mirror of
https://github.com/jart/cosmopolitan.git
synced 2025-07-26 04:20:30 +00:00
Make pledge() and unveil() work amazingly
This change reconciles our pledge() implementation with the OpenBSD kernel source code. We now have a polyfill that's much closer to OpenBSD's behavior. For example, it was discovered that "stdio" permits threads. There were a bunch of Linux system calls that needed to be added, like sched_yield(). The exec / execnative category division is now dropped. We're instead using OpenBSD's "prot_exec" promise for launching APE binaries and dynamic shared objects. We also now filter clone() flags.

The pledge.com command has been greatly improved. It now does unveiling by default when Landlock is available. It's now smart enough to unveil a superset of paths that OpenBSD automatically unveils with pledge(), such as /etc/localtime. pledge.com also now checks if the executable being launched is a dynamic shared object, in which case it unveils libraries.

These changes now make it possible to pledge curl on ubuntu 20.04 glibc:

    pledge.com -p 'stdio rpath prot_exec inet dns tty sendfd recvfd' \
        curl -s https://justine.lol/hello.txt

Here's what pledging curl on Alpine 3.16 with Musl Libc looks like:

    pledge.com -p 'stdio rpath prot_exec dns inet' \
        curl -s https://justine.lol/hello.txt

Here's what pledging curl.com w/ ape loader looks like:

    pledge.com -p 'stdio rpath prot_exec dns inet' \
        o//examples/curl.com https://justine.lol/hello.txt

The most secure sandbox is curl.com converted to static ELF:

    o//tool/build/assimilate.com o//examples/curl.com
    pledge.com -p 'stdio rpath dns inet' \
        o//examples/curl.com https://justine.lol/hello.txt

A weird corner case needed to be handled when resolving symbolic links during the unveiling process; that's arguably a Landlock bug. It's not surprising since Musl and Glibc are also inconsistent here.
parent 92cb144fff
commit 98254a7c1f
28 changed files with 934 additions and 292 deletions
@ -332,7 +332,7 @@ scall timerfd_gettime 0xfffffffffffff11f globl # won't polyfill; see INTON/INTO
scall recvmmsg 0x1dbffffffffff12b globl # ├─ end of life 2024-06-30 (extended)
scall fanotify_init 0xfffffffffffff12c globl # ├─ last distro with the original gnome desktop
scall fanotify_mark 0xfffffffffffff12d globl # └─ apple and google condemn the gplv3/gccrtev3
scall prlimit 0xfffffffffffff12e globl
scall prlimit 0xfffffffffffff12e globl # a.k.a. prlimit64()
scall name_to_handle_at 0xfffffffffffff12f globl
scall open_by_handle_at 0xfffffffffffff130 globl
scall clock_adjtime 0xfffffffffffff131 globl
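Review bot: the only change in this hunk is the trailing `# a.k.a. prlimit64()` comment on the prlimit line; 0x12e (302) is indeed Linux's prlimit64, so the note is accurate, but neither the table nor the commit message says which pledge() promise prlimit is now admitted under, and that is what a reader checking the polyfill against OpenBSD needs. Suggest extending the comment, e.g. `scall prlimit 0xfffffffffffff12e globl # a.k.a. prlimit64(); see pledge promise table`, or naming the promise in the commit message.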
@ -391,9 +391,9 @@ scall process_madvise 0xfffffffffffff1b8 globl
scall epoll_pwait2 0xfffffffffffff1b9 globl
scall mount_setattr 0xfffffffffffff1ba globl
scall quotactl_fd 0xfffffffffffff1bb globl
scall landlock_create_ruleset 0xfffffffffffff1bc globl
scall landlock_add_rule 0xfffffffffffff1bd globl
scall landlock_restrict_self 0xfffffffffffff1be globl
scall sys_landlock_create_ruleset 0xfffffffffffff1bc globl hidden # Linux 5.13+
scall sys_landlock_add_rule 0xfffffffffffff1bd globl hidden
scall sys_landlock_restrict_self 0xfffffffffffff1be globl hidden
scall memfd_secret 0xfffffffffffff1bf globl
scall process_mrelease 0xfffffffffffff1c0 globl
scall futex_waitv 0xfffffffffffff1c1 globl
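Review bot: renaming landlock_create_ruleset, landlock_add_rule and landlock_restrict_self to sys_* with `hidden` visibility removes three symbols that were previously plain `globl` exports, so anything that linked against the old names will stop resolving; if that is intended, say so in the commit message. Also, the `# Linux 5.13+` annotation sits only on the sys_landlock_create_ruleset line, while landlock_add_rule and landlock_restrict_self arrived in the same kernel release, so either repeat the note on all three lines or word it as covering the group, e.g. `scall sys_landlock_create_ruleset 0xfffffffffffff1bc globl hidden # Linux 5.13+ (all three landlock calls)`.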