Fix bugs and add security features to redbean

- Fix a regression with the previous change that broke redbean - Add chroot(), resource limit, seccomp, and other stuff to redbean - Write lots and lots of documentation - Iron out more system call issues
2025-07-05 02:38:31 +00:00 · 2022-04-18 00:01:26 -07:00 · 2022-04-18 00:01:26 -07:00 · 7166679620
commit 7166679620
parent f1dfa4bdfa
182 changed files with 1855 additions and 918 deletions
--- a/libc/runtime/mmap.c
+++ b/libc/runtime/mmap.c
@ -112,6 +112,14 @@ noasan static bool Automap(int n, int *res) {
  }
 }

+noasan static size_t GetMemtrackSize(struct MemoryIntervals *mm) {
+  size_t i, n;
+  for (n = i = 0; i < mm->i; ++i) {
+    n += ((size_t)(mm->p[i].y - mm->p[i].x) + 1) << 16;
+  }
+  return n;
+}
+
 static noasan void *MapMemory(void *addr, size_t size, int prot, int flags,
                              int fd, int64_t off, int f, int x, int n) {
  struct DirectMap dm;
@ -225,6 +233,7 @@ noasan void *mmap(void *addr, size_t size, int prot, int flags, int fd,
  void *res;
  char *p = addr;
  struct DirectMap dm;
+  size_t virtualused, virtualneed;
  int a, b, i, f, m, n, x;
  if (UNLIKELY(!size)) {
    STRACE("size=0");
@ -268,6 +277,13 @@ noasan void *mmap(void *addr, size_t size, int prot, int flags, int fd,
  } else if (__isfdkind(fd, kFdZip)) {
    STRACE("fd is zipos handle");
    res = VIP(einval());
+  } else if (__virtualmax &&
+             (__builtin_add_overflow((virtualused = GetMemtrackSize(&_mmi)),
+                                     size, &virtualneed) ||
+              virtualneed > __virtualmax)) {
+    STRACE("%'zu size + %'zu inuse exceeds virtual memory limit %'zu", size,
+           virtualused, __virtualmax);
+    res = VIP(enomem());
  } else {
    if (fd == -1) {
      size = ROUNDUP(size, FRAMESIZE);