cosmopolitan/tool/build/dso/sandbox.c

/*-*- mode:c;indent-tabs-mode:nil;c-basic-offset:2;tab-width:8;coding:utf-8 -*-│
│vi: set net ft=c ts=2 sts=2 sw=2 fenc=utf-8                                :vi│
╞══════════════════════════════════════════════════════════════════════════════╡
│ Copyright 2022 Justine Alexandra Roberts Tunney                              │
│                                                                              │
│ Permission to use, copy, modify, and/or distribute this software for         │
│ any purpose with or without fee is hereby granted, provided that the         │
│ above copyright notice and this permission notice appear in all copies.      │
│                                                                              │
│ THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL                │
│ WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED                │
│ WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE             │
│ AUTHOR BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL         │
│ DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR        │
│ PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER               │
│ TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR             │
│ PERFORMANCE OF THIS SOFTWARE.                                                │
╚─────────────────────────────────────────────────────────────────────────────*/
#include "libc/calls/calls.h"
#include "libc/calls/pledge.h"
#include "libc/calls/pledge.internal.h"
#include "libc/intrin/promises.internal.h"
#include "libc/runtime/runtime.h"

/*
 * runs pledge at glibc executable load time, e.g.
 * strace -vff bash -c '_PLEDGE=4194303,0 LD_PRELOAD=$HOME/sandbox.so ls'
 */

