Improve pledge() and unveil() further

- Fix getpriority()
- Add AT_MINSIGSTKSZ
- Fix bugs in BPF code
- Show more stuff in printargs.com
- Write manual test for pledge.com
- pledge() now generates tinier BPF code
- Have pledge("exec") only enable execve()
- Fix pledge.com chroot setuid functionality
- Improve pledge.com unveiling of ape loader

libc/calls/getpriority.c

@@ -24,6 +24,10 @@
 /**
  * Returns nice value of thing.
  *
+ * Since -1 might be a valid return value for this API, it's necessary
+ * to clear `errno` beforehand and see if it changed, in order to truly
+ * determine if an error happened.
+ *
  * @param which can be PRIO_PROCESS, PRIO_PGRP, PRIO_USER
  * @param who is the pid, pgid, or uid (0 means current)
  * @return value ∈ [-NZERO,NZERO) or -1 w/ errno
@@ -32,7 +36,9 @@
 int getpriority(int which, unsigned who) {
   int rc;
   if (!IsWindows()) {
-    rc = sys_getpriority(which, who) - 20;
+    if ((rc = sys_getpriority(which, who)) != -1) {
+      rc = 20 - rc;
+    }
   } else {
     rc = sys_getsetpriority_nt(which, who, 0, sys_getpriority_nt);
   }

libc/calls/sched_getparam.c

@@ -21,6 +21,8 @@
 
 /**
  * Gets scheduler policy parameter.
+ *
+ * @return 0 on success, or -1 w/ errno
  * @raise ENOSYS on XNU, Windows
  */
 int sched_getparam(int pid, struct sched_param *param) {

libc/calls/sched_getscheduler.c

@@ -20,12 +20,22 @@
 #include "libc/calls/strace.internal.h"
 #include "libc/calls/struct/sched_param.h"
 #include "libc/dce.h"
+#include "libc/intrin/describeflags.internal.h"
 
 /**
  * Gets scheduler policy for `pid`.
  *
- * @param pid is id of process (where 0 is same as getpid())
+ * @param pid is the id of the process whose scheduling policy should be
+ *     queried. Setting `pid` to zero means the same thing as getpid().
+ *     This applies to all threads associated with the process. Linux is
+ *     special; the kernel treats this as a thread id (noting that
+ *     `getpid() == gettid()` is always the case on Linux for the main
+ *     thread) and will only take effect for the specified tid.
+ *     Therefore this function is POSIX-compliant iif `!__threaded`.
  * @return scheduler policy, or -1 w/ errno
+ * @error ESRCH if `pid` not found
+ * @error EPERM if not permitted
+ * @error EINVAL if `pid` is negative on Linux
  */
 int sched_getscheduler(int pid) {
   int rc;
@@ -34,6 +44,6 @@ int sched_getscheduler(int pid) {
   } else {
     rc = sys_sched_getscheduler(pid);
   }
-  STRACE("sched_getscheduler(%d) → %d% m", pid, rc);
+  STRACE("sched_getscheduler(%d) → %s% m", pid, DescribeSchedPolicy(rc));
   return rc;
 }

libc/calls/sched_setscheduler.c

@@ -35,12 +35,12 @@
  * before processes with numerically lower priority values.
  *
  * @param pid is the id of the process whose scheduling policy should be
- *     changed. This applies to all threads associated with the process.
- *     Linux is special; the kernel treats this as a thread id (noting
- *     that `getpid() == gettid()` is always the case on Linux for the
- *     main thread) and will only take effect for the specified tid.
+ *     changed. Setting `pid` to zero means the same thing as getpid().
+ *     This applies to all threads associated with the process. Linux is
+ *     special; the kernel treats this as a thread id (noting that
+ *     `getpid() == gettid()` is always the case on Linux for the main
+ *     thread) and will only take effect for the specified tid.
  *     Therefore this function is POSIX-compliant iif `!__threaded`.
- *     Setting `pid` to zero means the same thing as getpid().
  *
  * @param policy specifies the kernel's timesharing strategy.
  *

libc/calls/setpriority.c

@@ -27,12 +27,14 @@
  * @param which can be PRIO_PROCESS, PRIO_PGRP, PRIO_USER
  * @param who is the pid, pgid, or uid, 0 meaning current
  * @param value ∈ [-NZERO,NZERO) which is clamped automatically
- * @return nonzero on success or -1 w/ errno
+ * @return 0 on success or -1 w/ errno
+ * @error EACCES if lower that RLIMIT_NICE
+ * @error EACCES on Linux without CAP_SYS_NICE
  * @see getpriority(), nice()
  */
 int setpriority(int which, unsigned who, int value) {
   if (!IsWindows()) {
-    return sys_setpriority(which, who, value); /* TODO(jart): -20 */
+    return sys_setpriority(which, who, value);
   } else {
     return sys_getsetpriority_nt(which, who, value, sys_setpriority_nt);
   }

