Release pledge.com v1.1

This change fixes bugs, adds more system calls, and improves compatibility with OpenBSD. Going forward, versions on the web will be pinned to a permanent version. There were many other changes over the last week which also improved this new release.
2025-02-07 06:53:33 +00:00 · 2022-07-22 13:44:00 -07:00 · 2022-07-22 13:44:00 -07:00 · 76d2f68c91
commit 76d2f68c91
parent b5904947e9
34 changed files with 164 additions and 89 deletions
--- a/libc/calls/struct/utsname-netbsd.internal.h
+++ b/libc/calls/struct/utsname-netbsd.internal.h
@ -0,0 +1,16 @@
+#ifndef COSMOPOLITAN_LIBC_CALLS_STRUCT_UTSNAME_NETBSD_INTERNAL_H_
+#define COSMOPOLITAN_LIBC_CALLS_STRUCT_UTSNAME_NETBSD_INTERNAL_H_
+#if !(__ASSEMBLER__ + __LINKER__ + 0)
+COSMOPOLITAN_C_START_
+
+struct utsname_netbsd {
+  char sysname[256];  /* name of os */
+  char nodename[256]; /* name of network node */
+  char release[256];  /* release level */
+  char version[256];  /* version level */
+  char machine[256];  /* hardware type */
+};
+
+COSMOPOLITAN_C_END_
+#endif /* !(__ASSEMBLER__ + __LINKER__ + 0) */
+#endif /* COSMOPOLITAN_LIBC_CALLS_STRUCT_UTSNAME_NETBSD_INTERNAL_H_ */
--- a/libc/calls/syscall-sysv.internal.h
+++ b/libc/calls/syscall-sysv.internal.h
@ -96,7 +96,7 @@ i32 sys_sync_file_range(i32, i64, i64, u32) hidden;
 i32 sys_tgkill(i32, i32, i32) hidden;
 i32 sys_tkill(i32, i32, void *) hidden;
 i32 sys_truncate(const char *, u64, u64) hidden;
-i32 sys_uname(char *) hidden;
+i32 sys_uname(void *) hidden;
 i32 sys_unlinkat(i32, const char *, i32) hidden;
 i32 sys_unveil(const char *, const char *) hidden;
 i64 sys_copy_file_range(i32, long *, i32, long *, u64, u32) hidden;
--- a/libc/calls/touch.c
+++ b/libc/calls/touch.c
@ -32,7 +32,7 @@
 int touch(const char *file, uint32_t mode) {
  int rc, fd, olderr;
  olderr = errno;
-  if ((rc = utimes(file, NULL)) == -1 && errno == ENOENT) {
+  if ((rc = utimes(file, 0)) == -1 && errno == ENOENT) {
    errno = olderr;
    if ((fd = open(file, O_CREAT | O_WRONLY, mode)) == -1) return -1;
    return close(fd);
--- a/libc/calls/uname.c
+++ b/libc/calls/uname.c
@ -19,6 +19,7 @@
 #include "libc/bits/weaken.h"
 #include "libc/calls/calls.h"
 #include "libc/calls/strace.internal.h"
+#include "libc/calls/struct/utsname-netbsd.internal.h"
 #include "libc/calls/struct/utsname.h"
 #include "libc/calls/syscall-sysv.internal.h"
 #include "libc/calls/syscall_support-sysv.internal.h"
@ -52,14 +53,14 @@ int uname(struct utsname *lool) {
  int rc;
  char *out, *p;
  size_t i, j, len;
-  char tmp[sizeof(struct utsname)];
  if (!lool) return efault();
  if (!lool || (IsAsan() && !__asan_is_valid(lool, sizeof(*lool)))) {
    rc = efault();
  } else {
-    bzero(tmp, sizeof(tmp));
    if (!IsWindows()) {
      if (IsLinux() || IsFreebsd()) {
+        char tmp[sizeof(struct utsname)];
+        bzero(tmp, sizeof(tmp));
        if ((rc = sys_uname(tmp)) != -1) {
          out = (char *)lool;
          for (i = j = 0;;) {
--- a/libc/intrin/promises.internal.h
+++ b/libc/intrin/promises.internal.h
@ -21,6 +21,7 @@
 #define PROMISE_SETTIME   17
 #define PROMISE_PROT_EXEC 18
 #define PROMISE_VMINFO    19
+#define PROMISE_TMPPATH   20

 #define PLEDGED(x) ((~__promises >> PROMISE_##x) & 1)

--- a/libc/mem/pledge.c
+++ b/libc/mem/pledge.c
@ -44,15 +44,16 @@
 #include "libc/sysv/consts/prot.h"
 #include "libc/sysv/errfuns.h"

-#define READONLY  0x8000
-#define WRITEONLY 0x4000
-#define INET      0x8000
-#define UNIX      0x4000
 #define ADDRLESS  0x2000
+#define INET      0x8000
 #define LOCK      0x8000
-#define TTY       0x8000
 #define NOEXEC    0x8000
+#define READONLY  0x8000
+#define STDIO     0x8000
 #define THREAD    0x8000
+#define TTY       0x8000
+#define UNIX      0x4000
+#define WRITEONLY 0x4000

