The language in POSIX mentioning overriding blocking or ignoring SIGABRT
refers to the inevitability of exiting by SIGABRT if SIGABRT isn't caught or
if the handler does return.
This implementation of abort(3) implements the standard by raising SIGABRT,
allowing the signal to be caught; and if the signal is blocked or ignored or
the handler returns, then exit_thread(2) forcefully exits the process as if
by SIGABRT.
POSIX allows <fcntl.h> to include <sys/stat.h>, but doesn't require it.
There's little reason to do that, since they are separate headers, and
<fcntl.h> just needs the mode_t constants. Fix the code accidentally
relying on <fcntl.h> including <sys/stat.h>. The mode_t constants are now
provided in their own kernel header <sortix/mode.h>.
Additionally fix <sys/stat.h> pulling in all of <sys/types.h>, which is not
allowed by POSIX, which only requires a few types to be declared. Fix the
code accidentally relying on <sys/stat.h> including <sys/types.h>.
Finally fix <dirent.h> pulling in <stdint.h> through <sortix/dirent.h>.
The <sortix/__/dt.h> and <sortix/__/stat.h> headers are no longer required
and their contents have been merged into <sortix/__/dirent.h>.
OpenSSH is allocating a fd_set of exactly the needed size, which leads to
buffer overflows in select(2) when it tries to zero out the fd_set assuming
it is the normal size.
This reverts commit f6cde2d7a6.
gcc detected this header existing and emitted its own limits.h that
included the libc limits.h. This caused the #include_next chain to reach
the end and including the header failed.
Undoing this commit for now until the compiler toolchain is updated to
avoid this problem.
This change refactors the process group implementation and adds support
for sessions. The setsid(2) and getsid(2) system calls were added.
psctl(2) now has PSCTL_TTYNAME, which lets you get the name of a process's
terminal, and ps(1) now uses it.
The initial terminal is now called /dev/tty1.
/dev/tty is now a factory for the current terminal.
A global lock now protects the process hierarchy which makes it safe to
access other processes. This refactor removes potential vulnerabilities
and increases system robustness.
A number of terminal ioctls have been added.
This is a compatible ABI change.
The bootloader will now load the /boot/random.seed file if it exists, in
which case the kernel will use it as the initial kernel entropy. The kernel
warns if no random seed was loaded, unless the --no-random-seed option was
given. This option is used for live environments that inherently have no
prior secret state. The kernel initializes its entropy pool from the random
seed as of the first things, so randomness is available very early on.
init(8) will emit a fresh /boot/random.seed file on boot to avoid the same
entropy being used twice. init(8) also writes out /boot/random.seed on
system shutdown where the system has the most entropy. init(8) will warn if
writing the file fails, except if /boot is a real-only filesystem, and
keeping such state is impossible. The system administrator is then
responsible for ensuring the bootloader somehow passes a fresh random seed
on the next boot.
/boot/random.seed must be owned by the root user and root group and must
have file permissions 600 to avoid unprivileged users can read it. The file
is passed to the kernel by the bootloader as a multiboot module with the
command line --random-seed.
If no random seed is loaded, the kernel attempts a poor quality fallback
where it seeds the kernel arc4random(3) continuously with the current time.
The timing variance may provide some effective entropy. There is no real
kernel entropy gathering yet. The read of the CMOS real time clock is moved
to an early point in the kernel boot, so the current time is available as
fallback entropy.
The kernel access of the random seed module is supposed to be infallible
and happens before the kernel log is set up, but there is not yet a failsafe
API for mapping single pages in the early kernel.
sysupgrade(8) creates /boot/random.seed if it's absent as a temporary
compatibility measure for people upgrading from the 1.0 release. The GRUB
port will need to be upgraded with support for /boot/random.seed in the
10_sortix script. Installation with manual bootloader configuration will
need to load the random seed with the --random-seed command line. With GRUB,
this can be done with: module /boot/random.seed --random-seed
execl(3) and its variants use a sentinel to terminate the variadic
argument list, in the form of a null pointer constant of type pointer to
char. POSIX mandates that NULL is a null pointer constant of type
pointer to void, which is not of an equivalent type to that required by
execl(3) and its variants, resulting in undefined behaviour.
This commit casts all such instances of NULL to pointer to char type.
For consistency, it also adds const-qualification to any such instances
which had already been casted, and were not const-qualified.
This properly avoids problems where the compiler is unaware that this is the
implementation and assumes it can rely on the implementation. For instance,
it might implement calloc using a call to calloc.
Restructure the code that wrongly assumed __STDC_HOSTED__ meant userspace.
This system call has five arguments, of which one is a 64-bit uid_t, and
another is a 64-bit gid_t, which means that 7 registers are needed. However,
x86 only has 5 registers available for system calls. Wrap the system call
with a structure like with mmap(2).
I hereby relicense all my work on Sortix under the ISC license as below.
All Sortix contributions by other people are already under this license,
are not substantial enough to be copyrightable, or have been removed.
All imported code from other projects is compatible with this license.
All GPL licensed code from other projects had previously been removed.
Copyright 2011-2016 Jonas 'Sortie' Termansen and contributors.
Permission to use, copy, modify, and distribute this software for any
purpose with or without fee is hereby granted, provided that the above
copyright notice and this permission notice appear in all copies.
THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
This interface isn't standardized to be thread safe so nobody can rely on
it. Additionally this only thread secures setlocale, but not all the code
that might depend on the current locale, so it is pointless.