1
0
mirror of https://github.com/20kdc/OC-KittenOS.git synced 2024-11-27 04:48:05 +11:00

Fix lockPerm and security policy glitchiness regarding it, along with even more licensing fun

This commit is contained in:
20kdc 2018-04-23 22:18:18 +01:00
parent f49a4bf433
commit b75dc370dc
6 changed files with 64 additions and 58 deletions

View File

@ -237,55 +237,7 @@ donkonitDFProvider(function (pkg, pid, sendSig)
} }
end) end)
-- Automatic service start local function secPolicyStage2(pid, proc, perm, req)
local function wrapWASS(perm, req)
return function (res)
if res then
-- Do we need to start it?
if perm:sub(1, 6) == "x.svc." then
if not neo.usAccessExists(perm) then
local appAct = perm:sub(7)
local paP = appAct:match(endAcPattern)
if paP then
permAct = appAct:sub(1, #appAct - #paP)
end
-- Prepare for success
onReg[perm] = onReg[perm] or {}
table.insert(onReg[perm], function ()
req(res)
req = nil
end)
pcall(neo.executeAsync, "svc-" .. appAct)
-- Fallback "quit now"
local time = os.uptime() + 30
neo.scheduleTimer(time)
local f
function f()
if req then
if os.uptime() >= time then
req(res)
else
table.insert(todo, f)
end
end
end
table.insert(todo, f)
return
end
end
end
req(res)
end
end
-- Connect in security policy now
local backup = rootAccess.securityPolicyINIT or rootAccess.securityPolicy
rootAccess.securityPolicyINIT = backup
rootAccess.securityPolicy = function (pid, proc, perm, req)
if neo.dead then
return backup(pid, proc, perm, req)
end
req = wrapWASS(perm, req)
local def = proc.pkg:sub(1, 4) == "sys-" local def = proc.pkg:sub(1, 4) == "sys-"
local secpol, err = require("sys-secpolicy") local secpol, err = require("sys-secpolicy")
if not secpol then if not secpol then
@ -305,6 +257,51 @@ rootAccess.securityPolicy = function (pid, proc, perm, req)
end) end)
end end
-- Connect in security policy now
local backup = rootAccess.securityPolicyINIT or rootAccess.securityPolicy
rootAccess.securityPolicyINIT = backup
rootAccess.securityPolicy = function (pid, proc, perm, req)
if neo.dead then
return backup(pid, proc, perm, req)
end
local function finish()
secPolicyStage2(pid, proc, perm, req)
end
-- Do we need to start it?
if perm:sub(1, 6) == "x.svc." then
if not neo.usAccessExists(perm) then
local appAct = perm:sub(7)
local paP = appAct:match(endAcPattern)
if paP then
permAct = appAct:sub(1, #appAct - #paP)
end
-- Prepare for success
onReg[perm] = onReg[perm] or {}
table.insert(onReg[perm], function ()
finish()
end)
pcall(neo.executeAsync, "svc-" .. appAct)
-- Fallback "quit now"
local time = os.uptime() + 30
neo.scheduleTimer(time)
local f
function f()
if finish then
if os.uptime() >= time then
finish()
else
table.insert(todo, f)
end
end
end
table.insert(todo, f)
return
end
else
finish()
end
end
function theEventHandler(...) function theEventHandler(...)
local ev = {...} local ev = {...}
if ev[1] == "k.procdie" then if ev[1] == "k.procdie" then

View File

@ -73,7 +73,11 @@ return function ()
end end
end end
for _, v in ipairs(sources[srcName][3][pkg].files) do for _, v in ipairs(sources[srcName][3][pkg].files) do
local ok, r = sources[srcName][1](v, sources[dstName][2][1](v .. ".claw-tmp")) local tmpOut, r, ok = sources[dstName][2][1](v .. ".claw-tmp")
ok = tmpOut
if ok then
ok, r = sources[srcName][1](v, tmpOut)
end
if ok then if ok then
yielder() yielder()
else else

View File

@ -45,13 +45,10 @@ local function actualPolicy(pkg, pid, perm, matchesSvc)
end end
return function (nexus, settings, pkg, pid, perm, rsp, matchesSvc) return function (nexus, settings, pkg, pid, perm, rsp, matchesSvc)
local res = "ask" local res = actualPolicy(pkg, pid, perm, matchesSvc)
if settings then if settings then
res = settings.getSetting("perm|" .. pkg .. "|" .. perm) or res = settings.getSetting("perm|" .. pkg .. "|" .. perm) or
settings.getSetting("perm|*|" .. perm) or "ask" settings.getSetting("perm|*|" .. perm) or res
end
if res == "ask" then
res = actualPolicy(pkg, pid, perm, matchesSvc)
end end
if res == "ask" and nexus then if res == "ask" and nexus then
local totalW = 3 + 6 + 2 + 8 local totalW = 3 + 6 + 2 + 8

View File

@ -9,6 +9,9 @@
-- Specifically, register as soon as possible. -- Specifically, register as soon as possible.
-- While not required, security dialogs can cause a timeout. -- While not required, security dialogs can cause a timeout.
local ic = neo.requireAccess("x.neo.pub.base", "to lock x.svc.ghostie")
ic.lockPerm("x.svc.ghostie")
local r = neo.requireAccess("r.svc.ghostie", "ghost registration") local r = neo.requireAccess("r.svc.ghostie", "ghost registration")
local waiting = 0 local waiting = 0

View File

@ -94,14 +94,15 @@ return {
desc = "license file 'Public Domain'", desc = "license file 'Public Domain'",
v = 0, v = 0,
deps = { deps = {
"zzz-license",
}, },
dirs = { dirs = {
"docs", "docs",
"docs/licensing" "docs/licensing",
"docs/repoauthors"
}, },
files = { files = {
"docs/licensing/Public Domain" "docs/licensing/Public Domain",
"docs/repoauthors/zzz-license-pd"
}, },
} }
} }

View File

@ -75,6 +75,10 @@ Paths for the IO parts of this API
function, so that the user must be function, so that the user must be
asked before a program can access asked before a program can access
the permission. the permission.
This function should be called
*before* you register your API, not
after, in case your service was
automatically started.
NOTE: LIST REQUIRES "/" AT THE END NOTE: LIST REQUIRES "/" AT THE END
AND START, WHILE THE REST CANNOT AND START, WHILE THE REST CANNOT