 // TODO(jart): fix chibicc
 #ifdef __chibicc__
@ -137,6 +138,7 @@ static const uint16_t kPledgeLinuxStdio[] = {
    __NR_linux_brk,                //
    __NR_linux_msync,              //
    __NR_linux_mmap | NOEXEC,      //
+    __NR_linux_mremap,             //
    __NR_linux_munmap,             //
    __NR_linux_mincore,            //
    __NR_linux_madvise,            //
@ -186,6 +188,7 @@ static const uint16_t kPledgeLinuxStdio[] = {
    __NR_linux_futex,              //
    __NR_linux_set_robust_list,    //
    __NR_linux_get_robust_list,    //
+    __NR_linux_prlimit | STDIO,    //
 };

 static const uint16_t kPledgeLinuxFlock[] = {
@ -373,9 +376,21 @@ static const uint16_t kPledgeLinuxUnveil[] = {
 };

 // placeholder group
+//
 // pledge.com checks this to do auto-unveiling
 static const uint16_t kPledgeLinuxVminfo[] = {
-    __NR_linux_openat | READONLY,  //
+    __NR_linux_sched_yield,  //
+};
+
+// placeholder group
+//
+// pledge.com uses this to auto-unveil /tmp and $TMPPATH with rwc
+// permissions. pledge() alone (without unveil() too) offers very
+// little security here. consider using them together.
+static const uint16_t kPledgeLinuxTmppath[] = {
+    __NR_linux_lstat,     //
+    __NR_linux_unlink,    //
+    __NR_linux_unlinkat,  //
 };

 static const struct Pledges {
@ -403,6 +418,7 @@ static const struct Pledges {
    [PROMISE_SETTIME] = {"settime", PLEDGE(kPledgeLinuxSettime)},       //
    [PROMISE_PROT_EXEC] = {"prot_exec", PLEDGE(kPledgeLinuxProtExec)},  //
    [PROMISE_VMINFO] = {"vminfo", PLEDGE(kPledgeLinuxVminfo)},          //
+    [PROMISE_TMPPATH] = {"tmppath", PLEDGE(kPledgeLinuxTmppath)},       //
 };

 static const struct sock_filter kFilterStart[] = {
@ -548,26 +564,30 @@ static bool AllowIoctl(struct Filter *f) {
 //   - TIOCSPGRP  (0x5410)
 //   - TIOCGPGRP  (0x540f)
 //   - TIOCSWINSZ (0x5414)
-//   - TIOCSBRK   (0x5427)
 //   - TCFLSH     (0x540b)
+//   - TCXONC     (0x540a)
+//   - TCSBRK     (0x5409)
+//   - TIOCSBRK   (0x5427)
 //
 static bool AllowIoctlTty(struct Filter *f) {
  static const struct sock_filter fragment[] = {
-      /* L0*/ BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_linux_ioctl, 0, 14 - 1),
+      /* L0*/ BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_linux_ioctl, 0, 16 - 1),
      /* L1*/ BPF_STMT(BPF_LD | BPF_W | BPF_ABS, OFF(args[1])),
-      /* L2*/ BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, 0x5401, 12 - 3, 0),
-      /* L3*/ BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, 0x5402, 12 - 4, 0),
-      /* L4*/ BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, 0x5403, 12 - 5, 0),
-      /* L5*/ BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, 0x5404, 12 - 6, 0),
-      /* L6*/ BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, 0x5413, 12 - 7, 0),
-      /* L7*/ BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, 0x5410, 12 - 8, 0),
-      /* L8*/ BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, 0x540f, 12 - 9, 0),
-      /* L9*/ BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, 0x5414, 12 - 10, 0),
-      /*L10*/ BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, 0x540b, 12 - 11, 0),
-      /*L11*/ BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, 0x5427, 0, 13 - 12),
-      /*L12*/ BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
-      /*L13*/ BPF_STMT(BPF_LD | BPF_W | BPF_ABS, OFF(nr)),
-      /*L14*/ /* next filter */
+      /* L2*/ BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, 0x5401, 14 - 3, 0),
+      /* L3*/ BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, 0x5402, 14 - 4, 0),
+      /* L4*/ BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, 0x5403, 14 - 5, 0),
+      /* L5*/ BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, 0x5404, 14 - 6, 0),
+      /* L6*/ BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, 0x5413, 14 - 7, 0),
+      /* L7*/ BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, 0x5410, 14 - 8, 0),
+      /* L8*/ BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, 0x540f, 14 - 9, 0),
+      /* L9*/ BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, 0x5414, 14 - 10, 0),
+      /*L10*/ BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, 0x540b, 14 - 11, 0),
+      /*L11*/ BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, 0x540a, 14 - 12, 0),
+      /*L12*/ BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, 0x5409, 14 - 13, 0),
+      /*L13*/ BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, 0x5427, 0, 1),
+      /*L14*/ BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
+      /*L15*/ BPF_STMT(BPF_LD | BPF_W | BPF_ABS, OFF(nr)),
+      /*L16*/ /* next filter */
  };
  return AppendFilter(f, PLEDGE(fragment));
 }
@ -1099,6 +1119,24 @@ static bool AllowFchmodat(struct Filter *f) {
  return AppendFilter(f, PLEDGE(fragment));
 }

