| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
| |
Signed-off-by: Zhaoming Luo <zhmingluo@163.com>
Message-ID: <20241213005831.748151-1-zhmingluo@163.com>
|
| |
|
|
| |
Message-ID: <20240121210757.1900938-4-flaviocruz@gmail.com>
|
| |
|
|
|
| |
mach_open_devstream creates a fully-buffered stream by default.
This prevents from seeing various messages.
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Since no CPU subtypes are defined for CPU_TYPE_ARM64, just report the
type, same as for x86_64.
Sample uname(2) output:
sysname: GNU
release: 0.9
version: GNU-Mach 1.8/Hurd-0.9
machine: aarch64
Message-ID: <20240323115322.69075-9-bugaevc@gmail.com>
|
| |
|
|
|
|
| |
None of the new architectures are going to have it; that isn't specific
to x86_64.
Message-ID: <20240323115322.69075-4-bugaevc@gmail.com>
|
| |
|
|
| |
Message-ID: <20240216182630.5770-2-flaviocruz@gmail.com>
|
| |
|
|
|
|
|
| |
-Werror=enum-int-mismatch warnings
MiG expects those to return kern_return_t.
Message-ID: <ZXqbbXpVqQAwd2qv@jupiter.tail36e24.ts.net>
|
| | |
|
| |
|
|
| |
This reverts commit 33c30b4ff76ca22bdedce4aa41d05736a546d86b.
|
| |
|
|
| |
Message-ID: <20231124213041.952886-3-flaviocruz@gmail.com>
|
| |
|
|
|
|
| |
We don't really have plans to have anything else than "AT386" there, and
other OSes do not include it, so it brings us more harm than good to
include it.
|
| |
|
|
|
|
| |
On MACH_SEND_TIMED_OUT we defer sending the message to just-created
thread, we allocate a copy of the message to that end. We need to free
that once the message is indeed sent.
|
| |
|
|
| |
This was added by 7487dda5f
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Due to little-endianness of x86, this resulted in a 64-bit pointers that
pointed to the lower 4 GB of the address space being treated as a 32-bit
pointer followed by NULL, which manifested as only the first program arg
(the argv[0]) being visible in ps output. When a pointer pointed outside
of the lower 4 GB, this resulted in both halves being treated as invalid
pointers, causing proc_getprocargs () to fail with KERN_INVALID_ADDRESS,
which manifested as ps displaying COMMAND for the affected process as ?.
Found by placing all memory above the 4 GB limit, which made it apparent
that something about fetching process command lines is seriously broken.
Before:
USER PID PPID TTY TIME COMMAND
0 1 1 - 0:00.00 /hurd/init
0 2 1 - 0:00.05 /hurd/startup
0 3 2 ? 0:02.80 ?
0 4 2 ? 0:00.00 /hurd/proc
0 5 2 - 0:00.08 ?
0 6 5 - 0:00.02 ?
0 7 2 - 0:00.00 /hurd/auth
0 9 1 - 0:00.01 /hurd/term
0 13 1 - 0:00.11 /hurd/mach-defpager
0 15 1 - 0:00.00 /bin/bash
0 16 5 - 0:00.00 /hurd/pflocal
0 18 15 - 0:00.00 /bin/sh
0 20 18 - 0:00.00 ps-hurd
After:
USER PID PPID TTY TIME COMMAND
0 1 1 - 0:00.01 /hurd/init -a
0 2 1 - 0:00.03 /hurd/startup --kernel-task=1 console=com0
0 3 2 ? 0:01.36 gnumach --kernel-task=1 console=com0
0 4 2 ? 0:00.00 /hurd/proc --kernel-task=1
0 5 2 - 0:00.06 ext2fs --multiboot-command-line=console=com0
0 6 5 - 0:00.00 /hurd/exec --device-master-port=1
0 7 2 - 0:00.02 /hurd/auth
0 9 1 - 0:00.00 /hurd/term /dev/console device console
0 13 1 - 0:00.09 /hurd/mach-defpager
0 15 1 - 0:00.00 /bin/bash /usr/libexec/runsystem.hurd
0 16 5 - 0:00.00 /hurd/pflocal
0 18 15 - 0:00.00 /bin/sh
0 19 18 - 0:00.01 ps-hurd -ef
Message-Id: <20230621105638.1045306-1-bugaevc@gmail.com>
|
| |
|
|
| |
Message-Id: <20230515073600.1350072-4-bugaevc@gmail.com>
|
| |
|
|
|
|
|
|
| |
Normally glibc does not buffer tty output, but a devstream backed by
the Mach console device cannot be isatty'ed. So we need to ask glibc
explicitly to not buffer it. This is what the startup and mach-defpager
do already.
