Improve pledge() usability and consistency

- We now kill the program on violations like OpenBSD
- We now print a message explaining which promise is needed
- This change also fixes a linkage bug with thread local storage
- Your sigaction() handlers should now be more thread safe

A new `__pledge_mode` global has been introduced to make pledge() more
customizable on Linux. For example:

    __attribute__((__constructor__)) static void init(void) {
      __pledge_mode = SECCOMP_RET_ERRNO | EPERM;
    }

Can be used to restore our old permissive pledge() behavior.

test/libc/calls/pledge2_test.c

@@ -0,0 +1,134 @@
+/*-*- mode:c;indent-tabs-mode:nil;c-basic-offset:2;tab-width:8;coding:utf-8 -*-│
+│vi: set net ft=c ts=2 sts=2 sw=2 fenc=utf-8                                :vi│
+╞══════════════════════════════════════════════════════════════════════════════╡
+│ Copyright 2022 Justine Alexandra Roberts Tunney                              │
+│                                                                              │
+│ Permission to use, copy, modify, and/or distribute this software for         │
+│ any purpose with or without fee is hereby granted, provided that the         │
+│ above copyright notice and this permission notice appear in all copies.      │
+│                                                                              │
+│ THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL                │
+│ WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED                │
+│ WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE             │
+│ AUTHOR BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL         │
+│ DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR        │
+│ PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER               │
+│ TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR             │
+│ PERFORMANCE OF THIS SOFTWARE.                                                │
+╚─────────────────────────────────────────────────────────────────────────────*/
+#include "libc/calls/calls.h"
+#include "libc/calls/struct/seccomp.h"
+#include "libc/calls/syscall_support-sysv.internal.h"
+#include "libc/dce.h"
+#include "libc/intrin/kprintf.h"
+#include "libc/runtime/runtime.h"
+#include "libc/sock/sock.h"
+#include "libc/sysv/consts/af.h"
+#include "libc/sysv/consts/ipproto.h"
+#include "libc/sysv/consts/sig.h"
+#include "libc/sysv/consts/sock.h"
+#include "libc/testlib/testlib.h"
+
+#define SPAWN(METHOD)                \
+  {                                  \
+    int ws, pid;                     \
+    ASSERT_NE(-1, (pid = METHOD())); \
+    if (!pid) {
+
+#define EXITS(rc)                 \
+  _Exit(0);                       \
+  }                               \
+  ASSERT_NE(-1, wait(&ws));       \
+  ASSERT_TRUE(WIFEXITED(ws));     \
+  ASSERT_EQ(rc, WEXITSTATUS(ws)); \
+  }
+
+#define TERMS(sig)              \
+  _Exit(0);                     \
+  }                             \
+  ASSERT_NE(-1, wait(&ws));     \
+  ASSERT_TRUE(WIFSIGNALED(ws)); \
+  ASSERT_EQ(sig, WTERMSIG(ws)); \
+  }
+
+void SetUp(void) {
+  if (!__is_linux_2_6_23() && !IsOpenbsd()) exit(0);
+}
+
+TEST(pledge, testSoftError) {
+  if (IsOpenbsd()) return;
+  SPAWN(fork);
+  __pledge_mode = SECCOMP_RET_ERRNO | EPERM;
+  ASSERT_SYS(0, 0, pledge("stdio", 0));
+  ASSERT_SYS(EPERM, -1, socket(AF_INET, SOCK_STREAM, IPPROTO_TCP));
+  _Exit(7);
+  EXITS(7);
+}
+
+TEST(pledge, testKillThreadMode) {
+  SPAWN(fork);
+  __pledge_mode = SECCOMP_RET_KILL_THREAD;
+  ASSERT_SYS(0, 0, pledge("stdio", 0));
+  socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
+  TERMS(IsOpenbsd() ? SIGABRT : SIGSYS);
+}
+
+TEST(pledge, testKillProcessMode) {
+  SPAWN(fork);
+  __pledge_mode = SECCOMP_RET_KILL_PROCESS;
+  ASSERT_SYS(0, 0, pledge("stdio", 0));
+  socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
+  TERMS(IsOpenbsd() ? SIGABRT : SIGSYS);
+}
+
+TEST(pledge, testLogMessage_onSoftyMode) {
+  if (IsOpenbsd()) return;
+  int fds[2];
+  char msg[64] = {0};
+  ASSERT_SYS(0, 0, pipe(fds));
+  SPAWN(fork);
+  __pledge_mode = SECCOMP_RET_ERRNO | EPERM;
+  ASSERT_SYS(0, 2, dup2(fds[1], 2));
+  ASSERT_SYS(0, 0, pledge("stdio", 0));
+  ASSERT_SYS(EPERM, -1, socket(AF_INET, SOCK_STREAM, IPPROTO_TCP));
+  EXITS(0);
+  close(fds[1]);
+  read(fds[0], msg, sizeof(msg));
+  close(fds[0]);
+  if (IsLinux()) {
+    ASSERT_STARTSWITH("error: has not pledged inet", msg);
+  }
+}
+
+TEST(pledge, testLogMessage_onKillProcess) {
+  int fds[2];
+  char msg[64] = {0};
+  ASSERT_SYS(0, 0, pipe(fds));
+  SPAWN(fork);
+  __pledge_mode = SECCOMP_RET_KILL;
+  ASSERT_SYS(0, 2, dup2(fds[1], 2));
+  ASSERT_SYS(0, 0, pledge("stdio", 0));
+  socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
+  TERMS(IsOpenbsd() ? SIGABRT : SIGSYS);
+  close(fds[1]);
+  read(fds[0], msg, sizeof(msg));
+  close(fds[0]);
+  if (IsLinux()) {
+    ASSERT_STARTSWITH("error: has not pledged inet", msg);
+  }
+}
+
+TEST(pledge, testNoLogPossibleSadly_becausePledgedExec) {
+  int fds[2];
+  char msg[64] = {0};
+  ASSERT_SYS(0, 0, pipe(fds));
+  SPAWN(fork);
+  ASSERT_SYS(0, 2, dup2(fds[1], 2));
+  ASSERT_SYS(0, 0, pledge("stdio exec", "stdio exec"));
+  socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
+  TERMS(IsOpenbsd() ? SIGABRT : SIGSYS);
+  close(fds[1]);
+  read(fds[0], msg, sizeof(msg));
+  close(fds[0]);
+  ASSERT_STREQ("", msg);
+}

