From 6598940d8a3bdbcb66ba60ac8b7c5d7e9885cdc0 Mon Sep 17 00:00:00 2001
From: Stephen Gregoratto
Date: Tue, 19 Jul 2022 01:26:40 +1000
Subject: [PATCH] Make unveil() improvements (#493)

- Merge the multiple masks to just one.
- Add documentation to for sys_unveil.
- Inline the chomp function in the unveil tool.
---
libc/mem/unveil.c | 115 ++++++++++++++++++++++++++++++---------------
tool/build/unveil.c | 19 +++++---
2 files changed, 89 insertions(+), 45 deletions(-)

diff --git a/libc/mem/unveil.c b/libc/mem/unveil.c
index e18ab39a6..022ee615b 100644
--- a/libc/mem/unveil.c
+++ b/libc/mem/unveil.c
@@ -36,43 +36,44 @@ #include "libc/sysv/consts/s.h" #include "libc/sysv/errfuns.h" +#define UNVEIL_READ \ + (LANDLOCK_ACCESS_FS_READ_FILE | LANDLOCK_ACCESS_FS_READ_DIR | \ + LANDLOCK_ACCESS_FS_REFER) +#define UNVEIL_WRITE (LANDLOCK_ACCESS_FS_WRITE_FILE) +#define UNVEIL_EXEC (LANDLOCK_ACCESS_FS_EXECUTE) +#define UNVEIL_CREATE \ + (LANDLOCK_ACCESS_FS_MAKE_CHAR | LANDLOCK_ACCESS_FS_MAKE_DIR | \ + LANDLOCK_ACCESS_FS_MAKE_REG | LANDLOCK_ACCESS_FS_MAKE_SOCK | \ + LANDLOCK_ACCESS_FS_MAKE_FIFO | LANDLOCK_ACCESS_FS_MAKE_BLOCK | \ + LANDLOCK_ACCESS_FS_MAKE_SYM) + #define FILE_BITS \ (LANDLOCK_ACCESS_FS_READ_FILE | LANDLOCK_ACCESS_FS_WRITE_FILE | \ LANDLOCK_ACCESS_FS_EXECUTE) -/* +/** * Long living state for landlock calls. - * The bits are set at runtime to handle future API additions. + * fs_mask is set to use all the access rights from the latest landlock ABI. + * On init, the current supported abi is checked and unavailable rights are + * masked off. + * * As of 5.19, the latest abi is v2. * * TODO: - * - Documentation for sys_unveil. * - Integrate with pledge and remove the file access? * - Stuff state into the .protected section? 
*/ _Thread_local static struct { - int abi; + uint64_t fs_mask; int fd; - uint64_t read; - uint64_t write; - uint64_t exec; - uint64_t create; } State = { - .abi = 2, - .read = LANDLOCK_ACCESS_FS_READ_FILE | LANDLOCK_ACCESS_FS_READ_DIR | - LANDLOCK_ACCESS_FS_REFER, - .write = LANDLOCK_ACCESS_FS_WRITE_FILE, - .exec = LANDLOCK_ACCESS_FS_EXECUTE, - .create = LANDLOCK_ACCESS_FS_REMOVE_DIR | LANDLOCK_ACCESS_FS_MAKE_CHAR | - LANDLOCK_ACCESS_FS_MAKE_DIR | LANDLOCK_ACCESS_FS_MAKE_REG | - LANDLOCK_ACCESS_FS_MAKE_SOCK | LANDLOCK_ACCESS_FS_MAKE_FIFO | - LANDLOCK_ACCESS_FS_MAKE_BLOCK | LANDLOCK_ACCESS_FS_MAKE_SYM, + .fs_mask = UNVEIL_READ | UNVEIL_WRITE | UNVEIL_EXEC | UNVEIL_CREATE, + .fd = 0, }; static int unveil_final(void) { int rc; - if (State.fd == -1) return 0; - assert(State.fd > 0); + if (State.fd == -1) return eperm(); if ((rc = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) != -1 && (rc = landlock_restrict_self(State.fd, 0)) != -1 && (rc = sys_close(State.fd)) != -1)
@@ -89,12 +90,13 @@ static int err_close(int rc, int fd) { static int unveil_init(void) { int rc, fd; - if ((rc = landlock_create_ruleset(0, 0, LANDLOCK_CREATE_RULESET_VERSION)) < 0) + if ((rc = landlock_create_ruleset(0, 0, LANDLOCK_CREATE_RULESET_VERSION)) < 0) { + if (errno == EOPNOTSUPP) errno = ENOSYS; return -1; - State.abi = rc; - if (State.abi < 2) State.read &= ~LANDLOCK_ACCESS_FS_REFER; + } + if (rc < 2) State.fs_mask &= ~LANDLOCK_ACCESS_FS_REFER; const struct landlock_ruleset_attr attr = { - .handled_access_fs = State.read | State.write | State.exec | State.create, + .handled_access_fs = State.fs_mask, }; if ((rc = landlock_create_ruleset(&attr, sizeof(attr), 0)) < 0) return -1; // grant file descriptor a higher number that's less likely to interfere
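Review bot: `UNVEIL_CREATE` in the first hunk of libc/mem/unveil.c no longer contains `LANDLOCK_ACCESS_FS_REMOVE_DIR`, which the removed `.create` initializer had, and neither version lists `LANDLOCK_ACCESS_FS_REMOVE_FILE`. `State.fs_mask` is built from these macros and becomes `handled_access_fs` in `unveil_init`, and Landlock only restricts access types that the ruleset handles, so directory removal appears to stop being confined after this change. The commit message describes only a merge of the masks, so the drop looks unintentional. I would add `LANDLOCK_ACCESS_FS_REMOVE_DIR | LANDLOCK_ACCESS_FS_REMOVE_FILE |` to `UNVEIL_CREATE`, which also matches the new doc text saying `c` lets a path be "created and removed". The body of `unveil_final` continues past the end of this hunk.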
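Review bot: The `errno` rewrite added to `unveil_init` (hunk `@@ -89,12 +90,13 @@`) is uncommented, and the ABI threshold in `if (rc < 2)` is a bare number. A short comment on each would spare the next reader a trip to the Landlock documentation, for example `// Landlock is built in but disabled at boot; report it like a kernel without the syscall` above the rewrite and `// LANDLOCK_ACCESS_FS_REFER only exists from ABI v2 on` above the mask line. It is also worth stating near the ENOSYS path that a caller receiving it has no sandbox in place and should fail closed. The rest of `unveil_init` lies outside the hunk.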
@@ -107,26 +109,21 @@ static int unveil_init(void) { static int sys_unveil_linux(const char *path, const char *permissions) { int rc; if (!State.fd && (rc = unveil_init()) == -1) return rc; + if ((path && !permissions) || (!path && permissions)) return einval(); if (!path && !permissions) return unveil_final(); struct landlock_path_beneath_attr pb = {0}; for (const char *c = permissions; *c != '\0'; c++) { switch (*c) { - case 'r': - pb.allowed_access |= State.read; - break; - case 'w': - pb.allowed_access |= State.write; - break; - case 'x': - pb.allowed_access |= State.exec; - break; - case 'c': - pb.allowed_access |= State.create; - break; - default: - return einval(); + // clang-format off + case 'r': pb.allowed_access |= UNVEIL_READ; break; + case 'w': pb.allowed_access |= UNVEIL_WRITE; break; + case 'x': pb.allowed_access |= UNVEIL_EXEC; break; + case 'c': pb.allowed_access |= UNVEIL_CREATE; break; + default: return einval(); + // clang-format on } } + pb.allowed_access &= State.fs_mask; if ((rc = sys_open(path, O_PATH | O_CLOEXEC, 0)) == -1) return rc; pb.parent_fd = rc; struct stat st; 
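Review bot: The added argument check in `sys_unveil_linux` sits after the `unveil_init()` call, so a malformed call such as `unveil(path, NULL)` still creates the ruleset descriptor before returning EINVAL. Making `if ((path && !permissions) || (!path && permissions)) return einval();` the first statement keeps invalid calls free of side effects. Separately, an empty `permissions` string leaves `pb.allowed_access` at 0, although the new documentation allows "zero or more" characters. The rule is added outside this hunk, so please confirm how that case is reported to the caller.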
@@ -142,7 +139,49 @@ static int sys_unveil_linux(const char *path, const char *permissions) { } /** - * Unveil parts of a restricted filesystem view. + * Restricts filesystem operations, e.g. + * + * unveil("/etc", "r"); + * + * Unveiling restricts the visibility of the filesystem to a set of allowed + * paths with specific operations. This system call is supported natively on + * OpenBSD and polyfilled on Linux using the Landlock LSM[1]. + * + * On OpenBSD, accessing paths outside of the allowed set raises ENOENT, and + * accessing ones with incorrect permissions raises EACCES. On Linux, both these + * cases raise EACCES. + * + * Using unveil is irreversible. On OpenBSD, the first call immediately enforces + * the filesystem visibilty, and existing paths can only be updated with equal + * or lesser permissions. Filesystem operations that try to access invisible + * paths will raise ENOENT, and operations without the correct permissions raise + * EACCES. Unveiling can be disabled by either passing two NULL arguments or by + * calling pledge() without the "unveil" promise. + * + * Landlock is more permissive than OpenBSD's unveil. Filesystem visibility is + * only enforced after disabling, and path permissions can be increased at any + * time. Finally, both accessing invisible paths or ones with incorrect + * permissions will raise EACCES. + * + * `permissions` is a string consisting of zero or more of the following + * characters: + * + * - 'r' makes `path` available for read-only path operations, corresponding to + * the pledge promise "rpath". + * - `w` makes `path` available for write operations, corresponding to the + * pledge promise "wpath". + * - `x` makes `path` available for execute operations, corresponding to the + * pledge promises "exec" and "execnative". + * - `c` allows `path` to be created and removed, corresponding to the pledge + * promise "cpath". 
+ * + * [1] https://docs.kernel.org/userspace-api/landlock.html + * + * @return 0 on success, or -1 w/ errno + * @raise ENOSYS if host os isn't Linux or OpenBSD + * @raise ENOSYS if Landlock isn't supported on this kernel + * @raise EINVAL if one argument is set and the other is not + * @raise EINVAL if an invalid character in `permissions` was found */ int unveil(const char *path, const char *permissions) { int rc;
diff --git a/tool/build/unveil.c b/tool/build/unveil.c
index dc7343433..b13cd7042 100644
--- a/tool/build/unveil.c
+++ b/tool/build/unveil.c
@@ -38,9 +38,7 @@ https://justine.lol/pledge/\n\ https://github.com/jart\n\ \n\ this program lets you launch linux commands in a filesystem sandbox\n\ -inspired by the design of openbsd's unveil() system call. Visit\n\ -the https://justine.lol/pledge/ page for online documentation.\n\ -\n\ +inspired by the design of openbsd's unveil() system call.\n\ " wontreturn void usage(void) {
@@ -61,7 +59,6 @@ int main(int argc, char *argv[]) { if (!(IsLinux() || IsOpenbsd())) errx(1, "this program is only intended for Linux and OpenBSD"); - // parse flags while ((opt = getopt(argc, argv, "h")) != -1) { switch (opt) { case 'h':
@@ -79,7 +76,13 @@ int main(int argc, char *argv[]) { while ((len = getline(&line, &size, stdin)) != -1) { count++; - _chomp(line); + + bool chomped = false; + while (!chomped) + if (line[len-1] == '\r' || line[len-1] == '\n') + line[--len] = '\0'; + else + chomped = true; char *tok = line; const char *p;
@@ -98,9 +101,11 @@ int main(int argc, char *argv[]) { err(1, "unveil(%s, %s)", fields[0], fields[1]); } free(line); - if (ferror(stdin)) err(1, "getline"); + if (ferror(stdin)) + err(1, "getline"); - if (unveil(NULL, NULL) == -1) err(1, "unveil disable"); + if (unveil(NULL, NULL) == -1) + err(1, "unveil(NULL, NULL)"); __sys_execve(prog, argv + optind, environ); err(127, "execve");
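Review bot: In the new `unveil()` doc comment, "Unveiling can be disabled by ... passing two NULL arguments" reads as if the restrictions were lifted, while the Landlock paragraph says visibility is "only enforced after disabling". That wording buries the main porting hazard: on Linux nothing is confined until `unveil(NULL, NULL)` is called, so a program written for OpenBSD that never makes the final call runs unrestricted. I would state it directly, e.g. `On Linux, no restriction takes effect until unveil(NULL, NULL) commits the rules.`, and describe the two-NULL call as locking the rule set rather than disabling it. The ENOENT/EACCES sentence is also repeated in the third paragraph, and "visibilty" is misspelled. The body of `unveil` lies outside the hunk.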
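Review bot: The inlined chomp loop in tool/build/unveil.c (hunk `@@ -79,7 +76,13 @@`) indexes `line[len-1]` without checking `len`. An input line consisting only of `\n` or `\r\n` is trimmed to length 0, and the next iteration reads `line[-1]`, one byte before the getline buffer. If that byte happens to compare equal to CR or LF, it is overwritten with NUL as well. Bounding the loop fixes this and removes the `chomped` flag: `while (len > 0 && (line[len - 1] == '\r' || line[len - 1] == '\n')) line[--len] = '\0';`. The input is the rule list read from stdin, so blank lines are a realistic case. `main` continues outside the hunk.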