1
0
mirror of https://github.com/20kdc/OC-KittenOS.git synced 2024-12-26 02:48:06 +11:00

Added a theoretical way for services to get started automatically.

This really needs testing...
This commit is contained in:
20kdc 2018-04-22 15:25:49 +01:00
parent 1bb8d16298
commit 3d399dc047
3 changed files with 61 additions and 21 deletions

View File

@ -94,11 +94,13 @@ local function getPfx(xd, pkg)
end
end
local endAcPattern = "/[a-z0-9/%.]*$"
local function matchesSvc(xd, pkg, perm)
local pfx = getPfx(xd, pkg)
if pfx then
local permAct = perm
local paP = permAct:match("/[a-z0-9/%.]*$")
local paP = permAct:match(endAcPattern)
if paP then
permAct = permAct:sub(1, #permAct - #paP)
end
@ -218,6 +220,31 @@ donkonitDFProvider(function (pkg, pid, sendSig)
}
end)
-- Automatic service start
local function wrapWASS(perm, req)
return function (res)
if res then
-- Do we need to start it?
if perm:sub(1, 6) == "x.svc." then
if not neo.usAccessExists(perm) then
local appAct = perm:sub(7)
local paP = appAct:match(endAcPattern)
if paP then
permAct = appAct:sub(1, #appAct - #paP)
end
pcall(neo.executeAsync, appAct)
neo.scheduleTimer(0)
table.insert(todo, function ()
req(res)
end)
return
end
end
end
req(res)
end
end
-- Connect in security policy now
local rootAccess = neo.requireAccess("k.root", "installing GUI integration")
local backup = rootAccess.securityPolicyINIT or rootAccess.securityPolicy
@ -226,6 +253,7 @@ rootAccess.securityPolicy = function (pid, proc, perm, req)
if neo.dead then
return backup(pid, proc, perm, req)
end
req = wrapWASS(req)
local def = proc.pkg:sub(1, 4) == "sys-"
local secpol, err = require("sys-secpolicy")
if not secpol then

View File

@ -329,6 +329,12 @@ baseProcNeo = {
end,
listApps = lister("apps/"),
listLibs = lister("libs/"),
usAccessExists = function (accessName)
ensureType(accessName, "string")
if accesses[accessName] then
return true
end
end,
totalIdleTime = function () return idleTime end,
ensurePath = ensurePath,
ensurePathComponent = ensurePathComponent,

View File

@ -167,7 +167,7 @@ For libraries, it contains:
not a requirement and is not
enforced - it's not a security
matter, just optimization/memory.
wrapMeta: A function that takes a
wrapMeta(v): A function that takes a
value, and wraps it in such a way
as to be immutable, returning the
wrapped value.
@ -175,26 +175,30 @@ For libraries, it contains:
against memory use - by using this
to protect a table, the result can
be shared between untrusted code.
listProcs: A function that returns a
table of processes. Index is ipairs
-friendly, values are:
listProcs(): A function that returns
an ipairs-friendly process list.
Values are:
{pid, pkg, cpuUsageInSeconds}
listApps: Returns an ipairs-friendly
list of applications on the system,
such as:
{"app-out-of-sight-is-out-of-mind",
"svc-i-see-the-ones-that-play"}
listLibs: Returns an ipairs-friendly
list of libraries on the system,
such as:
listApps(): Returns an
ipairs-friendly list of
applications on the system, like:
{"app-test", "svc-liliput"}
listLibs(): Returns an
ipairs-friendly list of libraries
on the system, such as:
{"fmttext",
"braille"}
totalIdleTime: Returns the current
usAccessExists(s):
Returns true if the specified
access has been registered from
userspace using the related "r."
access.
totalIdleTime(): Returns the current
kernel idle time total, useful for
measuring current CPU usage, and in
turn comparing to application CPU
time to get various statistics.
ensurePath: (s, root)
ensurePath(s, root):
Attempts to verify the
safety of a path, and errors if any
aspect seems incorrect.
@ -207,7 +211,7 @@ For libraries, it contains:
Essentially, "//" must not occur,
and all "[^/]+" matches must be
valid path components.
ensurePathComponent: (s)
ensurePathComponent(s):
Ensures that a string is a safe
filename via a character list and
some special filename checks.
@ -226,7 +230,7 @@ For libraries, it contains:
Windows total nonsense (aux, com1)
because if OC doesn't cover up
that then you're kinda doomed.
ensureType: (v, ts)
ensureType(v, ts):
Checks that a value is of a given
type, and errors otherwise. If the
type is "table", it also errors if
@ -284,12 +288,14 @@ The additional things available to
is responded to with a
k.securityresponse such as:
"k.securityresponse", perm, obj
requestAccess: A function with
(perm, handler) as the arguments -
runs requestAccessAsync, then sends
requestAccess(perm[, handler]):
Runs requestAccessAsync, then sends
events to handler (if any) while
waiting for the response.
requireAccess: requestAccess, but
sys-icecap is responsible for any
automatic starting of services
that may occur.
requireAccess(perm, reason): requestAccess, but
(perm, reason) - the reason is used
in an error if the access cannot
be gained.