test/libc/calls/pledge_test.c

@@ -60,6 +60,10 @@ STATIC_YOINK("zip_uri_support");
 
 char testlib_enable_tmp_setup_teardown;
 
+__attribute__((__constructor__)) static void init(void) {
+  __pledge_mode = SECCOMP_RET_ERRNO | EPERM;
+}
+
 void OnSig(int sig) {
   // do nothing
 }
@@ -108,6 +112,20 @@ TEST(pledge, default_allowsExit) {
   EXPECT_SYS(0, 0, munmap(job, FRAMESIZE));
 }
 
+TEST(pledge, execpromises_notok) {
+  if (IsOpenbsd()) return;  // b/c testing linux bpf
+  int ws, pid;
+  ASSERT_NE(-1, (pid = fork()));
+  if (!pid) {
+    ASSERT_SYS(0, 0, pledge("stdio rpath exec", "stdio"));
+    execl("sock.elf", "sock.elf", 0);
+    _Exit(127);
+  }
+  EXPECT_NE(-1, wait(&ws));
+  EXPECT_TRUE(WIFEXITED(ws));
+  EXPECT_EQ(129, WEXITSTATUS(ws));
+}
+
 int Enclave(void *arg, int tid) {
   ASSERT_SYS(0, 0, pledge("", 0));
   int *job = arg;            // get job
@@ -478,7 +496,7 @@ TEST(pledge, execpromises_ok) {
   EXPECT_EQ(42, WEXITSTATUS(ws));
 }
 
-TEST(pledge, execpromises_notok) {
+TEST(pledge, execpromises_notok1) {
   if (IsOpenbsd()) return;  // b/c testing linux bpf
   int ws, pid;
   ASSERT_NE(-1, (pid = fork()));

test/libc/calls/unveil_test.c

@@ -367,22 +367,13 @@ TEST(unveil, usedTwice_forbidden_worksWithPledge) {
     ASSERT_SYS(EACCES_OR_ENOENT, -1, open("garden/secret.txt", O_RDONLY));
     // verify the first filter is still working
     *gotsome = true;
-    ASSERT_SYS(EPERM, -1, socket(AF_UNIX, SOCK_STREAM, 0));
-    if (IsLinux()) {
-      ASSERT_SYS(0, 0, stat("garden/secret.txt", &st));
-      ASSERT_EQ(5, st.st_size);  // wut linux metadata is accessible
-    }
+    socket(AF_UNIX, SOCK_STREAM, 0);
     _Exit(0);
   }
   ASSERT_NE(-1, wait(&ws));
   ASSERT_TRUE(*gotsome);
-  if (IsOpenbsd()) {
-    ASSERT_TRUE(WIFSIGNALED(ws));
-    ASSERT_EQ(SIGABRT, WTERMSIG(ws));
-  } else {
-    ASSERT_TRUE(WIFEXITED(ws));
-    ASSERT_EQ(0, WEXITSTATUS(ws));
-  }
+  ASSERT_TRUE(WIFSIGNALED(ws));
+  ASSERT_EQ(IsOpenbsd() ? SIGABRT : SIGSYS, WTERMSIG(ws));
   EXPECT_SYS(0, 0, munmap(gotsome, FRAMESIZE));
 }