mirrors/cosmopolitan
1
0
Fork 0
mirror of https://github.com/jart/cosmopolitan.git synced 2025-06-01 02:02:28 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

Loader path security (#1012)

Browse source 
The ape loader now passes the program executable name directly as a
register. `x2` is used on aarch64, `%rdx` on x86_64. This is passed
as the third argument to `cosmo()` (M1) or `Launch` (non-M1) and is
assigned to the global `__program_executable_name`.

`GetProgramExecutableName` now returns this global's value, setting
it if it is initially null. `InitProgramExecutableName` first tries
exotic, secure methods: `KERN_PROC_PATHNAME` on FreeBSD/NetBSD, and
`/proc` on Linux. If those produce a reasonable response (i.e., not
`"/usr/bin/ape"`, which happens with the loader before this change),
that is used. Otherwise, if `issetugid()`, the empty string is used.
Otherwise, the old argv/envp parsing code is run.

The value returned from the loader is always the full absolute path
of the binary to be executed, having passed through `realpath`. For
the non-M1 loader, this necessitated writing `RealPath`, which uses
`readlinkat` of `"/proc/self/fd/[progfd]"` on Linux, `F_GETPATH` on
Xnu, and the `__realpath` syscall on OpenBSD. On FreeBSD/NetBSD, it
punts to `GetProgramExecutableName`, which is secure on those OSes.

With the loader, all platforms now have a secure program executable
name. With no loader or an old loader, everything still works as it
did, but setuid/setgid is not supported if the insecure pathfinding
code would have been needed.

Fixes #991.
This commit is contained in:
Jōshin 2023-12-15 12:23:58 -05:00 committed by GitHub
parent 8a10ccf9c4
commit f94c11d978
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
10 changed files with 193 additions and 137 deletions
Download patch file Download diff file Expand all files Collapse all files

13
ape/launch.S
View file

@ -31,17 +31,16 @@
//
// @param rdi is passed through as-is
// @param rsi is address of entrypoint (becomes zero)
// @param rdx is stack pointer (becomes zero)
// @param rcx is passed through as-is
// @param rdx is passed through as-is
// @param rcx is stack pointer (becomes r8)
// @noreturn
Launch:
#ifdef __aarch64__
mov x16,x1
mov sp,x2
mov sp,x3
mov x1,0
mov x2,0
mov x3,0
mov x3,x4
mov x4,0
mov x5,0
mov x6,0
@ -71,6 +70,8 @@ Launch:
#else
mov %rcx,%rsp
mov %r8,%rcx
xor %r8d,%r8d
xor %r9d,%r9d
xor %r10d,%r10d
@ -79,8 +80,6 @@ Launch:
xor %r13d,%r13d
xor %r14d,%r14d
xor %r15d,%r15d
mov %rdx,%rsp
xor %edx,%edx
push %rsi
xor %esi,%esi
xor %ebp,%ebp