mirrors/cosmopolitan
1
0
Fork 0
mirror of https://github.com/jart/cosmopolitan.git synced 2025-07-02 17:28:30 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

Improve upon the new pledge command

Browse source
This commit is contained in:
Justine Tunney 2022-07-14 04:32:33 -07:00
parent b707fca77a
commit 1d744ea11b
13 changed files with 382 additions and 64 deletions
Download patch file Download diff file Expand all files Collapse all files

36
tool/build/assimilate.c
View file

@ -126,21 +126,21 @@ void GetElfHeader(char ehdr[hasatleast 64], const char *image) {
ehdr[i++] = c;
} else {
kprintf("%s: ape printf elf header too long\n", prog);
exit(__COUNTER__);
exit(1);
}
}
if (i != 64) {
kprintf("%s: ape printf elf header too short\n", prog);
exit(__COUNTER__);
exit(2);
}
if (READ32LE(ehdr) != READ32LE("\177ELF")) {
kprintf("%s: ape printf elf header didn't have elf magic\n", prog);
exit(__COUNTER__);
exit(3);
}
return;
}
kprintf("%s: printf statement not found in first 4096 bytes\n", prog);
exit(__COUNTER__);
exit(4);
}
void GetMachoPayload(const char *image, size_t imagesize, int *out_offset,
@ -151,7 +151,7 @@ void GetMachoPayload(const char *image, size_t imagesize, int *out_offset,
int rc, skip, count, bs, offset, size;
if (!(script = memmem(image, imagesize, "'\n#'\"\n", 6))) {
kprintf("%s: ape shell script not found\n", prog);
exit(__COUNTER__);
exit(5);
}
script += 6;
DCHECK_EQ(REG_OK, regcomp(&rx,
@ -163,11 +163,11 @@ void GetMachoPayload(const char *image, size_t imagesize, int *out_offset,
if (rc != REG_OK) {
if (rc == REG_NOMATCH) {
kprintf("%s: ape macho dd command not found\n", prog);
exit(__COUNTER__);
exit(6);
}
regerror(rc, &rx, errstr, sizeof(errstr));
kprintf("%s: ape macho dd regex failed: %s\n", prog, errstr);
exit(__COUNTER__);
exit(7);
}
bs = atoi(script + rm[1].rm_so);
skip = atoi(script + rm[2].rm_so);
@ -175,23 +175,23 @@ void GetMachoPayload(const char *image, size_t imagesize, int *out_offset,
if (__builtin_mul_overflow(skip, bs, &offset) ||
__builtin_mul_overflow(count, bs, &size)) {
kprintf("%s: integer overflow parsing macho\n");
exit(__COUNTER__);
exit(8);
}
if (offset < 64) {
kprintf("%s: ape macho dd offset should be ≥64: %d\n", prog, offset);
exit(__COUNTER__);
exit(9);
}
if (offset >= imagesize) {
kprintf("%s: ape macho dd offset is outside file: %d\n", prog, offset);
exit(__COUNTER__);
exit(10);
}
if (size < 32) {
kprintf("%s: ape macho dd size should be ≥32: %d\n", prog, size);
exit(__COUNTER__);
exit(11);
}
if (size > imagesize - offset) {
kprintf("%s: ape macho dd size is outside file: %d\n", prog, size);
exit(__COUNTER__);
exit(12);
}
*out_offset = offset;
*out_size = size;
@ -218,20 +218,20 @@ void Assimilate(void) {
struct stat st;
if ((fd = open(prog, O_RDWR)) == -1) {
kprintf("%s: open(O_RDWR) failed: %m\n", prog);
exit(__COUNTER__);
exit(13);
}
if (fstat(fd, &st) == -1) {
kprintf("%s: fstat() failed: %m\n", prog);
exit(__COUNTER__);
exit(14);
}
if (st.st_size < 8192) {
kprintf("%s: ape binaries must be at least 4096 bytes\n", prog);
exit(__COUNTER__);
exit(15);
}
if ((p = mmap(0, st.st_size, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0)) ==
MAP_FAILED) {
kprintf("%s: mmap failed: %m\n", prog);
exit(__COUNTER__);
exit(16);
}
if (READ32LE(p) == READ32LE("\177ELF")) {
if (!g_force) {
@ -253,7 +253,7 @@ void Assimilate(void) {
}
if (READ64LE(p) != READ64LE("MZqFpD='")) {
kprintf("%s: this file is not an actually portable executable\n", prog);
exit(__COUNTER__);
exit(17);
}
if (g_mode == MODE_ELF) {
AssimilateElf(p, st.st_size);
@ -263,7 +263,7 @@ void Assimilate(void) {
Finish:
if (munmap(p, st.st_size) == -1) {
kprintf("%s: munmap() failed: %m\n", prog);
exit(__COUNTER__);
exit(18);
}
}

