cosmopolitan/libc/runtime/morph.c

/*-*- mode:c;indent-tabs-mode:nil;c-basic-offset:2;tab-width:8;coding:utf-8 -*-│
│ vi: set et ft=c ts=2 sts=2 sw=2 fenc=utf-8                               :vi │
╞══════════════════════════════════════════════════════════════════════════════╡
│ Copyright 2022 Justine Alexandra Roberts Tunney                              │
│                                                                              │
│ Permission to use, copy, modify, and/or distribute this software for         │
│ any purpose with or without fee is hereby granted, provided that the         │
│ above copyright notice and this permission notice appear in all copies.      │
│                                                                              │
│ THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL                │
│ WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED                │
│ WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE             │
│ AUTHOR BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL         │
│ DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR        │
│ PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER               │
│ TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR             │
│ PERFORMANCE OF THIS SOFTWARE.                                                │
╚─────────────────────────────────────────────────────────────────────────────*/
#define ShouldUseMsabiAttribute() 1
#include "ape/sections.internal.h"
#include "libc/dce.h"
#include "libc/errno.h"
#include "libc/intrin/asmflag.h"
#include "libc/intrin/kprintf.h"
#include "libc/nt/enum/pageflags.h"
#include "libc/nt/memory.h"
#include "libc/nt/thunk/msabi.h"
#include "libc/runtime/runtime.h"
#include "libc/sysv/consts/nr.h"
#include "libc/sysv/consts/prot.h"

__msabi extern typeof(VirtualProtect) *const __imp_VirtualProtect;

__funline void __morph_mprotect(void *addr, size_t size, int prot, int ntprot) {
#ifdef __x86_64__
  bool cf;
  int ax, dx;
  uint32_t op;
  if (!IsWindows()) {
    asm volatile(CFLAG_ASM("clc\n\t"
                           "syscall")
                 : CFLAG_CONSTRAINT(cf), "=a"(ax), "=d"(dx)
                 : "1"(__NR_mprotect), "D"(addr), "S"(size), "2"(prot)
                 : "rcx", "r8", "r9", "r10", "r11", "memory");
#ifndef NDEBUG
    if (cf) ax = -ax;
    if (ax == -EPERM) {
      kprintf("error: need pledge(prot_exec) permission to code morph\n");
    }
    if (ax < 0) {
      kprintf("error: __morph_mprotect(%p, %#zx, %d) failed: errno=%d\n", addr,
              size, prot, -ax);
    }
#endif
  } else {
    __imp_VirtualProtect(addr, size, ntprot, &op);
  }
#elif defined(__aarch64__)
  register long r0 asm("x0") = (long)addr;
  register long r1 asm("x1") = (long)size;
  register long r2 asm("x2") = (long)prot;
  register long r8 asm("x8") = (long)__NR_mprotect;
  register long r16 asm("x16") = (long)__NR_mprotect;
  asm volatile("svc\t0"
               : "+r"(r0)
               : "r"(r1), "r"(r2), "r"(r8), "r"(r16)
               : "memory");
#endif
}

/**
 * Begins code morphing executable.
 *
 * The following example
 *
 *     #include <cosmo.h>
 *     #include <stdlib.h>
 *
 *     privileged int main() {  // privileged code is unmodifiable
 *       ShowCrashReports();    // print report if trapped
 *       __morph_begin(0);      // make executable code R+W
 *       *(char *)exit = 0xCC;  // turn exit() into an INT3 trap
 *       __morph_end();         // make executable code R+X
 *       exit(0);               // won't actually exit
 *     }
 *
 * shows how the exit() function can be recompiled at runtime to become
 * an int3 (x86-64) debugger trap. What makes it tricky is Cosmopolitan
 * maintains a R^X invariant, in order to support OpenBSD. So when code
 * wants to modify some part of the executable image in memory the vast
 * majority of the code stops being executable during that time, unless
 * it's been linked into a special privileged section of the binary. It
 * is only possible to code morph from privileged functions. Privileged
 * functions are also only allowed to call other privileged functions.
