Improve pledge() usability and consistency

- We now kill the program on violations like OpenBSD - We now print a message explaining which promise is needed - This change also fixes a linkage bug with thread local storage - Your sigaction() handlers should now be more thread safe A new `__pledge_mode` global has been introduced to make pledge() more customizable on Linux. For example: __attribute__((__constructor__)) static void init(void) { __pledge_mode = SECCOMP_RET_ERRNO | EPERM; } Can be used to restore our old permissive pledge() behavior.
2025-07-03 17:58:30 +00:00 · 2022-08-07 16:18:33 -07:00 · 2022-08-07 16:18:33 -07:00 · 5546559034
commit 5546559034
parent 13c1c45075
30 changed files with 713 additions and 86 deletions
--- a/test/libc/calls/pledge_test.c
+++ b/test/libc/calls/pledge_test.c
@ -60,6 +60,10 @@ STATIC_YOINK("zip_uri_support");

 char testlib_enable_tmp_setup_teardown;

+__attribute__((__constructor__)) static void init(void) {
+  __pledge_mode = SECCOMP_RET_ERRNO | EPERM;
+}
+
 void OnSig(int sig) {
  // do nothing
 }
@ -108,6 +112,20 @@ TEST(pledge, default_allowsExit) {
  EXPECT_SYS(0, 0, munmap(job, FRAMESIZE));
 }

+TEST(pledge, execpromises_notok) {
+  if (IsOpenbsd()) return;  // b/c testing linux bpf
+  int ws, pid;
+  ASSERT_NE(-1, (pid = fork()));
+  if (!pid) {
+    ASSERT_SYS(0, 0, pledge("stdio rpath exec", "stdio"));
+    execl("sock.elf", "sock.elf", 0);
+    _Exit(127);
+  }
+  EXPECT_NE(-1, wait(&ws));
+  EXPECT_TRUE(WIFEXITED(ws));
+  EXPECT_EQ(129, WEXITSTATUS(ws));
+}
+
 int Enclave(void *arg, int tid) {
  ASSERT_SYS(0, 0, pledge("", 0));
  int *job = arg;            // get job
@ -478,7 +496,7 @@ TEST(pledge, execpromises_ok) {
  EXPECT_EQ(42, WEXITSTATUS(ws));
 }

-TEST(pledge, execpromises_notok) {
+TEST(pledge, execpromises_notok1) {
  if (IsOpenbsd()) return;  // b/c testing linux bpf
  int ws, pid;
  ASSERT_NE(-1, (pid = fork()));