2
tool/build/compile.c
View file

@ -777,7 +777,7 @@ int main(int argc, char *argv[]) {
ccversion = atoi(optarg);
break;
case 'P':
proquota = sizetol(optarg, 1024);
proquota = atoi(optarg);
break;
case 'F':
fszquota = sizetol(optarg, 1000);

206
tool/build/pledge.c
View file

@ -18,35 +18,47 @@
*/
#include "libc/calls/calls.h"
#include "libc/calls/struct/rlimit.h"
#include "libc/calls/struct/sched_param.h"
#include "libc/calls/syscall-sysv.internal.h"
#include "libc/dce.h"
#include "libc/errno.h"
#include "libc/fmt/conv.h"
#include "libc/intrin/kprintf.h"
#include "libc/macros.internal.h"
#include "libc/math.h"
#include "libc/nexgen32e/kcpuids.h"
#include "libc/runtime/runtime.h"
#include "libc/runtime/sysconf.h"
#include "libc/sock/sock.h"
#include "libc/sock/struct/pollfd.h"
#include "libc/stdio/stdio.h"
#include "libc/str/str.h"
#include "libc/sysv/consts/ioprio.h"
#include "libc/sysv/consts/o.h"
#include "libc/sysv/consts/ok.h"
#include "libc/sysv/consts/poll.h"
#include "libc/sysv/consts/prio.h"
#include "libc/sysv/consts/rlimit.h"
#include "libc/sysv/consts/sched.h"
#include "libc/x/x.h"
#include "third_party/getopt/getopt.h"
STATIC_YOINK("strerror_wr");
#define GETOPTS "hFp:u:g:c:"
#define USAGE \
"\
usage: pledge.com [-h] PROG ARGS...\n\
-h show help\n\
-g GID call setgid()\n\
-u UID call setuid()\n\
-c PATH call chroot()\n\
-F don't normalize file descriptors\n\
-p PLEDGE may contain any of following separated by spaces\n\
usage: pledge.com [-hnN] PROG ARGS...\n\
-h show help\n\
-g GID call setgid()\n\
-u UID call setuid()\n\
-c PATH call chroot()\n\
-n maximum niceness\n\
-N don't normalize file descriptors\n\
-C SECS set cpu limit [default: inherited]\n\
-M BYTES set virtual memory limit [default: 4gb]\n\
-P PROCS set process limit [default: GetCpuCount()*2]\n\
-F BYTES set individual file size limit [default: 4gb]\n\
-p PLEDGE may contain any of following separated by spaces\n\
- stdio: allow stdio and benign system calls\n\
- rpath: read-only path ops\n\
- wpath: write path ops\n\
@ -80,17 +92,29 @@ the https://justine.lol/pledge/ page for online documentation.\n\
int g_gflag;
int g_uflag;
int g_hflag;
bool g_nice;
bool g_noclose;
const char *g_pflag;
long g_cpuquota;
long g_fszquota;
long g_memquota;
long g_proquota;
const char *g_chroot;
const char *g_promises;
static void GetOpts(int argc, char *argv[]) {
int opt;
g_pflag = "";
while ((opt = getopt(argc, argv, GETOPTS)) != -1) {
g_promises = 0;
g_proquota = GetCpuCount() * 2;
g_fszquota = 256 * 1000 * 1000;
g_fszquota = 4 * 1000 * 1000 * 1000;
g_memquota = 4L * 1024 * 1024 * 1024;
while ((opt = getopt(argc, argv, "hnNp:u:g:c:C:P:M:F:")) != -1) {
switch (opt) {
case 'p':
g_pflag = optarg;
case 'n':
g_nice = true;
break;
case 'N':
g_noclose = true;
break;
case 'c':
g_chroot = optarg;
@ -101,8 +125,24 @@ static void GetOpts(int argc, char *argv[]) {
case 'u':
g_uflag = atoi(optarg);
break;
case 'C':
g_cpuquota = atoi(optarg);
break;
case 'P':
g_proquota = atoi(optarg);
break;
case 'M':
g_memquota = sizetol(optarg, 1024);
break;
case 'F':
g_noclose = true;
g_fszquota = sizetol(optarg, 1000);
break;
