mirrors/cosmopolitan
1
0
Fork 0
mirror of https://github.com/jart/cosmopolitan.git synced 2025-02-07 06:53:33 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

Add Landlock sandboxing to GNU Make

Browse source
This commit is contained in:
Justine Tunney 2022-07-21 09:16:27 -07:00
parent 1837dc2e85
commit 9172fd42a0
1 changed files with 56 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

57
third_party/make/job.c vendored
View file

@ -24,6 +24,11 @@ this program. If not, see <http://www.gnu.org/licenses/>. */
#include "third_party/make/commands.h" #include "third_party/make/commands.h"
#include "third_party/make/os.h" #include "third_party/make/os.h"
#include "third_party/make/variable.h" #include "third_party/make/variable.h"
#include "libc/log/log.h"
#include "libc/runtime/stack.h"
#include "libc/calls/calls.h"
#include "libc/x/x.h"
#include "third_party/make/dep.h"
#ifdef WINDOWS32 #ifdef WINDOWS32
const char *default_shell = "sh.exe"; const char *default_shell = "sh.exe";
@ -1564,6 +1569,14 @@ start_waiting_jobs (void)
} }
void Unveil (const char *path, const char *perm)
{
int e;
e = errno;
unveil(path, perm);
errno = e;
}
/* POSIX: /* POSIX:
Create a child process executing the command in ARGV. Create a child process executing the command in ARGV.
Returns the PID or -1. */ Returns the PID or -1. */
@ -1585,7 +1598,7 @@ child_execute_job (struct childbase *child, int good_stdin, char **argv)
fderr = child->output.err; fderr = child->output.err;
} }
pid = vfork(); pid = fork();
if (pid != 0) if (pid != 0)
return pid; return pid;
@ -1605,6 +1618,48 @@ child_execute_job (struct childbase *child, int good_stdin, char **argv)
if (fderr != FD_STDERR) if (fderr != FD_STDERR)
EINTRLOOP (r, dup2 (fderr, FD_STDERR)); EINTRLOOP (r, dup2 (fderr, FD_STDERR));
/* [jart] sandbox command based on prerequisites */
intptr_t loc = (intptr_t)child; /* we can cast if it's on the heap ;_; */
if (!(GetStackAddr() < loc && loc < GetStackAddr() + GetStackSize())) {
struct dep *d;
struct child *c;
char pathbuf[PATH_MAX];
char outpathbuf[PATH_MAX];
c = (struct child *)child;
if (c->file->deps) {
argv[0] = commandv (argv[0], pathbuf, sizeof (pathbuf));
Unveil (argv[0], "rx");
Unveil ("o/tmp", "rwcx");
Unveil ("/dev/zero", "r");
Unveil ("/dev/null", "rw");
Unveil ("/dev/full", "rw");
Unveil ("/etc/hosts", "r");
Unveil ("/dev/stdin", "rw");
Unveil ("/dev/stdout", "rw");
Unveil ("/dev/stderr", "rw");
Unveil ("/usr/bin/ape", "rx");
Unveil ("/etc/console", "rw");
Unveil ("/etc/services", "r");
Unveil ("libc/integral", "r");
Unveil ("/etc/protocols", "r");
Unveil ("build/bootstrap", "rx");
Unveil ("/etc/resolv.conf", "r");
Unveil ("o/third_party/gcc", "rx");
Unveil ("libc/disclaimer.inc", "r");
if (strlen(c->file->name) < PATH_MAX) {
const char *dir;
strcpy (outpathbuf, c->file->name);
dir = dirname (outpathbuf);
makedirs (dir, 0755);
Unveil (dir, "rwc");
}
for (d = c->file->deps; d; d = d->next)
/* TODO(jart): remove w (do code morphing outside package.com) */
Unveil (d->file->name, "rwx");
Unveil (0, 0);
}
}
/* Run the command. */ /* Run the command. */
exec_command (argv, child->environment); exec_command (argv, child->environment);