Improve pledge() usability and consistency
- We now kill the program on violations like OpenBSD - We now print a message explaining which promise is needed - This change also fixes a linkage bug with thread-local storage - Your sigaction() handlers should now be more thread-safe A new `__pledge_mode` global has been introduced to make pledge() more customizable on Linux. For example: __attribute__((__constructor__)) static void init(void) { __pledge_mode = SECCOMP_RET_ERRNO | EPERM; } Can be used to restore our old permissive pledge() behavior.
This commit is contained in:
parent
13c1c45075
commit
5546559034
30 changed files with 713 additions and 86 deletions
|
@ -259,7 +259,7 @@ SECURITY
|
|||
|
||||
-S (online policy)
|
||||
|
||||
This causes unix.pledge("stdio rpath inet dns") to be called on
|
||||
This causes unix.pledge("stdio rpath inet dns id") to be called on
|
||||
workers after fork() is called. This permits read-only operations
|
||||
and APIs like Fetch() that let workers send and receive data with
|
||||
private and public Internet hosts. Access to the unix module is
|
||||
|
@ -267,10 +267,12 @@ SECURITY
|
|||
|
||||
-SS (offline policy)
|
||||
|
||||
This causes unix.pledge("stdio rpath") to be called on workers
|
||||
This causes unix.pledge("stdio rpath id") to be called on workers
|
||||
after after fork() is called. This prevents workers from talking
|
||||
to the network (other than the client) and allows read-only file
|
||||
system access (e.g. `-D DIR` flag).
|
||||
system access (e.g. `-D DIR` flag). The `id` group helps you to
|
||||
call other functions important to redbean security, such as the
|
||||
unix.setrlimit() function.
|
||||
|
||||
-SSS (contained policy)
|
||||
|
||||
|
@ -281,6 +283,11 @@ SECURITY
|
|||
should only be able to serve from its own zip file in this mode.
|
||||
Lua script access to the unix module is highly restricted.
|
||||
|
||||
Unlike the unix.pledge() function, these sandboxing flags use a more
|
||||
permissive policy on Linux. Rather than killing the process, they'll
|
||||
cause system calls to fail with EPERM instead. Therefore these flags
|
||||
should be gentler when you want security errors to be recoverable.
|
||||
|
||||
See http://redbean.dev for further details.
|
||||
|
||||
────────────────────────────────────────────────────────────────────────────────
|
||||
|
@ -3834,8 +3841,11 @@ UNIX MODULE
|
|||
This can be used to sandbox your redbean workers. It allows finer
|
||||
customization compared to the `-S` flag.
|
||||
|
||||
Pledging causes most system calls to become unavailable. On Linux the
|
||||
disabled calls will return EPERM whereas OpenBSD kills the process.
|
||||
Pledging causes most system calls to become unavailable. If a
|
||||
forbidden system call is used, then the process will be killed. In
|
||||
that case, on OpenBSD, your system log will explain which promise
|
||||
you need. On Linux, we report the promise to stderr, with one
|
||||
exception: reporting is currently not possible if you pledge exec.
|
||||
|
||||
Using pledge is irreversible. On Linux it causes PR_SET_NO_NEW_PRIVS
|
||||
to be set on your process.
|
||||
|
|
|
@ -25,6 +25,7 @@
|
|||
#include "libc/calls/struct/flock.h"
|
||||
#include "libc/calls/struct/iovec.h"
|
||||
#include "libc/calls/struct/rusage.h"
|
||||
#include "libc/calls/struct/seccomp.h"
|
||||
#include "libc/calls/struct/sigaction.h"
|
||||
#include "libc/calls/struct/stat.h"
|
||||
#include "libc/calls/struct/termios.h"
|
||||
|
@ -32,6 +33,7 @@
|
|||
#include "libc/dns/dns.h"
|
||||
#include "libc/dns/hoststxt.h"
|
||||
#include "libc/dos.h"
|
||||
#include "libc/errno.h"
|
||||
#include "libc/fmt/conv.h"
|
||||
#include "libc/fmt/itoa.h"
|
||||
#include "libc/intrin/kprintf.h"
|
||||
|
@ -6585,17 +6587,18 @@ static void UnveilRedbean(void) {
|
|||
}
|
||||
|
||||
static int EnableSandbox(void) {
|
||||
__pledge_mode = SECCOMP_RET_ERRNO | EPERM;
|
||||
switch (sandboxed) {
|
||||
case 0:
|
||||
return 0;
|
||||
case 1: // -S
|
||||
DEBUGF("(stat) applying '%s' sandbox policy", "online");
|
||||
UnveilRedbean();
|
||||
return pledge("stdio rpath inet dns", 0);
|
||||
return pledge("stdio rpath inet dns id", 0);
|
||||
case 2: // -SS
|
||||
DEBUGF("(stat) applying '%s' sandbox policy", "offline");
|
||||
UnveilRedbean();
|
||||
return pledge("stdio rpath", 0);
|
||||
return pledge("stdio rpath id", 0);
|
||||
default: // -SSS
|
||||
DEBUGF("(stat) applying '%s' sandbox policy", "contained");
|
||||
UnveilRedbean();
|
||||
|
|
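Review bot: The `__pledge_mode = SECCOMP_RET_ERRNO | EPERM;` assignment at the top of EnableSandbox runs before `switch (sandboxed)`, so it mutates the process-wide pledge mode even in `case 0`, where no sandbox is applied and the function returns 0. Moving it after `case 0: return 0;` (or into the branches that call pledge) keeps the no-sandbox path free of side effects, and a one-line comment such as `// -S flags prefer recoverable EPERM over the kill-on-violation default` would record why redbean opts out of the new default. Separately, the two `return pledge(...)` lines add the `id` promise to the worker policy; `id` is broader than setrlimit alone (it also unlocks the set*uid/set*gid family), so the widening of the worker sandbox deserves a comment next to the pledge strings stating that trade-off. The hunk ends inside EnableSandbox's `default:` case, so the rest of the function lies outside the hunk.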