case 'p':
if (g_promises) {
g_promises = xstrcat(g_promises, ' ', optarg);
} else {
g_promises = optarg;
}
break;
case 'h':
case '?':
@ -113,13 +153,20 @@ static void GetOpts(int argc, char *argv[]) {
exit(64);
}
}
if (!g_promises) {
g_promises = "stdio rpath execnative";
}
g_promises = xstrcat(g_promises, ' ', "execnative");
}
const char *prog;
char pledges[1024];
char pathbuf[PATH_MAX];
struct pollfd pfds[256];
int GetBaseCpuFreqMhz(void) {
return KCPUIDS(16H, EAX) & 0x7fff;
}
int GetPollMaxFds(void) {
int n;
struct rlimit rl;
@ -140,17 +187,17 @@ void NormalizeFileDescriptors(void) {
}
if (poll(pfds, n, 0) == -1) {
kprintf("error: poll() failed: %m\n");
exit(__COUNTER__);
exit(1);
}
for (i = 0; i < 3; ++i) {
if (pfds[i].revents & POLLNVAL) {
if ((fd = open("/dev/null", O_RDWR)) == -1) {
kprintf("error: open(\"/dev/null\") failed: %m\n");
exit(__COUNTER__);
exit(2);
}
if (fd != i) {
kprintf("error: open() is broken: %d vs. %d\n", fd, i);
exit(__COUNTER__);
exit(3);
}
}
}
@ -158,12 +205,87 @@ void NormalizeFileDescriptors(void) {
if (~pfds[i].revents & POLLNVAL) {
if (close(pfds[i].fd) == -1) {
kprintf("error: close(%d) failed: %m\n", pfds[i].fd);
exit(__COUNTER__);
exit(4);
}
}
}
}
void SetCpuLimit(int secs) {
int mhz, lim;
struct rlimit rlim;
if (secs <= 0) return;
if (!(mhz = GetBaseCpuFreqMhz())) return;
lim = ceil(3100. / mhz * secs);
rlim.rlim_cur = lim;
rlim.rlim_max = lim + 1;
if (setrlimit(RLIMIT_CPU, &rlim) != -1) {
return;
} else if (getrlimit(RLIMIT_CPU, &rlim) != -1) {
if (lim < rlim.rlim_cur) {
rlim.rlim_cur = lim;
if (setrlimit(RLIMIT_CPU, &rlim) != -1) {
return;
}
}
}
kprintf("error: setrlimit(RLIMIT_CPU) failed: %m\n");
exit(20);
}
void SetFszLimit(long n) {
struct rlimit rlim;
if (n <= 0) return;
rlim.rlim_cur = n;
rlim.rlim_max = n << 1;
if (setrlimit(RLIMIT_FSIZE, &rlim) != -1) {
return;
} else if (getrlimit(RLIMIT_FSIZE, &rlim) != -1) {
rlim.rlim_cur = n;
if (setrlimit(RLIMIT_FSIZE, &rlim) != -1) {
return;
}
}
kprintf("error: setrlimit(RLIMIT_FSIZE) failed: %m\n");
exit(21);
}
void SetMemLimit(long n) {
struct rlimit rlim = {n, n};
if (n <= 0) return;
if (setrlimit(RLIMIT_AS, &rlim) == -1) {
kprintf("error: setrlimit(RLIMIT_AS) failed: %m\n");
exit(22);
}
}
void SetProLimit(long n) {
struct rlimit rlim = {n, n};
if (n <= 0) return;
if (setrlimit(RLIMIT_NPROC, &rlim) == -1) {
kprintf("error: setrlimit(RLIMIT_NPROC) failed: %m\n");
exit(22);
}
}
void MakeProcessNice(void) {
if (!g_nice) return;
if (setpriority(PRIO_PROCESS, 0, 19) == -1) {
kprintf("error: setpriority(PRIO_PROCESS, 0, 19) failed: %m\n");
exit(23);
}
if (ioprio_set(IOPRIO_WHO_PROCESS, 0,
IOPRIO_PRIO_VALUE(IOPRIO_CLASS_IDLE, 0)) == -1) {
kprintf("error: ioprio_set() failed: %m\n");
exit(23);
}
struct sched_param p = {sched_get_priority_min(SCHED_IDLE)};
if (sched_setscheduler(0, SCHED_IDLE, &p) == -1) {
kprintf("error: sched_setscheduler(SCHED_IDLE) failed: %m\n");
exit(23);
}
}
int main(int argc, char *argv[]) {
bool hasfunbits;
int useruid, usergid;
@ -172,13 +294,13 @@ int main(int argc, char *argv[]) {
if (!IsLinux()) {
kprintf("error: this program is only intended for linux\n");
