Write some tests for unveil()

See #490
Justine Tunney 2022-07-18 02:11:06 -07:00
parent 1c6b5c0acd
commit 38c3fa63fe
14 changed files with 646 additions and 352 deletions


@ -302,6 +302,12 @@ static const uint16_t kPledgeLinuxExec2[] = {
__NR_linux_execveat, //
};
static const uint16_t kPledgeLinuxUnveil[] = {
__NR_linux_landlock_create_ruleset, //
__NR_linux_landlock_add_rule, //
__NR_linux_landlock_restrict_self, //
};
static const struct Pledges {
const char *name;
const uint16_t *syscalls;
@ -325,6 +331,7 @@ static const struct Pledges {
[PROMISE_EXEC] = {"exec", PLEDGE(kPledgeLinuxExec)}, //
[PROMISE_EXECNATIVE] = {"execnative", PLEDGE(kPledgeLinuxExec2)}, //
[PROMISE_ID] = {"id", PLEDGE(kPledgeLinuxId)}, //
[PROMISE_UNVEIL] = {"unveil", PLEDGE(kPledgeLinuxUnveil)}, //
[PROMISE_MAX + 1] = {0}, //
};
@ -1231,6 +1238,10 @@ static void SetPromises(const char *promises) {
* System call origin verification can't be enabled. If you always
* assimilate your APE binaries, then this should be preferred.
*
* - "unveil" allows unveil() to be called, as well as the underlying
* landlock_create_ruleset, landlock_add_rule, landlock_restrict_self
* calls on Linux.
*
* @return 0 on success, or -1 w/ errno
* @raise ENOSYS if host os isn't Linux or OpenBSD
* @raise EINVAL if `execpromises` is used on Linux
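Review bot: The "unveil" entry added to the doc comment in the third hunk names the three Landlock syscalls but omits two things a caller needs in order to rely on it. kPledgeLinuxUnveil in the first hunk admits only `landlock_create_ruleset`, `landlock_add_rule` and `landlock_restrict_self`, so if unveil() also has to open the path to build a rule (its implementation is not in this section), the comment should name the other promises it needs, since the call would presumably be rejected by the filter otherwise. It is also worth stating that granting this promise does not weaken the sandbox, e.g. `* Landlock rulesets only stack further restrictions, so this promise can't be used to regain filesystem access.` The comment block begins above the hunk, so check the wording against the neighbouring promise entries.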