Add seccomp bpf sandboxing to redbean

It's now possible to pass the `-S` or `-SS` flags to sandbox redbean
worker proecsses after they've been forked. The first `-S` flag is
intended to be a permissive builtin policy that limits system calls to
only that which the various parts of redbean serving need. The second
`-SS` flag is intended to be more restrictive, preventing things like
the Lua extensions you download off the web from using the HTTP client
or sockets APIs. In upcoming changes you'll be able to implement your
own Berkeley Packet Filter sandbox programs and load them via Lua.

libc/log/backtrace2.c

@@ -21,7 +21,6 @@
 #include "libc/bits/safemacros.internal.h"
 #include "libc/bits/weaken.h"
 #include "libc/calls/calls.h"
-#include "libc/calls/issandboxed.h"
 #include "libc/calls/sigbits.h"
 #include "libc/calls/strace.internal.h"
 #include "libc/dce.h"
@@ -160,7 +159,7 @@ static int PrintBacktraceUsingAddr2line(int fd, const struct StackFrame *bp) {
 }
 
 static int PrintBacktrace(int fd, const struct StackFrame *bp) {
-  if (!IsTiny() && !__issandboxed) {
+  if (!IsTiny() && !__isworker) {
     if (PrintBacktraceUsingAddr2line(fd, bp) != -1) {
       return 0;
     }

libc/log/checkfail.c

@@ -21,6 +21,7 @@
 #include "libc/calls/strace.internal.h"
 #include "libc/errno.h"
 #include "libc/fmt/fmt.h"
+#include "libc/intrin/kprintf.h"
 #include "libc/log/check.h"
 #include "libc/log/color.internal.h"
 #include "libc/log/internal.h"
@@ -28,6 +29,9 @@
 #include "libc/log/log.h"
 #include "libc/runtime/memtrack.internal.h"
 #include "libc/runtime/runtime.h"
+#include "libc/stdio/stdio.h"
+
+STATIC_YOINK("strerror_wr");
 
 /**
  * Handles failure of CHECK_xx() macros.
@@ -44,59 +48,26 @@ relegated void __check_fail(const char *suffix, const char *opstr,
   __strace = 0;
   g_ftrace = 0;
   e = errno;
-  p = __fatalbuf;
   __start_fatal(file, line);
   __stpcpy(hostname, "unknown");
   gethostname(hostname, sizeof(hostname));
-  p = __stpcpy(p, "check failed on ");
-  p = __stpcpy(p, hostname);
-  p = __stpcpy(p, " pid ");
-  p = __intcpy(p, __getpid());
-  p = __stpcpy(p, "\n");
-  p = __stpcpy(p, "\tCHECK_");
-  for (; *suffix; ++suffix) {
-    *p++ = *suffix - ('a' <= *suffix && *suffix <= 'z') * 32;
-  }
-  p = __stpcpy(p, "(");
-  p = __stpcpy(p, wantstr);
-  p = __stpcpy(p, ", ");
-  p = __stpcpy(p, gotstr);
-  p = __stpcpy(p, ");\n\t\t → 0x");
-  p = __hexcpy(p, want);
-  p = __stpcpy(p, " (");
-  p = __stpcpy(p, wantstr);
-  p = __stpcpy(p, ")\n\t\t");
-  p = __stpcpy(p, opstr);
-  p = __stpcpy(p, " 0x");
-  p = __hexcpy(p, got);
-  p = __stpcpy(p, " (");
-  p = __stpcpy(p, gotstr);
-  p = __stpcpy(p, ")\n");
+  kprintf("check failed on %s pid %d%n", hostname, getpid());
+  kprintf("\tCHECK_%^s(%s, %s);%n", suffix, wantstr, gotstr);
+  kprintf("\t\t → %p (%s)%n", want, wantstr);
+  kprintf("\t\t%s %p (%s)%n", opstr, got, gotstr);
   if (!isempty(fmt)) {
-    *p++ = '\t';
+    kprintf("\t");
     va_start(va, fmt);
-    p += (vsprintf)(p, fmt, va);
+    kvprintf(fmt, va);
     va_end(va);
-    *p++ = '\n';
+    kprintf("%n");
   }
-  p = __stpcpy(p, "\t");
-  p = __stpcpy(p, strerror(e));
-  p = __stpcpy(p, "\n\t");
-  p = __stpcpy(p, SUBTLE);
-  p = __stpcpy(p, program_invocation_name);
-  if (__argc > 1) p = __stpcpy(p, " \\");
-  p = __stpcpy(p, RESET);
-  p = __stpcpy(p, "\n");
-  __write(__fatalbuf, p - __fatalbuf);
+  kprintf("\t%m%n\t%s%s", SUBTLE, program_invocation_name);
   for (i = 1; i < __argc; ++i) {
-    p = __fatalbuf;
-    p = __stpcpy(p, "\t\t");
-    p = __stpcpy(p, __argv[i]);
-    if (i < __argc - 1) p = __stpcpy(p, " \\");
-    p = __stpcpy(p, "\n");
+    kprintf(" %s", __argv[i]);
   }
+  kprintf("%s%n", RESET);
   if (!IsTiny() && e == ENOMEM) {
-    __write("\n", 1);
     PrintMemoryIntervals(2, &_mmi);
   }
   __die();

