Loader path security (#1012)

The ape loader now passes the program executable name directly as a
register. `x2` is used on aarch64, `%rdx` on x86_64. This is passed
as the third argument to `cosmo()` (M1) or `Launch` (non-M1) and is
assigned to the global `__program_executable_name`.

`GetProgramExecutableName` now returns this global's value, setting
it if it is initially null. `InitProgramExecutableName` first tries
exotic, secure methods: `KERN_PROC_PATHNAME` on FreeBSD/NetBSD, and
`/proc` on Linux. If those produce a reasonable response (i.e., not
`"/usr/bin/ape"`, which happens with the loader before this change),
that is used. Otherwise, if `issetugid()`, the empty string is used.
Otherwise, the old argv/envp parsing code is run.

The value returned from the loader is always the full absolute path
of the binary to be executed, having passed through `realpath`. For
the non-M1 loader, this necessitated writing `RealPath`, which uses
`readlinkat` of `"/proc/self/fd/[progfd]"` on Linux, `F_GETPATH` on
Xnu, and the `__realpath` syscall on OpenBSD. On FreeBSD/NetBSD, it
punts to `GetProgramExecutableName`, which is secure on those OSes.

With the loader, all platforms now have a secure program executable
name. With no loader or an old loader, everything still works as it
did, but setuid/setgid is not supported if the insecure pathfinding
code would have been needed.

Fixes #991.

ape/loader.c

@@ -87,6 +87,8 @@
 #define MIN(X, Y) ((Y) > (X) ? (X) : (Y))
 #define MAX(X, Y) ((Y) < (X) ? (X) : (Y))
 
+#define PATH_MAX 1024   /* XXX verify */
+
 #define SupportsLinux()   (SUPPORT_VECTOR & LINUX)
 #define SupportsXnu()     (SUPPORT_VECTOR & XNU)
 #define SupportsFreebsd() (SUPPORT_VECTOR & FREEBSD)
@@ -212,17 +214,18 @@ struct PathSearcher {
   const char *name;
   const char *syspath;
   unsigned long namelen;
-  char path[1024];
+  char path[PATH_MAX];
 };
 
 struct ApeLoader {
   union ElfPhdrBuf phdr;
   struct PathSearcher ps;
-  char path[1024];
+  char path[PATH_MAX];
 };
 
 EXTERN_C long SystemCall(long, long, long, long, long, long, long, int);
-EXTERN_C void Launch(void *, long, void *, int) __attribute__((__noreturn__));
+EXTERN_C void
+Launch(void *, long, void *, void *, int) __attribute__((__noreturn__));
 
 extern char __executable_start[];
 extern char _end[];
@@ -239,12 +242,13 @@ static int StrCmp(const char *l, const char *r) {
   return (l[i] & 255) - (r[i] & 255);
 }
 
-static const char *BaseName(const char *s) {
-  int c;
-  const char *b = "";
+#if 0
+
+static const char *StrRChr(const char *s, int c) {
+  const char *b = 0;
   if (s) {
-    while ((c = *s++)) {
-      if (c == '/') {
+    for (; *s; ++s) {
+      if (*s == c) {
         b = s;
       }
     }
@@ -252,6 +256,13 @@ static const char *BaseName(const char *s) {
   return b;
 }
 
+static const char *BaseName(const char *s) {
+  const char *b = StrRChr(s, '/');
+  return b ? b + 1 : s;
+}
+
+#endif
+
 static void Bzero(void *a, unsigned long n) {
   long z;
   char *p, *e;
@@ -343,7 +354,7 @@ static char *Utox(char p[19], unsigned long x) {
   return p;
 }
 
-static char *Utoa(char p[21], unsigned long x) {
+static char *Utoa(char p[20], unsigned long x) {
   char t;
   unsigned long i, a, b;
   i = 0;
@@ -534,6 +545,40 @@ __attribute__((__noreturn__)) static void Pexit(int os, const char *c, int rc,
   Exit(127, os);
 }
 