+// The new_limit parameter of prlimit() must be
+//
+//   - NULL (0)
+//
+static bool AllowPrlimitStdio(struct Filter *f) {
+  static const struct sock_filter fragment[] = {
+      /*L0*/ BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_linux_prlimit, 0, 7 - 1),
+      /*L1*/ BPF_STMT(BPF_LD | BPF_W | BPF_ABS, OFF(args[2])),
+      /*L2*/ BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, 0, 0, 6 - 3),
+      /*L3*/ BPF_STMT(BPF_LD | BPF_W | BPF_ABS, OFF(args[2]) + 4),
+      /*L4*/ BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, 0, 0, 6 - 5),
+      /*L5*/ BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
+      /*L6*/ BPF_STMT(BPF_LD | BPF_W | BPF_ABS, OFF(nr)),
+      /*L7*/ /* next filter */
+  };
+  return AppendFilter(f, PLEDGE(fragment));
+}
+
 static bool AppendPledge(struct Filter *f, const uint16_t *p, size_t len) {
  int i;
  for (i = 0; i < len; ++i) {
@ -1178,6 +1216,9 @@ static bool AppendPledge(struct Filter *f, const uint16_t *p, size_t len) {
      case __NR_linux_clone | THREAD:
        if (!AllowCloneThread(f)) return false;
        break;
+      case __NR_linux_prlimit | STDIO:
+        if (!AllowPrlimitStdio(f)) return false;
+        break;
      default:
        assert(~p[i] & ~0xfff);
        if (!AllowSyscall(f, p[i])) return false;
@ -1314,11 +1355,11 @@ int ParsePromises(const char *promises, unsigned long *out) {
 *   getgid, getgroups, times, getrusage, getitimer, getpgid, getpgrp,
 *   getpid, getppid, getresgid, getresuid, getrlimit, getsid, wait4,
 *   gettimeofday, getuid, lseek, madvise, brk, arch_prctl, uname,
- *   set_tid_address, clock_getres, clock_gettime, clock_nanosleep, mmap
- *   (PROT_EXEC and weird flags aren't allowed), mprotect (PROT_EXEC
- *   isn't allowed), msync, sync_file_range, migrate_pages, munmap,
- *   nanosleep, pipe, pipe2, read, readv, pread, recv, poll, recvfrom,
- *   preadv, write, writev, pwrite, pwritev, select, pselect6,
+ *   set_tid_address, clock_getres, clock_gettime, clock_nanosleep,
+ *   mremap, mmap, (PROT_EXEC and weird flags aren't allowed), mprotect
+ *   (PROT_EXEC isn't allowed), msync, sync_file_range, migrate_pages,
+ *   munmap, nanosleep, pipe, pipe2, read, readv, pread, recv, poll,
+ *   recvfrom, preadv, write, writev, pwrite, pwritev, select, pselect6,
 *   copy_file_range, sendfile, tee, splice, vmsplice, alarm, pause,
 *   send, sendto (only if addr is null), setitimer, shutdown, sigaction
 *   (but SIGSYS is forbidden), sigaltstack, sigprocmask, sigreturn,
@ -1393,6 +1434,10 @@ int ParsePromises(const char *promises, unsigned long *out) {
 *   `__promises` and automatically unveil() a subset of files top would
 *   need, e.g. /proc/stat, /proc/meminfo.
 *
+ * - "tmppath" allows unlink, unlinkat, and lstat. This is mostly a
+ *   placeholder group for pledge.com, which reads the `__promises`
+ *   global to determine if /tmp and $TMPPATH should be unveiled.
+ *
 * `execpromises` only matters if "exec" or "execnative" are specified
 * in `promises`. In that case, this specifies the promises that'll
 * apply once execve() happens. If this is NULL then the default is
--- a/libc/sysv/calls/clock_nanosleep.s
+++ b/libc/sysv/calls/clock_nanosleep.s
@ -1,2 +1,2 @@
 .include "o/libc/sysv/macros.internal.inc"
-.scall clock_nanosleep,0xffffff0f4ffff0e6,globl
+.scall clock_nanosleep,0x1ddfff0f4ffff0e6,globl
--- a/libc/sysv/calls/get_robust_list.s
+++ b/libc/sysv/calls/get_robust_list.s
@ -1,2 +1,2 @@
 .include "o/libc/sysv/macros.internal.inc"
-.scall get_robust_list,0xfffffffffffff112,globl
+.scall get_robust_list,0x0a8ffffffffff112,globl
--- a/libc/sysv/calls/posix_fallocate.s
+++ b/libc/sysv/calls/posix_fallocate.s
@ -1,2 +1,2 @@
 .include "o/libc/sysv/macros.internal.inc"
-.scall posix_fallocate,0xffffff212fffffff,globl,hidden
+.scall posix_fallocate,0x1dffff212fffffff,globl,hidden
--- a/libc/sysv/calls/set_robust_list.s
+++ b/libc/sysv/calls/set_robust_list.s
@ -1,2 +1,2 @@
 .include "o/libc/sysv/macros.internal.inc"
-.scall set_robust_list,0xfffffffffffff111,globl
+.scall set_robust_list,0x0a7ffffffffff111,globl
--- a/libc/sysv/calls/sys_creat.s
+++ b/libc/sysv/calls/sys_creat.s
@ -1,2 +1,2 @@
 .include "o/libc/sysv/macros.internal.inc"
-.scall sys_creat,0xffffff008ffff055,globl,hidden
+.scall sys_creat,0x008fff008ffff055,globl,hidden
--- a/libc/sysv/calls/sys_futex.s
+++ b/libc/sysv/calls/sys_futex.s
@ -1,2 +1,2 @@
 .include "o/libc/sysv/macros.internal.inc"
-.scall sys_futex,0xfff053fffffff0ca,globl,hidden
+.scall sys_futex,0x0a6053fffffff0ca,globl,hidden
--- a/libc/sysv/calls/sys_killpg.s
+++ b/libc/sysv/calls/sys_killpg.s
@ -1,2 +1,2 @@
 .include "o/libc/sysv/macros.internal.inc"
-.scall sys_killpg,0xffffff092fffffff,globl,hidden
+.scall sys_killpg,0x092fff092fffffff,globl,hidden
--- a/libc/sysv/calls/sys_posix_spawn.s
+++ b/libc/sysv/calls/sys_posix_spawn.s
@ -1,2 +1,2 @@
 .include "o/libc/sysv/macros.internal.inc"
-.scall sys_posix_spawn,0xfffffffff20f4fff,globl,hidden
+.scall sys_posix_spawn,0x1daffffff20f4fff,globl,hidden
--- a/libc/sysv/calls/sys_sync.s
+++ b/libc/sysv/calls/sys_sync.s
@ -1,2 +1,2 @@
 .include "o/libc/sysv/macros.internal.inc"
-.scall sys_sync,0xfff02402420240a2,globl,hidden
+.scall sys_sync,0x02402402420240a2,globl,hidden
--- a/libc/sysv/calls/sys_uname.s
+++ b/libc/sysv/calls/sys_uname.s
@ -1,2 +1,2 @@
 .include "o/libc/sysv/macros.internal.inc"
-.scall sys_uname,0xffffff0a4ffff03f,globl,hidden
+.scall sys_uname,0x0a4fff0a4ffff03f,globl,hidden
--- a/libc/sysv/consts.sh
+++ b/libc/sysv/consts.sh
@ -1313,9 +1313,9 @@ syscon	rusage	RUSAGE_BOTH				-2			99			99			99			99			99			# woop
 #
 #	group	name					GNU/Systemd		XNU's Not UNIX!		FreeBSD			OpenBSD			NetBSD			The New Technology	Commentary
 syscon	futex	FUTEX_WAIT				0			0			0			1			0			0
-syscon	futex	FUTEX_WAKE				1			0			0			2			0			0
-syscon	futex	FUTEX_REQUEUE				3			0			0			3			0			0
-syscon	futex	FUTEX_PRIVATE_FLAG			128			0			0			128			0			0
+syscon	futex	FUTEX_WAKE				1			0			0			2			1			0
+syscon	futex	FUTEX_REQUEUE				3			0			0			3			3			0
+syscon	futex	FUTEX_PRIVATE_FLAG			128			0			0			128			128			0