exit(__COUNTER__);
exit(5);
}
// parse flags
GetOpts(argc, argv);
if (optind == argc) {
kprintf("error: too few args\n", g_pflag);
kprintf("error: too few args\n");
write(2, USAGE, sizeof(USAGE) - 1);
exit(64);
}
@ -187,6 +309,13 @@ int main(int argc, char *argv[]) {
NormalizeFileDescriptors();
}
// set resource limits
MakeProcessNice();
SetCpuLimit(g_cpuquota);
SetFszLimit(g_fszquota);
SetMemLimit(g_memquota);
SetProLimit(g_proquota);
// test for weird chmod bits
usergid = getgid();
ownergid = getegid();
@ -203,7 +332,7 @@ int main(int argc, char *argv[]) {
if (hasfunbits) {
if (g_uflag || g_gflag) {
kprintf("error: setuid flags forbidden on setuid binaries\n");
_Exit(__COUNTER__);
_Exit(6);
}
}
@ -213,7 +342,7 @@ int main(int argc, char *argv[]) {
oldfsgid = setfsgid(usergid);
if (access(g_chroot, R_OK) == -1) {
kprintf("error: access(%#s) failed: %m\n", g_chroot);
_Exit(__COUNTER__);
_Exit(7);
}
setfsuid(oldfsuid);
setfsgid(oldfsgid);
@ -230,11 +359,11 @@ int main(int argc, char *argv[]) {
if (g_chroot) {
if (chdir(g_chroot) == -1) {
kprintf("error: chdir(%#s) failed: %m\n", g_chroot);
_Exit(__COUNTER__);
_Exit(8);
}
if (chroot(g_chroot) == -1) {
kprintf("error: chroot(%#s) failed: %m\n", g_chroot);
_Exit(__COUNTER__);
_Exit(9);
}
}
@ -245,7 +374,7 @@ int main(int argc, char *argv[]) {
}
if (!(prog = commandv(argv[optind], pathbuf, sizeof(pathbuf)))) {
kprintf("error: command not found: %m\n", argv[optind]);
_Exit(__COUNTER__);
_Exit(10);
}
if (hasfunbits) {
setfsuid(oldfsuid);
@ -257,21 +386,21 @@ int main(int argc, char *argv[]) {
// setgid binaries must use the gid of the user that ran it
if (setgid(usergid) == -1) {
kprintf("error: setgid(%d) failed: %m\n", usergid);
_Exit(__COUNTER__);
_Exit(11);
}
if (getgid() != usergid || getegid() != usergid) {
kprintf("error: setgid() broken\n");
_Exit(__COUNTER__);
_Exit(12);
}
} else if (g_gflag) {
// otherwise we trust the gid flag
if (setgid(g_gflag) == -1) {
kprintf("error: setgid(%d) failed: %m\n", g_gflag);
_Exit(__COUNTER__);
_Exit(13);
}
if (getgid() != g_gflag || getegid() != g_gflag) {
kprintf("error: setgid() broken\n");
_Exit(__COUNTER__);
_Exit(14);
}
}
@ -280,29 +409,28 @@ int main(int argc, char *argv[]) {
// setuid binaries must use the uid of the user that ran it
if (setuid(useruid) == -1) {
kprintf("error: setuid(%d) failed: %m\n", useruid);
_Exit(__COUNTER__);
_Exit(15);
}
if (getuid() != useruid || geteuid() != useruid) {
kprintf("error: setuid() broken\n");
_Exit(__COUNTER__);
_Exit(16);
}
} else if (g_uflag) {
// otherwise we trust the uid flag
if (setuid(g_uflag) == -1) {
kprintf("error: setuid(%d) failed: %m\n", g_uflag);
_Exit(__COUNTER__);
_Exit(17);
}
if (getuid() != g_uflag || geteuid() != g_uflag) {
kprintf("error: setuid() broken\n");
_Exit(__COUNTER__);
_Exit(18);
}
}
// apply sandbox
ksnprintf(pledges, sizeof(pledges), "%s execnative", g_pflag);
if (pledge(pledges, 0) == -1) {
kprintf("error: pledge(%#s) failed: %m\n", pledges);
_Exit(__COUNTER__);
if (pledge(g_promises, 0) == -1) {
kprintf("error: pledge(%#s) failed: %m\n", g_promises);
_Exit(19);
}
// launch program