 */
privileged void __morph_begin(void) {
  __morph_mprotect(__executable_start, __privileged_start - __executable_start,
                   PROT_READ | PROT_WRITE, kNtPageWritecopy);
}

/**
 * Finishes code morphing executable.
 */
privileged void __morph_end(void) {
  __morph_mprotect(__executable_start, __privileged_start - __executable_start,
                   PROT_READ | PROT_EXEC, kNtPageExecuteRead);
}
Initial import 2020-06-15 14:18:57 +00:00			`/-- mode:c;indent-tabs-mode:nil;c-basic-offset:2;tab-width:8;coding:utf-8 -*-│`
flip et / noet in modelines `et` means `expandtab`. ```sh rg 'vi: .* :vi' -l -0 \| \ xargs -0 sed -i '' 's/vi: \(.\) et\(.\) :vi/vi: \1 xoet\2:vi/' rg 'vi: .* :vi' -l -0 \| \ xargs -0 sed -i '' 's/vi: \(.\)noet\(.\):vi/vi: \1et\2 :vi/' rg 'vi: .* :vi' -l -0 \| \ xargs -0 sed -i '' 's/vi: \(.\)xoet\(.\):vi/vi: \1noet\2:vi/' ``` 2023-12-08 03:11:56 +00:00			`│ vi: set et ft=c ts=2 sts=2 sw=2 fenc=utf-8 :vi │`
Initial import 2020-06-15 14:18:57 +00:00			`╞══════════════════════════════════════════════════════════════════════════════╡`
Fix bugs and make improvements - Get clone() working on FreeBSD - Increase some Python build quotas - Add more atomic builtins to chibicc - Fix ASAN poisoning of alloca() memory - Make MODE= mandatory link path tinier - Improve the examples folder a little bit - Start working on some more resource limits - Make the linenoise auto-complete UI as good as GNU readline - Update compile.com, avoiding AVX codegen on non-AVX systems - Make sure empty path to syscalls like opendir raises ENOENT - Correctly polyfill ENOENT vs. ENOTDIR on the New Technology - Port bestline's paredit features to //third_party/linenoise - Remove workarounds for RHEL 5.0 bugs that were fixed in 5.1 2022-04-20 16:56:53 +00:00			`│ Copyright 2022 Justine Alexandra Roberts Tunney │`
Initial import 2020-06-15 14:18:57 +00:00			`│ │`
Change license 2020-12-28 01:18:44 +00:00			`│ Permission to use, copy, modify, and/or distribute this software for │`
			`│ any purpose with or without fee is hereby granted, provided that the │`
			`│ above copyright notice and this permission notice appear in all copies. │`
Initial import 2020-06-15 14:18:57 +00:00			`│ │`
Change license 2020-12-28 01:18:44 +00:00			`│ THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL │`
			`│ WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED │`
			`│ WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE │`
			`│ AUTHOR BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL │`
			`│ DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR │`
			`│ PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER │`
			`│ TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR │`
			`│ PERFORMANCE OF THIS SOFTWARE. │`
Initial import 2020-06-15 14:18:57 +00:00			`╚─────────────────────────────────────────────────────────────────────────────*/`
Support thread local storage 2022-05-16 20:20:08 +00:00			`#define ShouldUseMsabiAttribute() 1`
Make some foss compatibility improvements 2022-10-14 16:52:35 +00:00			`#include "ape/sections.internal.h"`
Support thread local storage 2022-05-16 20:20:08 +00:00			`#include "libc/dce.h"`
			`#include "libc/errno.h"`
Perform more low-level code cleanup 2022-09-09 11:07:08 +00:00			`#include "libc/intrin/asmflag.h"`
Support thread local storage 2022-05-16 20:20:08 +00:00			`#include "libc/intrin/kprintf.h"`
			`#include "libc/nt/enum/pageflags.h"`
			`#include "libc/nt/memory.h"`
			`#include "libc/nt/thunk/msabi.h"`
			`#include "libc/runtime/runtime.h"`
			`#include "libc/sysv/consts/nr.h"`
			`#include "libc/sysv/consts/prot.h"`
Initial import 2020-06-15 14:18:57 +00:00
Support thread local storage 2022-05-16 20:20:08 +00:00			`__msabi extern typeof(VirtualProtect) *const __imp_VirtualProtect;`