 #	lio_listio() magnums
 #
@ -1871,9 +1871,9 @@ syscon	nr	__NR_kill				0x003e			0x2000025		0x0025			0x007a			0x025			0xfff
 syscon	nr	__NR_killpg				0xfff			0xfff			0x0092			0xfff			0xfff			0xfff
 syscon	nr	__NR_clone				0x0038			0xfff			0xfff			0xfff			0x11f			0xfff
 syscon	nr	__NR_tkill				0x00c8			0xfff			0xfff			0xfff			0xfff			0xfff
-syscon	nr	__NR_futex				0x00ca			0xfff			0xfff			0x0053			0xfff			0xfff
-syscon	nr	__NR_set_robust_list			0x0111			0xfff			0xfff			0xfff			0xfff			0xfff
-syscon	nr	__NR_get_robust_list			0x0112			0xfff			0xfff			0xfff			0xfff			0xfff
+syscon	nr	__NR_futex				0x00ca			0xfff			0xfff			0x0053			0x0a6			0xfff
+syscon	nr	__NR_set_robust_list			0x0111			0xfff			0xfff			0xfff			0x0a7			0xfff
+syscon	nr	__NR_get_robust_list			0x0112			0xfff			0xfff			0xfff			0x0a8			0xfff
 syscon	nr	__NR_uname				0x003f			0xfff			0x00a4			0xfff			0xfff			0xfff
 syscon	nr	__NR_semget				0x0040			0x20000ff		0x00dd			0x00dd			0x0dd			0xfff
 syscon	nr	__NR_semop				0x0041			0x2000100		0x00de			0x0122			0x0de			0xfff
@ -1895,7 +1895,7 @@ syscon	nr	__NR_fchdir				0x0051			0x200000d		0x000d			0x000d			0x00d			0xfff
 syscon	nr	__NR_rename				0x0052			0x2000080		0x0080			0x0080			0x080			0xfff
 syscon	nr	__NR_mkdir				0x0053			0x2000088		0x0088			0x0088			0x088			0xfff
 syscon	nr	__NR_rmdir				0x0054			0x2000089		0x0089			0x0089			0x089			0xfff
-syscon	nr	__NR_creat				0x0055			0xfff			0x0008			0xfff			0xfff			0xfff
+syscon	nr	__NR_creat				0x0055			0xfff			0x0008			0xfff			0x008			0xfff
 syscon	nr	__NR_link				0x0056			0x2000009		0x0009			0x0009			0x009			0xfff
 syscon	nr	__NR_unlink				0x0057			0x200000a		0x000a			0x000a			0x00a			0xfff
 syscon	nr	__NR_symlink				0x0058			0x2000039		0x0039			0x0039			0x039			0xfff
@ -1950,7 +1950,7 @@ syscon	nr	__NR_mlockall				0x0097			0x2000144		0x0144			0x010f			0x0f2			0xfff
 syscon	nr	__NR_munlockall				0x0098			0x2000145		0x0145			0x0110			0x0f3			0xfff
 syscon	nr	__NR_setrlimit				0x00a0			0x20000c3		0x00c3			0x00c3			0x0c3			0xfff
 syscon	nr	__NR_chroot				0x00a1			0x200003d		0x003d			0x003d			0x03d			0xfff
-syscon	nr	__NR_sync				0x00a2			0x2000024		0x0024			0x0024			0xfff			0xfff
+syscon	nr	__NR_sync				0x00a2			0x2000024		0x0024			0x0024			0x024			0xfff
 syscon	nr	__NR_acct				0x00a3			0x2000033		0x0033			0x0033			0x033			0xfff
 syscon	nr	__NR_settimeofday			0x00a4			0x200007a		0x007a			0x0044			0x1a3			0xfff
 syscon	nr	__NR_mount				0x00a5			0x20000a7		0x0015			0x0015			0x19a			0xfff
@ -2028,7 +2028,7 @@ syscon	nr	__NR_timer_delete			0x00e2			0xfff			0xfff			0xfff			0x0ec			0xfff
 syscon	nr	__NR_clock_settime			0x00e3			0xfff			0x00e9			0x0058			0x1ac			0xfff
 syscon	nr	__NR_clock_gettime			0x00e4			0xfff			0x00e8			0x0057			0x1ab			0xfff
 syscon	nr	__NR_clock_getres			0x00e5			0xfff			0x00ea			0x0059			0x1ad			0xfff
-syscon	nr	__NR_clock_nanosleep			0x00e6			0xfff			0x00f4			0xfff			0xfff			0xfff
+syscon	nr	__NR_clock_nanosleep			0x00e6			0xfff			0x00f4			0xfff			0x1dd			0xfff
 syscon	nr	__NR_tgkill				0x00ea			0xfff			0xfff			0xfff			0xfff			0xfff
 syscon	nr	__NR_mbind				0x00ed			0xfff			0xfff			0xfff			0xfff			0xfff
 syscon	nr	__NR_set_mempolicy			0x00ee			0xfff			0xfff			0xfff			0xfff			0xfff
@ -2076,7 +2076,7 @@ syscon	nr	__NR_preadv				0x0127			0xfff			0x0121			0x010b			0x121			0xfff
 syscon	nr	__NR_pwritev				0x0128			0xfff			0x0122			0x010c			0x122			0xfff
 syscon	nr	__NR_utimensat				0x0118			0xfff			0x0223			0x0054			0x1d3			0xfff
 syscon	nr	__NR_fallocate				0x011d			0xfff			0xfff			0xfff			0xfff			0xfff
-syscon	nr	__NR_posix_fallocate			0xfff			0xfff			0x0212			0xfff			0xfff			0xfff
+syscon	nr	__NR_posix_fallocate			0xfff			0xfff			0x0212			0xfff			0x1df			0xfff
 syscon	nr	__NR_accept4				0x0120			0xfff			0x021d			0x005d			0xfff			0xfff
 syscon	nr	__NR_dup3				0x0124			0xfff			0xfff			0x0066			0x1c6			0xfff
 syscon	nr	__NR_pipe2				0x0125			0xfff			0x021e			0x0065			0x1c5			0xfff
--- a/libc/sysv/consts/CLOSE_RANGE_CLOEXEC.S
+++ b/libc/sysv/consts/CLOSE_RANGE_CLOEXEC.S
@ -0,0 +1,2 @@
