Add anet pledge for inet without connect

This is useful for configurations where it's desirable to start redbean under these restrictions, but not to allow `connect` socket calls.
2025-08-08 10:50:28 +00:00 · 2023-06-01 17:26:34 -07:00 · 2023-06-01 17:26:34 -07:00 · c36417db9d
commit c36417db9d
parent 72f8bd10b7
4 changed files with 27 additions and 1 deletions
--- a/libc/calls/pledge-linux.c
+++ b/libc/calls/pledge-linux.c
@ -811,6 +811,22 @@ static const uint16_t kPledgeInet[] = {
    __NR_linux_getsockname,            //
 };

+// anet is similar to init, but without connect;
+// this allows to accept, but not initiate socket connections
+static const uint16_t kPledgeAnet[] = {
+    __NR_linux_socket | INET,          //
+    __NR_linux_listen,                 //
+    __NR_linux_bind,                   //
+    __NR_linux_sendto,                 //
+    __NR_linux_accept,                 //
+    __NR_linux_accept4,                //
+    __NR_linux_ioctl | INET,           //
+    __NR_linux_getsockopt | RESTRICT,  //
+    __NR_linux_setsockopt | RESTRICT,  //
+    __NR_linux_getpeername,            //
+    __NR_linux_getsockname,            //
+};
+
 static const uint16_t kPledgeUnix[] = {
    __NR_linux_socket | UNIX,          //
    __NR_linux_listen,                 //
@ -955,6 +971,7 @@ const struct Pledges kPledge[PROMISE_LEN_] = {
    [PROMISE_FLOCK] = {"flock", PLEDGE(kPledgeFlock)},             //
    [PROMISE_FATTR] = {"fattr", PLEDGE(kPledgeFattr)},             //
    [PROMISE_INET] = {"inet", PLEDGE(kPledgeInet)},                //
+    [PROMISE_ANET] = {"anet", PLEDGE(kPledgeAnet)},                //
    [PROMISE_UNIX] = {"unix", PLEDGE(kPledgeUnix)},                //
    [PROMISE_DNS] = {"dns", PLEDGE(kPledgeDns)},                   //
    [PROMISE_TTY] = {"tty", PLEDGE(kPledgeTty)},                   //
--- a/libc/calls/pledge.c
+++ b/libc/calls/pledge.c
@ -143,6 +143,9 @@
 * - "inet" allows socket(AF_INET), listen, bind, connect, accept,
 *   accept4, getpeername, getsockname, setsockopt, getsockopt, sendto.
 *
+ * - "anet" allows socket(AF_INET), listen, bind, accept,
+ *   accept4, getpeername, getsockname, setsockopt, getsockopt, sendto.
+ *
 * - "unix" allows socket(AF_UNIX), listen, bind, connect, accept,
 *   accept4, getpeername, getsockname, setsockopt, getsockopt.
 *
--- a/libc/intrin/promises.internal.h
+++ b/libc/intrin/promises.internal.h
@ -23,7 +23,8 @@
 #define PROMISE_VMINFO    19
 #define PROMISE_TMPPATH   20
 #define PROMISE_CHOWN     21
-#define PROMISE_LEN_      22
+#define PROMISE_ANET      22
+#define PROMISE_LEN_      23

 #define PLEDGED(x) ((~__promises >> PROMISE_##x) & 1)

--- a/tool/net/help.txt
+++ b/tool/net/help.txt
@ -4347,6 +4347,11 @@ UNIX MODULE
      Allows socket (AF_INET), listen, bind, connect, accept,
      getpeername, getsockname, setsockopt, getsockopt.

+    anet
+
+      Allows socket (AF_INET), listen, bind, accept,
+      getpeername, getsockname, setsockopt, getsockopt.
+
    unix

      Allows socket (AF_UNIX), listen, bind, connect, accept,