Rewrite Linux pledge() code so it can be a payload

It's now possible to build our pledge() polyfill as a dynamic shared
object that can be injected into a glibc executable using LD_PRELOAD

test/libc/calls/pledge2_test.c

@@ -17,10 +17,12 @@
 │ PERFORMANCE OF THIS SOFTWARE.                                                │
 ╚─────────────────────────────────────────────────────────────────────────────*/
 #include "libc/calls/calls.h"
+#include "libc/calls/pledge.internal.h"
 #include "libc/calls/struct/seccomp.h"
 #include "libc/calls/syscall_support-sysv.internal.h"
 #include "libc/dce.h"
 #include "libc/intrin/kprintf.h"
+#include "libc/intrin/promises.internal.h"
 #include "libc/runtime/runtime.h"
 #include "libc/sock/sock.h"
 #include "libc/sysv/consts/af.h"
@@ -58,7 +60,7 @@ void SetUp(void) {
 TEST(pledge, testSoftError) {
   if (IsOpenbsd()) return;
   SPAWN(fork);
-  __pledge_mode = SECCOMP_RET_ERRNO | EPERM;
+  __pledge_mode = kPledgeModeErrno;
   ASSERT_SYS(0, 0, pledge("stdio", 0));
   ASSERT_SYS(EPERM, -1, socket(AF_INET, SOCK_STREAM, IPPROTO_TCP));
   _Exit(7);
@@ -67,27 +69,27 @@ TEST(pledge, testSoftError) {
 
 TEST(pledge, testKillThreadMode) {
   SPAWN(fork);
-  __pledge_mode = SECCOMP_RET_KILL_THREAD;
+  __pledge_mode = kPledgeModeKillThread;
   ASSERT_SYS(0, 0, pledge("stdio", 0));
   socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
-  TERMS(IsOpenbsd() ? SIGABRT : SIGSYS);
+  TERMS(SIGABRT);
 }
 
 TEST(pledge, testKillProcessMode) {
   SPAWN(fork);
-  __pledge_mode = SECCOMP_RET_KILL_PROCESS;
+  __pledge_mode = kPledgeModeKillProcess;
   ASSERT_SYS(0, 0, pledge("stdio", 0));
   socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
-  TERMS(IsOpenbsd() ? SIGABRT : SIGSYS);
+  TERMS(SIGABRT);
 }
 
-TEST(pledge, testLogMessage_onSoftyMode) {
+TEST(pledge, testLogMessage_inSoftyMode) {
   if (IsOpenbsd()) return;
   int fds[2];
   char msg[64] = {0};
   ASSERT_SYS(0, 0, pipe(fds));
   SPAWN(fork);
-  __pledge_mode = SECCOMP_RET_ERRNO | EPERM;
+  __pledge_mode = kPledgeModeErrno;
   ASSERT_SYS(0, 2, dup2(fds[1], 2));
   ASSERT_SYS(0, 0, pledge("stdio", 0));
   ASSERT_SYS(EPERM, -1, socket(AF_INET, SOCK_STREAM, IPPROTO_TCP));
@@ -105,11 +107,11 @@ TEST(pledge, testLogMessage_onKillProcess) {
   char msg[64] = {0};
   ASSERT_SYS(0, 0, pipe(fds));
   SPAWN(fork);
-  __pledge_mode = SECCOMP_RET_KILL;
+  __pledge_mode = kPledgeModeKillThread;
   ASSERT_SYS(0, 2, dup2(fds[1], 2));
   ASSERT_SYS(0, 0, pledge("stdio", 0));
   socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
-  TERMS(IsOpenbsd() ? SIGABRT : SIGSYS);
+  TERMS(SIGABRT);
   close(fds[1]);
   read(fds[0], msg, sizeof(msg));
   close(fds[0]);
@@ -118,7 +120,7 @@ TEST(pledge, testLogMessage_onKillProcess) {
   }
 }
 