+#include "libc/sysv/consts/syscon.internal.h"
+.syscon close,CLOSE_RANGE_CLOEXEC,4,-1,-1,-1,-1,-1
--- a/libc/sysv/consts/CLOSE_RANGE_UNSHARE.S
+++ b/libc/sysv/consts/CLOSE_RANGE_UNSHARE.S
@ -0,0 +1,2 @@
+#include "libc/sysv/consts/syscon.internal.h"
+.syscon close,CLOSE_RANGE_UNSHARE,2,-1,-1,-1,-1,-1
--- a/libc/sysv/consts/EBADFD.S
+++ b/libc/sysv/consts/EBADFD.S
@ -1,2 +1,2 @@
 #include "libc/sysv/consts/syscon.internal.h"
-.syscon junkerr,EBADFD,77,9,0,0,0,0
+.syscon errno,EBADFD,77,9,0,0,0,0
--- a/libc/sysv/consts/FUTEX_PRIVATE_FLAG.S
+++ b/libc/sysv/consts/FUTEX_PRIVATE_FLAG.S
@ -1,2 +1,2 @@
 #include "libc/sysv/consts/syscon.internal.h"
-.syscon futex,FUTEX_PRIVATE_FLAG,128,0,0,128,0,0
+.syscon futex,FUTEX_PRIVATE_FLAG,128,0,0,128,128,0
--- a/libc/sysv/consts/FUTEX_REQUEUE.S
+++ b/libc/sysv/consts/FUTEX_REQUEUE.S
@ -1,2 +1,2 @@
 #include "libc/sysv/consts/syscon.internal.h"
-.syscon futex,FUTEX_REQUEUE,3,0,0,3,0,0
+.syscon futex,FUTEX_REQUEUE,3,0,0,3,3,0
--- a/libc/sysv/consts/FUTEX_WAKE.S
+++ b/libc/sysv/consts/FUTEX_WAKE.S
@ -1,2 +1,2 @@
 #include "libc/sysv/consts/syscon.internal.h"
-.syscon futex,FUTEX_WAKE,1,0,0,2,0,0
+.syscon futex,FUTEX_WAKE,1,0,0,2,1,0
--- a/libc/sysv/consts/__NR_clock_nanosleep.S
+++ b/libc/sysv/consts/__NR_clock_nanosleep.S
@ -1,2 +1,2 @@
 #include "libc/sysv/consts/syscon.internal.h"
-.syscon nr,__NR_clock_nanosleep,0x00e6,0xfff,0x00f4,0xfff,0xfff,0xfff
+.syscon nr,__NR_clock_nanosleep,0x00e6,0xfff,0x00f4,0xfff,0x1dd,0xfff
--- a/libc/sysv/consts/__NR_creat.S
+++ b/libc/sysv/consts/__NR_creat.S
@ -1,2 +1,2 @@
 #include "libc/sysv/consts/syscon.internal.h"
-.syscon nr,__NR_creat,0x0055,0xfff,0x0008,0xfff,0xfff,0xfff
+.syscon nr,__NR_creat,0x0055,0xfff,0x0008,0xfff,0x008,0xfff
--- a/libc/sysv/consts/__NR_futex.S
+++ b/libc/sysv/consts/__NR_futex.S
@ -1,2 +1,2 @@
 #include "libc/sysv/consts/syscon.internal.h"
-.syscon nr,__NR_futex,0x00ca,0xfff,0xfff,0x0053,0xfff,0xfff
+.syscon nr,__NR_futex,0x00ca,0xfff,0xfff,0x0053,0x0a6,0xfff
--- a/libc/sysv/consts/__NR_get_robust_list.S
+++ b/libc/sysv/consts/__NR_get_robust_list.S
@ -1,2 +1,2 @@
 #include "libc/sysv/consts/syscon.internal.h"
-.syscon nr,__NR_get_robust_list,0x0112,0xfff,0xfff,0xfff,0xfff,0xfff
+.syscon nr,__NR_get_robust_list,0x0112,0xfff,0xfff,0xfff,0x0a8,0xfff
--- a/libc/sysv/consts/__NR_posix_fallocate.S
+++ b/libc/sysv/consts/__NR_posix_fallocate.S
@ -1,2 +1,2 @@
 #include "libc/sysv/consts/syscon.internal.h"
-.syscon nr,__NR_posix_fallocate,0xfff,0xfff,0x0212,0xfff,0xfff,0xfff
+.syscon nr,__NR_posix_fallocate,0xfff,0xfff,0x0212,0xfff,0x1df,0xfff
--- a/libc/sysv/consts/__NR_set_robust_list.S
+++ b/libc/sysv/consts/__NR_set_robust_list.S
@ -1,2 +1,2 @@
 #include "libc/sysv/consts/syscon.internal.h"
-.syscon nr,__NR_set_robust_list,0x0111,0xfff,0xfff,0xfff,0xfff,0xfff
+.syscon nr,__NR_set_robust_list,0x0111,0xfff,0xfff,0xfff,0x0a7,0xfff
--- a/libc/sysv/consts/__NR_sync.S
+++ b/libc/sysv/consts/__NR_sync.S
@ -1,2 +1,2 @@
 #include "libc/sysv/consts/syscon.internal.h"
-.syscon nr,__NR_sync,0x00a2,0x2000024,0x0024,0x0024,0xfff,0xfff
+.syscon nr,__NR_sync,0x00a2,0x2000024,0x0024,0x0024,0x024,0xfff
--- a/libc/sysv/syscalls.sh
+++ b/libc/sysv/syscalls.sh
@ -92,17 +92,17 @@ scall	sys_setsockopt		0x0690690692069036	globl hidden
 scall	sys_getsockopt		0x0760760762076037	globl hidden
 scall	sys_fork		0x0020020022002039	globl hidden # xnu needs eax&=~-edx bc eax always holds pid and edx is 0 for parent and 1 for child
 #scall	vfork			0x042042042204203a	globl        # this syscall is from the moon so we implement it by hand in libc/runtime/vfork.S; probably removed from XNU in 12.5
-scall	sys_posix_spawn		0xfffffffff20f4fff	globl hidden # good luck figuring out how xnu defines this
+scall	sys_posix_spawn		0x1daffffff20f4fff	globl hidden # good luck figuring out how xnu defines this
 scall	__sys_execve		0x03b03b03b203b03b	globl hidden
 scall	__sys_wait4		0x1c100b007200703d	globl hidden
 scall	sys_kill		0x02507a025202503e	globl hidden # kill(pid, sig, 1) b/c xnu
