mirrors/cosmopolitan
1
0
Fork 0
mirror of https://github.com/jart/cosmopolitan.git synced 2025-05-22 21:32:31 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

Address weakness with new pledge("anet") promise

Browse source 
The intent with pledge("anet") has been to prevent outbound connections.
However we were only doing that for TCP sockets, and outbound UDP could
still get through, by using socket() plus sendto(). This change fixed
that by preventing UDP sockets from being created.

Credit goes to chc4 on Hacker News for finding this.
This commit is contained in:
Justine Tunney 2023-06-18 18:06:47 -07:00
parent fb2bd313ae
commit 48b2afb192
No known key found for this signature in database
GPG key ID: BE714B4575D6E328
3 changed files with 74 additions and 6 deletions
Download patch file Download diff file Expand all files Collapse all files

17
test/libc/calls/pledge_test.c
View file

@ -365,6 +365,23 @@ TEST(pledge, inet_forbidsOtherSockets) {
EXPECT_TRUE(WIFEXITED(ws) && !WEXITSTATUS(ws));
}
TEST(pledge, anet_forbidsUdpSocketsAndConnect) {
if (IsOpenbsd()) return; // b/c testing linux bpf
int ws, pid, yes = 1;
ASSERT_NE(-1, (pid = fork()));
if (!pid) {
ASSERT_SYS(0, 0, pledge("stdio anet", 0));
ASSERT_SYS(0, 3, socket(AF_INET, SOCK_STREAM, IPPROTO_TCP));
ASSERT_SYS(EPERM, -1, socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP));
ASSERT_SYS(EPERM, -1, setsockopt(3, SOL_SOCKET, SO_TIMESTAMP, &yes, 4));
struct sockaddr_in sin = {AF_INET, 0, {htonl(0x7f000001)}};
ASSERT_SYS(EPERM, -1, connect(4, (struct sockaddr *)&sin, sizeof(sin)));
_Exit(0);
}
EXPECT_NE(-1, wait(&ws));
EXPECT_EQ(0, ws);
}
TEST(pledge, mmap) {
if (IsOpenbsd()) return; // b/c testing linux bpf
char *p;