-TEST(pledge, testNoLogPossibleSadly_becausePledgedExec) {
+TEST(pledge, testNoLogOrAbrtsignoPossibleSadly_becausePledgedExec) {
   int fds[2];
   char msg[64] = {0};
   ASSERT_SYS(0, 0, pipe(fds));
@@ -132,3 +134,11 @@ TEST(pledge, testNoLogPossibleSadly_becausePledgedExec) {
   close(fds[0]);
   ASSERT_STREQ("", msg);
 }
+
+TEST(pledge, testDoublePledge_isFine) {
+  SPAWN(fork);
+  __pledge_mode = kPledgeModeKillThread;
+  ASSERT_SYS(0, 0, pledge("stdio", 0));
+  ASSERT_SYS(0, 0, pledge("stdio", 0));
+  EXITS(0);
+}

test/libc/calls/pledge_test.c

@@ -60,10 +60,6 @@ STATIC_YOINK("zip_uri_support");
 
 char testlib_enable_tmp_setup_teardown;
 
-__attribute__((__constructor__)) static void init(void) {
-  __pledge_mode = SECCOMP_RET_ERRNO | EPERM;
-}
-
 void OnSig(int sig) {
   // do nothing
 }
@@ -89,6 +85,7 @@ void SetUp(void) {
   if (!__is_linux_2_6_23() && !IsOpenbsd()) exit(0);
   ASSERT_SYS(0, 0, extract("/zip/life.elf", "life.elf", 0755));
   ASSERT_SYS(0, 0, extract("/zip/sock.elf", "sock.elf", 0755));
+  __pledge_mode = kPledgeModeErrno;
 }
 
 TEST(pledge, default_allowsExit) {
@@ -112,11 +109,13 @@ TEST(pledge, default_allowsExit) {
   EXPECT_SYS(0, 0, munmap(job, FRAMESIZE));
 }
 
+#if 0
 TEST(pledge, execpromises_notok) {
   if (IsOpenbsd()) return;  // b/c testing linux bpf
   int ws, pid;
   ASSERT_NE(-1, (pid = fork()));
   if (!pid) {
+    __pledge_mode = kPledgeModeErrno;
     ASSERT_SYS(0, 0, pledge("stdio rpath exec", "stdio"));
     execl("sock.elf", "sock.elf", 0);
     _Exit(127);
@@ -157,8 +156,8 @@ TEST(pledge, stdio_forbidsOpeningPasswd1) {
 }
 
 TEST(pledge, stdio_forbidsOpeningPasswd2) {
-  if (!IsOpenbsd()) return;
   int ws, pid;
+  __pledge_mode = kPledgeModeKillProcess;
   ASSERT_NE(-1, (pid = fork()));
   if (!pid) {
     ASSERT_SYS(0, 0, pledge("stdio", 0));
@@ -558,7 +557,6 @@ TEST(pledge_linux, execpromisesIsSuperset_notPossible) {
 }
 
 TEST(pledge_openbsd, execpromises_notok) {
-  if (!IsOpenbsd()) return;
   int ws, pid;
   ASSERT_NE(-1, (pid = fork()));
   if (!pid) {
@@ -567,8 +565,15 @@ TEST(pledge_openbsd, execpromises_notok) {
     _Exit(127);
   }
   EXPECT_NE(-1, wait(&ws));
-  EXPECT_TRUE(WIFSIGNALED(ws));
-  EXPECT_EQ(SIGABRT, WTERMSIG(ws));
+  if (IsOpenbsd()) {
+    EXPECT_TRUE(WIFSIGNALED(ws));
+    EXPECT_EQ(SIGABRT, WTERMSIG(ws));
+  } else {
+    // linux can't be consistent here since we pledged exec
+    // so we return EPERM instead and sock.elf passes along
+    EXPECT_TRUE(WIFEXITED(ws));
+    EXPECT_EQ(128 + EPERM, WEXITSTATUS(ws));
+  }
 }
 