-scall	sys_killpg		0xffffff092fffffff	globl hidden
+scall	sys_killpg		0x092fff092fffffff	globl hidden
 scall	sys_clone		0x11fffffffffff038	globl hidden
 scall	sys_tkill		0x13e0771b121690c8	globl hidden # thr_kill() on freebsd; _lwp_kill() on netbsd; thrkill() on openbsd where arg3 should be 0; bsdthread_terminate() on XNU which only has 1 arg
-scall	sys_futex		0xfff053fffffff0ca	globl hidden
-scall	set_robust_list		0xfffffffffffff111	globl
-scall	get_robust_list		0xfffffffffffff112	globl
-scall	sys_uname		0xffffff0a4ffff03f	globl hidden
+scall	sys_futex		0x0a6053fffffff0ca	globl hidden # raises SIGSYS on NetBSD
+scall	set_robust_list		0x0a7ffffffffff111	globl
+scall	get_robust_list		0x0a8ffffffffff112	globl
+scall	sys_uname		0x0a4fff0a4ffff03f	globl hidden
 scall	semget			0x0dd0dd0dd20ff040	globl # won't polyfill for windows
 scall	semop			0x0de1220de2100041	globl # won't polyfill for windows
 scall	semctl			0xfff1271fe20fe042	globl # won't polyfill for windows
@ -123,7 +123,7 @@ scall	sys_fchdir		0x00d00d00d200d051	globl hidden
 scall	sys_rename		0x0800800802080052	globl hidden
 scall	sys_mkdir		0x0880880882088053	globl hidden
 scall	sys_rmdir		0x0890890892089054	globl hidden
-scall	sys_creat		0xffffff008ffff055	globl hidden
+scall	sys_creat		0x008fff008ffff055	globl hidden
 scall	sys_link		0x0090090092009056	globl hidden
 scall	sys_unlink		0x00a00a00a200a057	globl hidden
 scall	sys_symlink		0x0390390392039058	globl hidden
@ -178,7 +178,7 @@ scall	mlockall		0x0f210f1442144097	globl
 scall	munlockall		0x0f31101452145098	globl
 scall	sys_setrlimit		0x0c30c30c320c30a0	globl hidden
 scall	sys_chroot		0x03d03d03d203d0a1	globl hidden
-scall	sys_sync		0xfff02402420240a2	globl hidden
+scall	sys_sync		0x02402402420240a2	globl hidden
 scall	acct			0x03303303320330a3	globl
 scall	settimeofday		0x1a304407a207a0a4	globl
 scall	sys_mount		0x19a01501520a70a5	globl hidden
@ -263,9 +263,9 @@ scall	ktimer_settime		0xffffff0edfffffff	globl
 scall	clock_settime		0x1ac0580e9ffff0e3	globl
 scall	sys_clock_gettime	0x1ab0570e8ffff0e4	globl hidden # Linux 2.6+ (c. 2003); XNU uses magic address
 scall	sys_clock_getres	0x1ad0590eaffff0e5	globl hidden
-scall	clock_nanosleep		0xffffff0f4ffff0e6	globl
+scall	clock_nanosleep		0x1ddfff0f4ffff0e6	globl
 scall	sys_tgkill		0xfffffffffffff0ea	globl hidden
-scall	mbind			0xfffffffffffff0ed	globl
+scall	mbind			0xfffffffffffff0ed	globl # numa numa yeah
 scall	set_mempolicy		0xfffffffffffff0ee	globl
 scall	get_mempolicy		0xfffffffffffff0ef	globl
 scall	mq_open			0x101ffffffffff0f0	globl # won't polyfill
@ -312,7 +312,7 @@ scall	sys_preadv		0x12110b121221c127	globl hidden #  ├─ last distro with sys
 scall	sys_pwritev		0x12210c122221d128	globl hidden #  ├─ rob landley unleashes busybox gpl lawsuits
 scall	__sys_utimensat		0x1d3054223ffff118	globl hidden #  ├─ python modules need this due to pep513
 scall	fallocate		0xfffffffffffff11d	globl hidden #  ├─ end of life 2020-11-30 (extended)
-scall	posix_fallocate		0xffffff212fffffff	globl hidden #  └─ cosmopolitan supports rhel5+
+scall	posix_fallocate		0x1dffff212fffffff	globl hidden #  └─ cosmopolitan supports rhel5+
 scall	__sys_accept4		0xfff05d21dffff120	globl hidden # Linux 2.6.28+
 scall	__sys_dup3		0x1c6066fffffff124	globl hidden # Linux 2.6.27+
 scall	__sys_pipe2		0x1c506521effff125	globl hidden # Linux 2.6.27+
--- a/test/libc/runtime/clone_test.c
+++ b/test/libc/runtime/clone_test.c
@ -20,6 +20,7 @@
 #include "libc/calls/struct/timespec.h"
 #include "libc/dce.h"
 #include "libc/errno.h"
+#include "libc/intrin/futex.internal.h"
 #include "libc/intrin/kprintf.h"
 #include "libc/intrin/spinlock.h"
 #include "libc/intrin/wait0.internal.h"
@ -36,6 +37,7 @@
 #include "libc/sysv/consts/clock.h"
 #include "libc/sysv/consts/clone.h"
 #include "libc/sysv/consts/map.h"
+#include "libc/sysv/consts/nr.h"
 #include "libc/sysv/consts/o.h"
 #include "libc/sysv/consts/prot.h"
 #include "libc/sysv/consts/sig.h"
@ -62,6 +64,10 @@ void *__initialize_tls(char tib[64]) {
  return tib;
 }