Incorporate more small improvements 2023-07-23 17:57:18 +00:00			`__funline void __morph_mprotect(void *addr, size_t size, int prot, int ntprot) {`
Make progress towards aarch64 build 2023-05-02 02:43:59 +00:00			`#ifdef __x86_64__`
Make pledge() and unveil() work amazingly This change reconciles our pledge() implementation with the OpenBSD kernel source code. We now a polyfill that's much closer to OpenBSD's behavior. For example, it was discovered that "stdio" permits threads. There were a bunch of Linux system calls that needed to be added, like sched_yield(). The exec / execnative category division is now dropped. We're instead using OpenBSD's "prot_exec" promise for launching APE binaries and dynamic shared objects. We also now filter clone() flags. The pledge.com command has been greatly improved. It now does unveiling by default when Landlock is available. It's now smart enough to unveil a superset of paths that OpenBSD automatically unveils with pledge(), such as /etc/localtime. pledge.com also now checks if the executable being launched is a dynamic shared object, in which case it unveils libraries. These changes now make it possible to pledge curl on ubuntu 20.04 glibc: pledge.com -p 'stdio rpath prot_exec inet dns tty sendfd recvfd' \ curl -s https://justine.lol/hello.txt Here's what pledging curl on Alpine 3.16 with Musl Libc looks like: pledge.com -p 'stdio rpath prot_exec dns inet' \ curl -s https://justine.lol/hello.txt Here's what pledging curl.com w/ ape loader looks like: pledge.com -p 'stdio rpath prot_exec dns inet' \ o//examples/curl.com https://justine.lol/hello.txt The most secure sandbox, is curl.com converted to static ELF: o//tool/build/assimilate.com o//examples/curl.com pledge.com -p 'stdio rpath dns inet' \ o//examples/curl.com https://justine.lol/hello.txt A weird corner case needed to be handled when resolving symbolic links during the unveiling process, that's arguably a Landlock bug. It's not surprising since Musl and Glibc are also inconsistent here too. 2022-07-20 04:18:33 +00:00			`bool cf;`
Support thread local storage 2022-05-16 20:20:08 +00:00			`int ax, dx;`
			`uint32_t op;`
			`if (!IsWindows()) {`
Make pledge() and unveil() work amazingly This change reconciles our pledge() implementation with the OpenBSD kernel source code. We now a polyfill that's much closer to OpenBSD's behavior. For example, it was discovered that "stdio" permits threads. There were a bunch of Linux system calls that needed to be added, like sched_yield(). The exec / execnative category division is now dropped. We're instead using OpenBSD's "prot_exec" promise for launching APE binaries and dynamic shared objects. We also now filter clone() flags. The pledge.com command has been greatly improved. It now does unveiling by default when Landlock is available. It's now smart enough to unveil a superset of paths that OpenBSD automatically unveils with pledge(), such as /etc/localtime. pledge.com also now checks if the executable being launched is a dynamic shared object, in which case it unveils libraries. These changes now make it possible to pledge curl on ubuntu 20.04 glibc: pledge.com -p 'stdio rpath prot_exec inet dns tty sendfd recvfd' \ curl -s https://justine.lol/hello.txt Here's what pledging curl on Alpine 3.16 with Musl Libc looks like: pledge.com -p 'stdio rpath prot_exec dns inet' \ curl -s https://justine.lol/hello.txt Here's what pledging curl.com w/ ape loader looks like: pledge.com -p 'stdio rpath prot_exec dns inet' \ o//examples/curl.com https://justine.lol/hello.txt The most secure sandbox, is curl.com converted to static ELF: o//tool/build/assimilate.com o//examples/curl.com pledge.com -p 'stdio rpath dns inet' \ o//examples/curl.com https://justine.lol/hello.txt A weird corner case needed to be handled when resolving symbolic links during the unveiling process, that's arguably a Landlock bug. It's not surprising since Musl and Glibc are also inconsistent here too. 2022-07-20 04:18:33 +00:00			`asm volatile(CFLAG_ASM("clc\n\t"`
