mirrors/cosmopolitan
1
0
Fork 0
mirror of https://github.com/jart/cosmopolitan.git synced 2025-03-02 23:18:44 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

[WIP] Polyfill OpenBSD unveil for Linux (#490)

Browse source
This commit is contained in:
Stephen Gregoratto 2022-07-18 19:12:42 +10:00 committed by GitHub
parent 4f4889ddf7
commit 1c6b5c0acd
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
7 changed files with 258 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

1
libc/calls/calls.h
View file

@ -181,6 +181,7 @@ int umask(int);
int unlink(const char *);
int unlink_s(const char **);
int unlinkat(int, const char *, int);
int unveil(const char *, const char *);
int vfork(void) returnstwice;
int wait(int *);
int waitpid(int, int *, int);

2
libc/calls/landlock.h
View file

@ -1,6 +1,8 @@
#ifndef COSMOPOLITAN_LIBC_CALLS_LANDLOCK_H_
#define COSMOPOLITAN_LIBC_CALLS_LANDLOCK_H_
#define LANDLOCK_CREATE_RULESET_VERSION 0x0001ul
#define LANDLOCK_ACCESS_FS_EXECUTE 0x0001ul
#define LANDLOCK_ACCESS_FS_WRITE_FILE 0x0002ul
#define LANDLOCK_ACCESS_FS_READ_FILE 0x0004ul

1
libc/calls/syscall-sysv.internal.h
View file

@ -111,6 +111,7 @@ u32 sys_geteuid(void) hidden;
u32 sys_getgid(void) hidden;
u32 sys_getuid(void) hidden;
u32 sys_umask(u32) hidden;
i32 sys_unveil(const char *, const char *) hidden;
void *__sys_mmap(void *, u64, u32, u32, i64, i64, i64) hidden;
void *sys_mremap(void *, u64, u64, i32, void *) hidden;
void sys_exit(int) hidden;

144
libc/mem/unveil.c Normal file
View file

@ -0,0 +1,144 @@
/*-*- mode:c;indent-tabs-mode:nil;c-basic-offset:2;tab-width:8;coding:utf-8 -*-│
vi: set net ft=c ts=2 sts=2 sw=2 fenc=utf-8 :vi
Copyright 2020 Justine Alexandra Roberts Tunney
Permission to use, copy, modify, and/or distribute this software for
any purpose with or without fee is hereby granted, provided that the
above copyright notice and this permission notice appear in all copies.
THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL
WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED
WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE
AUTHOR BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL
DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER
TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
PERFORMANCE OF THIS SOFTWARE.
*/
#include "libc/assert.h"
#include "libc/calls/calls.h"
#include "libc/calls/landlock.h"
#include "libc/calls/strace.internal.h"
#include "libc/calls/struct/stat.h"
#include "libc/calls/syscall-sysv.internal.h"
#include "libc/calls/syscall_support-sysv.internal.h"
#include "libc/errno.h"
#include "libc/mem/mem.h"
#include "libc/str/str.h"
#include "libc/sysv/consts/o.h"
#include "libc/sysv/consts/pr.h"
#include "libc/sysv/consts/s.h"
#include "libc/sysv/errfuns.h"
#define FILE_BITS \
(LANDLOCK_ACCESS_FS_READ_FILE | LANDLOCK_ACCESS_FS_WRITE_FILE | \
LANDLOCK_ACCESS_FS_EXECUTE)
/*
* Long living state for landlock calls.
* The bits are set at runtime to handle future API additions.
* As of 5.19, the latest abi is v2.
*
* TODO:
* - Documentation for sys_unveil.
* - Integrate with pledge and remove the file access?
* - Stuff state into the .protected section?
*/
static struct {
int abi;
int fd;
uint64_t read;
uint64_t write;
uint64_t exec;
uint64_t create;
} State = {
.abi = 2,
.fd = 0,
.read = LANDLOCK_ACCESS_FS_READ_FILE | LANDLOCK_ACCESS_FS_READ_DIR |
LANDLOCK_ACCESS_FS_REFER,
.write = LANDLOCK_ACCESS_FS_WRITE_FILE,
.exec = LANDLOCK_ACCESS_FS_EXECUTE,
.create = LANDLOCK_ACCESS_FS_REMOVE_DIR | LANDLOCK_ACCESS_FS_MAKE_CHAR |
LANDLOCK_ACCESS_FS_MAKE_DIR | LANDLOCK_ACCESS_FS_MAKE_REG |
LANDLOCK_ACCESS_FS_MAKE_SOCK | LANDLOCK_ACCESS_FS_MAKE_FIFO |
LANDLOCK_ACCESS_FS_MAKE_BLOCK | LANDLOCK_ACCESS_FS_MAKE_SYM,
};
forceinline int unveil_final(void) {
int rc;
if (State.fd == -1) return 0;
assert(State.fd > 0);
if ((rc = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) != -1 &&
(rc = landlock_restrict_self(State.fd, 0)) != -1 &&
(rc = close(State.fd)) != -1)
State.fd = -1;
return rc;
}
forceinline int unveil_init(void) {
int rc;
if ((rc = landlock_create_ruleset(NULL, 0, LANDLOCK_CREATE_RULESET_VERSION)) <
0)
return -1;
State.abi = rc;
if (State.abi < 2) State.read &= ~LANDLOCK_ACCESS_FS_REFER;
const struct landlock_ruleset_attr attr = {
.handled_access_fs = State.read | State.write | State.exec | State.create,
};
if ((rc = landlock_create_ruleset(&attr, sizeof(attr), 0)) < 0) return -1;
State.fd = rc;
return 0;
}
forceinline int err_close(int rc, int fd) {
int serrno = errno;
close(fd);
errno = serrno;
return rc;
}
static int sys_unveil_linux(const char *path, const char *permissions) {
int rc;
if (State.fd == 0 && (rc = unveil_init()) == -1) return rc;
if (path == NULL && permissions == NULL) return unveil_final();
struct landlock_path_beneath_attr pb = {0};
for (const char *c = permissions; *c != '\0'; c++) {
switch (*c) {
case 'r':
pb.allowed_access |= State.read;
break;
case 'w':
pb.allowed_access |= State.write;
break;
case 'x':
pb.allowed_access |= State.exec;
break;
case 'c':
pb.allowed_access |= State.create;
break;
default:
return einval();
}
}
if ((rc = open(path, O_RDONLY | O_PATH | O_CLOEXEC)) == -1) return rc;
pb.parent_fd = rc;
struct stat st;
if ((rc = fstat(pb.parent_fd, &st)) == -1) return err_close(rc, pb.parent_fd);
if (!S_ISDIR(st.st_mode)) pb.allowed_access &= FILE_BITS;
if ((rc = landlock_add_rule(State.fd, LANDLOCK_RULE_PATH_BENEATH, &pb, 0)))
return err_close(rc, pb.parent_fd);
close(pb.parent_fd);
return rc;
}
int unveil(const char *path, const char *permissions) {
int rc;
if (IsLinux()) {
rc = sys_unveil_linux(path, permissions);
} else {
rc = sys_unveil(path, permissions);
}
STRACE("unveil(%#s, %#s) → %d% m", path, permissions, rc);
return rc;
}