+int Hog(void *arg, int tid) {
+  return 0;
+}
+
 void SetUp(void) {
  x = 0;
  me = gettid();
--- a/third_party/lua/lunix.c
+++ b/third_party/lua/lunix.c
@ -480,25 +480,19 @@ static int LuaUnixChmod(lua_State *L) {
 //     ├─→ content:str
 //     └─→ nil, unix.Errno
 static int LuaUnixReadlink(lua_State *L) {
-  char *buf;
+  size_t got;
  ssize_t rc;
-  const char *path;
-  int dirfd, olderr = errno;
-  size_t got, bufsiz = 8192;
-  path = luaL_checkstring(L, 1);
-  dirfd = luaL_optinteger(L, 2, AT_FDCWD);
-  buf = LuaAllocOrDie(L, bufsiz);
-  if ((rc = readlinkat(dirfd, path, buf, bufsiz)) != -1) {
-    got = rc;
-    if (got < bufsiz) {
-      lua_pushlstring(L, buf, got);
-      free(buf);
+  luaL_Buffer lb;
+  int olderr = errno;
+  if ((rc = readlinkat(luaL_optinteger(L, 2, AT_FDCWD), luaL_checkstring(L, 1),
+                       luaL_buffinitsize(L, &lb, BUFSIZ), BUFSIZ)) != -1) {
+    if ((got = rc) < BUFSIZ) {
+      luaL_pushresultsize(&lb, got);
      return 1;
    } else {
      enametoolong();
    }
  }
-  free(buf);
  return LuaUnixSysretErrno(L, "readlink", olderr);
 }

