29
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
this post was submitted on 02 Sep 2023
29 points (100.0% liked)
Programming
13362 readers
1 users here now
All things programming and coding related. Subcommunity of Technology.
This community's icon was made by Aaron Schneider, under the CC-BY-NC-SA 4.0 license.
founded 1 year ago
MODERATORS
dd if=/dev/zero of=/dev/sda
is a userland program, which I would say causes harm./dev/sda
access requires superuser/root permissions from the kernel, which means asking the kernel to lift many of the protections.On some unix systems (MacOS for example) you can't even do that with root.
You'd need reboot into firmware, change some flags on the boot partition, and then reboot back into the regular operating system.
To install a new version of the operating system on a Mac, it creates a new snapshot of your boot hard drive, updates the system there, then reboots instructing the firmware to reboot on the new snapshot. The firmware does it's a few checks of it's own as well, and if it fails to boot then it will reboot on the old snapshot (which is only removed after successfully booting on to the new one). That's not only a better/more reliable way to upgrade the operating system, it's also the only way it can be done because even the kernel doesn't have write access to those files.
The only drawback is you can't use your computer while the firmware checks/boots the updated system. But Apple seems to be laying the foundations for a new process where your updated operating system will boot alongside the old version (with hypervisors) in the background, be fully tested/etc, and then it should be able to switch over to the other operating system pretty much instantly. It would likely even replace the windows of running software with a screenshot, then instruct the software to save it's state and relaunch to restore functionality to the screenshot windows (they already do this if a Mac's battery runs really low - closing everything cleanly before power cuts out, then restore everything once you charge the battery).
That's interesting, I don't have much contact with Apple's ecosystem.
Sounds similar to a setup that Linux allows, with the root filesystem on btrfs, making a snapshot of it and updating, then live switching kernels. But there is no firmware support to make the switch, so it relies on root having full access to everything.
The hypervisors approach seem like what Windows is doing, where Windows itself gets booted in a Hyper-X VM, allowing WSL2 and every other VM to run at "native" speed (since "native" itself is a VM), and in theory should allow booting a parallel updated Windows, then just switching VMs.
On Linux there is also a feature for live migrating VMs, which allows software to keep running while they're being migrated with just a minimum pause, so they could use something like that.
Yes, which is literally what OP is asking about. They mention system calls, and are asking, if a userland program can do dangerous thing using system calls, why is there a divide between user and kernel. "Because the kernel can then check permissions of the system call" is a great answer, but "hopefully you can't harm your computer with userland programs" is completely wrong and misguided.
Yeah, security is in layers and userland isn't automatically "safe", if that's what you're pointing out. So I did mention non-superusers. Separating the kernel from userland applications is also critically important to (try to) prevent non-superusers from accessing APIs and devices which only superusers (or those in particular groups) are able to reach.