__attribute__((__constructor__)) void init(void) {
  int c, i, j;
  const char *s;
  uint64_t arg[2] = {0};
  s = getenv("_PLEDGE");
  for (i = j = 0; i < 2; ++i) {
    while ((c = s[j] & 255)) {
      ++j;
      if ('0' <= c & c <= '9') {
        arg[i] *= 10;
        arg[i] += c - '0';
      } else {
        break;
      }
    }
  }
  sys_pledge_linux(~arg[0], arg[1]);
}
Rewrite Linux pledge() code so it can be a payload It's now possible to build our pledge() polyfill as a dynamic shared object that can be injected into a glibc executable using LD_PRELOAD 2022-08-08 18:41:08 +00:00			`/-- mode:c;indent-tabs-mode:nil;c-basic-offset:2;tab-width:8;coding:utf-8 -*-│`
			`│vi: set net ft=c ts=2 sts=2 sw=2 fenc=utf-8 :vi│`
			`╞══════════════════════════════════════════════════════════════════════════════╡`
			`│ Copyright 2022 Justine Alexandra Roberts Tunney │`
			`│ │`
			`│ Permission to use, copy, modify, and/or distribute this software for │`
			`│ any purpose with or without fee is hereby granted, provided that the │`
			`│ above copyright notice and this permission notice appear in all copies. │`
			`│ │`
			`│ THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL │`
			`│ WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED │`
			`│ WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE │`
			`│ AUTHOR BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL │`
			`│ DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR │`
			`│ PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER │`
			`│ TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR │`
			`│ PERFORMANCE OF THIS SOFTWARE. │`
			`╚─────────────────────────────────────────────────────────────────────────────*/`
Use LD_PRELOAD to inject pledge() in glibc progs We're now able to drop both `exec` and `prot_exec` privileges automatically when launching glibc dynamic executables. We also have really outstanding standard error logging now, that explains which promises are needed, even in cases where `exec` is used. 2022-08-09 04:23:37 +00:00			`#include "libc/calls/calls.h"`
Rewrite Linux pledge() code so it can be a payload It's now possible to build our pledge() polyfill as a dynamic shared object that can be injected into a glibc executable using LD_PRELOAD 2022-08-08 18:41:08 +00:00			`#include "libc/calls/pledge.h"`
			`#include "libc/calls/pledge.internal.h"`
			`#include "libc/intrin/promises.internal.h"`
Use LD_PRELOAD to inject pledge() in glibc progs We're now able to drop both `exec` and `prot_exec` privileges automatically when launching glibc dynamic executables. We also have really outstanding standard error logging now, that explains which promises are needed, even in cases where `exec` is used. 2022-08-09 04:23:37 +00:00			`#include "libc/runtime/runtime.h"`
Rewrite Linux pledge() code so it can be a payload It's now possible to build our pledge() polyfill as a dynamic shared object that can be injected into a glibc executable using LD_PRELOAD 2022-08-08 18:41:08 +00:00
Use LD_PRELOAD to inject pledge() in glibc progs We're now able to drop both `exec` and `prot_exec` privileges automatically when launching glibc dynamic executables. We also have really outstanding standard error logging now, that explains which promises are needed, even in cases where `exec` is used. 2022-08-09 04:23:37 +00:00			`/*`
			`* runs pledge at glibc executable load time, e.g.`
Refactor pledge() to be more configurable The earlier iterations did too much guesswork when it came to things like stderr logging and syscall origin verification. This change will make things more conformant to existing practices. The __pledge_mode extension now can be configured in a better way. There's also a new `-q` flag added to pledge.com, e.g. o//tool/build/pledge.com -qv. ls Is a good way to disable warnings about `tty` access attempts. 2022-08-11 18:27:25 +00:00			`* strace -vff bash -c '_PLEDGE=4194303,0 LD_PRELOAD=$HOME/sandbox.so ls'`
Use LD_PRELOAD to inject pledge() in glibc progs We're now able to drop both `exec` and `prot_exec` privileges automatically when launching glibc dynamic executables. We also have really outstanding standard error logging now, that explains which promises are needed, even in cases where `exec` is used. 2022-08-09 04:23:37 +00:00			`*/`
Rewrite Linux pledge() code so it can be a payload It's now possible to build our pledge() polyfill as a dynamic shared object that can be injected into a glibc executable using LD_PRELOAD 2022-08-08 18:41:08 +00:00
Use LD_PRELOAD to inject pledge() in glibc progs We're now able to drop both `exec` and `prot_exec` privileges automatically when launching glibc dynamic executables. We also have really outstanding standard error logging now, that explains which promises are needed, even in cases where `exec` is used. 2022-08-09 04:23:37 +00:00			`__attribute__((__constructor__)) void init(void) {`
			`int c, i, j;`
			`const char *s;`
Refactor pledge() to be more configurable The earlier iterations did too much guesswork when it came to things like stderr logging and syscall origin verification. This change will make things more conformant to existing practices. The __pledge_mode extension now can be configured in a better way. There's also a new `-q` flag added to pledge.com, e.g. o//tool/build/pledge.com -qv. ls Is a good way to disable warnings about `tty` access attempts. 2022-08-11 18:27:25 +00:00			`uint64_t arg[2] = {0};`
Use LD_PRELOAD to inject pledge() in glibc progs We're now able to drop both `exec` and `prot_exec` privileges automatically when launching glibc dynamic executables. We also have really outstanding standard error logging now, that explains which promises are needed, even in cases where `exec` is used. 2022-08-09 04:23:37 +00:00			`s = getenv("_PLEDGE");`
Refactor pledge() to be more configurable The earlier iterations did too much guesswork when it came to things like stderr logging and syscall origin verification. This change will make things more conformant to existing practices. The __pledge_mode extension now can be configured in a better way. There's also a new `-q` flag added to pledge.com, e.g. o//tool/build/pledge.com -qv. ls Is a good way to disable warnings about `tty` access attempts. 2022-08-11 18:27:25 +00:00			`for (i = j = 0; i < 2; ++i) {`
Use LD_PRELOAD to inject pledge() in glibc progs We're now able to drop both `exec` and `prot_exec` privileges automatically when launching glibc dynamic executables. We also have really outstanding standard error logging now, that explains which promises are needed, even in cases where `exec` is used. 2022-08-09 04:23:37 +00:00			`while ((c = s[j] & 255)) {`
			`++j;`
			`if ('0' <= c & c <= '9') {`
			`arg[i] *= 10;`
			`arg[i] += c - '0';`
			`} else {`
			`break;`
			`}`
			`}`
			`}`
Refactor pledge() to be more configurable The earlier iterations did too much guesswork when it came to things like stderr logging and syscall origin verification. This change will make things more conformant to existing practices. The __pledge_mode extension now can be configured in a better way. There's also a new `-q` flag added to pledge.com, e.g. o//tool/build/pledge.com -qv. ls Is a good way to disable warnings about `tty` access attempts. 2022-08-11 18:27:25 +00:00			`sys_pledge_linux(~arg[0], arg[1]);`
Rewrite Linux pledge() code so it can be a payload It's now possible to build our pledge() polyfill as a dynamic shared object that can be injected into a glibc executable using LD_PRELOAD 2022-08-08 18:41:08 +00:00			`}`