Improve pledge() and unveil()

The pledge.com command now supports the new [WIP] unveil() support. For example, to strongly sandbox our command for listing directories. o//tool/build/assimilate.com o//examples/ls.com pledge.com -v /etc -p 'stdio rpath' o//examples/ls.com /etc This file system sandboxing is going to be perfect for us, because APE binaries are self-contained static executables that really don't use the filesystem that much. On the other hand, with non-static executables, sandboxing is going to be more difficult. For example, here's how to sandbox the `ls` command on the latest Alpine: pledge.com -v rx:/lib -v /usr/lib -v /etc -p 'stdio rpath exec' ls /etc This change fixes the `execpromises` API with pledge(). This change also adds unix.unveil() to redbean. Fixes #494
2025-07-06 19:28:29 +00:00 · 2022-07-18 07:23:15 -07:00 · 2022-07-18 07:23:15 -07:00 · e81edf7b04
commit e81edf7b04
parent b1d9d11be1
19 changed files with 535 additions and 150 deletions
--- a/libc/calls/execve.c
+++ b/libc/calls/execve.c
@ -17,6 +17,7 @@
 │ PERFORMANCE OF THIS SOFTWARE.                                                │
 ╚─────────────────────────────────────────────────────────────────────────────*/
 #include "libc/bits/likely.h"
+#include "libc/bits/weaken.h"
 #include "libc/calls/calls.h"
 #include "libc/calls/strace.internal.h"
 #include "libc/calls/syscall-nt.internal.h"
@ -24,10 +25,13 @@
 #include "libc/dce.h"
 #include "libc/intrin/asan.internal.h"
 #include "libc/intrin/kprintf.h"
+#include "libc/intrin/promises.internal.h"
 #include "libc/log/libfatal.internal.h"
 #include "libc/sysv/consts/o.h"
 #include "libc/sysv/errfuns.h"

+int sys_pledge_linux(unsigned long);
+
 /**
 * Replaces current process with program.
 *
@ -66,7 +70,13 @@ int execve(const char *prog, char *const argv[], char *const envp[]) {
    }
 #endif
    if (!IsWindows()) {
-      rc = sys_execve(prog, argv, envp);
+      rc = 0;
+      if (IsLinux() && __execpromises && weaken(sys_pledge_linux)) {
+        rc = weaken(sys_pledge_linux)(__execpromises);
+      }
+      if (!rc) {
+        rc = sys_execve(prog, argv, envp);
+      }
    } else {
      rc = sys_execve_nt(prog, argv, envp);
    }
--- a/libc/calls/faccessat.c
+++ b/libc/calls/faccessat.c
@ -22,6 +22,7 @@
 #include "libc/calls/syscall-nt.internal.h"
 #include "libc/calls/syscall-sysv.internal.h"
 #include "libc/dce.h"
+#include "libc/errno.h"
 #include "libc/intrin/asan.internal.h"
 #include "libc/intrin/describeflags.internal.h"
 #include "libc/sysv/consts/at.h"
@ -36,18 +37,27 @@
 * @param path is a filename or directory
 * @param mode can be R_OK, W_OK, X_OK, F_OK
 * @param flags can have AT_EACCESS, AT_SYMLINK_NOFOLLOW
+ * @note on Linux flags is only supported on Linux 5.8+
 * @return 0 if ok, or -1 and sets errno
 * @asyncsignalsafe
 */
 int faccessat(int dirfd, const char *path, int mode, uint32_t flags) {
-  int rc;
+  int e, rc;
  if (IsAsan() && !__asan_is_valid(path, 1)) {
    rc = efault();
  } else if (weaken(__zipos_notat) &&
             weaken(__zipos_notat)(dirfd, path) == -1) {
    rc = -1; /* TODO(jart): implement me */
  } else if (!IsWindows()) {
-    rc = sys_faccessat(dirfd, path, mode, flags);
+    e = errno;
+    if (!flags) goto NoFlags;
+    if ((rc = sys_faccessat2(dirfd, path, mode, flags)) == -1) {
+      if (errno == ENOSYS) {
+        errno = e;
+      NoFlags:
+        rc = sys_faccessat(dirfd, path, mode, flags);
+      }
+    }
  } else {
    rc = sys_faccessat_nt(dirfd, path, mode, flags);
  }
--- a/libc/calls/syscall-sysv.internal.h
+++ b/libc/calls/syscall-sysv.internal.h
@ -33,6 +33,7 @@ i32 sys_dup2(i32, i32) hidden;
 i32 sys_dup3(i32, i32, i32) hidden;
 i32 sys_execve(const char *, char *const[], char *const[]) hidden;
 i32 sys_faccessat(i32, const char *, i32, u32) hidden;
+i32 sys_faccessat2(i32, const char *, i32, u32) hidden;
 i32 sys_fadvise(i32, i64, i64, i32) hidden;
 i32 sys_fchdir(i32) hidden;
 i32 sys_fchmod(i32, u32) hidden;
@ -95,6 +96,7 @@ i32 sys_tkill(i32, i32, void *) hidden;
 i32 sys_truncate(const char *, u64, u64) hidden;
 i32 sys_uname(char *) hidden;
 i32 sys_unlinkat(i32, const char *, i32) hidden;
+i32 sys_unveil(const char *, const char *) hidden;
 i64 sys_copy_file_range(i32, long *, i32, long *, u64, u32) hidden;
 i64 sys_getrandom(void *, u64, u32) hidden;
 i64 sys_pread(i32, void *, u64, i64, i64) hidden;
@ -111,7 +113,6 @@ u32 sys_geteuid(void) hidden;
 u32 sys_getgid(void) hidden;
 u32 sys_getuid(void) hidden;
 u32 sys_umask(u32) hidden;
-i32 sys_unveil(const char *, const char *) hidden;
 void *__sys_mmap(void *, u64, u32, u32, i64, i64, i64) hidden;
 void *sys_mremap(void *, u64, u64, i32, void *) hidden;
 void sys_exit(int) hidden;