Kernel: Implement supplementary groups

This code has very ugly file parsing code. I have to create API
for reading files line by line in kernel space...

This allows users to open framebuffer/input files without root.

Mounting has to be moved to userspace soon. It makes no sense to
hard code permissions for every (device) file.
This commit is contained in:
Bananymous 2024-01-02 23:19:58 +02:00
parent 96d831c31a
commit 9fa13079f2
8 changed files with 188 additions and 5 deletions

Binary file not shown.

View File

@ -14,6 +14,7 @@ set(KERNEL_SOURCES
kernel/APIC.cpp kernel/APIC.cpp
kernel/BootInfo.cpp kernel/BootInfo.cpp
kernel/CPUID.cpp kernel/CPUID.cpp
kernel/Credentials.cpp
kernel/Debug.cpp kernel/Debug.cpp
kernel/Device/Device.cpp kernel/Device/Device.cpp
kernel/Device/FramebufferDevice.cpp kernel/Device/FramebufferDevice.cpp

View File

@ -1,5 +1,7 @@
#pragma once #pragma once
#include <BAN/Vector.h>
#include <sys/types.h> #include <sys/types.h>
namespace Kernel namespace Kernel
@ -31,9 +33,17 @@ namespace Kernel
bool is_superuser() const { return m_euid == 0; } bool is_superuser() const { return m_euid == 0; }
bool has_egid(gid_t) const;
BAN::ErrorOr<void> initialize_supplementary_groups();
private:
BAN::ErrorOr<BAN::String> find_username() const;
private: private:
uid_t m_ruid, m_euid, m_suid; uid_t m_ruid, m_euid, m_suid;
gid_t m_rgid, m_egid, m_sgid; gid_t m_rgid, m_egid, m_sgid;
BAN::Vector<gid_t> m_supplementary;
}; };
} }

View File

@ -0,0 +1,165 @@
#include <kernel/Credentials.h>
#include <kernel/FS/VirtualFileSystem.h>
#include <ctype.h>
#include <fcntl.h>
namespace Kernel
{
static id_t parse_id(BAN::StringView line)
{
id_t id = 0;
for (char c : line)
{
if (!isdigit(c))
return -1;
id = (id * 10) + (c - '0');
}
return id;
};
BAN::ErrorOr<BAN::String> Credentials::find_username() const
{
auto inode = TRY(VirtualFileSystem::get().file_from_absolute_path(*this, "/etc/passwd"sv, O_RDONLY)).inode;
BAN::String line;
off_t offset = 0;
uint8_t buffer[128];
while (offset < inode->size())
{
size_t nread = TRY(inode->read(offset, { buffer, sizeof(buffer) }));
bool line_done = false;
for (size_t i = 0; i < nread; i++)
{
if (buffer[i] == '\n')
{
TRY(line.append({ (const char*)buffer, i }));
line_done = true;
offset += i + 1;
break;
}
}
if (!line_done)
{
offset += nread;
TRY(line.append({ (const char*)buffer, nread }));
continue;
}
auto parts = TRY(line.sv().split(':', true));
if (parts.size() == 7 && m_euid == parse_id(parts[2]))
{
BAN::String result;
TRY(result.append(parts[0]));
return result;
}
line.clear();
}
auto parts = TRY(line.sv().split(':', true));
if (parts.size() == 7 && m_euid == parse_id(parts[2]))
{
BAN::String result;
TRY(result.append(parts[0]));
return result;
}
return BAN::Error::from_errno(EINVAL);
}
BAN::ErrorOr<void> Credentials::initialize_supplementary_groups()
{
m_supplementary.clear();
auto username = TRY(find_username());
auto file_or_error = VirtualFileSystem::get().file_from_absolute_path(*this, "/etc/group", O_RDONLY);
if (file_or_error.is_error())
{
if (file_or_error.error().get_error_code() == ENOENT)
return {};
return file_or_error.error();
}
auto inode = file_or_error.value().inode;
BAN::String line;
off_t offset = 0;
uint8_t buffer[128];
while (offset < inode->size())
{
size_t nread = TRY(inode->read(offset, { buffer, sizeof(buffer) }));
bool line_done = false;
for (size_t i = 0; i < nread; i++)
{
if (buffer[i] == '\n')
{
TRY(line.append({ (const char*)buffer, i }));
line_done = true;
offset += i + 1;
break;
}
}
if (!line_done)
{
offset += nread;
TRY(line.append({ (const char*)buffer, nread }));
continue;
}
auto parts = TRY(line.sv().split(':', true));
if (parts.size() != 4)
{
line.clear();
continue;
}
auto users = TRY(parts[3].split(','));
for (auto user : users)
{
if (user != username)
continue;
if (gid_t gid = parse_id(parts[2]); gid != -1)
{
TRY(m_supplementary.push_back(gid));
break;
}
}
line.clear();
}
auto parts = TRY(line.sv().split(':', true));
if (parts.size() == 4)
{
auto users = TRY(parts[3].split(','));
for (auto user : users)
{
if (user != username)
continue;
if (gid_t gid = parse_id(parts[2]); gid != -1)
{
TRY(m_supplementary.push_back(gid));
break;
}
}
}
return {};
}
bool Credentials::has_egid(gid_t gid) const
{
if (m_egid == gid)
return true;
for (gid_t supplementary : m_supplementary)
if (gid == supplementary)
return true;
return false;
}
}

