Improve pledge() usability and consistency

- We now kill the program on violations like OpenBSD
- We now print a message explaining which promise is needed
- This change also fixes a linkage bug with thread local storage
- Your sigaction() handlers should now be more thread safe

A new `__pledge_mode` global has been introduced to make pledge() more
customizable on Linux. For example:

    __attribute__((__constructor__)) static void init(void) {
      __pledge_mode = SECCOMP_RET_ERRNO | EPERM;
    }

This can be used to restore the old permissive pledge() behavior, where a violating system call fails with EPERM instead of the process being killed.
Justine Tunney 2022-08-07 16:18:33 -07:00
parent 13c1c45075
commit 5546559034
30 changed files with 713 additions and 86 deletions


@ -158,6 +158,11 @@ const char *GetSiCodeName(int sig, int si_code) {
} else if (si_code == POLL_HUP) {
strcpy(b + 5, "HUP"); /* device disconnected */
}
} else if (sig == SIGSYS) {
NameIt(b, "SYS_", si_code);
if (si_code == SYS_SECCOMP) {
strcpy(b + 4, "SECCOMP");
}
}
return b;
}
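Review bot: The new SIGSYS branch overwrites the name at `b + 4` with an unbounded strcpy, which is only right if NameIt() always emits exactly the four-character "SYS_" prefix and b has room for "SYS_SECCOMP" plus the terminator; neither fact is visible here, since GetSiCodeName and the declaration of b begin outside the hunk, so it is worth checking against NameIt and b's size. The sibling POLL_HUP branch documents its code with a trailing comment while the new one does not; I would write `strcpy(b + 4, "SECCOMP"); /* syscall rejected by seccomp filter */` so a reader of a crash report knows the signal came from the filter rather than from a bad syscall number.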


@ -90,13 +90,13 @@ __oncrash_sigbus:
.endfn __oncrash_sigbus,globl
.org 11*7
__oncrash_sigsys:
__oncrash_sigurg:
push %rbp
mov %rsp,%rbp
call __oncrash
pop %rbp
ret
.endfn __oncrash_sigsys,globl
.endfn __oncrash_sigurg,globl
// </SYNC-LIST>: showcrashreports.c, oncrashthunks.S, oncrash.c, internal.h


@ -111,7 +111,7 @@ void ShowCrashReports(void) {
kCrashSigs[4] = SIGTRAP; /* bad system call */
kCrashSigs[5] = SIGABRT; /* abort() called */
kCrashSigs[6] = SIGBUS; /* misaligned, noncanonical ptr, etc. */
kCrashSigs[7] = SIGSYS; /* bad system call */
kCrashSigs[7] = SIGURG; /* placeholder */
/* </SYNC-LIST>: showcrashreports.c, oncrashthunks.S, oncrash.c */
if (!IsWindows()) {
bzero(&ss, sizeof(ss));
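Review bot: Filling slot 7 with a live signal number, SIGURG, means the install loop that follows (it continues outside this hunk) will presumably register __oncrash for SIGURG unless it filters that entry, and SIGURG is raised by out-of-band data on a socket the process owns via F_SETOWN, so a benign urgent byte from a peer could be turned into a crash report. If the loop does not already skip the placeholder, using 0 and skipping zero entries would be the safer reservation, or at minimum the intent should be stated. The comment "placeholder" also loses why SIGSYS was dropped; I would write `kCrashSigs[7] = SIGURG; /* placeholder: SIGSYS is no longer caught, so seccomp violations terminate the process (see __pledge_mode) */`. The SYNC-LIST comment on the next line names three files whereas the matching comment in oncrashthunks.S in this same commit also lists internal.h; the two lists should agree.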