Luna/kernel/src/Pledge.cpp

#include "Pledge.h"
#include "Log.h"
#include "memory/MemoryManager.h"
#include "thread/Scheduler.h"

static const char* promise_names[] = {
#define __enumerate(promise) #promise,
    enumerate_promises(__enumerate)
#undef __enumerate
};

Result<void> check_pledge(Process* process, Promise promise)
{
    // Thread has not called pledge().
    if (process->promises < 0) return {};
    int mask = (1 << (int)promise);
    if ((process->promises & mask) != mask)
    {
        kerrorln("Pledge violation in process %d! Has not pledged %s", process->id, promise_names[(int)promise]);
        if (process->promises & (1 << (int)Promise::p_error)) return err(ENOSYS);

        Scheduler::for_each_thread(process, [](Thread* thread) {
            // Kill this thread with an uncatchable SIGABRT. For this, we reset the disposition of SIGABRT to the
            // default (dump core). We could just kill the thread here and be done, but that discards anything on the
            // current stack, which means that some destructors might not be called. Instead, leave the job to the next
            // call of Thread::process_pending_signals().
            thread->signal_handlers[SIGABRT - 1].sa_handler = SIG_DFL;

            // Unblock SIGABRT.
            thread->signal_mask.set(SIGABRT - 1, false);

            // If there are any other pending signals, they might be processed before SIGABRT. Avoid that by resetting
            // the thread's pending signals.
            thread->pending_signals.clear();

            thread->send_signal(SIGABRT);

            return true;
        });

        // This should never arrive to userspace, unless we're init and have ignored SIGABRT.
        return err(ENOSYS);
    }

    return {};
}

Result<int> parse_promises(u64 pledge)
{
    if (!pledge) return -1;

    auto text = TRY(MemoryManager::strdup_from_user(pledge));
    if (text.is_empty()) return 0;

    auto promises = TRY(text.split(" "));

    int result = 0;
    for (const auto& promise : promises)
    {
        for (int i = 0; i < (int)Promise::num_promises; i++)
        {
            if (promise.view() == promise_names[i])
            {
                result |= (1 << i);
                goto found;
            }
        }
        return err(EINVAL);
    found:
        continue;
    }

    return result;
}
kernel+libc: Add pledge support 2023-08-12 19:38:25 +00:00			`#include "Pledge.h"`
			`#include "Log.h"`
			`#include "memory/MemoryManager.h"`
kernel: Rework VFS access checking + add processes VFS functions now accept a single Process* pointer instead of credentials and groups. There is now a distinction between processes and threads Now to fix all the bugs... waitpid crashes the process with an NX error... 2024-12-06 20:35:59 +00:00			`#include "thread/Scheduler.h"`
kernel+libc: Add pledge support 2023-08-12 19:38:25 +00:00
			`static const char* promise_names[] = {`
			`#define __enumerate(promise) #promise,`
			`enumerate_promises(__enumerate)`
			`#undef __enumerate`
			`};`

