mirrors/cosmopolitan
1
0
Fork 0
mirror of https://github.com/jart/cosmopolitan.git synced 2025-01-31 03:27:39 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions
cosmopolitan/libc/intrin/promises.h

Ignoring revisions in .git-blame-ignore-revs. Click here to bypass and see the normal blame view.

38 lines
997 B
C
Raw Normal View History

Make some touchups
2022-07-16 01:07:34 +00:00
#ifndef COSMOPOLITAN_LIBC_INTRIN_PROMISES_H_
#define COSMOPOLITAN_LIBC_INTRIN_PROMISES_H_
Make pledge() and unveil() work amazingly This change reconciles our pledge() implementation with the OpenBSD kernel source code. We now a polyfill that's much closer to OpenBSD's behavior. For example, it was discovered that "stdio" permits threads. There were a bunch of Linux system calls that needed to be added, like sched_yield(). The exec / execnative category division is now dropped. We're instead using OpenBSD's "prot_exec" promise for launching APE binaries and dynamic shared objects. We also now filter clone() flags. The pledge.com command has been greatly improved. It now does unveiling by default when Landlock is available. It's now smart enough to unveil a superset of paths that OpenBSD automatically unveils with pledge(), such as /etc/localtime. pledge.com also now checks if the executable being launched is a dynamic shared object, in which case it unveils libraries. These changes now make it possible to pledge curl on ubuntu 20.04 glibc: pledge.com -p 'stdio rpath prot_exec inet dns tty sendfd recvfd' \ curl -s https://justine.lol/hello.txt Here's what pledging curl on Alpine 3.16 with Musl Libc looks like: pledge.com -p 'stdio rpath prot_exec dns inet' \ curl -s https://justine.lol/hello.txt Here's what pledging curl.com w/ ape loader looks like: pledge.com -p 'stdio rpath prot_exec dns inet' \ o//examples/curl.com https://justine.lol/hello.txt The most secure sandbox, is curl.com converted to static ELF: o//tool/build/assimilate.com o//examples/curl.com pledge.com -p 'stdio rpath dns inet' \ o//examples/curl.com https://justine.lol/hello.txt A weird corner case needed to be handled when resolving symbolic links during the unveiling process, that's arguably a Landlock bug. It's not surprising since Musl and Glibc are also inconsistent here too.
2022-07-20 04:18:33 +00:00
#define PROMISE_STDIO 0
#define PROMISE_RPATH 1
#define PROMISE_WPATH 2
#define PROMISE_CPATH 3
#define PROMISE_DPATH 4
#define PROMISE_FLOCK 5
#define PROMISE_FATTR 6
#define PROMISE_INET 7
#define PROMISE_UNIX 8
#define PROMISE_DNS 9
#define PROMISE_TTY 10
#define PROMISE_RECVFD 11
#define PROMISE_PROC 12
#define PROMISE_EXEC 13
#define PROMISE_ID 14
#define PROMISE_UNVEIL 15
#define PROMISE_SENDFD 16
#define PROMISE_SETTIME 17
#define PROMISE_PROT_EXEC 18
#define PROMISE_VMINFO 19
Release pledge.com v1.1 This change fixes bugs, adds more system calls, and improves compatibility with OpenBSD. Going forward, versions on the web will be pinned to a permanent version. There were many other changes over the last week which also improved this new release.
2022-07-22 20:44:00 +00:00
#define PROMISE_TMPPATH 20
Release pledge.com 1.7 and landlockmake.com 1.3 - pledge("chown") now supported - pledge("stdio") now allows killing self - Write tests for pselect() and ppoll()
2022-08-16 02:52:00 +00:00
#define PROMISE_CHOWN 21
Extend Pledge with anet (same as inet, but with no connect) (#827) * Add `anet` pledge for `inet` without connect This is useful for configurations where it's desirable to start redbean under these restrictions, but not to allow `connect` socket calls. * Update message on protected/unpledged syscalls for clarity * Update redbean to add reporting for unpledged sigaction Previously it would abort without indicating what signal it failed to install when sigaction is not pledged (although it fails all of them). * Move GetHostIps before processing command line options This allows using unix.pledge as part of the options without affecting retrieving host IP addresses (which requires `connect`). It may still fail under external `pledge` command as expected; in this case IPs would need to be passed manually. * Update tests for pledge anet promise
2023-06-03 14:50:29 +00:00
#define PROMISE_ANET 22
#define PROMISE_LEN_ 23
Make some touchups
2022-07-16 01:07:34 +00:00
Improve pledge() and unveil() The pledge.com command now supports the new [WIP] unveil() support. For example, to strongly sandbox our command for listing directories. o//tool/build/assimilate.com o//examples/ls.com pledge.com -v /etc -p 'stdio rpath' o//examples/ls.com /etc This file system sandboxing is going to be perfect for us, because APE binaries are self-contained static executables that really don't use the filesystem that much. On the other hand, with non-static executables, sandboxing is going to be more difficult. For example, here's how to sandbox the `ls` command on the latest Alpine: pledge.com -v rx:/lib -v /usr/lib -v /etc -p 'stdio rpath exec' ls /etc This change fixes the `execpromises` API with pledge(). This change also adds unix.unveil() to redbean. Fixes #494
2022-07-18 14:23:15 +00:00
#define PLEDGED(x) ((~__promises >> PROMISE_##x) & 1)
Make some touchups
2022-07-16 01:07:34 +00:00
COSMOPOLITAN_C_START_
Remove malloc() dependency on pledge() / unveil() This change also fixes a bug with gettid() being incorrect after fork(). We now implement the ENOENT behavior for getauxval(). The getuid() etc. system calls are now faster too. Plus issetugid() will work on BSDs.
2022-07-25 02:40:32 +00:00
extern unsigned long __promises;
extern unsigned long __execpromises;
Make some touchups
2022-07-16 01:07:34 +00:00
COSMOPOLITAN_C_END_
#endif /* COSMOPOLITAN_LIBC_INTRIN_PROMISES_H_ */
Reference in a new issue Copy permalink