Message-Id: <20230515073600.1350072-3-bugaevc@gmail.com>
|
| |
|
|
|
|
|
|
|
|
| |
Also fixed the implementation of default_pager_paging_storage_new in proxy
def pager to call into default_pager_paging_storage_new.
We can fast track the simplification of the RPC ABI for x86_64 if we don't have
MACH_MSG_TYPE_STRING used in RPCs which forces msgt_size to use more than 8
bits.
Message-Id: <ZFsk/W+slpAZyTG1@jupiter.tail36e24.ts.net>
|
| |
|
|
| |
Message-Id: <20230508213136.608575-19-bugaevc@gmail.com>
|
| |
|
|
| |
Message-Id: <20230508213136.608575-18-bugaevc@gmail.com>
|
| | |
|
| |
|
|
| |
Message-Id: <ZFLcIs0iwiC9kQDf@jupiter.tail36e24.ts.net>
|
| |
|
|
|
| |
A follow up to 92fad38a043b75ed6b435b3efa574ede91dbe9ee in gnumach.
Message-Id: <ZFCNasf9bJ9qj+CG@jupiter.tail36e24.ts.net>
|
| |
|
|
|
|
|
|
| |
Also update the crash_dump_task RPC since it gets the subcode from the
signal details in Glibc.
This should fix the existing build error.
Message-Id: <ZDDrnHFHtiLIS53W@jupiter.tail36e24.ts.net>
|
| |
|
|
|
|
| |
https://git.savannah.gnu.org/cgit/hurd/gnumach.git/commit/?id=5447f965f1e109f7ac9aeb91c0e3906969a4adb8
provides more context.
Message-Id: <ZBFkAXCYcj27UXRo@mars.tail36e24.ts.net>
|
| |
|
|
|
| |
Also add -Werror=old-style-definition to enforce new code.
Message-Id: <ZBZ+8xf7GHy2RT/h@jupiter.tail36e24.ts.net>
|
| | |
|
| |
|
|
|
|
|
| |
In case the new task notification gets late, the task may have terminated
already, and thus a dead name gets provided in the notification. We should
just ignore this, otherwise the task hashing would get collisions on all
such dead tasks ports.
|
| |
|
|
|
| |
The error handling code would already deallocate them, thus leading to
duplicate deallocation, spurious destroy, and later on port mixup.
|
| |
|
|
|
| |
In case the task dies very early and thus the notification arrives very
early.
|
| |
|
|
| |
For coherency with the existing RPCs
|
| |
|
|
| |
And add proc_complete_reauthentication ()
|
| |
|
|
|
|
|
|
|
|
| |
Now that it's completely unused.
procinfo.owner is now simply set to the first UID that a process has.
proc_setowner () is kept for compatibility, but now does nothing.
The clients still try to call it, though, for compatibility with older
proc server versions.
|
| |
|
|
|
| |
This is a new RPC to atomically change the UIDs of a process, recreate its
process port, and reassign a different task to it.
|
| |
|
|
|
| |
If the allocation failed, we want to leave the p_ids pointer as it was, and
properly propagate the error code.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The previous scheme was to check that PROC1 has the UID that is designated
as PROC2's "owner". This is extremely problematic for several reasons,
including:
* The UIDs and the owner of a process are set separately and can easily get out
of sync. While S_proc_setowner () checks that the new owner is among the UIDs
that the process has, this invariant is violated after the process is given a
new set of UIDs with S_proc_reauthenticate (). In particular, this happens
during execution of a SUID binary: the process is reauthenticated to a
different set of UIDs first, and its owner is udpated later, if at all.
* In the Hurd, a process can have multiple UIDs. Having to designate just one
of them as the owner means the other UIDs get ignored for the purpose of
permission checking. One particularly problematic case is a SUID process that
temporarily lowers its effective UID: glibc sets the first effective UID as
the process owner, giving just about anyone access to the task.
Resolve this by ignoring the owner for the purpose of permission checking, and
relying solely on the authenticated UIDs. Roughly speaking, PROC1 can get
complete access to PROC2 if the UIDs PROC1 has form a superset of the UIDs that
PROC2 has; in other words, the access is only allowed when it would not result
in PROC1 getting access to UIDs it doesn't have already. Of course, root is
still allowed to access any process.
