Unbloat the build

This change resurrects ae5d06dc53
This commit is contained in:
Justine Tunney 2022-08-11 00:15:29 -07:00
parent 2d64b9994b
commit 10fd8bdb70
1397 changed files with 1204 additions and 5031 deletions

View file

@ -0,0 +1,33 @@
/*-*- mode:c;indent-tabs-mode:nil;c-basic-offset:2;tab-width:8;coding:utf-8 -*-│
vi: set net ft=c ts=2 sts=2 sw=2 fenc=utf-8 :vi
Copyright 2022 Justine Alexandra Roberts Tunney
Permission to use, copy, modify, and/or distribute this software for
any purpose with or without fee is hereby granted, provided that the
above copyright notice and this permission notice appear in all copies.
THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL
WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED
WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE
AUTHOR BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL
DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER
TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
PERFORMANCE OF THIS SOFTWARE.
*/
#include "libc/calls/struct/timespec.h"
#include "libc/limits.h"
/**
* Converts timespec interval to nanoseconds.
*/
int64_t _timespec_tonanos(struct timespec x) {
int64_t ns;
if (!__builtin_mul_overflow(x.tv_sec, 1000000000ul, &ns) &&
!__builtin_add_overflow(ns, x.tv_nsec, &ns)) {
return ns;
} else {
return INT64_MAX;
}
}

View file

@ -33,6 +33,7 @@
* - /tmp/
*
* This guarantees trailing slash.
* We also guarantee `kTmpPath` won't be longer than `PATH_MAX / 2`.
*/
char kTmpPath[PATH_MAX];
@ -46,7 +47,7 @@ __attribute__((__constructor__)) static void kTmpPathInit(void) {
uint32_t n;
char16_t path16[PATH_MAX];
if ((s = getenv("TMPDIR")) && (n = strlen(s)) < PATH_MAX) {
if ((s = getenv("TMPDIR")) && (n = strlen(s)) < PATH_MAX / 2) {
memcpy(kTmpPath, s, n);
if (n && kTmpPath[n - 1] != '/') {
kTmpPath[n + 0] = '/';

View file

@ -8,6 +8,7 @@ struct timespec {
};
int sys_futex(int *, int, int, const struct timespec *, int *);
int64_t _timespec_tonanos(struct timespec) pureconst;
int64_t _timespec_tomicros(struct timespec) pureconst;
int64_t _timespec_tomillis(struct timespec) pureconst;
struct timespec _timespec_frommicros(int64_t) pureconst;

View file

@ -93,13 +93,15 @@ _Thread_local static struct {
} State;
static int unveil_final(void) {
int rc;
int e, rc;
struct sock_fprog sandbox = {
.filter = kUnveilBlacklist,
.len = ARRAYLEN(kUnveilBlacklist),
};
if ((rc = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) != -1 &&
(rc = landlock_restrict_self(State.fd, 0)) != -1 &&
e = errno;
prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
errno = e;
if ((rc = landlock_restrict_self(State.fd, 0)) != -1 &&
(rc = sys_close(State.fd)) != -1 &&
(rc = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &sandbox)) != -1) {
State.fd = 0;
@ -117,9 +119,11 @@ static int err_close(int rc, int fd) {
static int unveil_init(void) {
int rc, fd;
State.fs_mask = UNVEIL_READ | UNVEIL_WRITE | UNVEIL_EXEC | UNVEIL_CREATE;
if ((rc = landlock_create_ruleset(0, 0, LANDLOCK_CREATE_RULESET_VERSION)) <
0) {
if (errno == EOPNOTSUPP) errno = ENOSYS;
if ((rc = landlock_create_ruleset(0, 0, LANDLOCK_CREATE_RULESET_VERSION)) ==
-1) {
if (errno == EOPNOTSUPP) {
errno = ENOSYS;
}
return -1;
}
if (rc < 2) {
@ -250,7 +254,7 @@ int sys_unveil_linux(const char *path, const char *permissions) {
}
/**
* Restricts filesystem operations, e.g.
* Makes files accessible, e.g.
*
* unveil(".", "r"); // current directory + children are visible
* unveil("/etc", "r"); // make /etc readable too
@ -264,6 +268,10 @@ int sys_unveil_linux(const char *path, const char *permissions) {
* should become unhidden. When you're finished, you call `unveil(0,0)`
* which commits your policy.
*
* This function requires OpenBSD or Linux 5.13+. We don't consider lack
* of system support to be an ENOSYS error, because the files will still
* become unveiled. Therefore we return 0 in such cases.
*
* There are some differences between unveil() on Linux versus OpenBSD.
*
* 1. Build your policy and lock it in one go. On OpenBSD, policies take
@ -333,8 +341,6 @@ int sys_unveil_linux(const char *path, const char *permissions) {
* the pledge promise "cpath".
*
* @return 0 on success, or -1 w/ errno
* @raise ENOSYS if host os isn't Linux or OpenBSD
* @raise ENOSYS if Landlock isn't supported on this kernel
* @raise EINVAL if one argument is set and the other is not
* @raise EINVAL if an invalid character in `permissions` was found
* @raise EPERM if unveil() is called after locking