Rewrite Linux pledge() code so it can be a payload

It's now possible to build our pledge() polyfill as a dynamic shared
object that can be injected into a glibc executable using LD_PRELOAD

tool/build/build.mk

@@ -117,6 +117,25 @@ o/$(MODE)/tool/build/printf.zip.o: o/$(MODE)/tool/build/printf
 o/$(MODE)/tool/build/dd.zip.o: o/$(MODE)/tool/build/dd
 	@$(COMPILE) -AZIPOBJ $(ZIPOBJ) $(ZIPOBJ_FLAGS) -0 -B -Pbin $(OUTPUT_OPTION) $<
 
+# we need pic because:
+#   so it can be an LD_PRELOAD payload
+o/$(MODE)/tool/build/sandbox.o:				\
+		OVERRIDE_CFLAGS +=			\
+			-fPIC
+
+o/$(MODE)/tool/build/sandbox.so:			\
+		o/$(MODE)/tool/build/sandbox.o		\
+		o/$(MODE)/libc/calls/pledge-linux.o	\
+		o/$(MODE)/libc/sysv/restorert.o
+	@$(COMPILE) -ALINK.so				\
+		$(CC)					\
+		-s					\
+		-shared					\
+		-nostdlib				\
+		-Wl,--gc-sections			\
+		$(LINKARGS)				\
+		$(OUTPUT_OPTION)
+
 .PHONY: o/$(MODE)/tool/build
 o/$(MODE)/tool/build:					\
 		o/$(MODE)/tool/build/emucrt		\

tool/build/pledge.c

@@ -20,6 +20,7 @@
 #include "libc/bits/safemacros.internal.h"
 #include "libc/calls/calls.h"
 #include "libc/calls/landlock.h"
+#include "libc/calls/pledge.h"
 #include "libc/calls/struct/rlimit.h"
 #include "libc/calls/struct/sched_param.h"
 #include "libc/calls/struct/seccomp.h"
@@ -73,6 +74,7 @@ usage: pledge.com [-hnN] PROG ARGS...\n\
   -u UID          call setuid()\n\
   -c PATH         call chroot()\n\
   -v [PERM:]PATH  call unveil(PATH, PERM[rwxc])\n\
+  -k              kill process rather than eperm'ing\n\
   -n              set maximum niceness\n\
   -D              don't drop capabilities\n\
   -N              don't normalize file descriptors\n\
@@ -118,6 +120,7 @@ int ParsePromises(const char *, unsigned long *);
 
 int g_gflag;
 int g_uflag;
+int g_kflag;
 int g_hflag;
 bool g_nice;
 bool g_noclose;
@@ -140,14 +143,16 @@ static void GetOpts(int argc, char *argv[]) {
   g_promises = 0;
   g_fszquota = 256 * 1000 * 1000;
   g_proquota = GetCpuCount() * 100;
-  g_fszquota = 4 * 1000 * 1000 * 1000;
   g_memquota = 4L * 1024 * 1024 * 1024;
   if (!sysinfo(&si)) g_memquota = si.totalram;
-  while ((opt = getopt(argc, argv, "hnNp:u:g:c:C:D:P:M:F:v:")) != -1) {
+  while ((opt = getopt(argc, argv, "hnkNp:u:g:c:C:D:P:M:F:v:")) != -1) {
     switch (opt) {
       case 'n':
         g_nice = true;
         break;
+      case 'k':
+        g_kflag = true;
+        break;
       case 'N':
         g_noclose = true;
         break;
@@ -453,10 +458,12 @@ void ApplyFilesystemPolicy(unsigned long ipromises) {
 
   if (~ipromises & (1ul << PROMISE_PROT_EXEC)) {
     if (UnveilIfExists("/usr/bin/ape", "rx") == -1) {
-      UnveilIfExists(xjoinpaths(firstnonnull(getenv("TMPDIR"),
-                                             firstnonnull(getenv("HOME"), ".")),
-                                ".ape"),
-                     "rx");
+      if ((p = getenv("TMPDIR"))) {
+        UnveilIfExists(xjoinpaths(p, ".ape"), "rx");
+      }
+      if ((p = getenv("HOME"))) {
+        UnveilIfExists(xjoinpaths(p, ".ape"), "rx");
+      }
     }
   }
 
@@ -671,7 +678,11 @@ int main(int argc, char *argv[]) {
   // model. we do this becasue it's only possible to have sigsys print
   // crash messages if we're not pledging exec, which is what this tool
   // always has to do currently.
-  __pledge_mode = SECCOMP_RET_ERRNO | EPERM;
+  if (g_kflag) {
+    __pledge_mode = kPledgeModeKillProcess;
+  } else {
+    __pledge_mode = kPledgeModeErrno;
+  }
 
   // apply sandbox
   if (pledge(g_promises, g_promises) == -1) {

tool/build/sandbox.c

@@ -0,0 +1,28 @@
+/*-*- mode:c;indent-tabs-mode:nil;c-basic-offset:2;tab-width:8;coding:utf-8 -*-│
+│vi: set net ft=c ts=2 sts=2 sw=2 fenc=utf-8                                :vi│
+╞══════════════════════════════════════════════════════════════════════════════╡
+│ Copyright 2022 Justine Alexandra Roberts Tunney                              │
+│                                                                              │
+│ Permission to use, copy, modify, and/or distribute this software for         │
+│ any purpose with or without fee is hereby granted, provided that the         │
+│ above copyright notice and this permission notice appear in all copies.      │
+│                                                                              │
+│ THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL                │
+│ WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED                │
+│ WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE             │
+│ AUTHOR BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL         │
+│ DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR        │
+│ PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER               │
+│ TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR             │
+│ PERFORMANCE OF THIS SOFTWARE.                                                │
+╚─────────────────────────────────────────────────────────────────────────────*/
+#include "libc/calls/pledge.h"
+#include "libc/calls/pledge.internal.h"
+#include "libc/intrin/promises.internal.h"
+
+hidden char __privileged_start;
+hidden char __privileged_end;
+
+__attribute__((__constructor__)) void InitializeSandbox(void) {
+  sys_pledge_linux(~(1ul << PROMISE_STDIO), kPledgeModeErrno, false);
+}

tool/net/redbean.c

@@ -21,6 +21,7 @@
 #include "libc/bits/safemacros.internal.h"
 #include "libc/calls/calls.h"
 #include "libc/calls/ioctl.h"
+#include "libc/calls/pledge.h"
 #include "libc/calls/struct/dirent.h"
 #include "libc/calls/struct/flock.h"
 #include "libc/calls/struct/iovec.h"
@@ -6587,7 +6588,7 @@ static void UnveilRedbean(void) {
 }
 
 static int EnableSandbox(void) {
-  __pledge_mode = SECCOMP_RET_ERRNO | EPERM;
+  __pledge_mode = kPledgeModeErrno;
   switch (sandboxed) {
     case 0:
       return 0;