libc/intrin/describeschedpolicy.c

@@ -27,14 +27,29 @@
  * Describes clock_gettime() clock argument.
  */
 const char *(DescribeSchedPolicy)(char buf[48], int x) {
-  struct DescribeFlags flags[] = {
-      {SCHED_RESET_ON_FORK, "RESET_ON_FORK"},  //
-      {SCHED_OTHER, "OTHER"},                  //
-      {SCHED_FIFO, "FIFO"},                    //
-      {SCHED_RR, "RR"},                        //
-      {SCHED_BATCH, "BATCH"},                  //
-      {SCHED_IDLE, "IDLE"},                    //
-      {SCHED_DEADLINE, "DEADLINE"},            //
-  };
-  return DescribeFlags(buf, 48, flags, ARRAYLEN(flags), "SCHED_", x);
+  char *p = buf;
+  if (x == -1) {
+    goto DoNumber;
+  }
+  if (x & SCHED_RESET_ON_FORK) {
+    x &= ~SCHED_RESET_ON_FORK;
+    p = stpcpy(p, "SCHED_RESET_ON_FORK");
+  }
+  if (x == SCHED_OTHER) {
+    stpcpy(p, "SCHED_OTHER");
+  } else if (x == SCHED_FIFO) {
+    stpcpy(p, "SCHED_FIFO");
+  } else if (x == SCHED_RR) {
+    stpcpy(p, "SCHED_RR");
+  } else if (x == SCHED_BATCH) {
+    stpcpy(p, "SCHED_BATCH");
+  } else if (x == SCHED_IDLE) {
+    stpcpy(p, "SCHED_IDLE");
+  } else if (x == SCHED_DEADLINE) {
+    stpcpy(p, "SCHED_DEADLINE");
+  } else {
+  DoNumber:
+    FormatInt32(p, x);
+  }
+  return buf;
 }

libc/runtime/printargs.c

@@ -19,6 +19,7 @@
 #include "libc/calls/calls.h"
 #include "libc/calls/strace.internal.h"
 #include "libc/calls/struct/rlimit.h"
+#include "libc/calls/struct/sched_param.h"
 #include "libc/calls/struct/sigset.h"
 #include "libc/calls/struct/termios.h"
 #include "libc/calls/struct/utsname.h"
@@ -29,6 +30,7 @@
 #include "libc/errno.h"
 #include "libc/intrin/describeflags.internal.h"
 #include "libc/intrin/kprintf.h"
+#include "libc/intrin/promises.internal.h"
 #include "libc/macros.internal.h"
 #include "libc/nexgen32e/cpuid4.internal.h"
 #include "libc/nexgen32e/kcpuids.h"
@@ -52,6 +54,7 @@
 #include "libc/sysv/consts/f.h"
 #include "libc/sysv/consts/poll.h"
 #include "libc/sysv/consts/pr.h"
+#include "libc/sysv/consts/prio.h"
 #include "libc/sysv/consts/rlim.h"
 #include "libc/sysv/consts/sig.h"
 #include "libc/sysv/consts/termios.h"
@@ -107,6 +110,7 @@ static const struct AuxiliaryValue {
     {"%-14p", &AT_TIMEKEEP, "AT_TIMEKEEP"},
     {"%-14p", &AT_STACKPROT, "AT_STACKPROT"},
     {"%-14p", &AT_EHDRFLAGS, "AT_EHDRFLAGS"},
+    {"%-14d", &AT_MINSIGSTKSZ, "AT_MINSIGSTKSZ"},
 };
 
 static const char *FindNameById(const struct IdName *names, unsigned long id) {
@@ -161,6 +165,7 @@ textstartup void __printargs(const char *prologue) {
   uintptr_t *auxp;
   struct rlimit rlim;
   struct utsname uts;
+  struct sched_param sp;
   struct termios termios;
   struct AuxiliaryValue *auxinfo;
   union {
@@ -168,6 +173,8 @@ textstartup void __printargs(const char *prologue) {
     struct pollfd pfds[128];
   } u;
 
+  if (!PLEDGED(STDIO)) return;
+
   --__ftrace;
   --__strace;
   e = errno;
@@ -296,6 +303,24 @@ textstartup void __printargs(const char *prologue) {
     PRINT("  error: sigprocmask() failed %m");
   }
 