			`"syscall")`
			`: CFLAG_CONSTRAINT(cf), "=a"(ax), "=d"(dx)`
			`: "1"(__NR_mprotect), "D"(addr), "S"(size), "2"(prot)`
Perform more low-level code cleanup 2022-09-09 11:07:08 +00:00			`: "rcx", "r8", "r9", "r10", "r11", "memory");`
Make pledge() and unveil() work amazingly This change reconciles our pledge() implementation with the OpenBSD kernel source code. We now a polyfill that's much closer to OpenBSD's behavior. For example, it was discovered that "stdio" permits threads. There were a bunch of Linux system calls that needed to be added, like sched_yield(). The exec / execnative category division is now dropped. We're instead using OpenBSD's "prot_exec" promise for launching APE binaries and dynamic shared objects. We also now filter clone() flags. The pledge.com command has been greatly improved. It now does unveiling by default when Landlock is available. It's now smart enough to unveil a superset of paths that OpenBSD automatically unveils with pledge(), such as /etc/localtime. pledge.com also now checks if the executable being launched is a dynamic shared object, in which case it unveils libraries. These changes now make it possible to pledge curl on ubuntu 20.04 glibc: pledge.com -p 'stdio rpath prot_exec inet dns tty sendfd recvfd' \ curl -s https://justine.lol/hello.txt Here's what pledging curl on Alpine 3.16 with Musl Libc looks like: pledge.com -p 'stdio rpath prot_exec dns inet' \ curl -s https://justine.lol/hello.txt Here's what pledging curl.com w/ ape loader looks like: pledge.com -p 'stdio rpath prot_exec dns inet' \ o//examples/curl.com https://justine.lol/hello.txt The most secure sandbox, is curl.com converted to static ELF: o//tool/build/assimilate.com o//examples/curl.com pledge.com -p 'stdio rpath dns inet' \ o//examples/curl.com https://justine.lol/hello.txt A weird corner case needed to be handled when resolving symbolic links during the unveiling process, that's arguably a Landlock bug. It's not surprising since Musl and Glibc are also inconsistent here too. 2022-07-20 04:18:33 +00:00			`#ifndef NDEBUG`
			`if (cf) ax = -ax;`
			`if (ax == -EPERM) {`
			`kprintf("error: need pledge(prot_exec) permission to code morph\n");`
			`}`
Incorporate more small improvements 2023-07-23 17:57:18 +00:00			`if (ax < 0) {`
			`kprintf("error: __morph_mprotect(%p, %#zx, %d) failed: errno=%d\n", addr,`
			`size, prot, -ax);`
			`}`
Make pledge() and unveil() work amazingly This change reconciles our pledge() implementation with the OpenBSD kernel source code. We now a polyfill that's much closer to OpenBSD's behavior. For example, it was discovered that "stdio" permits threads. There were a bunch of Linux system calls that needed to be added, like sched_yield(). The exec / execnative category division is now dropped. We're instead using OpenBSD's "prot_exec" promise for launching APE binaries and dynamic shared objects. We also now filter clone() flags. The pledge.com command has been greatly improved. It now does unveiling by default when Landlock is available. It's now smart enough to unveil a superset of paths that OpenBSD automatically unveils with pledge(), such as /etc/localtime. pledge.com also now checks if the executable being launched is a dynamic shared object, in which case it unveils libraries. These changes now make it possible to pledge curl on ubuntu 20.04 glibc: pledge.com -p 'stdio rpath prot_exec inet dns tty sendfd recvfd' \ curl -s https://justine.lol/hello.txt Here's what pledging curl on Alpine 3.16 with Musl Libc looks like: pledge.com -p 'stdio