+#define PSFD "/proc/self/fd/"
+
+static int RealPath(int os, int fd, char *path, char **resolved) {
+  char buf[PATH_MAX];
+  int rc;
+  if (IsLinux()) {
+    char psfd[sizeof(PSFD) + 19];
+    MemMove(psfd, PSFD, sizeof(PSFD) - 1);
+    Utoa(psfd + sizeof(PSFD) - 1, fd);
+    rc = SystemCall(-100, (long)psfd, (long)buf, PATH_MAX, 0, 0, 0,
+                    IsAarch64() ? 78 : 267);
+    if (rc >= 0) {
+      if (rc == PATH_MAX) {
+        rc = -36;
+      } else {
+        buf[rc] = 0;
+      }
+    }
+  } else if (IsXnu()) {
+    rc = SystemCall(fd, 50, (long)buf, 0, 0, 0, 0, 92 | 0x2000000);
+  } else if (IsOpenbsd()) {
+    rc = SystemCall((long)path, (long)buf, 0, 0, 0, 0, 0, 115);
+  } else {
+    *resolved = 0;
+    return 0;
+  }
+  if (rc >= 0) {
+    MemMove(path, buf, StrLen(buf) + 1);
+    *resolved = path;
+    rc = 0;
+  }
+  return rc;
+}
+
 static char AccessCommand(struct PathSearcher *ps, unsigned long pathlen) {
   if (pathlen + 1 + ps->namelen + 1 > sizeof(ps->path)) return 0;
   if (pathlen && ps->path[pathlen - 1] != '/') ps->path[pathlen++] = '/';
@@ -599,8 +644,9 @@ static char *Commandv(struct PathSearcher *ps, int os, const char *name,
   }
 }
 
-__attribute__((__noreturn__)) static void Spawn(int os, const char *exe, int fd,
-                                                long *sp, unsigned long pagesz,
+__attribute__((__noreturn__)) static void Spawn(int os, const char *exe,
+                                                char *path, int fd, long *sp,
+                                                unsigned long pagesz,
                                                 struct ElfEhdr *e,
                                                 struct ElfPhdr *p) {
   long rc;
@@ -757,12 +803,12 @@ __attribute__((__noreturn__)) static void Spawn(int os, const char *exe, int fd,
   Msyscall(dynbase + code, codesize, os);
 
   /* call program entrypoint */
-  Launch(IsFreebsd() ? sp : 0, dynbase + e->e_entry, sp, os);
+  Launch(IsFreebsd() ? sp : 0, dynbase + e->e_entry, path, sp, os);
 }
 
 static const char *TryElf(struct ApeLoader *M, union ElfEhdrBuf *ebuf,
-                          const char *exe, int fd, long *sp, long *auxv,
-                          unsigned long pagesz, int os) {
+                          const char *exe, char *path, int fd, long *sp,
+                          long *auxv, unsigned long pagesz, int os) {
   long i, rc;
   unsigned size;
   struct ElfEhdr *e;
@@ -877,7 +923,7 @@ static const char *TryElf(struct ApeLoader *M, union ElfEhdrBuf *ebuf,
   }
 
   /* we're now ready to load */
-  Spawn(os, exe, fd, sp, pagesz, e, p);
+  Spawn(os, exe, path, fd, sp, pagesz, e, p);
 }
 
 __attribute__((__noreturn__)) static void ShowUsage(int os, int fd, int rc) {
@@ -1035,6 +1081,8 @@ EXTERN_C __attribute__((__noreturn__)) void ApeLoader(long di, long *sp,
     Pexit(os, prog, 0, "not found (maybe chmod +x or ./ needed)");
   } else if ((fd = Open(exe, O_RDONLY, 0, os)) < 0) {
     Pexit(os, exe, fd, "open");
+  } else if ((rc = RealPath(os, fd, exe, &prog)) < 0) {
+    Pexit(os, exe, rc, "realpath");
   } else if ((rc = Pread(fd, ebuf->buf, sizeof(ebuf->buf), 0, os)) < 0) {
     Pexit(os, exe, rc, "read");
   } else if ((unsigned long)rc < sizeof(ebuf->ehdr)) {
@@ -1042,12 +1090,6 @@ EXTERN_C __attribute__((__noreturn__)) void ApeLoader(long di, long *sp,
   }
   pe = ebuf->buf + rc;
 
-  /* change argv[0] to resolved path if it's ambiguous */
-  if (argc > 0 && ((*prog != '/' && *exe == '/' && !StrCmp(prog, argv[0])) ||
-                   !StrCmp(BaseName(prog), argv[0]))) {
-    argv[0] = exe;
-  }
-
   /* ape intended behavior
      1. if ape, will scan shell script for elf printf statements
      2. shell script may have multiple lines producing elf headers
@@ -1080,9 +1122,9 @@ EXTERN_C __attribute__((__noreturn__)) void ApeLoader(long di, long *sp,
         }
       }
       if (i >= sizeof(ebuf->ehdr)) {
-        TryElf(M, ebuf, exe, fd, sp, auxv, pagesz, os);
+        TryElf(M, ebuf, exe, prog, fd, sp, auxv, pagesz, os);
       }
     }
   }
-  Pexit(os, exe, 0, TryElf(M, ebuf, exe, fd, sp, auxv, pagesz, os));
+  Pexit(os, exe, 0, TryElf(M, ebuf, exe, prog, fd, sp, auxv, pagesz, os));
 }