Improve crash backtrace reliability

We're now able to pretty print a C++ backtrace upon crashing in pretty
much any runtime execution scenario. The default pledge sandbox policy
on Linux is now to return EPERM. If you call pledge and have debugging
functions linked (e.g. GetSymbolTable) then the symbol table shall get
loaded before any security policy is put in place. This change updates
build/bootstrap/fixupobj too and fixes some other sneaky build errors.
Justine Tunney 2024-05-07 17:36:17 -07:00
parent 7d31fc311a
commit 19c81863a3
No known key found for this signature in database
GPG key ID: BE714B4575D6E328
17 changed files with 103 additions and 64 deletions


@ -24,11 +24,13 @@
#include "libc/calls/syscall-sysv.internal.h"
#include "libc/dce.h"
#include "libc/errno.h"
#include "libc/intrin/kprintf.h"
#include "libc/intrin/promises.internal.h"
#include "libc/intrin/strace.internal.h"
#include "libc/intrin/weaken.h"
#include "libc/nexgen32e/vendor.internal.h"
#include "libc/runtime/runtime.h"
#include "libc/runtime/symbols.internal.h"
#include "libc/runtime/zipos.internal.h"
#include "libc/sysv/consts/pr.h"
#include "libc/sysv/errfuns.h"
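Review bot: the hunk header counts (11 → 13) show two includes added here, with the `+` markers lost in rendering; `libc/runtime/symbols.internal.h` is what the new `_weaken(GetSymbolTable)` call in `pledge()` needs, but nothing in the hunks shown uses `libc/intrin/kprintf.h`, so either it serves a part of the change not visible on this page or it should be dropped to keep pledge.c's include list minimal.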
@ -199,22 +201,22 @@
* `__pledge_mode` is available to improve the experience of pledge() on
* Linux. It should specify one of the following penalties:
*
* - `PLEDGE_PENALTY_RETURN_EPERM` causes system calls to just return an
* `EPERM` error instead of killing. This is the default on Linux.
* This is a gentler solution that allows code to display a friendly
* warning. Please note this may lead to weird behaviors if the
* software being sandboxed is lazy about checking error results.
*
* - `PLEDGE_PENALTY_KILL_THREAD` causes the violating thread to be
* killed. This is the default on Linux. It's effectively the same as
* killing the process, since redbean has no threads. The termination
* signal can't be caught and will be either `SIGSYS` or `SIGABRT`.
* Consider enabling stderr logging below so you'll know why your
* program failed. Otherwise check the system log.
* killed. It's effectively the same as killing the process, since
* redbean has no threads. The termination signal can't be caught and
* will be either `SIGSYS` or `SIGABRT`. Consider enabling stderr
* logging below so you'll know why your program failed. Otherwise
* check the system log.
*
* - `PLEDGE_PENALTY_KILL_PROCESS` causes the process and all its
* threads to be killed. This is always the case on OpenBSD.
*
* - `PLEDGE_PENALTY_RETURN_EPERM` causes system calls to just return an
* `EPERM` error instead of killing. This is a gentler solution that
* allows code to display a friendly warning. Please note this may
* lead to weird behaviors if the software being sandboxed is lazy
* about checking error results.
*
* `mode` may optionally bitwise or the following flags:
*
* - `PLEDGE_STDERR_LOGGING` enables friendly error message logging
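Review bot: the reordered comment now states that `PLEDGE_PENALTY_RETURN_EPERM` is the default on Linux and drops that sentence from `PLEDGE_PENALTY_KILL_THREAD`, but this hunk only edits documentation; confirm the `__pledge_mode` initializer that actually sets the default was changed in the same commit, otherwise the comment and the behaviour disagree. Also, `PLEDGE_PENALTY_KILL_THREAD` is still described in terms of redbean ("since redbean has no threads"), which is misleading in libc's general-purpose `pledge()` documentation: for a caller that does have threads, killing only the violating thread is not the same as killing the process, and the remaining threads keep running after a sandbox violation. Consider rewording that bullet to describe the libc behaviour directly.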
@ -240,6 +242,8 @@
int pledge(const char *promises, const char *execpromises) {
int e, rc;
unsigned long ipromises, iexecpromises;
if (_weaken(GetSymbolTable))
_weaken(GetSymbolTable)();
if (!promises) {
// OpenBSD says NULL argument means it doesn't change, i.e.
// pledge(0,0) on OpenBSD does nothing. The Cosmopolitan Libc
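Review bot: the new `_weaken(GetSymbolTable)()` call discards its return value, so if loading the symbol table fails the sandbox is still installed and the crash backtrace later degrades silently; consider logging the failure through STRACE (the header is already included) so the reason is visible. The call also runs before the `!promises` branch, so a `pledge(0, 0)` that OpenBSD treats as a no-op still opens and parses the symbol table; that is probably intended, since the point of the change is to load it before any policy exists, but a one-line comment saying so (and why it must precede the policy) would keep a future reader from moving it below the argument checks.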