Use LD_PRELOAD to inject pledge() in glibc progs

We're now able to drop both `exec` and `prot_exec` privileges automatically when launching glibc dynamic executables. We also have really outstanding standard error logging now, that explains which promises are needed, even in cases where `exec` is used.
2025-06-28 07:18:30 +00:00 · 2022-08-08 21:23:37 -07:00 · 2022-08-08 21:23:37 -07:00 · 6b3d257588
commit 6b3d257588
parent 0277d7d6e9
5 changed files with 286 additions and 178 deletions
--- a/tool/build/dso/sandbox.c
+++ b/tool/build/dso/sandbox.c
@ -0,0 +1,50 @@
+/*-*- mode:c;indent-tabs-mode:nil;c-basic-offset:2;tab-width:8;coding:utf-8 -*-│
+│vi: set net ft=c ts=2 sts=2 sw=2 fenc=utf-8                                :vi│
+╞══════════════════════════════════════════════════════════════════════════════╡
+│ Copyright 2022 Justine Alexandra Roberts Tunney                              │
+│                                                                              │
+│ Permission to use, copy, modify, and/or distribute this software for         │
+│ any purpose with or without fee is hereby granted, provided that the         │
+│ above copyright notice and this permission notice appear in all copies.      │
+│                                                                              │
+│ THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL                │
+│ WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED                │
+│ WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE             │
+│ AUTHOR BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL         │
+│ DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR        │
+│ PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER               │
+│ TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR             │
+│ PERFORMANCE OF THIS SOFTWARE.                                                │
+╚─────────────────────────────────────────────────────────────────────────────*/
+#include "libc/calls/calls.h"
+#include "libc/calls/pledge.h"
+#include "libc/calls/pledge.internal.h"
+#include "libc/intrin/promises.internal.h"
+#include "libc/runtime/runtime.h"
+
+/*
+ * runs pledge at glibc executable load time, e.g.
+ * strace -vff bash -c '_PLEDGE=4194303,0,1 LD_PRELOAD=$HOME/sandbox.so ls'
+ */
+
+hidden uint8_t __privileged_start[1];
+hidden uint8_t __privileged_end[1];
+
+__attribute__((__constructor__)) void init(void) {
+  int c, i, j;
+  const char *s;
+  uint64_t arg[3] = {0};
+  s = getenv("_PLEDGE");
+  for (i = j = 0; i < 3; ++i) {
+    while ((c = s[j] & 255)) {
+      ++j;
+      if ('0' <= c & c <= '9') {
+        arg[i] *= 10;
+        arg[i] += c - '0';
+      } else {
+        break;
+      }
+    }
+  }
+  sys_pledge_linux(~arg[0], arg[1], arg[2]);
+}