rpath prot_exec dns inet' \ curl -s https://justine.lol/hello.txt Here's what pledging curl.com w/ ape loader looks like: pledge.com -p 'stdio rpath prot_exec dns inet' \ o//examples/curl.com https://justine.lol/hello.txt The most secure sandbox, is curl.com converted to static ELF: o//tool/build/assimilate.com o//examples/curl.com pledge.com -p 'stdio rpath dns inet' \ o//examples/curl.com https://justine.lol/hello.txt A weird corner case needed to be handled when resolving symbolic links during the unveiling process, that's arguably a Landlock bug. It's not surprising since Musl and Glibc are also inconsistent here too. 2022-07-20 04:18:33 +00:00			`#endif`
Fix bugs and make improvements - Get clone() working on FreeBSD - Increase some Python build quotas - Add more atomic builtins to chibicc - Fix ASAN poisoning of alloca() memory - Make MODE= mandatory link path tinier - Improve the examples folder a little bit - Start working on some more resource limits - Make the linenoise auto-complete UI as good as GNU readline - Update compile.com, avoiding AVX codegen on non-AVX systems - Make sure empty path to syscalls like opendir raises ENOENT - Correctly polyfill ENOENT vs. ENOTDIR on the New Technology - Port bestline's paredit features to //third_party/linenoise - Remove workarounds for RHEL 5.0 bugs that were fixed in 5.1 2022-04-20 16:56:53 +00:00			`} else {`
Support thread local storage 2022-05-16 20:20:08 +00:00			`__imp_VirtualProtect(addr, size, ntprot, &op);`
Improve dead code elimination 2021-02-08 12:04:42 +00:00			`}`
Make progress towards aarch64 build 2023-05-02 02:43:59 +00:00			`#elif defined(__aarch64__)`
			`register long r0 asm("x0") = (long)addr;`
			`register long r1 asm("x1") = (long)size;`
			`register long r2 asm("x2") = (long)prot;`
Make considerably more progress on AARCH64 - Utilities like pledge.com now build - kprintf() will no longer balk at 48-bit addresses - There's a new aarch64-dbg build mode that should work - gc() and defer() are mostly pacified; avoid using them on aarch64 - THIRD_PART_STB now has Arm Neon intrinsics for fast image handling 2023-05-13 05:42:57 +00:00			`register long r8 asm("x8") = (long)__NR_mprotect;`
Get --ftrace working on aarch64 This change implements a new approach to function call logging, that's based on the GCC flag: -fpatchable-function-entry. Read the commentary in build/config.mk to learn how it works. 2023-06-06 06:35:31 +00:00			`register long r16 asm("x16") = (long)__NR_mprotect;`
Make considerably more progress on AARCH64 - Utilities like pledge.com now build - kprintf() will no longer balk at 48-bit addresses - There's a new aarch64-dbg build mode that should work - gc() and defer() are mostly pacified; avoid using them on aarch64 - THIRD_PART_STB now has Arm Neon intrinsics for fast image handling 2023-05-13 05:42:57 +00:00			`asm volatile("svc\t0"`
Get --ftrace working on aarch64 This change implements a new approach to function call logging, that's based on the GCC flag: -fpatchable-function-entry. Read the commentary in build/config.mk to learn how it works. 2023-06-06 06:35:31 +00:00			`: "+r"(r0)`
			`: "r"(r1), "r"(r2), "r"(r8), "r"(r16)`
Make considerably more progress on AARCH64 - Utilities like pledge.com now build - kprintf() will no longer balk at 48-bit addresses - There's a new aarch64-dbg build mode that should work - gc() and defer() are mostly pacified; avoid using them on aarch64 - THIRD_PART_STB now has Arm Neon intrinsics for fast image handling 2023-05-13 05:42:57 +00:00			`: "memory");`
Make progress towards aarch64 build 2023-05-02 02:43:59 +00:00			`#endif`
Support thread local storage 2022-05-16 20:20:08 +00:00			`}`

			`/**`
Correct more typos (#500) 2022-07-22 03:53:30 +00:00			`* Begins code morphing executable.`