In particular, this means that:
* a process can access another process if they have the same auth;
* a process that has "more auth" can access one that has "less auth", but not
the other way around;
* a SUID-root process that has lowered its effective UIDs can only be accessed
by root.
Another important point here is that the UIDs in question are both effective
and available UIDs that a process has. Normally, available UIDs are ignored for
the purpose of permission checking (and that is their whole point). However,
POSIX description of kill(2) has the following clause:
> For a process to have permission to send a signal to a process designated by
> pid, unless the sending process has appropriate privileges, the real or
> effective user ID of the sending process shall match the real or saved
> set-user-ID of the receiving process.
Which I read as saying that the real (i.e. available) UID(s) of PROC1 should be
used for evaluating whether kill(2) can succeed, not only its effective UID(s).
|
| |
|
|
|
| |
This is in preparation for using the UID's to evaluate permissions
in a different way.
|
| |
|
|
| |
We can simply override proc_dead_name () to handle dead-name notifications.
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
mach_port_destroy () is a dangerous API that has to be used with extreme care.
Namely, it destroys not one user reference, but *all* user references that a
task has for a port name. Different parts of a program may all keep separate
references on a port without coordinating it with each other (which is the
whole idea behind reference counting). If one part of a program decides to
destroy a port with mach_port_destroy () without informing others, others may
still believe they hold a reference and will continue to use the name as if it
still refered to the now-destroyed port right. This consitutes a port
use-after-free, even if their use is also deallocating their reference.
In the particular case of the proc server, this manifested itself as
S_proc_reassign () destroying all user references to the task port right before
the task port right is deallocated again in the dead-name notification handler.
|
| |
|
|
| |
Reported-by: Etienne Brateau <etienne.brateau@gmail.com>
|
| |
|
|
|
| |
This follows mig's cf4bcc3f1435 ("Also add const qualifiers on server
side")
|
| |
|
|
| |
No actual behavior change.
|
| |
|
|
| |
* proc/wait.c (WNOWAIT): Define if not already defined.
|
| |
|
|
| |
* proc/wait.c (S_proc_mark_cont): Set p_status to __W_CONTINUED.
|
| |
|
|
|
| |
* proc/wait.c (S_proc_waitid): When options contains WNOWAIT, do not set
p_waited or complete child death.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
proc_wait assumes that the caller always wants WEXITED, but waitid()
does not. The new proc_waitid RPC requires the caller to specify at
least one of WEXITED, WSTOPPED, or WCONTINUED.
* hurd/process.defs (proc_waitid): New RPC.
* hurd/process_reply.defs (proc_waitid): New RPC.
* hurd/process_request.defs (proc_waitid): New RPC.
* proc/proc.h (struct proc): Add p_continued field.
* proc/wait.c (WCONTINUED, WEXITED): Define if not already defined.
(S_proc_wait): Rename implementation to S_proc_waitid, and modify to
stop assuming WEXITED. Add support for WCONTINUED.
(S_proc_wait): Reimplement by just calling S_proc_waitid with an
additional WEXITED.
(proc_mark_stop): Clear p_continued.
(proc_mark_cont): Set p_continued, clear p_waited, wake any waiting
parent.
|
| |
|
|
|
| |
* proc/wait.c (S_proc_mark_cont): When parent has not set nostopcld,
send a SIGCHLD with CLD_CONTINUED.
|
| |
|
|
|
|
|
|
| |
* proc/stubs.c (send_signal): Add a sigcode argument.
* proc/proc.h (send_signal): Declare the sigcode argument.
* proc/pgrp.c (leave_pgrp): Specify a null sigcode.
* proc/wait.c (alert_parent): Use CLD_EXITED for SIGCHLD on exit.
(S_proc_mark_stop): Use CLD_STOPPED for SIGCHLD on stop.
|
| |
|
|
|
| |
* proc/stubs.c (send_signal): Add missing warning in union inside
mach_msg_header_t.
|
| |
|
|
|
|
|
|
|
|
| |
* doc/hurd.texi: Index pthread.h instead of cthreads.h
* libports/Makefile (SRCS): Drop stubs.c.
* libports/stubs.c: Remove file.
* mach-defpager/default_pager.c (default_pager): Drop disabled cthreads
calls.
* pfinet/kmem_cache.c: Fix comment.
* proc/stubs.c: Fix comments.
|