kernel: Rework VFS access checking + add processes VFS functions now accept a single Process* pointer instead of credentials and groups. There is now a distinction between processes and threads Now to fix all the bugs... waitpid crashes the process with an NX error... 2024-12-06 20:35:59 +00:00			`Result<void> check_pledge(Process* process, Promise promise)`
kernel+libc: Add pledge support 2023-08-12 19:38:25 +00:00			`{`
			`// Thread has not called pledge().`
kernel: Rework VFS access checking + add processes VFS functions now accept a single Process* pointer instead of credentials and groups. There is now a distinction between processes and threads Now to fix all the bugs... waitpid crashes the process with an NX error... 2024-12-06 20:35:59 +00:00			`if (process->promises < 0) return {};`
kernel+libc: Add pledge support 2023-08-12 19:38:25 +00:00			`int mask = (1 << (int)promise);`
kernel: Rework VFS access checking + add processes VFS functions now accept a single Process* pointer instead of credentials and groups. There is now a distinction between processes and threads Now to fix all the bugs... waitpid crashes the process with an NX error... 2024-12-06 20:35:59 +00:00			`if ((process->promises & mask) != mask)`
kernel+libc: Add pledge support 2023-08-12 19:38:25 +00:00			`{`
kernel: Rework VFS access checking + add processes VFS functions now accept a single Process* pointer instead of credentials and groups. There is now a distinction between processes and threads Now to fix all the bugs... waitpid crashes the process with an NX error... 2024-12-06 20:35:59 +00:00			`kerrorln("Pledge violation in process %d! Has not pledged %s", process->id, promise_names[(int)promise]);`
			`if (process->promises & (1 << (int)Promise::p_error)) return err(ENOSYS);`
kernel+libc: Add pledge support 2023-08-12 19:38:25 +00:00
kernel: Rework VFS access checking + add processes VFS functions now accept a single Process* pointer instead of credentials and groups. There is now a distinction between processes and threads Now to fix all the bugs... waitpid crashes the process with an NX error... 2024-12-06 20:35:59 +00:00			`Scheduler::for_each_thread(process, [](Thread* thread) {`
			`// Kill this thread with an uncatchable SIGABRT. For this, we reset the disposition of SIGABRT to the`
			`// default (dump core). We could just kill the thread here and be done, but that discards anything on the`
			`// current stack, which means that some destructors might not be called. Instead, leave the job to the next`
			`// call of Thread::process_pending_signals().`
			`thread->signal_handlers[SIGABRT - 1].sa_handler = SIG_DFL;`
kernel+libc: Add pledge support 2023-08-12 19:38:25 +00:00
kernel: Rework VFS access checking + add processes VFS functions now accept a single Process* pointer instead of credentials and groups. There is now a distinction between processes and threads Now to fix all the bugs... waitpid crashes the process with an NX error... 2024-12-06 20:35:59 +00:00			`// Unblock SIGABRT.`
			`thread->signal_mask.set(SIGABRT - 1, false);`
libluna: Document Bitset.h 2023-08-23 12:45:53 +00:00
kernel: Rework VFS access checking + add processes VFS functions now accept a single Process* pointer instead of credentials and groups. There is now a distinction between processes and threads Now to fix all the bugs... waitpid crashes the process with an NX error... 2024-12-06 20:35:59 +00:00			`// If there are any other pending signals, they might be processed before SIGABRT. Avoid that by resetting`
			`// the thread's pending signals.`
			`thread->pending_signals.clear();`
kernel+libc: Add pledge support 2023-08-12 19:38:25 +00:00
kernel: Rework VFS access checking + add processes VFS functions now accept a single Process* pointer instead of credentials and groups. There is now a distinction between processes and threads Now to fix all the bugs... waitpid crashes the process with an NX error... 2024-12-06 20:35:59 +00:00			`thread->send_signal(SIGABRT);`

			`return true;`
			`});`
kernel+libc: Add pledge support 2023-08-12 19:38:25 +00:00
libluna: Document Bitset.h 2023-08-23 12:45:53 +00:00			`// This should never arrive to userspace, unless we're init and have ignored SIGABRT.`
kernel+libc: Add pledge support 2023-08-12 19:38:25 +00:00			`return err(ENOSYS);`
			`}`

			`return {};`
			`}`

			`Result<int> parse_promises(u64 pledge)`
			`{`
			`if (!pledge) return -1;`

			`auto text = TRY(MemoryManager::strdup_from_user(pledge));`
			`if (text.is_empty()) return 0;`

			`auto promises = TRY(text.split(" "));`

			`int result = 0;`
			`for (const auto& promise : promises)`
			`{`
			`for (int i = 0; i < (int)Promise::num_promises; i++)`
			`{`
			`if (promise.view() == promise_names[i])`
			`{`
			`result \|= (1 << i);`
			`goto found;`
			`}`
			`}`
			`return err(EINVAL);`
			`found:`
			`continue;`
			`}`

			`return result;`
			`}`