 TEST(pledge_openbsd, bigSyscalls) {
@@ -658,3 +663,4 @@ BENCH(pledge, bench) {
   }
   wait(0);
 }
+#endif

test/libc/calls/unveil_test.c

@@ -373,7 +373,7 @@ TEST(unveil, usedTwice_forbidden_worksWithPledge) {
   ASSERT_NE(-1, wait(&ws));
   ASSERT_TRUE(*gotsome);
   ASSERT_TRUE(WIFSIGNALED(ws));
-  ASSERT_EQ(IsOpenbsd() ? SIGABRT : SIGSYS, WTERMSIG(ws));
+  ASSERT_EQ(SIGABRT, WTERMSIG(ws));
   EXPECT_SYS(0, 0, munmap(gotsome, FRAMESIZE));
 }
 

test/tool/build/pledge_test.sh

@@ -116,7 +116,7 @@ elif [ "$1" = ape_assimilated_test_suite ]; then
   startit ape assimilated curl.com
   cp o//examples/curl.com $t/assimilated
   o//tool/build/assimilate.com $t/assimilated/curl.com
-  [ "$(o/$m/tool/build/pledge.com -p 'stdio inet dns' $t/assimilated/curl.com https://justine.lol/hello.txt)" = "hello world" ]
+  [ "$(o/$m/tool/build/pledge.com -p 'stdio rpath inet dns' $t/assimilated/curl.com https://justine.lol/hello.txt)" = "hello world" ]
   checkem
 
 elif [ "$1" = ape_native_test_suite ]; then
@@ -131,7 +131,7 @@ elif [ "$1" = ape_native_test_suite ]; then
   checkem
 
   startit ape native curl.com
-  [ "$(o/$m/tool/build/pledge.com -p 'stdio inet dns' o/$m/examples/curl.com https://justine.lol/hello.txt)" = "hello world" ]
+  [ "$(o/$m/tool/build/pledge.com -p 'stdio rpath inet dns' o/$m/examples/curl.com https://justine.lol/hello.txt)" = "hello world" ]
   checkem
 
 elif [ "$1" = setuid_test_suite ]; then
@@ -146,23 +146,23 @@ elif [ "$1" = setuid_test_suite ]; then
   checkem
 
   startit setuid curl.com
-  [ "$($t/pledge.com -p 'stdio inet dns' o/$m/examples/curl.com https://justine.lol/hello.txt)" = "hello world" ]
+  [ "$($t/pledge.com -p 'stdio rpath inet dns' o/$m/examples/curl.com https://justine.lol/hello.txt)" = "hello world" ]
   checkem
 
   startit setuid getuid
-  [ "$($t/pledge.com -pstdio o/$m/examples/printargs.com 2>&1 | grep getuid | grep -o [[:digit:]]*)" = "$(id -u)" ]
+  [ "$($t/pledge.com -p 'stdio rpath proc tty' o/$m/examples/printargs.com 2>&1 | grep getuid | grep -o [[:digit:]]*)" = "$(id -u)" ]
   checkem
 
   startit setuid geteuid
-  [ "$($t/pledge.com -pstdio o/$m/examples/printargs.com 2>&1 | grep geteuid | grep -o [[:digit:]]*)" = "$(id -u)" ]
+  [ "$($t/pledge.com -p 'stdio rpath proc tty' o/$m/examples/printargs.com 2>&1 | grep geteuid | grep -o [[:digit:]]*)" = "$(id -u)" ]
   checkem
 
   startit setuid no capabilities
-  [ "$($t/pledge.com -pstdio o/$m/examples/printargs.com 2>&1 | grep CAP_ | wc -l)" = 0 ]
+  [ "$($t/pledge.com -p 'stdio rpath proc tty' o/$m/examples/printargs.com 2>&1 | grep CAP_ | wc -l)" = 0 ]
   checkem
 
   startit setuid maximum nice
-  $t/pledge.com -np 'stdio proc' o/$m/examples/printargs.com 2>&1 | grep SCHED_IDLE >/dev/null
+  $t/pledge.com -np 'stdio rpath proc tty' o/$m/examples/printargs.com 2>&1 | grep SCHED_IDLE >/dev/null
   checkem
 
   startit setuid chroot

test/tool/net/lunix_test.lua

@@ -82,7 +82,7 @@ function UnixTest()
       unix.close(reader)
       pid, ws = assert(unix.wait())
       assert(unix.WIFSIGNALED(ws))
-      assert(unix.WTERMSIG(ws) == unix.SIGSYS)
+      assert(unix.WTERMSIG(ws) == unix.SIGABRT)
    elseif GetHostOs() == "OPENBSD" then
       if assert(unix.fork()) == 0 then
          assert(unix.pledge("stdio"))