mirror of
https://github.com/20kdc/OC-KittenOS.git
synced 2024-11-27 04:48:05 +11:00
Fix lockPerm and security policy glitchiness regarding it, along with even more licensing fun
parent
f49a4bf433
commit
b75dc370dc
@ -237,55 +237,7 @@ donkonitDFProvider(function (pkg, pid, sendSig)
|
|||||||
}
|
}
|
||||||
end)
|
end)
|
||||||
|
|
||||||
-- Automatic service start
|
local function secPolicyStage2(pid, proc, perm, req)
|
||||||
local function wrapWASS(perm, req)
|
|
||||||
return function (res)
|
|
||||||
if res then
|
|
||||||
-- Do we need to start it?
|
|
||||||
if perm:sub(1, 6) == "x.svc." then
|
|
||||||
if not neo.usAccessExists(perm) then
|
|
||||||
local appAct = perm:sub(7)
|
|
||||||
local paP = appAct:match(endAcPattern)
|
|
||||||
if paP then
|
|
||||||
permAct = appAct:sub(1, #appAct - #paP)
|
|
||||||
end
|
|
||||||
-- Prepare for success
|
|
||||||
onReg[perm] = onReg[perm] or {}
|
|
||||||
table.insert(onReg[perm], function ()
|
|
||||||
req(res)
|
|
||||||
req = nil
|
|
||||||
end)
|
|
||||||
pcall(neo.executeAsync, "svc-" .. appAct)
|
|
||||||
-- Fallback "quit now"
|
|
||||||
local time = os.uptime() + 30
|
|
||||||
neo.scheduleTimer(time)
|
|
||||||
local f
|
|
||||||
function f()
|
|
||||||
if req then
|
|
||||||
if os.uptime() >= time then
|
|
||||||
req(res)
|
|
||||||
else
|
|
||||||
table.insert(todo, f)
|
|
||||||
end
|
|
||||||
end
|
|
||||||
end
|
|
||||||
table.insert(todo, f)
|
|
||||||
return
|
|
||||||
end
|
|
||||||
end
|
|
||||||
end
|
|
||||||
req(res)
|
|
||||||
end
|
|
||||||
end
|
|
||||||
|
|
||||||
-- Connect in security policy now
|
|
||||||
local backup = rootAccess.securityPolicyINIT or rootAccess.securityPolicy
|
|
||||||
rootAccess.securityPolicyINIT = backup
|
|
||||||
rootAccess.securityPolicy = function (pid, proc, perm, req)
|
|
||||||
if neo.dead then
|
|
||||||
return backup(pid, proc, perm, req)
|
|
||||||
end
|
|
||||||
req = wrapWASS(perm, req)
|
|
||||||
local def = proc.pkg:sub(1, 4) == "sys-"
|
local def = proc.pkg:sub(1, 4) == "sys-"
|
||||||
local secpol, err = require("sys-secpolicy")
|
local secpol, err = require("sys-secpolicy")
|
||||||
if not secpol then
|
if not secpol then
|
||||||
@ -305,6 +257,51 @@ rootAccess.securityPolicy = function (pid, proc, perm, req)
|
|||||||
end)
|
end)
|
||||||
end
|
end
|
||||||
|
|
||||||
|
-- Connect in security policy now
|
||||||
|
local backup = rootAccess.securityPolicyINIT or rootAccess.securityPolicy
|
||||||
|
rootAccess.securityPolicyINIT = backup
|
||||||
|
rootAccess.securityPolicy = function (pid, proc, perm, req)
|
||||||
|
if neo.dead then
|
||||||
|
return backup(pid, proc, perm, req)
|
||||||
|
end
|
||||||
|
local function finish()
|
||||||
|
secPolicyStage2(pid, proc, perm, req)
|
||||||
|
end
|
||||||
|
-- Do we need to start it?
|
||||||
|
if perm:sub(1, 6) == "x.svc." then
|
||||||
|
if not neo.usAccessExists(perm) then
|
||||||
|
local appAct = perm:sub(7)
|
||||||
|
local paP = appAct:match(endAcPattern)
|
||||||
|
if paP then
|
||||||
|
permAct = appAct:sub(1, #appAct - #paP)
|
||||||
|
end
|
||||||
|
-- Prepare for success
|
||||||
|
onReg[perm] = onReg[perm] or {}
|
||||||
|
table.insert(onReg[perm], function ()
|
||||||
|
finish()
|
||||||
|
end)
|
||||||
|
pcall(neo.executeAsync, "svc-" .. appAct)
|
||||||
|
-- Fallback "quit now"
|
||||||
|
local time = os.uptime() + 30
|
||||||
|
neo.scheduleTimer(time)
|
||||||
|
local f
|
||||||
|
function f()
|
||||||
|
if finish then
|
||||||
|
if os.uptime() >= time then
|
||||||
|
finish()
|
||||||
|
else
|
||||||
|
table.insert(todo, f)
|
||||||
|
end
|
||||||
|
end
|
||||||
|
end
|
||||||
|
table.insert(todo, f)
|
||||||
|
return
|
||||||
|
end
|
||||||
|
else
|
||||||
|
finish()
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
function theEventHandler(...)
|
function theEventHandler(...)
|
||||||
local ev = {...}
|
local ev = {...}
|
||||||
if ev[1] == "k.procdie" then
|
if ev[1] == "k.procdie" then
|
||||||
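Review bot: In the rewritten `rootAccess.securityPolicy`, a request for an `x.svc.` permission whose access already exists never reaches `finish()`: counting the `end`s, the trailing `else finish()` pairs with the `perm:sub(1, 6) == "x.svc."` test, so when `neo.usAccessExists(perm)` is true the function returns without calling `secPolicyStage2` and `req` is left unanswered. The removed wrapper set `req = nil` after the registration callback ran, but the new callback never clears anything, so `if finish then` in the timer fallback is always true. As far as these lines show, the policy then runs a second time once the 30-second deadline passes and `req` receives two decisions for one request. A one-shot guard inside `finish` plus an unconditional `finish()` after the auto-start branch covers both. Separately, `permAct` is assigned without `local` and is not read in the lines shown.

```lua
	local pending = true
	local function finish()
		-- One-shot: the registration callback and the timer fallback can both get here.
		if pending then
			pending = false
			secPolicyStage2(pid, proc, perm, req)
		end
	end
	-- … unchanged: "x.svc." prefix test, neo.usAccessExists check, onReg registration, neo.executeAsync, timer setup …
			function f()
				if pending then
					-- … unchanged: deadline test, then finish() or re-queue f …
				end
			end
			-- … unchanged: queue f and return from the auto-start branch …
	-- Not a service permission, or the service already has its access registered.
	finish()
```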
|
@ -73,7 +73,11 @@ return function ()
|
|||||||
end
|
end
|
||||||
end
|
end
|
||||||
for _, v in ipairs(sources[srcName][3][pkg].files) do
|
for _, v in ipairs(sources[srcName][3][pkg].files) do
|
||||||
local ok, r = sources[srcName][1](v, sources[dstName][2][1](v .. ".claw-tmp"))
|
local tmpOut, r, ok = sources[dstName][2][1](v .. ".claw-tmp")
|
||||||
|
ok = tmpOut
|
||||||
|
if ok then
|
||||||
|
ok, r = sources[srcName][1](v, tmpOut)
|
||||||
|
end
|
||||||
if ok then
|
if ok then
|
||||||
yielder()
|
yielder()
|
||||||
else
|
else
|
||||||
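Review bot: `ok` is declared as a third result of the `.claw-tmp` open call and overwritten on the very next line, which reads as if that call returned a status in third position. Declaring it from the handle says what is meant: `local tmpOut, r = sources[dstName][2][1](v .. ".claw-tmp")` followed by `local ok = tmpOut`. When the copy through `sources[srcName][1]` fails after the temporary was opened, the lines shown do not say whether `tmpOut` is closed or the `.claw-tmp` file removed. The `else` branch and the rest of the loop body continue outside the hunk, so that is worth confirming there.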
|
@ -45,13 +45,10 @@ local function actualPolicy(pkg, pid, perm, matchesSvc)
|
|||||||
end
|
end
|
||||||
|
|
||||||
return function (nexus, settings, pkg, pid, perm, rsp, matchesSvc)
|
return function (nexus, settings, pkg, pid, perm, rsp, matchesSvc)
|
||||||
local res = "ask"
|
local res = actualPolicy(pkg, pid, perm, matchesSvc)
|
||||||
if settings then
|
if settings then
|
||||||
res = settings.getSetting("perm|" .. pkg .. "|" .. perm) or
|
res = settings.getSetting("perm|" .. pkg .. "|" .. perm) or
|
||||||
settings.getSetting("perm|*|" .. perm) or "ask"
|
settings.getSetting("perm|*|" .. perm) or res
|
||||||
end
|
|
||||||
if res == "ask" then
|
|
||||||
res = actualPolicy(pkg, pid, perm, matchesSvc)
|
|
||||||
end
|
end
|
||||||
if res == "ask" and nexus then
|
if res == "ask" and nexus then
|
||||||
local totalW = 3 + 6 + 2 + 8
|
local totalW = 3 + 6 + 2 + 8
|
||||||
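Review bot: The precedence between the three sources of a verdict is now implicit in an `or` chain and deserves a comment above `local res`, for example `-- Precedence: "perm|<pkg>|<perm>" setting, then "perm|*|<perm>" setting, then actualPolicy's built-in result.` As written, any stored value, including a wildcard entry, replaces whatever `actualPolicy` returned, and a stored `"ask"` no longer falls through to `actualPolicy` as it did before this change; if that is intended the comment should say so. The value from `settings.getSetting` is also used as `res` without a check that it is one of the results the rest of the function handles, and that handling lies outside the hunk.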
|
@ -9,6 +9,9 @@
|
|||||||
-- Specifically, register as soon as possible.
|
-- Specifically, register as soon as possible.
|
||||||
-- While not required, security dialogs can cause a timeout.
|
-- While not required, security dialogs can cause a timeout.
|
||||||
|
|
||||||
|
local ic = neo.requireAccess("x.neo.pub.base", "to lock x.svc.ghostie")
|
||||||
|
ic.lockPerm("x.svc.ghostie")
|
||||||
|
|
||||||
local r = neo.requireAccess("r.svc.ghostie", "ghost registration")
|
local r = neo.requireAccess("r.svc.ghostie", "ghost registration")
|
||||||
|
|
||||||
local waiting = 0
|
local waiting = 0
|
||||||
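Review bot: The added `neo.requireAccess("x.neo.pub.base", ...)` now runs before the `r.svc.ghostie` registration, while the header comment kept just above still says to register as soon as possible because security dialogs can cause a timeout. If the `x.neo.pub.base` request can itself raise a dialog for this package, an auto-started instance could pass its start deadline before it registers; whether it can depends on policy code not shown in this section. The header comment should explain the new order, for example `-- Lock x.svc.ghostie before registering it (required order when the service is auto-started).`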
|
@ -94,14 +94,15 @@ return {
|
|||||||
desc = "license file 'Public Domain'",
|
desc = "license file 'Public Domain'",
|
||||||
v = 0,
|
v = 0,
|
||||||
deps = {
|
deps = {
|
||||||
"zzz-license",
|
|
||||||
},
|
},
|
||||||
dirs = {
|
dirs = {
|
||||||
"docs",
|
"docs",
|
||||||
"docs/licensing"
|
"docs/licensing",
|
||||||
|
"docs/repoauthors"
|
||||||
},
|
},
|
||||||
files = {
|
files = {
|
||||||
"docs/licensing/Public Domain"
|
"docs/licensing/Public Domain",
|
||||||
|
"docs/repoauthors/zzz-license-pd"
|
||||||
},
|
},
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -75,6 +75,10 @@ Paths for the IO parts of this API
|
|||||||
function, so that the user must be
|
function, so that the user must be
|
||||||
asked before a program can access
|
asked before a program can access
|
||||||
the permission.
|
the permission.
|
||||||
|
This function should be called
|
||||||
|
*before* you register your API, not
|
||||||
|
after, in case your service was
|
||||||
|
automatically started.
|
||||||
|
|
||||||
NOTE: LIST REQUIRES "/" AT THE END
|
NOTE: LIST REQUIRES "/" AT THE END
|
||||||
AND START, WHILE THE REST CANNOT
|
AND START, WHILE THE REST CANNOT
|
||||||
|