View File

@ -22,7 +22,7 @@ namespace Kernel
if (g_boot_info.framebuffer.bpp != 24 && g_boot_info.framebuffer.bpp != 32) if (g_boot_info.framebuffer.bpp != 24 && g_boot_info.framebuffer.bpp != 32)
return BAN::Error::from_errno(ENOTSUP); return BAN::Error::from_errno(ENOTSUP);
auto* device_ptr = new FramebufferDevice( auto* device_ptr = new FramebufferDevice(
0666, 0, 0, 0660, 0, 900,
DevFileSystem::get().get_next_dev(), DevFileSystem::get().get_next_dev(),
g_boot_info.framebuffer.address, g_boot_info.framebuffer.address,
g_boot_info.framebuffer.width, g_boot_info.framebuffer.width,

View File

@ -17,7 +17,7 @@ namespace Kernel
{ } { }
else if ((mode().mode & S_IRUSR) && credentials.euid() == uid()) else if ((mode().mode & S_IRUSR) && credentials.euid() == uid())
{ } { }
else if ((mode().mode & S_IRGRP) && credentials.egid() == gid()) else if ((mode().mode & S_IRGRP) && credentials.has_egid(gid()))
{ } { }
else else
{ {
@ -31,7 +31,7 @@ namespace Kernel
{ } { }
else if ((mode().mode & S_IWUSR) && credentials.euid() == uid()) else if ((mode().mode & S_IWUSR) && credentials.euid() == uid())
{ } { }
else if ((mode().mode & S_IWGRP) && credentials.egid() == gid()) else if ((mode().mode & S_IWGRP) && credentials.has_egid(gid()))
{ } { }
else else
{ {
@ -45,7 +45,7 @@ namespace Kernel
{ } { }
else if ((mode().mode & S_IXUSR) && credentials.euid() == uid()) else if ((mode().mode & S_IXUSR) && credentials.euid() == uid())
{ } { }
else if ((mode().mode & S_IXGRP) && credentials.egid() == gid()) else if ((mode().mode & S_IXGRP) && credentials.has_egid(gid()))
{ } { }
else else
{ {

View File

@ -69,7 +69,7 @@ namespace Kernel::Input
static PS2Controller* s_instance = nullptr; static PS2Controller* s_instance = nullptr;
PS2Device::PS2Device() PS2Device::PS2Device()
: CharacterDevice(0440, 0, 0) : CharacterDevice(0440, 0, 901)
, m_name(BAN::String::formatted("input{}", DevFileSystem::get().get_next_input_device())) , m_name(BAN::String::formatted("input{}", DevFileSystem::get().get_next_input_device()))
{ } { }

View File

@ -116,6 +116,8 @@ namespace Kernel
BAN::ErrorOr<Process*> Process::create_userspace(const Credentials& credentials, BAN::StringView path) BAN::ErrorOr<Process*> Process::create_userspace(const Credentials& credentials, BAN::StringView path)
{ {
auto* process = create_process(credentials, 0); auto* process = create_process(credentials, 0);
TRY(process->m_credentials.initialize_supplementary_groups());
MUST(process->m_working_directory.push_back('/')); MUST(process->m_working_directory.push_back('/'));
process->m_page_table = BAN::UniqPtr<PageTable>::adopt(MUST(PageTable::create_userspace())); process->m_page_table = BAN::UniqPtr<PageTable>::adopt(MUST(PageTable::create_userspace()));
@ -1348,6 +1350,7 @@ namespace Kernel
m_credentials.set_euid(uid); m_credentials.set_euid(uid);
m_credentials.set_ruid(uid); m_credentials.set_ruid(uid);
m_credentials.set_suid(uid); m_credentials.set_suid(uid);
TRY(m_credentials.initialize_supplementary_groups());
return 0; return 0;
} }
@ -1356,6 +1359,7 @@ namespace Kernel
if (uid == m_credentials.ruid() || uid == m_credentials.suid()) if (uid == m_credentials.ruid() || uid == m_credentials.suid())
{ {
m_credentials.set_euid(uid); m_credentials.set_euid(uid);
TRY(m_credentials.initialize_supplementary_groups());
return 0; return 0;
} }
@ -1402,6 +1406,7 @@ namespace Kernel
if (uid == m_credentials.ruid() || uid == m_credentials.suid() || m_credentials.is_superuser()) if (uid == m_credentials.ruid() || uid == m_credentials.suid() || m_credentials.is_superuser())
{ {
m_credentials.set_euid(uid); m_credentials.set_euid(uid);
TRY(m_credentials.initialize_supplementary_groups());
return 0; return 0;
} }
@ -1468,6 +1473,8 @@ namespace Kernel
if (euid != -1) if (euid != -1)
m_credentials.set_euid(euid); m_credentials.set_euid(euid);
TRY(m_credentials.initialize_supplementary_groups());
return 0; return 0;
} }