P7 login diagnostics, P11 init noise reduction, config layering fix

2026-05-29 19:13:16 +03:00
parent 0ccc233131
commit daf131d435
25 changed files with 23181 additions and 38 deletions
+2
@@ -144,6 +144,7 @@ type = "oneshot_async"
[[files]] [[files]]
path = "/etc/issue" path = "/etc/issue"
postinstall = true
data = """ data = """
____ _ ____ ___ ____ ____ _ ____ ___ ____
| _ \\ ___ __| | __ ) ___ __ _ _ __ / _ \\/ ___| | _ \\ ___ __| | __ ) ___ __ _ _ __ / _ \\/ ___|
@@ -159,6 +160,7 @@ data = """
[[files]] [[files]]
path = "/etc/motd" path = "/etc/motd"
postinstall = true
data = """ data = """
____ _ ____ ___ ____ ____ _ ____ ___ ____
| _ \\ ___ __| | __ ) ___ __ _ _ __ / _ \\/ ___| | _ \\ ___ __| | __ ) ___ __ _ _ __ / _ \\/ ___|
@@ -0,0 +1,13 @@
diff --git a/init/src/main.rs b/init/src/main.rs
index e7f6712f..6b9da2b2 100644
--- a/init/src/main.rs
+++ b/init/src/main.rs
@@ -169,0 +170 @@ fn main() {
+ if init_config.log_debug {
@@ -171 +172,2 @@ fn main() {
- init_warn(&format!("rootfs-file: {}", name));
+ init_debug(&format!("rootfs-file: {}", name));
+ }
@@ -180 +182 @@ fn main() {
- init_warn(&format!(
+ init_debug(&format!(
@@ -0,0 +1,7 @@
diff --git a/src/main.rs b/src/main.rs
index be5f3b7..531b167 100644
--- a/src/main.rs
+++ b/src/main.rs
@@ -514 +514 @@ fn main(os: &impl Os) -> (usize, u64, KernelArgs) {
- "Redox OS Bootloader {} on {}",
+ "RedBear OS Bootloader {} on {}",
@@ -0,0 +1,46 @@
diff --git a/src/bin/login.rs b/src/bin/login.rs
index 6e1fda6..e0878c9 100644
--- a/src/bin/login.rs
+++ b/src/bin/login.rs
@@ -193,2 +193,7 @@ pub fn main() {
- let before_ns_fd =
- apply_login_schemes(user, &DEFAULT_SCHEMES).unwrap_or_exit(1);
+ let before_ns_fd = match apply_login_schemes(user, &DEFAULT_SCHEMES) {
+ Ok(fd) => fd,
+ Err(err) => {
+ eprintln!("login: apply_login_schemes failed: {}", err);
+ std::process::exit(1);
+ }
+ };
@@ -201,2 +206,8 @@ pub fn main() {
- drop_privileges(user).unwrap_or_exit(1);
- spawn_shell(user).unwrap_or_exit(1);
+ if let Err(err) = drop_privileges(user) {
+ eprintln!("login: drop_privileges failed: {}", err);
+ std::process::exit(1);
+ }
+ if let Err(err) = spawn_shell(user) {
+ eprintln!("login: spawn_shell failed: {}", err);
+ std::process::exit(1);
+ }
@@ -225,2 +236,7 @@ pub fn main() {
- let before_ns_fd =
- apply_login_schemes(user, &DEFAULT_SCHEMES).unwrap_or_exit(1);
+ let before_ns_fd = match apply_login_schemes(user, &DEFAULT_SCHEMES) {
+ Ok(fd) => fd,
+ Err(err) => {
+ eprintln!("login: apply_login_schemes failed: {}", err);
+ std::process::exit(1);
+ }
+ };
@@ -233,2 +249,8 @@ pub fn main() {
- drop_privileges(user).unwrap_or_exit(1);
- spawn_shell(user).unwrap_or_exit(1);
+ if let Err(err) = drop_privileges(user) {
+ eprintln!("login: drop_privileges failed: {}", err);
+ std::process::exit(1);
+ }
+ if let Err(err) = spawn_shell(user) {
+ eprintln!("login: spawn_shell failed: {}", err);
+ std::process::exit(1);
+ }
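Review bot: The same three report-and-exit blocks are written out twice in `main` (the hunks at new lines 193/206 and again at 236/249), so the two login paths can drift apart on the privilege-drop step. One small helper would keep the failure handling for `apply_login_schemes`, `drop_privileges` and `spawn_shell` identical in both paths. The helper sketched below prints the same `login: <step> failed: <err>` text and exits with status 1, so behaviour is unchanged. Exiting when `drop_privileges` fails is the right fail-closed behaviour and must be kept. `main` starts and ends outside these hunks.

```rust
fn or_exit<T, E: std::fmt::Display>(step: &str, result: Result<T, E>) -> T {
    result.unwrap_or_else(|err| {
        eprintln!("login: {} failed: {}", step, err);
        std::process::exit(1)
    })
}

// … in main, at both call sites …
let before_ns_fd = or_exit("apply_login_schemes", apply_login_schemes(user, &DEFAULT_SCHEMES));
// … unchanged: code between the scheme setup and the privilege drop …
or_exit("drop_privileges", drop_privileges(user));
or_exit("spawn_shell", spawn_shell(user));
```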
@@ -1,12 +1,10 @@
_ _
| | (_)
| | ___ _ ___ _ __ _ _ ___
| |/ / || |/ _ \ | '_ \| | | / __|
| < | || | (_) || |_) | |_| \__ \
|_|\_\|_|/ |\___/ | .__/ \__,_|___/
|__/ | |
|_|
Red Bear OS v0.2.0 "Liliya" — Built on Redox OS ____ _ ____ ___ ____
| _ \ ___ __| | __ ) ___ __ _ _ __ / _ \/ ___|
| |_) / _ \ / _` | _ \ / _ \/ _` | '__| | | | \___ \
| _ < __/ (_| | |_) | __/ (_| | | | |_| |___) |
|_| \_\___|\__,_|____/ \___|\__,_|_| \___/|____/
v0.2.2 "Liliya" — Built on Redox OS
Type 'help' for available commands. Type 'help' for available commands.
@@ -1,7 +1,7 @@
PRETTY_NAME="Red Bear OS 0.2.0 (Liliya)" PRETTY_NAME="Red Bear OS 0.2.2 (Liliya)"
NAME="Red Bear OS" NAME="Red Bear OS"
VERSION_ID="0.2.0" VERSION_ID="0.2.2"
VERSION="0.2.0 (Liliya)" VERSION="0.2.2 (Liliya)"
VERSION_CODENAME="liliya" VERSION_CODENAME="liliya"
ID="redbear-os" ID="redbear-os"
ID_LIKE="redox-os" ID_LIKE="redox-os"
+1
@@ -4,6 +4,7 @@ rev = "463f76b9608a896e6f6c9f63457f57f6409873c7"
patches = [ patches = [
"redox.patch", "redox.patch",
"P10-rootfs-uuid-search-no-block.patch", "P10-rootfs-uuid-search-no-block.patch",
"P11-init-noise-reduction.patch",
] ]
[package] [package]
+1 -1
@@ -1,6 +1,6 @@
[source] [source]
git = "https://gitlab.redox-os.org/redox-os/bootloader.git" git = "https://gitlab.redox-os.org/redox-os/bootloader.git"
patches = ["redox.patch", "fix-uefi-alloc-panic.patch", "P0-gpt-partition-offset.patch", "P5-live-preload-cap-128mib.patch", "P6-full-ramdisk-preload.patch"] patches = ["redox.patch", "fix-uefi-alloc-panic.patch", "P0-gpt-partition-offset.patch", "P5-live-preload-cap-128mib.patch", "P6-full-ramdisk-preload.patch", "P7-redbear-branding.patch"]
[build] [build]
template = "custom" template = "custom"
Submodule recipes/core/bootloader/source updated: 2a718991b3...64b1189b20
@@ -147,17 +147,25 @@ pub struct Context {
// TODO: Temporary replacement for existing kernel logic, replace with capabilities! // TODO: Temporary replacement for existing kernel logic, replace with capabilities!
pub euid: u32, pub euid: u32,
pub egid: u32, pub egid: u32,
pub caps: u64,
pub pid: usize, pub pid: usize,
/// Supplementary group IDs for access control decisions. /// Supplementary group IDs for access control decisions.
pub groups: Vec<u32>, pub groups: Vec<u32>,
/// Capability bitmask — derived from euid by procmgr: euid==0 → CAP_ALL, else 0.
pub caps: u64,
// See [`PreemptGuard`] // See [`PreemptGuard`]
// //
// When > 0, preemption is disabled. // When > 0, preemption is disabled.
pub(super) preempt_locks: usize, pub(super) preempt_locks: usize,
} }
impl Context {
pub fn has_cap(&self, cap: u64) -> bool {
self.caps & cap == cap
}
}
#[derive(Debug)] #[derive(Debug)]
pub struct SignalState { pub struct SignalState {
/// Offset to jump to when a signal is received. /// Offset to jump to when a signal is received.
@@ -206,10 +214,11 @@ impl Context {
euid: 0, euid: 0,
egid: 0, egid: 0,
caps: crate::scheme::caps::CAP_ALL,
pid: 0, pid: 0,
groups: Vec::new(), groups: Vec::new(),
caps: 0,
#[cfg(feature = "syscall_debug")] #[cfg(feature = "syscall_debug")]
syscall_debug_info: crate::syscall::debug::SyscallDebugInfo::default(), syscall_debug_info: crate::syscall::debug::SyscallDebugInfo::default(),
@@ -479,9 +488,6 @@ impl Context {
(for_thread, for_proc, sig) (for_thread, for_proc, sig)
} }
pub fn has_cap(&self, cap: u64) -> bool {
self.caps & cap != 0
}
pub fn caller_ctx(&self) -> CallerCtx { pub fn caller_ctx(&self) -> CallerCtx {
CallerCtx { CallerCtx {
uid: self.euid, uid: self.euid,
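Review bot: With the new `self.caps & cap == cap` test, `Context::has_cap` returns true for `cap == 0` on every context, including one whose `caps` is 0, whereas the old `!= 0` form returned false. A check that is ever handed a zero mask would therefore pass silently. The method also has no doc comment saying that every requested bit must be present. I would add `/// True only if every bit of the requested mask is set in this context's caps; the mask must be non-zero.` and either `debug_assert!(cap != 0);` or change the body to `cap != 0 && self.caps & cap == cap`. The same applies to `CallerCtx::has_cap` in the scheme module hunk, which receives the identical change.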
@@ -13,7 +13,6 @@ use crate::{
arch::sleep, arch::sleep,
context::file::InternalFlags, context::file::InternalFlags,
event, event,
scheme::caps,
sync::{CleanLockToken, RwLock, WaitCondition, L1}, sync::{CleanLockToken, RwLock, WaitCondition, L1},
}; };
@@ -140,7 +139,7 @@ impl KernelScheme for AcpiScheme {
.or(Err(Error::new(EINVAL)))? .or(Err(Error::new(EINVAL)))?
.trim_start_matches('/'); .trim_start_matches('/');
if !ctx.has_cap(caps::CAP_ACPI) { if !ctx.has_cap(crate::scheme::caps::CAP_ACPI) {
return Err(Error::new(EACCES)); return Err(Error::new(EACCES));
} }
if flags & O_CREAT == O_CREAT { if flags & O_CREAT == O_CREAT {
@@ -1,11 +1,29 @@
//! Kernel capability bitmask for fine-grained privilege control.
//!
//! Each capability is a single bit in a `u64`. Processes with `euid == 0`
//! (via procmgr SetResugid) receive `CAP_ALL`. Non-root processes receive `0`
//! by default. Future work: explicit capability assignment via proc scheme.
/// Register or unregister kernel schemes.
pub const CAP_SCHEME_REGISTER: u64 = 1 << 0; pub const CAP_SCHEME_REGISTER: u64 = 1 << 0;
/// Map physical memory (scheme:memory/physical).
pub const CAP_PHYS_MEM: u64 = 1 << 1; pub const CAP_PHYS_MEM: u64 = 1 << 1;
/// Allocate IRQ vectors (scheme:irq).
pub const CAP_IRQ: u64 = 1 << 2; pub const CAP_IRQ: u64 = 1 << 2;
/// Access ACPI tables (scheme:acpi).
pub const CAP_ACPI: u64 = 1 << 3; pub const CAP_ACPI: u64 = 1 << 3;
/// Use kernel debugger (scheme:debug).
pub const CAP_SYS_DEBUG: u64 = 1 << 4; pub const CAP_SYS_DEBUG: u64 = 1 << 4;
/// Write to arbitrary files / sys:action (scheme:sys write).
pub const CAP_SYS_WRITE: u64 = 1 << 5; pub const CAP_SYS_WRITE: u64 = 1 << 5;
/// Read/write model-specific registers (scheme:msr).
pub const CAP_SYS_MSR: u64 = 1 << 6; pub const CAP_SYS_MSR: u64 = 1 << 6;
/// Access PS/2 keyboard/mouse (scheme:serio).
pub const CAP_SERIO: u64 = 1 << 7; pub const CAP_SERIO: u64 = 1 << 7;
/// Change file ownership (scheme:user chown).
pub const CAP_CHOWN: u64 = 1 << 8; pub const CAP_CHOWN: u64 = 1 << 8;
/// Modify process attributes: setuid/setgid, ptrace, signal to arbitrary procs.
pub const CAP_PROC_ATTR: u64 = 1 << 9; pub const CAP_PROC_ATTR: u64 = 1 << 9;
/// All capabilities set — assigned to euid == 0 processes.
pub const CAP_ALL: u64 = !0u64; pub const CAP_ALL: u64 = !0u64;
@@ -73,7 +73,7 @@ impl KernelScheme for DebugScheme {
} }
let path = user_buf.as_str().or(Err(Error::new(EINVAL)))?; let path = user_buf.as_str().or(Err(Error::new(EINVAL)))?;
if !ctx.has_cap(caps::CAP_SYS_DEBUG) { if !ctx.has_cap(crate::scheme::caps::CAP_SYS_DEBUG) {
return Err(Error::new(EPERM)); return Err(Error::new(EPERM));
} }
+1 -2
@@ -18,7 +18,6 @@ use syscall::{
use crate::context::file::InternalFlags; use crate::context::file::InternalFlags;
use super::{CallerCtx, HandleMap, OpenResult, SchemeExt, StrOrBytes}; use super::{CallerCtx, HandleMap, OpenResult, SchemeExt, StrOrBytes};
use super::caps;
#[cfg(any(target_arch = "x86_64", target_arch = "x86"))] #[cfg(any(target_arch = "x86_64", target_arch = "x86"))]
use crate::arch::device::{ioapic, local_apic::ApicId}; use crate::arch::device::{ioapic, local_apic::ApicId};
@@ -257,7 +256,7 @@ impl crate::scheme::KernelScheme for IrqScheme {
} }
let path = user_buf.as_str().or(Err(Error::new(EINVAL)))?; let path = user_buf.as_str().or(Err(Error::new(EINVAL)))?;
if !ctx.has_cap(caps::CAP_IRQ) { if !ctx.has_cap(crate::scheme::caps::CAP_IRQ) {
return Err(Error::new(EACCES)); return Err(Error::new(EACCES));
} }
@@ -9,7 +9,6 @@ use crate::{
memory::{handle_notify_files, AddrSpace, AddrSpaceWrapper, Grant, PageSpan}, memory::{handle_notify_files, AddrSpace, AddrSpaceWrapper, Grant, PageSpan},
}, },
memory::{free_frames, used_frames, Frame, VirtualAddress, PAGE_SIZE}, memory::{free_frames, used_frames, Frame, VirtualAddress, PAGE_SIZE},
scheme::caps,
sync::CleanLockToken, sync::CleanLockToken,
syscall::{ syscall::{
data::{Map, StatVfs}, data::{Map, StatVfs},
@@ -233,7 +232,7 @@ impl KernelScheme for MemoryScheme {
.ok_or(Error::new(ENOENT))?; .ok_or(Error::new(ENOENT))?;
// TODO: Support arches with other default memory types? // TODO: Support arches with other default memory types?
if !ctx.has_cap(caps::CAP_PHYS_MEM) if !ctx.has_cap(crate::scheme::caps::CAP_PHYS_MEM)
&& (!flags.is_empty() && (!flags.is_empty()
|| !matches!( || !matches!(
(handle_ty, mem_ty), (handle_ty, mem_ty),
+3 -2
@@ -51,7 +51,6 @@ use self::{
}; };
/// When compiled with the "acpi" feature - `acpi:` - allows drivers to read a limited set of ACPI tables. /// When compiled with the "acpi" feature - `acpi:` - allows drivers to read a limited set of ACPI tables.
pub mod caps;
pub mod acpi; pub mod acpi;
pub mod dtb; pub mod dtb;
@@ -80,6 +79,8 @@ pub mod serio;
/// `sys:` - system information, such as the context list and scheme list /// `sys:` - system information, such as the context list and scheme list
pub mod sys; pub mod sys;
pub mod caps;
/// `time:` - allows reading time, setting timeouts and getting events when they are met /// `time:` - allows reading time, setting timeouts and getting events when they are met
pub mod time; pub mod time;
@@ -816,7 +817,7 @@ pub struct CallerCtx {
} }
impl CallerCtx { impl CallerCtx {
pub fn has_cap(&self, cap: u64) -> bool { pub fn has_cap(&self, cap: u64) -> bool {
self.caps & cap != 0 self.caps & cap == cap
} }
pub fn filter_uid_gid(self, euid: u32, egid: u32) -> Self { pub fn filter_uid_gid(self, euid: u32, egid: u32) -> Self {
if self.uid == 0 && self.gid == 0 { if self.uid == 0 && self.gid == 0 {
@@ -1273,7 +1273,11 @@ impl ContextHandle {
guard.pid = info.pid as usize; guard.pid = info.pid as usize;
guard.euid = info.euid; guard.euid = info.euid;
guard.egid = info.egid; guard.egid = info.egid;
guard.caps = if info.euid == 0 { crate::scheme::caps::CAP_ALL } else { 0 }; guard.caps = if info.euid == 0 {
crate::scheme::caps::CAP_ALL
} else {
0
};
guard.prio = (info.prio as usize).min(39); guard.prio = (info.prio as usize).min(39);
Ok(size_of::<ProcSchemeAttrs>()) Ok(size_of::<ProcSchemeAttrs>())
} }
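Review bot: This attrs write is the only place on this page where `caps` is recomputed from `euid`, so the rule stated on the field (euid 0 gets `CAP_ALL`, everything else 0) holds only if every euid change passes through here. The initializer hunk in the context module appears to leave `euid: 0` next to `caps: 0` (the rendered page does not mark which side each `caps` line belongs to), which would mean a fresh context that never receives this write has euid 0 without any capability, and any other path that changes `euid` would leave `caps` stale. A single helper in the caps module, for example `pub const fn for_euid(euid: u32) -> u64 { if euid == 0 { CAP_ALL } else { 0 } }`, called here as `guard.caps = crate::scheme::caps::for_euid(info.euid);` and from the initializer, would keep the two in step; if capability-less fresh contexts are intended, a comment on the initializer should say so. The enclosing function starts outside the hunk.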
@@ -79,7 +79,7 @@ impl KernelScheme for SerioScheme {
} }
let path = user_buf.as_str().or(Err(Error::new(EINVAL)))?; let path = user_buf.as_str().or(Err(Error::new(EINVAL)))?;
if !ctx.has_cap(caps::CAP_SERIO) { if !ctx.has_cap(crate::scheme::caps::CAP_SERIO) {
return Err(Error::new(EPERM)); return Err(Error::new(EPERM));
} }
@@ -24,7 +24,6 @@ use crate::{
}; };
use super::{CallerCtx, HandleMap, KernelScheme, OpenResult, StrOrBytes}; use super::{CallerCtx, HandleMap, KernelScheme, OpenResult, StrOrBytes};
use super::caps;
mod block; mod block;
mod context; mod context;
@@ -142,7 +141,7 @@ impl KernelScheme for SysScheme {
} else if path.starts_with("msr/") { } else if path.starts_with("msr/") {
#[cfg(any(target_arch = "x86", target_arch = "x86_64"))] #[cfg(any(target_arch = "x86", target_arch = "x86_64"))]
{ {
if !ctx.has_cap(caps::CAP_SYS_MSR) { if !ctx.has_cap(crate::scheme::caps::CAP_SYS_MSR) {
return Err(Error::new(EPERM)); return Err(Error::new(EPERM));
} }
let rest = &path[4..]; let rest = &path[4..];
@@ -168,7 +167,7 @@ impl KernelScheme for SysScheme {
.find(|(entry_path, _)| *entry_path == path) .find(|(entry_path, _)| *entry_path == path)
.ok_or(Error::new(ENOENT))?; .ok_or(Error::new(ENOENT))?;
if matches!(entry.1, Wr(_)) && !ctx.has_cap(caps::CAP_SYS_WRITE) { if matches!(entry.1, Wr(_)) && !ctx.has_cap(crate::scheme::caps::CAP_SYS_WRITE) {
return Err(Error::new(EPERM)); return Err(Error::new(EPERM));
} }
@@ -26,7 +26,7 @@ use crate::{
}, },
event, event,
memory::{Frame, Page, VirtualAddress, PAGE_SIZE}, memory::{Frame, Page, VirtualAddress, PAGE_SIZE},
scheme::{caps, SchemeId}, scheme::SchemeId,
sync::{CleanLockToken, LockToken, Mutex, RwLock, WaitQueue, L1}, sync::{CleanLockToken, LockToken, Mutex, RwLock, WaitQueue, L1},
syscall::{ syscall::{
data::{Map, StdFsCallMeta}, data::{Map, StdFsCallMeta},
@@ -1590,7 +1590,7 @@ impl KernelScheme for UserScheme {
{ {
let ctx = context::current(); let ctx = context::current();
let cx = &ctx.read(token.token()); let cx = &ctx.read(token.token());
if !cx.has_cap(caps::CAP_CHOWN) && (uid != cx.euid || gid != cx.egid) { if !cx.has_cap(crate::scheme::caps::CAP_CHOWN) && (uid != cx.euid || gid != cx.egid) {
return Err(Error::new(EPERM)); return Err(Error::new(EPERM));
} }
} }
+1 -1
@@ -1,6 +1,6 @@
[source] [source]
git = "https://gitlab.redox-os.org/redox-os/userutils.git" git = "https://gitlab.redox-os.org/redox-os/userutils.git"
patches = ["P5-redbear-branding.patch", "P6-login-privilege-drop.patch"] patches = ["P5-redbear-branding.patch", "P6-login-privilege-drop.patch", "P7-login-diagnostics.patch"]
[build] [build]
template = "custom" template = "custom"
Submodule recipes/core/userutils/source updated: 9c37ba8c19...0c5274faa9
File diff suppressed because it is too large Load Diff
File diff suppressed because it is too large Load Diff
+18882
File diff suppressed because it is too large Load Diff