+  if (PLEDGED(PROC)) {
+    PRINT("");
+    PRINT("SCHEDULER");
+    errno = 0;
+    PRINT(" ☼ getpriority(PRIO_PROCESS) → %d% m", getpriority(PRIO_PROCESS, 0));
+    errno = 0;
+    PRINT(" ☼ getpriority(PRIO_PGRP)    → %d% m", getpriority(PRIO_PGRP, 0));
+    errno = 0;
+    PRINT(" ☼ getpriority(PRIO_USER)    → %d% m", getpriority(PRIO_USER, 0));
+    errno = 0;
+    PRINT(" ☼ sched_getscheduler()      → %s% m",
+          DescribeSchedPolicy(sched_getscheduler(0)));
+    errno = 0;
+    if (sched_getparam(0, &sp) != -1) {
+      PRINT(" ☼ sched_getparam()          → %d% m", sp.sched_priority);
+    }
+  }
+
   if (IsLinux()) {
     PRINT("");
     PRINT("CAPABILITIES");

libc/sysv/consts.sh

@@ -464,6 +464,7 @@ syscon	auxv	AT_EXECFN				31			31			15			999			2014			31			# address of string co
 syscon	auxv	AT_SYSINFO_EHDR				33			0			0			0			0			0
 syscon	auxv	AT_STACKBASE				0			0			0			0			13			0
 syscon	auxv	AT_EXECPATH				31			31			15			999			2014			31			# FreeBSD name for AT_EXECFN
+syscon	auxv	AT_MINSIGSTKSZ				51			0			0			0			0			0			# FreeBSD name for AT_EXECFN
 syscon	auxv	AT_CANARY				0			0			16			0			0			0
 syscon	auxv	AT_CANARYLEN				0			0			17			0			0			0
 syscon	auxv	AT_NCPUS				0			0			19			0			0			0

libc/sysv/consts/AT_MINSIGSTKSZ.S

@@ -0,0 +1,2 @@
+#include "libc/sysv/consts/syscon.internal.h"
+.syscon auxv,AT_MINSIGSTKSZ,51,0,0,0,0,0

libc/sysv/consts/auxv.h

@@ -6,21 +6,29 @@ COSMOPOLITAN_C_START_
 
 extern const long AT_BASE;
 extern const long AT_BASE_PLATFORM;
+extern const long AT_CANARY;
+extern const long AT_CANARYLEN;
 extern const long AT_CLKTCK;
 extern const long AT_DCACHEBSIZE;
 extern const long AT_EGID;
+extern const long AT_EHDRFLAGS;
 extern const long AT_ENTRY;
 extern const long AT_EUID;
 extern const long AT_EXECFD;
 extern const long AT_EXECFN;
+extern const long AT_EXECPATH;
 extern const long AT_FLAGS;
 extern const long AT_GID;
 extern const long AT_HWCAP2;
 extern const long AT_HWCAP;
 extern const long AT_ICACHEBSIZE;
+extern const long AT_MINSIGSTKSZ;
+extern const long AT_NCPUS;
 extern const long AT_NOTELF;
 extern const long AT_NO_AUTOMOUNT;
 extern const long AT_OSRELDATE;
+extern const long AT_PAGESIZES;
+extern const long AT_PAGESIZESLEN;
 extern const long AT_PAGESZ;
 extern const long AT_PHDR;
 extern const long AT_PHENT;
@@ -28,40 +36,41 @@ extern const long AT_PHNUM;
 extern const long AT_PLATFORM;
 extern const long AT_RANDOM;
 extern const long AT_SECURE;
+extern const long AT_STACKBASE;
+extern const long AT_STACKPROT;
 extern const long AT_SYSINFO_EHDR;
+extern const long AT_TIMEKEEP;
 extern const long AT_UCACHEBSIZE;
 extern const long AT_UID;
-extern const long AT_STACKBASE;
-extern const long AT_EXECPATH;
-extern const long AT_CANARY;
-extern const long AT_CANARYLEN;
-extern const long AT_NCPUS;
-extern const long AT_PAGESIZES;
-extern const long AT_PAGESIZESLEN;
-extern const long AT_TIMEKEEP;
-extern const long AT_STACKPROT;
-extern const long AT_EHDRFLAGS;
 
