seed file on boot to avoid the same
entropy being used twice. init(8) also writes out /boot/random.seed on
system shutdown where the system has the most entropy. init(8) will warn if
writing the file fails, except if /boot is a real-only filesystem, and
keeping such state is impossible. The system administrator is then
responsible for ensuring the bootloader somehow passes a fresh random seed
on the next boot.
/boot/random.seed must be owned by the root user and root group and must
have file permissions 600 to avoid unprivileged users can read it. The file
is passed to the kernel by the bootloader as a multiboot module with the
command line --random-seed.
If no random seed is loaded, the kernel attempts a poor quality fallback
where it seeds the kernel arc4random(3) continuously with the current time.
The timing variance may provide some effective entropy. There is no real
kernel entropy gathering yet. The read of the CMOS real time clock is moved
to an early point in the kernel boot, so the current time is available as
fallback entropy.
The kernel access of the random seed module is supposed to be infallible
and happens before the kernel log is set up, but there is not yet a failsafe
API for mapping single pages in the early kernel.
sysupgrade(8) creates /boot/random.seed if it's absent as a temporary
compatibility measure for people upgrading from the 1.0 release. The GRUB
port will need to be upgraded with support for /boot/random.seed in the
10_sortix script. Installation with manual bootloader configuration will
need to load the random seed with the --random-seed command line. With GRUB,
this can be done with: module /boot/random.seed --random-seed
Add short options for most long options. Rename the -i option to -H, but
support -i for compatibility until the next release cycle, where -i will
become the short option of --identifier. Rename --include to --headers
and support --include until the next release cycle.
Add carray(1) manual page which makes --help unnecessary, and remove
--version as it surely matches your local Sortix version.
This change hardens against invalid calls to sigreturn, which is a very
useful gadget when compromising a process. The system call now verifies
it is a real return from a signal and aborts the process otherwise. This
should render such attacks impossible in threads that are not servicing a
signal, and infeasible in threads that are handling signals they are yet to
return from.
The kernel now keeps track for each thread how many signals are being
handled but haven't returned yet.
Each thread now has a random signal value. It is re-randomized when the
thread handles a signal and the current signal counter is zero. This is
xorred with the context address and used as canary on the stack during
signal dispatch, protecting the saved context on the stack. This works
mostly like the regular stack protector.
The kernel now keeps track of the stack pointer for a single handled
signal per thread. It doesn't seem worth it to keep track of multiple
handled signals, as more than one is rare. Note that each delivered signal
will not necessarily result in a sigreturn because it is valid for a thread
to longjmp(3) out of a signal handler to a valid jmp_buf.
The sigreturn system call will abort if either:
- It was not called from the kernel sigreturn page.
- The thread is not currently processing a signal.
- The thread is processing a single signal, and the stack pointer did not
have the expected value.
- It fails to read the context on the stack.
- The canary is wrong.
This properly avoids problems where the compiler is unaware that this is the
implementation and assumes it can rely on the implementation. For instance,
it might implement calloc using a call to calloc.
Restructure the code that wrongly assumed __STDC_HOSTED__ meant userspace.