--- a/tool/build/pledge.c
+++ b/tool/build/pledge.c
@ -90,6 +90,7 @@ usage: pledge.com [-hnN] PROG ARGS...\n\
     - exec: implied by default\n\
     - prot_exec: allow creating executable memory\n\
     - vminfo: allows /proc/stat, /proc/self/maps, etc.\n\
+     - tmppath: allows /tmp, $TMPPATH, lstat, unlink\n\
 \n\
 pledge.com v1.1\n\
 copyright 2022 justine alexandra roberts tunney\n\
@ -413,7 +414,7 @@ void ApplyFilesystemPolicy(unsigned long ipromises) {
    UnveilIfExists("/dev/stdout", "rw");
    UnveilIfExists("/dev/stderr", "rw");
    UnveilIfExists("/dev/urandom", "r");
-    UnveilIfExists("/dev/localtime", "r");
+    UnveilIfExists("/etc/localtime", "r");
    UnveilIfExists("/proc/self/fd", "rw");
    UnveilIfExists("/proc/self/stat", "r");
    UnveilIfExists("/proc/self/status", "r");
@ -445,8 +446,10 @@ void ApplyFilesystemPolicy(unsigned long ipromises) {

  if (~ipromises & (1ul << PROMISE_TTY)) {
    UnveilIfExists(ttyname(0), "rw");
-    UnveilIfExists("/etc/tty", "rw");
-    UnveilIfExists("/etc/console", "rw");
+    UnveilIfExists("/dev/tty", "rw");
+    UnveilIfExists("/dev/console", "rw");
+    UnveilIfExists("/etc/terminfo", "r");
+    UnveilIfExists("/usr/lib/terminfo", "r");
    UnveilIfExists("/usr/share/terminfo", "r");
  }

@ -463,6 +466,11 @@ void ApplyFilesystemPolicy(unsigned long ipromises) {
    UnveilIfExists("/sys/devices/system/cpu", "r");
  }

+  if (~ipromises & (1ul << PROMISE_TMPPATH)) {
+    UnveilIfExists("/tmp", "rwc");
+    UnveilIfExists(getenv("TMPPATH"), "rwc");
+  }
+
  for (int i = 0; i < unveils.n; ++i) {
    char *s, *t;
    const char *path;
@ -476,7 +484,7 @@ void ApplyFilesystemPolicy(unsigned long ipromises) {
      perm = "r";
      path = s;
    }
-    Unveil(path, perm);
+    UnveilIfExists(path, perm);
  }

  if (unveil(0, 0) == -1) {