Support thread local storage 2022-05-16 20:20:08 +00:00			`*`
Remove _Hide keyword It never did anything and isn't worthwhile as documentation. 2023-07-24 15:31:54 +00:00			`* The following example`
			`*`
			`* #include <cosmo.h>`
			`* #include <stdlib.h>`
			`*`
			`* privileged int main() { // privileged code is unmodifiable`
			`* ShowCrashReports(); // print report if trapped`
			`* __morph_begin(0); // make executable code R+W`
			`* (char )exit = 0xCC; // turn exit() into an INT3 trap`
			`* __morph_end(); // make executable code R+X`
			`* exit(0); // won't actually exit`
			`* }`
			`*`
			`* shows how the exit() function can be recompiled at runtime to become`
			`* an int3 (x86-64) debugger trap. What makes it tricky is Cosmopolitan`
			`* maintains a R^X invariant, in order to support OpenBSD. So when code`
			`* wants to modify some part of the executable image in memory the vast`
			`* majority of the code stops being executable during that time, unless`
			`* it's been linked into a special privileged section of the binary. It`
			`* is only possible to code morph from privileged functions. Privileged`
			`* functions are also only allowed to call other privileged functions.`
Support thread local storage 2022-05-16 20:20:08 +00:00			`*/`
Remove _Hide keyword It never did anything and isn't worthwhile as documentation. 2023-07-24 15:31:54 +00:00			`privileged void __morph_begin(void) {`
Fix bugs in cosmocc toolchain This change integrates e58abc1110b335a3341e8ad5821ad8e3880d9bb2 from https://github.com/ahgamut/musl-cross-make/ which fixes the issues we were having with our C language extension for symbolic constants. This change also performs some code cleanup and bug fixes to getaddrinfo(). It's now possible to compile projects like ncurses, readline and python without needing to patch anything upstream, except maybe a line or two. Pretty soon it should be possible to build a Linux distro on Cosmo. 2023-06-09 06:44:03 +00:00			`__morph_mprotect(__executable_start, __privileged_start - __executable_start,`
Introduce native support for MacOS ARM64 There's a new program named ape/ape-m1.c which will be used to build an embeddable binary that can load ape and elf executables. The support is mostly working so far, but still chasing down ABI issues. 2023-05-19 02:05:08 +00:00			`PROT_READ \| PROT_WRITE, kNtPageWritecopy);`
Support thread local storage 2022-05-16 20:20:08 +00:00			`}`

			`/**`
Remove _Hide keyword It never did anything and isn't worthwhile as documentation. 2023-07-24 15:31:54 +00:00			`* Finishes code morphing executable.`
Support thread local storage 2022-05-16 20:20:08 +00:00			`*/`
Remove _Hide keyword It never did anything and isn't worthwhile as documentation. 2023-07-24 15:31:54 +00:00			`privileged void __morph_end(void) {`
Fix bugs in cosmocc toolchain This change integrates e58abc1110b335a3341e8ad5821ad8e3880d9bb2 from https://github.com/ahgamut/musl-cross-make/ which fixes the issues we were having with our C language extension for symbolic constants. This change also performs some code cleanup and bug fixes to getaddrinfo(). It's now possible to compile projects like ncurses, readline and python without needing to patch anything upstream, except maybe a line or two. Pretty soon it should be possible to build a Linux distro on Cosmo. 2023-06-09 06:44:03 +00:00			`__morph_mprotect(__executable_start, __privileged_start - __executable_start,`
Introduce native support for MacOS ARM64 There's a new program named ape/ape-m1.c which will be used to build an embeddable binary that can load ape and elf executables. The support is mostly working so far, but still chasing down ABI issues. 2023-05-19 02:05:08 +00:00			`PROT_READ \| PROT_EXEC, kNtPageExecuteRead);`
Initial import 2020-06-15 14:18:57 +00:00			`}`