Improve pledge() usability and consistency

- Like OpenBSD, we now kill the program on violations
- We now print a message explaining which promise is needed
- This change also fixes a linkage bug with thread local storage
- Your sigaction() handlers should now be more thread safe

A new `__pledge_mode` global has been introduced to make pledge() more
customizable on Linux. For example:

    __attribute__((__constructor__)) static void init(void) {
      __pledge_mode = SECCOMP_RET_ERRNO | EPERM;
    }

Can be used to restore our old permissive pledge() behavior.
Justine Tunney 2022-08-07 16:18:33 -07:00
parent 13c1c45075
commit 5546559034
30 changed files with 713 additions and 86 deletions


@ -16,6 +16,7 @@
TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
PERFORMANCE OF THIS SOFTWARE.
*/
#include "libc/sysv/consts/nrlinux.h"
#include "libc/macros.internal.h"
.privileged
@ -25,8 +26,8 @@ __restore_bt:
.endfn __restore_bt,globl,hidden
nop # gap so that __get_symbol(st, addr - 1) fails
.align 16
__restore_rt: # @see gdb/amd64-linux-tdep.c
mov $0x000f,%rax # [sic]
__restore_rt: # @see gdb/amd64-linux-tdep.c
mov $__NR_linux_sigreturn,%rax # [sic]
syscall
.align 16
.endfn __restore_rt,globl,hidden
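Review bot: The `[sic]` on the new `mov $__NR_linux_sigreturn,%rax` line in `__restore_rt` does not say what has to be preserved: the 64-bit `%rax` form looks deliberate, so that the trampoline keeps the exact byte sequence that gdb's amd64-linux-tdep.c (cited on the label) matches when recognising a signal frame, and a later tidy-up to `%eax` would silently break that. Now that the immediate comes from `libc/sysv/consts/nrlinux.h` instead of a literal, the encoding also depends on `__NR_linux_sigreturn` being a plain assemble-time constant equal to 0x0f, which is not visible in this section. I would expand the comment to something like `# [sic] keep 64-bit mov imm32: gdb matches these exact bytes, constant must stay 0x0f`. Because this commit makes pledge() violations fatal, it is also worth confirming that the seccomp filter permits this syscall under every promise set, otherwise returning from any signal handler would kill the process; the filter itself is outside this section.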