libc/log/oncrash.c

@@ -19,7 +19,6 @@
 #include "libc/bits/weaken.h"
 #include "libc/calls/calls.h"
 #include "libc/calls/internal.h"
-#include "libc/calls/issandboxed.h"
 #include "libc/calls/sigbits.h"
 #include "libc/calls/strace.internal.h"
 #include "libc/calls/struct/sigaction.h"
@@ -200,10 +199,8 @@ relegated void ShowCrashReport(int err, int sig, struct siginfo *si,
   names.version[0] = 0;
   names.nodename[0] = 0;
   __stpcpy(host, "unknown");
-  if (!__issandboxed) {
-    gethostname(host, sizeof(host));
-    uname(&names);
-  }
+  gethostname(host, sizeof(host));
+  uname(&names);
   p = buf;
   errno = err;
   kprintf("%n%serror%s: Uncaught %G (%s) on %s pid %d%n"
@@ -292,8 +289,7 @@ relegated noinstrument void __oncrash(int sig, struct siginfo *si,
         DebugBreak();
       } else if (__nocolor || g_isrunningundermake) {
         gdbpid = -1;
-      } else if (!IsTiny() && IsLinux() && FindDebugBinary() &&
-                 !__issandboxed) {
+      } else if (!IsTiny() && IsLinux() && FindDebugBinary() && !__isworker) {
         RestoreDefaultCrashSignalHandlers();
         gdbpid = AttachDebugger(
             ((sig == SIGTRAP || sig == SIGQUIT) &&

libc/log/restoretty.c

@@ -17,7 +17,6 @@
 │ PERFORMANCE OF THIS SOFTWARE.                                                │
 ╚─────────────────────────────────────────────────────────────────────────────*/
 #include "libc/calls/calls.h"
-#include "libc/calls/issandboxed.h"
 #include "libc/calls/struct/termios.h"
 #include "libc/calls/termios.h"
 #include "libc/errno.h"
@@ -52,7 +51,7 @@ const void *const g_oldtermios_ctor[] initarray = {
 
 void __restore_tty(int fd) {
   int e;
-  if (!__issandboxed) {
+  if (!__isworker) {
     e = errno;
     if (g_oldtermios.c_lflag && !__nocolor && isatty(fd)) {
       write(fd, ANSI_RESTORE, strlen(ANSI_RESTORE));

libc/log/startfatal.c

@@ -28,7 +28,7 @@
  */
 relegated void __start_fatal(const char *file, int line) {
   __restore_tty(1);
-  kprintf("\r%serror%s:%s:%d:%s%s: ", !__nocolor ? "\e[J\e[30;101m" : "",
+  kprintf("%r%serror%s:%s:%d:%s%s: ", !__nocolor ? "\e[J\e[30;101m" : "",
           !__nocolor ? "\e[94;49m" : "", file, line,
           program_invocation_short_name, !__nocolor ? "\e[0m" : "");
 }