1. 13 Feb, 2017 2 commits
  2. 22 Jan, 2017 2 commits
  3. 29 Dec, 2016 1 commit
  4. 27 Dec, 2016 1 commit
    • Revert "Add <limits.h>." · 0cf88fd5
      Jonas Termansen authored
      This reverts commit f6cde2d7.
      
      gcc detected this header existing and emitted its own limits.h that
      included the libc limits.h. This caused the #include_next chain to reach
      the end and including the header failed.
      
      Undoing this commit for now until the compiler toolchain is updated to
      avoid this problem.
  5. 27 Nov, 2016 4 commits
  6. 23 Nov, 2016 4 commits
    • Add pseudo terminals. · b38c8485
      Jonas Termansen authored
      This is a compatible ABI change riding on the previous commit's bump.
    • Detect whether the terminal has a display and a keyboard layout. · 6ef5a5ce
      Jonas Termansen authored
      A new ioctl TIOCGDISPLAYS allows detecting which displays the terminal
      has associated. The ability to set a keyboard layout can be detected
      with tcgetblob kblayout.
      
      Improve the user-space multi-monitor support while here.
      
      The kernel now sets TERM rather than init(8).
      
      This is a compatible ABI change riding on the previous commit's bump.
    • Add support for sessions. · db7182dd
      Jonas Termansen authored
      This change refactors the process group implementation and adds support
      for sessions. The setsid(2) and getsid(2) system calls were added.
      
      psctl(2) now has PSCTL_TTYNAME, which lets you get the name of a process's
      terminal, and ps(1) now uses it.
      
      The initial terminal is now called /dev/tty1.
      
      /dev/tty is now a factory for the current terminal.
      
      A global lock now protects the process hierarchy which makes it safe to
      access other processes. This refactor removes potential vulnerabilities
      and increases system robustness.
      
      A number of terminal ioctls have been added.
      
      This is a compatible ABI change.
    • Add factory inode support. · d529a1e3
      Jonas Termansen authored
  7. 22 Nov, 2016 1 commit
  8. 06 Nov, 2016 1 commit
  9. 05 Nov, 2016 3 commits
  10. 03 Nov, 2016 3 commits
  11. 30 Oct, 2016 1 commit
  12. 17 Oct, 2016 1 commit
  13. 03 Oct, 2016 2 commits
    • Seed kernel entropy with randomness from the previous boot. · 84c0844f
      Jonas Termansen authored
      The bootloader will now load the /boot/random.seed file if it exists, in
      which case the kernel will use it as the initial kernel entropy. The kernel
      warns if no random seed was loaded, unless the --no-random-seed option was
      given. This option is used for live environments that inherently have no
      prior secret state. The kernel initializes its entropy pool from the random
      seed as one of the first things, so randomness is available very early on.
      
      init(8) will emit a fresh /boot/random.seed file on boot to avoid the same
      entropy being used twice. init(8) also writes out /boot/random.seed on
      system shutdown, where the system has the most entropy. init(8) will warn if
      writing the file fails, except if /boot is a read-only filesystem, and
      keeping such state is impossible. The system administrator is then
      responsible for ensuring the bootloader somehow passes a fresh random seed
      on the next boot.
      
      /boot/random.seed must be owned by the root user and root group and must
      have file permissions 600 so that unprivileged users cannot read it. The
      file is passed to the kernel by the bootloader as a multiboot module with
      the command line --random-seed.
      
      If no random seed is loaded, the kernel attempts a poor quality fallback
      where it seeds the kernel arc4random(3) continuously with the current time.
      The timing variance may provide some effective entropy. There is no real
      kernel entropy gathering yet. The read of the CMOS real time clock is moved
      to an early point in the kernel boot, so the current time is available as
      fallback entropy.
      
      The kernel access of the random seed module is supposed to be infallible
      and happens before the kernel log is set up, but there is not yet a failsafe
      API for mapping single pages in the early kernel.
      
      sysupgrade(8) creates /boot/random.seed if it's absent as a temporary
      compatibility measure for people upgrading from the 1.0 release. The GRUB
      port will need to be upgraded with support for /boot/random.seed in the
      10_sortix script. Installation with manual bootloader configuration will
      need to load the random seed with the --random-seed command line. With GRUB,
      this can be done with: module /boot/random.seed --random-seed
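      As an added illustration (example code, not Sortix code and not part of
      this commit), the following userland C program models the random.seed
      lifecycle the message describes: a seed file is accepted only when it is a
      regular file owned by the expected user and group with mode exactly 0600,
      its bytes are mixed into a pool, and the file is immediately replaced with
      fresh pool output so the same bytes can never seed two boots; when no seed
      is present the clock is mixed in as the poor-quality fallback. The
      splitmix64 pool, the scratch directory under /tmp and the use of the
      caller's own uid/gid instead of root:root are assumptions of the demo.

```c
#define _XOPEN_SOURCE 700
#define _DEFAULT_SOURCE
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <time.h>
#include <unistd.h>

#define SEED_LEN 64

/* Toy entropy pool standing in for the kernel's arc4random(3) state.
 * splitmix64 is deterministic and NOT cryptographic; it only models the
 * seed/rotate data flow (assumption of this demo). */
typedef struct { uint64_t s[4]; } pool_t;

static uint64_t splitmix64(uint64_t *x) {
    uint64_t z = (*x += 0x9E3779B97F4A7C15ULL);
    z = (z ^ (z >> 30)) * 0xBF58476D1CE4E5B9ULL;
    z = (z ^ (z >> 27)) * 0x94D049BB133111EBULL;
    return z ^ (z >> 31);
}

static void pool_mix(pool_t *p, const void *data, size_t len) {
    const uint8_t *d = data;
    for (size_t i = 0; i < len; i++) {
        p->s[i % 4] ^= (uint64_t)d[i] << ((i % 8) * 8);
        splitmix64(&p->s[i % 4]);              /* stir the lane */
    }
}

static void pool_output(pool_t *p, uint8_t *out, size_t len) {
    for (size_t i = 0; i < len; i += 8) {
        uint64_t v = splitmix64(&p->s[(i / 8) % 4]);
        size_t n = len - i < 8 ? len - i : 8;
        memcpy(out + i, &v, n);
    }
}

/* Invariants from the commit message: regular file, expected owner and
 * group (root:root on a real system), mode exactly 0600, full length. */
int seed_file_ok(const char *path, uid_t owner, gid_t group) {
    struct stat st;
    if (lstat(path, &st) != 0 || !S_ISREG(st.st_mode)) return 0;
    if (st.st_uid != owner || st.st_gid != group) return 0;
    if ((st.st_mode & 07777) != 0600) return 0;
    return st.st_size == SEED_LEN;
}

/* Atomic replace: temp file created 0600 with O_EXCL (a planted symlink is
 * not followed), fsync, then rename, so a crash never leaves a short or
 * world-readable seed behind. */
int write_seed(const char *path, const uint8_t seed[SEED_LEN]) {
    char tmp[1024];
    snprintf(tmp, sizeof tmp, "%s.tmp", path);
    int fd = open(tmp, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0) return -1;
    int ok = fchmod(fd, 0600) == 0 && write(fd, seed, SEED_LEN) == SEED_LEN &&
             fsync(fd) == 0;
    ok = close(fd) == 0 && ok;
    if (ok) ok = rename(tmp, path) == 0;
    if (!ok) unlink(tmp);
    return ok ? 0 : -1;
}

static int read_seed(const char *path, uint8_t buf[SEED_LEN]) {
    int fd = open(path, O_RDONLY | O_NOFOLLOW);
    if (fd < 0) return -1;
    ssize_t n = read(fd, buf, SEED_LEN);
    close(fd);
    return n == SEED_LEN ? 0 : -1;
}

/* 1 when seeded from the file, 0 after the poor-quality clock fallback
 * (a real init(8)/kernel would warn in that case). */
int seed_pool(pool_t *p, const char *path, uid_t owner, gid_t group) {
    uint8_t buf[SEED_LEN];
    if (seed_file_ok(path, owner, group) && read_seed(path, buf) == 0) {
        pool_mix(p, buf, SEED_LEN);
        return 1;
    }
    struct timespec ts;
    clock_gettime(CLOCK_REALTIME, &ts);
    pool_mix(p, &ts, sizeof ts);
    return 0;
}

/* Replace the consumed seed with fresh output right away so the same bytes
 * are never fed to two boots. */
int rotate_seed(pool_t *p, const char *path) {
    uint8_t fresh[SEED_LEN];
    pool_output(p, fresh, SEED_LEN);
    return write_seed(path, fresh);
}

/* Two simulated boots in a scratch directory; 0 on success, else the
 * number of the failing step. */
int demo_seed_lifecycle(void) {
    char dir[] = "/tmp/seed.XXXXXX", path[600];
    if (!mkdtemp(dir)) return 1;
    snprintf(path, sizeof path, "%s/random.seed", dir);
    uid_t u = geteuid(); gid_t g = getegid();
    pool_t p = {{1, 2, 3, 4}};
    uint8_t a[SEED_LEN], b[SEED_LEN];
    int rc = 0;
    if (seed_pool(&p, path, u, g) != 0) rc = 2;          /* first boot: no file, fallback */
    else if (rotate_seed(&p, path) != 0) rc = 3;
    else if (!seed_file_ok(path, u, g) || read_seed(path, a)) rc = 4;
    else if (seed_pool(&p, path, u, g) != 1) rc = 5;     /* second boot: file accepted */
    else if (rotate_seed(&p, path) != 0 || read_seed(path, b)) rc = 6;
    else if (memcmp(a, b, SEED_LEN) == 0) rc = 7;        /* seed must have been rotated */
    else if (chmod(path, 0644) != 0 || seed_file_ok(path, u, g)) rc = 8; /* 0644: rejected */
    unlink(path);
    rmdir(dir);
    return rc;
}

int main(void) {
    int rc = demo_seed_lifecycle();
    printf("random.seed lifecycle: %s (step %d)\n", rc ? "FAILED" : "ok", rc);
    return rc;
}
```

      The demo writes the rotated seed before anything else runs, which is the
      ordering the commit relies on: if the machine crashes after the seed is
      consumed but before it is rewritten, the next boot would otherwise reuse
      the same bytes.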
    • Allow detecting fallback video modes. · 6944250b
      Jonas Termansen authored
  14. 28 Sep, 2016 5 commits
  15. 25 Sep, 2016 1 commit
  16. 21 Aug, 2016 1 commit
  17. 20 Aug, 2016 3 commits
  18. 29 Jul, 2016 2 commits
  19. 15 May, 2016 2 commits
    • Add protection against sigreturn oriented programming (SROP). · 2e03bd94
      Jonas Termansen authored
      This change hardens against invalid calls to sigreturn, which is a very
      useful gadget when compromising a process. The system call now verifies
      it is a real return from a signal and aborts the process otherwise. This
      should render such attacks impossible in threads that are not servicing a
      signal, and infeasible in threads that are handling signals they are yet to
      return from.
      
      The kernel now keeps track, for each thread, of how many signals are being
      handled but haven't returned yet.
      
      Each thread now has a random signal value. It is re-randomized when the
      thread handles a signal and the current signal counter is zero. This is
      XORed with the context address and used as a canary on the stack during
      signal dispatch, protecting the saved context on the stack. This works
      mostly like the regular stack protector.
      
      The kernel now keeps track of the stack pointer for a single handled
      signal per thread. It doesn't seem worth it to keep track of multiple
      handled signals, as more than one is rare. Note that each delivered signal
      will not necessarily result in a sigreturn because it is valid for a thread
      to longjmp(3) out of a signal handler to a valid jmp_buf.
      
      The sigreturn system call will abort if either:
      
      - It was not called from the kernel sigreturn page.
      - The thread is not currently processing a signal.
      - The thread is processing a single signal, and the stack pointer did not
        have the expected value.
      - It fails to read the context on the stack.
      - The canary is wrong.
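      The following is an added, self-contained C simulation of the checks
      listed above (example code, not the Sortix kernel's implementation). A
      simulated thread keeps the count of signals in progress, a per-thread
      random value that is re-drawn only when that count is zero, and the stack
      pointer of the single tracked signal; the canary is the random value XORed
      with the frame address. The address range of the sigreturn page, the frame
      layout, the stand-in random generator and the scenario values are
      assumptions of the demo.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical address range of the kernel-provided sigreturn page. */
#define SIGRETURN_PAGE_START 0x7fff0000UL
#define SIGRETURN_PAGE_END   0x7fff1000UL

typedef struct { uint64_t regs[16]; uint64_t pc; } ctx_t;

/* The frame the kernel pushes on the user stack at signal dispatch. */
typedef struct { ctx_t ctx; uint64_t canary; } sigframe_t;

typedef struct {
    unsigned in_signal;    /* signals dispatched but not yet returned from */
    uint64_t sig_random;   /* per-thread random value, re-drawn when in_signal == 0 */
    uintptr_t saved_sp;    /* stack pointer recorded for the single tracked signal */
    uint64_t stack[512];   /* simulated user stack, grows down */
    uintptr_t sp;
} thread_t;

enum sr_result { SR_OK, SR_BAD_CALLER, SR_NO_SIGNAL, SR_BAD_SP, SR_BAD_READ, SR_BAD_CANARY };

static uint64_t kernel_random64(void) {        /* stand-in for a kernel CSPRNG */
    static uint64_t x = 0x243F6A8885A308D3ULL;
    uint64_t z = (x += 0x9E3779B97F4A7C15ULL);
    z = (z ^ (z >> 30)) * 0xBF58476D1CE4E5B9ULL;
    z = (z ^ (z >> 27)) * 0x94D049BB133111EBULL;
    return z ^ (z >> 31);
}

/* Canary = thread secret XOR frame address, as the commit describes. */
static uint64_t canary_for(const thread_t *t, const sigframe_t *f) {
    return t->sig_random ^ (uint64_t)(uintptr_t)f;
}

static void thread_init(thread_t *t) {
    memset(t, 0, sizeof *t);
    t->sp = (uintptr_t)(t->stack + 512);
}

/* Kernel side of signal dispatch: push the frame, stamp the canary,
 * remember the stack pointer for the first in-flight signal. */
sigframe_t *dispatch_signal(thread_t *t, const ctx_t *interrupted) {
    if (t->in_signal == 0) t->sig_random = kernel_random64();
    t->sp -= sizeof(sigframe_t);
    sigframe_t *f = (sigframe_t *)t->sp;
    f->ctx = *interrupted;
    f->canary = canary_for(t, f);
    if (t->in_signal == 0) t->saved_sp = t->sp;
    t->in_signal++;
    return f;
}

/* Kernel side of sigreturn: the five abort conditions, checked in order. */
enum sr_result sys_sigreturn(thread_t *t, uintptr_t caller_pc, uintptr_t sp, ctx_t *restored) {
    if (caller_pc < SIGRETURN_PAGE_START || caller_pc >= SIGRETURN_PAGE_END) return SR_BAD_CALLER;
    if (t->in_signal == 0) return SR_NO_SIGNAL;
    if (t->in_signal == 1 && sp != t->saved_sp) return SR_BAD_SP;
    uintptr_t lo = (uintptr_t)t->stack, hi = lo + sizeof t->stack;
    if (sp < lo || sp + sizeof(sigframe_t) > hi || sp % 8) return SR_BAD_READ;
    const sigframe_t *f = (const sigframe_t *)sp;
    if (f->canary != canary_for(t, f)) return SR_BAD_CANARY;
    *restored = f->ctx;
    t->in_signal--;
    t->sp = sp + sizeof(sigframe_t);
    return SR_OK;
}

static const ctx_t user_ctx = { {0}, 0x401000 };   /* constructed interrupted state */

/* Genuine handler returning through the sigreturn page: 1 if the saved pc came back. */
int scenario_legit(void) {
    thread_t t; ctx_t out; thread_init(&t);
    dispatch_signal(&t, &user_ctx);
    return sys_sigreturn(&t, SIGRETURN_PAGE_START + 4, t.sp, &out) == SR_OK && out.pc == user_ctx.pc;
}

/* sigreturn with no signal in flight. */
enum sr_result scenario_no_signal(void) {
    thread_t t; ctx_t out; thread_init(&t);
    return sys_sigreturn(&t, SIGRETURN_PAGE_START + 4, t.sp, &out);
}

/* Syscall issued from a ROP gadget outside the sigreturn page. */
enum sr_result scenario_bad_caller(void) {
    thread_t t; ctx_t out; thread_init(&t);
    dispatch_signal(&t, &user_ctx);
    return sys_sigreturn(&t, 0x401234, t.sp, &out);
}

/* Attacker points sp at a frame of their own below the real one. */
enum sr_result scenario_wrong_sp(void) {
    thread_t t; ctx_t out; thread_init(&t);
    dispatch_signal(&t, &user_ctx);
    return sys_sigreturn(&t, SIGRETURN_PAGE_START + 4, t.sp - 16, &out);
}

/* Attacker overwrites the real frame (e.g. via a stack overflow) without
 * knowing the per-thread secret, so the canary cannot be reproduced. */
enum sr_result scenario_forged_canary(void) {
    thread_t t; ctx_t out; thread_init(&t);
    sigframe_t *f = dispatch_signal(&t, &user_ctx);
    f->ctx.pc = 0xdeadbeef;   /* desired gadget */
    f->canary = 0;            /* guess */
    return sys_sigreturn(&t, SIGRETURN_PAGE_START + 4, t.sp, &out);
}

int main(void) {
    printf("legit=%d no_signal=%d bad_caller=%d wrong_sp=%d forged=%d\n",
           scenario_legit(), scenario_no_signal(), scenario_bad_caller(),
           scenario_wrong_sp(), scenario_forged_canary());
    return 0;
}
```

      The canary check is only as strong as the secrecy of the per-thread
      random value: an attacker with a read primitive on the thread's stack can
      recover the canary from a frame that is still in flight, which is why the
      commit calls the attack infeasible rather than impossible for threads
      currently handling a signal.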
    • Clean up errno. · 9b986798
      Jonas Termansen authored