Release redbean 2.0.14

Justine Tunney 2022-07-22 17:07:25 -07:00
parent 76d2f68c91
commit 742251dd92
3 changed files with 20 additions and 20 deletions


@ -3908,14 +3908,14 @@ UNIX MODULE
such as non-assimilated APE binaries, or programs that link
dynamic shared objects, i.e. most Linux distro binaries.
`execpromises` only matters if "exec" or "execnative" are specified
in `promises`. In that case, this specifies the promises that'll
apply once execve() happens. If this is NULL then the default is
used, which is unrestricted. OpenBSD allows child processes to escape
the sandbox (so a pledged OpenSSH server process can do things like
spawn a root shell). Linux however requires monotonically decreasing
privileges. This function will will perform some validation on Linux
to make sure that `execpromises` is a subset of `promises`. Your libc
`execpromises` only matters if "exec" is specified in `promises`. In
that case, this specifies the promises that'll apply once execve()
happens. If this is NULL then the default is used, which is
unrestricted. OpenBSD allows child processes to escape the sandbox
(so a pledged OpenSSH server process can do things like spawn a root
shell). Linux however requires monotonically decreasing privileges.
This function will will perform some validation on Linux to make
sure that `execpromises` is a subset of `promises`. Your libc
wrapper for execve() will then apply its SECCOMP BPF filter later.
Since Linux has to do this before calling sys_execve(), the executed
process will be weakened to have execute permissions too.
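
Review bot: the re-flowed paragraph still carries the doubled word in "This function will will perform some validation"; since these lines are being rewrapped anyway, drop the extra "will". Separately, the new text narrows the condition from `"exec" or "execnative"` to just `"exec"`, which is a documentation semantics change arriving in a commit titled only as a release. Please mention it in the commit message and confirm that no other passage of the UNIX MODULE docs still refers to "execnative" as a promise, so readers restricting `execpromises` to a subset of `promises` are not left with a stale name.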