Loader path security (#1012)

The ape loader now passes the program executable name directly as a register. `x2` is used on aarch64, `%rdx` on x86_64. This is passed as the third argument to `cosmo()` (M1) or `Launch` (non-M1) and is assigned to the global `__program_executable_name`. `GetProgramExecutableName` now returns this global's value, setting it if it is initially null. `InitProgramExecutableName` first tries exotic, secure methods: `KERN_PROC_PATHNAME` on FreeBSD/NetBSD, and `/proc` on Linux. If those produce a reasonable response (i.e., not `"/usr/bin/ape"`, which happens with the loader before this change), that is used. Otherwise, if `issetugid()`, the empty string is used. Otherwise, the old argv/envp parsing code is run. The value returned from the loader is always the full absolute path of the binary to be executed, having passed through `realpath`. For the non-M1 loader, this necessitated writing `RealPath`, which uses `readlinkat` of `"/proc/self/fd/[progfd]"` on Linux, `F_GETPATH` on Xnu, and the `__realpath` syscall on OpenBSD. On FreeBSD/NetBSD, it punts to `GetProgramExecutableName`, which is secure on those OSes. With the loader, all platforms now have a secure program executable name. With no loader or an old loader, everything still works as it did, but setuid/setgid is not supported if the insecure pathfinding code would have been needed. Fixes #991.
2025-05-25 14:52:28 +00:00 · 2023-12-15 12:23:58 -05:00 · 2023-12-15 12:23:58 -05:00 · f94c11d978
commit f94c11d978
parent 8a10ccf9c4
10 changed files with 193 additions and 137 deletions
--- a/test/libc/calls/getprogramexecutablename_test.c
+++ b/test/libc/calls/getprogramexecutablename_test.c
@ -28,25 +28,26 @@
 #include "libc/testlib/testlib.h"

 static char *self;
-static bool skipcosmotests;
-
-void SetUp(void) {
-  self = GetProgramExecutableName();
-}

 void SetUpOnce(void) {
-  if (!getenv("COSMOPOLITAN_PROGRAM_EXECUTABLE")) {
-    fprintf(stderr,
-            "warning: old ape loader detected; skipping some tests %m\n");
-    skipcosmotests = true;
-  }
+  self = GetProgramExecutableName();
  testlib_enable_tmp_setup_teardown();
 }

 __attribute__((__constructor__)) static void Child(int argc, char *argv[]) {
+  static bool skiparg0tests;
+  if (!__program_executable_name && !IsFreebsd() && !IsNetbsd()) {
+    skiparg0tests = true;
+    if (argc < 2) {
+      fprintf(stderr, "warning: old/no loader; skipping argv[0] tests\n");
+    }
+  }
  if (argc >= 2 && !strcmp(argv[1], "Child")) {
-    ASSERT_EQ(3, argc);
+    ASSERT_EQ(argc, 4);
    EXPECT_STREQ(argv[2], GetProgramExecutableName());
+    if (!skiparg0tests) {
+      EXPECT_STREQ(argv[3], argv[0]);
+    }
    exit(g_testlib_failed);
  }
 }
@ -59,33 +60,33 @@ TEST(GetProgramExecutableName, ofThisFile) {

 TEST(GetProgramExecutableName, nullEnv) {
  SPAWN(fork);
-  execve(self, (char *[]){self, "Child", self, 0}, (char *[]){0});
+  execve(self, (char *[]){self, "Child", self, self, 0}, (char *[]){0});
  abort();
  EXITS(0);
 }

 TEST(GetProramExecutableName, weirdArgv0NullEnv) {
  SPAWN(fork);
-  execve(self, (char *[]){"hello", "Child", self, 0}, (char *[]){0});
+  execve(self, (char *[]){"hello", "Child", self, "hello", 0}, (char *[]){0});
  abort();
  EXITS(0);
 }

 TEST(GetProgramExecutableName, weirdArgv0CosmoVar) {
-  if (skipcosmotests) return;
  char buf[32 + PATH_MAX];
  stpcpy(stpcpy(buf, "COSMOPOLITAN_PROGRAM_EXECUTABLE="), self);
  SPAWN(fork);
-  execve(self, (char *[]){"hello", "Child", self, 0}, (char *[]){buf, 0});
+  execve(self, (char *[]){"hello", "Child", self, "hello", 0},
+         (char *[]){buf, 0});
  abort();
  EXITS(0);
 }

 TEST(GetProgramExecutableName, weirdArgv0WrongCosmoVar) {
-  if (skipcosmotests) return;
  char *bad = "COSMOPOLITAN_PROGRAM_EXECUTABLE=hi";
  SPAWN(fork);
-  execve(self, (char *[]){"hello", "Child", self, 0}, (char *[]){bad, 0});
+  execve(self, (char *[]){"hello", "Child", self, "hello", 0},
+         (char *[]){bad, 0});
  abort();
  EXITS(0);
 }
@ -104,13 +105,7 @@ TEST(GetProgramExecutableName, movedSelf) {
  ASSERT_NE(NULL, getcwd(buf, BUFSIZ - 5));
  stpcpy(buf + strlen(buf), "/test");
  SPAWN(fork);
-  execve(buf, (char *[]){"hello", "Child", buf, 0}, (char *[]){0});
+  execve(buf, (char *[]){"hello", "Child", buf, "hello", 0}, (char *[]){0});
  abort();
  EXITS(0);
 }
-
-void __InitProgramExecutableName(void);
-
-BENCH(GetProgramExecutableName, bench) {
-  EZBENCH2("Init", donothing, __InitProgramExecutableName());
-}