Improve pledge() usability and consistency
- We now kill the program on violations like OpenBSD
- We now print a message explaining which promise is needed
- This change also fixes a linkage bug with thread local storage
- Your sigaction() handlers should now be more thread safe

A new `__pledge_mode` global has been introduced to make pledge() more customizable on Linux. For example:

    __attribute__((__constructor__)) static void init(void) {
      __pledge_mode = SECCOMP_RET_ERRNO | EPERM;
    }

Can be used to restore our old permissive pledge() behavior.
This commit is contained in:
parent
13c1c45075
commit
5546559034
30 changed files with 713 additions and 86 deletions
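--- /dev/null
+++ b/test/libc/calls/pledge2_test.c
@@ -0,0 +1,134 @@
+/*-*- mode:c;indent-tabs-mode:nil;c-basic-offset:2;tab-width:8;coding:utf-8 -*-│
+│vi: set net ft=c ts=2 sts=2 sw=2 fenc=utf-8 :vi│
+╞══════════════════════════════════════════════════════════════════════════════╡
+│ Copyright 2022 Justine Alexandra Roberts Tunney │
+│ │
+│ Permission to use, copy, modify, and/or distribute this software for │
+│ any purpose with or without fee is hereby granted, provided that the │
+│ above copyright notice and this permission notice appear in all copies. │
+│ │
+│ THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL │
+│ WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED │
+│ WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE │
+│ AUTHOR BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL │
+│ DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR │
+│ PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER │
+│ TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR │
+│ PERFORMANCE OF THIS SOFTWARE. │
+╚─────────────────────────────────────────────────────────────────────────────*/
+#include "libc/calls/calls.h"
+#include "libc/calls/struct/seccomp.h"
+#include "libc/calls/syscall_support-sysv.internal.h"
+#include "libc/dce.h"
+#include "libc/intrin/kprintf.h"
+#include "libc/runtime/runtime.h"
+#include "libc/sock/sock.h"
+#include "libc/sysv/consts/af.h"
+#include "libc/sysv/consts/ipproto.h"
+#include "libc/sysv/consts/sig.h"
+#include "libc/sysv/consts/sock.h"
+#include "libc/testlib/testlib.h"
+
+#define SPAWN(METHOD) \
+{ \
+int ws, pid; \
+ASSERT_NE(-1, (pid = METHOD())); \
+if (!pid) {
+
+#define EXITS(rc) \
+_Exit(0); \
+} \
+ASSERT_NE(-1, wait(&ws)); \
+ASSERT_TRUE(WIFEXITED(ws)); \
+ASSERT_EQ(rc, WEXITSTATUS(ws)); \
+}
+
+#define TERMS(sig) \
+_Exit(0); \
+} \
+ASSERT_NE(-1, wait(&ws)); \
+ASSERT_TRUE(WIFSIGNALED(ws)); \
+ASSERT_EQ(sig, WTERMSIG(ws)); \
+}
+
+void SetUp(void) {
+if (!__is_linux_2_6_23() && !IsOpenbsd()) exit(0);
+}
+
+TEST(pledge, testSoftError) {
+if (IsOpenbsd()) return;
+SPAWN(fork);
+__pledge_mode = SECCOMP_RET_ERRNO | EPERM;
+ASSERT_SYS(0, 0, pledge("stdio", 0));
+ASSERT_SYS(EPERM, -1, socket(AF_INET, SOCK_STREAM, IPPROTO_TCP));
+_Exit(7);
+EXITS(7);
+}
+
+TEST(pledge, testKillThreadMode) {
+SPAWN(fork);
+__pledge_mode = SECCOMP_RET_KILL_THREAD;
+ASSERT_SYS(0, 0, pledge("stdio", 0));
+socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
+TERMS(IsOpenbsd() ? SIGABRT : SIGSYS);
+}
+
+TEST(pledge, testKillProcessMode) {
+SPAWN(fork);
+__pledge_mode = SECCOMP_RET_KILL_PROCESS;
+ASSERT_SYS(0, 0, pledge("stdio", 0));
+socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
+TERMS(IsOpenbsd() ? SIGABRT : SIGSYS);
+}
+
+TEST(pledge, testLogMessage_onSoftyMode) {
+if (IsOpenbsd()) return;
+int fds[2];
+char msg[64] = {0};
+ASSERT_SYS(0, 0, pipe(fds));
+SPAWN(fork);
+__pledge_mode = SECCOMP_RET_ERRNO | EPERM;
+ASSERT_SYS(0, 2, dup2(fds[1], 2));
+ASSERT_SYS(0, 0, pledge("stdio", 0));
+ASSERT_SYS(EPERM, -1, socket(AF_INET, SOCK_STREAM, IPPROTO_TCP));
+EXITS(0);
+close(fds[1]);
+read(fds[0], msg, sizeof(msg));
+close(fds[0]);
+if (IsLinux()) {
+ASSERT_STARTSWITH("error: has not pledged inet", msg);
+}
+}
+
+TEST(pledge, testLogMessage_onKillProcess) {
+int fds[2];
+char msg[64] = {0};
+ASSERT_SYS(0, 0, pipe(fds));
+SPAWN(fork);
+__pledge_mode = SECCOMP_RET_KILL;
+ASSERT_SYS(0, 2, dup2(fds[1], 2));
+ASSERT_SYS(0, 0, pledge("stdio", 0));
+socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
+TERMS(IsOpenbsd() ? SIGABRT : SIGSYS);
+close(fds[1]);
+read(fds[0], msg, sizeof(msg));
+close(fds[0]);
+if (IsLinux()) {
+ASSERT_STARTSWITH("error: has not pledged inet", msg);
+}
+}
+
+TEST(pledge, testNoLogPossibleSadly_becausePledgedExec) {
+int fds[2];
+char msg[64] = {0};
+ASSERT_SYS(0, 0, pipe(fds));
+SPAWN(fork);
+ASSERT_SYS(0, 2, dup2(fds[1], 2));
+ASSERT_SYS(0, 0, pledge("stdio exec", "stdio exec"));
+socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
+TERMS(IsOpenbsd() ? SIGABRT : SIGSYS);
+close(fds[1]);
+read(fds[0], msg, sizeof(msg));
+close(fds[0]);
+ASSERT_STREQ("", msg);
+}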
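Review bot: The parent side of testLogMessage_onSoftyMode, testLogMessage_onKillProcess and testNoLogPossibleSadly_becausePledgedExec discards the result of `read(fds[0], msg, sizeof(msg))` and lets it fill all 64 bytes, so a message of 64 bytes or more leaves `msg` without a NUL terminator, and a failed read (EINTR, say) leaves it zeroed so that `ASSERT_STREQ("", msg)` in the last test passes vacuously. Reading one byte less and checking the count keeps the buffer a string and makes the no-log test meaningful: `ssize_t got = read(fds[0], msg, sizeof(msg) - 1); ASSERT_NE(-1, got);` (the `= {0}` initializer already supplies the terminator). Separately, testLogMessage_onKillProcess sets `__pledge_mode = SECCOMP_RET_KILL` while its name and the sibling testKillProcessMode refer to `SECCOMP_RET_KILL_PROCESS`; on Linux SECCOMP_RET_KILL is the legacy alias of SECCOMP_RET_KILL_THREAD, so if the project's constant follows the kernel the test does not exercise the process-kill action its name claims (the child is single-threaded, so the observed signal is the same either way).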
@ -60,6 +60,10 @@ STATIC_YOINK("zip_uri_support");
|
char testlib_enable_tmp_setup_teardown;
|
__attribute__((__constructor__)) static void init(void) {
__pledge_mode = SECCOMP_RET_ERRNO | EPERM;
}
|
void OnSig(int sig) {
// do nothing
}
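Review bot: The constructor `init` that sets `__pledge_mode = SECCOMP_RET_ERRNO | EPERM` for the whole test binary carries no comment saying why this file opts out of the kill-on-violation behaviour this commit introduces, so a reader of pledge_test.c alone would assume its tests run under the shipped default. I'd add above the `__attribute__((__constructor__))` line: `// Keep the soft EPERM mode for this file so tests can ASSERT_SYS(EPERM, ...) on a violation instead of being killed; the kill modes are covered by pledge2_test.c.` Naming the function something more specific than `init`, e.g. `UseSoftPledgeMode`, would make the intent visible in a backtrace as well.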
@ -108,6 +112,20 @@ TEST(pledge, default_allowsExit) {
EXPECT_SYS(0, 0, munmap(job, FRAMESIZE));
}
|
TEST(pledge, execpromises_notok) {
if (IsOpenbsd()) return; // b/c testing linux bpf
int ws, pid;
ASSERT_NE(-1, (pid = fork()));
if (!pid) {
ASSERT_SYS(0, 0, pledge("stdio rpath exec", "stdio"));
execl("sock.elf", "sock.elf", 0);
_Exit(127);
}
EXPECT_NE(-1, wait(&ws));
EXPECT_TRUE(WIFEXITED(ws));
EXPECT_EQ(129, WEXITSTATUS(ws));
}
|
int Enclave(void *arg, int tid) {
ASSERT_SYS(0, 0, pledge("", 0));
int *job = arg; // get job
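Review bot: In the new execpromises_notok test, `execl("sock.elf", "sock.elf", 0)` terminates the variadic argument list with a plain `0`, which is an `int` rather than a null pointer; POSIX requires `(char *)0` or `NULL`, and the int form is undefined behaviour even though it happens to work on the x86-64 SysV ABI, so change the line to `execl("sock.elf", "sock.elf", (char *)0);`. The expected exit status `129` is also unexplained: a comment stating what sock.elf returns when socket() is refused (under the ERRNO mode this file's constructor installs, if that is what makes the exec'd program exit rather than die with SIGSYS — I'm inferring that from the constructor hunk above) would let a reader tell a real failure from a changed convention. Finally, this test is named execpromises_notok while the pre-existing one is renamed execpromises_notok1 further down, so neither name says how the two differ.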
@ -478,7 +496,7 @@ TEST(pledge, execpromises_ok) {
EXPECT_EQ(42, WEXITSTATUS(ws));
}
|
TEST(pledge, execpromises_notok) {
TEST(pledge, execpromises_notok1) {
if (IsOpenbsd()) return; // b/c testing linux bpf
int ws, pid;
ASSERT_NE(-1, (pid = fork()));
@ -367,22 +367,13 @@ TEST(unveil, usedTwice_forbidden_worksWithPledge) {
ASSERT_SYS(EACCES_OR_ENOENT, -1, open("garden/secret.txt", O_RDONLY));
// verify the first filter is still working
*gotsome = true;
ASSERT_SYS(EPERM, -1, socket(AF_UNIX, SOCK_STREAM, 0));
if (IsLinux()) {
ASSERT_SYS(0, 0, stat("garden/secret.txt", &st));
ASSERT_EQ(5, st.st_size); // wut linux metadata is accessible
}
socket(AF_UNIX, SOCK_STREAM, 0);
_Exit(0);
}
ASSERT_NE(-1, wait(&ws));
ASSERT_TRUE(*gotsome);
if (IsOpenbsd()) {
ASSERT_TRUE(WIFSIGNALED(ws));
ASSERT_EQ(SIGABRT, WTERMSIG(ws));
} else {
ASSERT_TRUE(WIFEXITED(ws));
ASSERT_EQ(0, WEXITSTATUS(ws));
}
ASSERT_TRUE(WIFSIGNALED(ws));
ASSERT_EQ(IsOpenbsd() ? SIGABRT : SIGSYS, WTERMSIG(ws));
EXPECT_SYS(0, 0, munmap(gotsome, FRAMESIZE));
}
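Review bot: Dropping the `if (IsLinux()) { ASSERT_SYS(0, 0, stat("garden/secret.txt", &st)); ASSERT_EQ(5, st.st_size); }` block loses the only check that, on Linux, metadata of a path hidden by unveil is still readable, a caveat the removed comment spelled out; the block had to go only because `socket()` now terminates the child, so it can be kept by moving it above the `socket(AF_UNIX, SOCK_STREAM, 0)` call, where the child is still alive (assuming stat is permitted by the promises in force, which are set outside this hunk). The surviving `// verify the first filter is still working` comment now sits over a bare `socket()` call whose effect is only observed by the parent's `WIFSIGNALED` check, so it should say so: `// the first filter must still be in force: this call kills the child with SIGSYS (SIGABRT on OpenBSD)`. The enclosing test starts before this hunk.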
|