2
libc/sysv/calls/sys_unveil.s Normal file
View file

@ -0,0 +1,2 @@
.include "o/libc/sysv/macros.internal.inc"
.scall sys_unveil,0xfff072ffffffffff,globl

1
libc/sysv/syscalls.sh
View file

@ -399,6 +399,7 @@ scall memfd_secret 0xfffffffffffff1bf globl
scall process_mrelease 0xfffffffffffff1c0 globl
scall futex_waitv 0xfffffffffffff1c1 globl
scall set_mempolicy_home_node 0xfffffffffffff1c2 globl
scall sys_unveil 0xfff072ffffffffff globl
# The Fifth Bell System Interface, Community Edition
# » besiyata dishmaya

107
tool/build/unveil.c Normal file
View file

@ -0,0 +1,107 @@
/*-*- mode:c;indent-tabs-mode:nil;c-basic-offset:2;tab-width:8;coding:utf-8 -*-│
vi: set net ft=c ts=2 sts=2 sw=2 fenc=utf-8 :vi
Copyright 2022 Justine Alexandra Roberts Tunney
Permission to use, copy, modify, and/or distribute this software for
any purpose with or without fee is hereby granted, provided that the
above copyright notice and this permission notice appear in all copies.
THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL
WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED
WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE
AUTHOR BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL
DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER
TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
PERFORMANCE OF THIS SOFTWARE.
*/
#include "libc/calls/calls.h"
#include "libc/calls/syscall-sysv.internal.h"
#include "libc/intrin/kprintf.h"
#include "libc/log/bsd.h"
#include "libc/runtime/runtime.h"
#include "libc/stdio/stdio.h"
#include "libc/str/str.h"
#include "third_party/getopt/getopt.h"
#define USAGE \
"\
usage: pledge.com [-h] PROG ARGS...\n\
-h show help\n\
\n\
unveil.com v1.o\n\
copyright 2022 justine alexandra roberts tunney\n\
https://twitter.com/justinetunney\n\
https://linkedin.com/in/jtunney\n\
https://justine.lol/pledge/\n\
https://github.com/jart\n\
\n\
this program lets you launch linux commands in a filesystem sandbox\n\
inspired by the design of openbsd's unveil() system call. Visit\n\
the https://justine.lol/pledge/ page for online documentation.\n\
\n\
"
wontreturn void usage(void) {
write(2, USAGE, sizeof(USAGE) - 1);
exit(1);
}
int main(int argc, char *argv[]) {
const char *prog;
char pathbuf[PATH_MAX];
char *line = NULL;
size_t size = 0;
size_t count = 0;
ssize_t len;
int opt;
const char *fields[2];
if (!(IsLinux() || IsOpenbsd()))
errx(1, "this program is only intended for Linux and OpenBSD");
// parse flags
while ((opt = getopt(argc, argv, "h")) != -1) {
switch (opt) {
case 'h':
case '?':
default:
usage();
}
}
if (optind == argc) {
warnx("No command provided");
usage();
}
if (!(prog = commandv(argv[optind], pathbuf, sizeof(pathbuf))))
err(1, "command not found: %s", argv[optind]);
while ((len = getline(&line, &size, stdin)) != -1) {
count++;
_chomp(line);
char *tok = line;
const char *p;
size_t i = 0;
while ((p = strsep(&tok, " \t")) != NULL) {
if (*p == '\0') {
p++;
continue;
}
if (i > 1) errx(1, "<stdin>:%zu - too many fields", count);
fields[i++] = p;
}
if (i != 2) errx(1, "<stdin>:%zu - malformed line", count);
if (unveil(fields[0], fields[1]) == -1)
err(1, "unveil(%s, %s)", fields[0], fields[1]);
}
free(line);
if (ferror(stdin)) err(1, "getline");
if (unveil(NULL, NULL) == -1) err(1, "unveil disable");
__sys_execve(prog, argv + optind, environ);
err(127, "execve");
}