 COSMOPOLITAN_C_END_
 #endif /* !(__ASSEMBLER__ + __LINKER__ + 0) */
 
 #define AT_BASE          SYMBOLIC(AT_BASE)
 #define AT_BASE_PLATFORM SYMBOLIC(AT_BASE_PLATFORM)
+#define AT_CANARY        SYMBOLIC(AT_CANARY)
+#define AT_CANARYLEN     SYMBOLIC(AT_CANARYLEN)
 #define AT_CLKTCK        SYMBOLIC(AT_CLKTCK)
 #define AT_DCACHEBSIZE   SYMBOLIC(AT_DCACHEBSIZE)
 #define AT_EGID          SYMBOLIC(AT_EGID)
+#define AT_EHDRFLAGS     SYMBOLIC(AT_EHDRFLAGS)
 #define AT_ENTRY         SYMBOLIC(AT_ENTRY)
 #define AT_EUID          SYMBOLIC(AT_EUID)
 #define AT_EXECFD        SYMBOLIC(AT_EXECFD)
 #define AT_EXECFN        SYMBOLIC(AT_EXECFN)
+#define AT_EXECPATH      SYMBOLIC(AT_EXECPATH)
 #define AT_FLAGS         SYMBOLIC(AT_FLAGS)
 #define AT_GID           SYMBOLIC(AT_GID)
 #define AT_HWCAP         SYMBOLIC(AT_HWCAP)
 #define AT_HWCAP2        SYMBOLIC(AT_HWCAP2)
 #define AT_ICACHEBSIZE   SYMBOLIC(AT_ICACHEBSIZE)
+#define AT_MINSIGSTKSZ   SYMBOLIC(AT_MINSIGSTKSZ)
+#define AT_NCPUS         SYMBOLIC(AT_NCPUS)
 #define AT_NOTELF        SYMBOLIC(AT_NOTELF)
 #define AT_NO_AUTOMOUNT  SYMBOLIC(AT_NO_AUTOMOUNT)
 #define AT_OSRELDATE     SYMBOLIC(AT_OSRELDATE)
+#define AT_PAGESIZES     SYMBOLIC(AT_PAGESIZES)
+#define AT_PAGESIZESLEN  SYMBOLIC(AT_PAGESIZESLEN)
 #define AT_PAGESZ        SYMBOLIC(AT_PAGESZ)
 #define AT_PHDR          SYMBOLIC(AT_PHDR)
 #define AT_PHENT         SYMBOLIC(AT_PHENT)
@@ -69,18 +78,11 @@ COSMOPOLITAN_C_END_
 #define AT_PLATFORM      SYMBOLIC(AT_PLATFORM)
 #define AT_RANDOM        SYMBOLIC(AT_RANDOM)
 #define AT_SECURE        SYMBOLIC(AT_SECURE)
+#define AT_STACKBASE     SYMBOLIC(AT_STACKBASE)
+#define AT_STACKPROT     SYMBOLIC(AT_STACKPROT)
 #define AT_SYSINFO_EHDR  SYMBOLIC(AT_SYSINFO_EHDR)
+#define AT_TIMEKEEP      SYMBOLIC(AT_TIMEKEEP)
 #define AT_UCACHEBSIZE   SYMBOLIC(AT_UCACHEBSIZE)
 #define AT_UID           SYMBOLIC(AT_UID)
-#define AT_STACKBASE     SYMBOLIC(AT_STACKBASE)
-#define AT_EXECPATH      SYMBOLIC(AT_EXECPATH)
-#define AT_CANARY        SYMBOLIC(AT_CANARY)
-#define AT_CANARYLEN     SYMBOLIC(AT_CANARYLEN)
-#define AT_NCPUS         SYMBOLIC(AT_NCPUS)
-#define AT_PAGESIZES     SYMBOLIC(AT_PAGESIZES)
-#define AT_PAGESIZESLEN  SYMBOLIC(AT_PAGESIZESLEN)
-#define AT_TIMEKEEP      SYMBOLIC(AT_TIMEKEEP)
-#define AT_STACKPROT     SYMBOLIC(AT_STACKPROT)
-#define AT_EHDRFLAGS     SYMBOLIC(AT_EHDRFLAGS)
 
 #endif /* COSMOPOLITAN_LIBC_CALLS_AUXV_H_ */

test/libc/calls/printargs_test.c

@@ -23,7 +23,7 @@
 #include "libc/x/x.h"
 
 __attribute__((__constructor__)) static void init(void) {
-  pledge("stdio rpath tty", 0);
+  pledge("stdio rpath tty proc", 0);
   errno = 0;
 }
 

test/libc/calls/sched_setscheduler_test.c

@@ -22,6 +22,7 @@
 #include "libc/dce.h"
 #include "libc/errno.h"
 #include "libc/intrin/kprintf.h"
+#include "libc/limits.h"
 #include "libc/runtime/runtime.h"
 #include "libc/sysv/consts/sched.h"
 #include "libc/testlib/testlib.h"
@@ -53,6 +54,10 @@ bool CanTuneRealtimeSchedulers(void) {
   }
 }
 
+TEST(sched_getscheduler, einval) {
+  ASSERT_SYS(IsLinux() ? EINVAL : ESRCH, -1, sched_getscheduler(INT_MIN));
+}
+
 TEST(sched_setscheduler, test) {
   struct sched_param p = {sched_get_priority_min(SCHED_OTHER)};
   EXPECT_SYS(0, DEFAULT_POLICY, sched_setscheduler(0, SCHED_OTHER, &p));

test/libc/mem/pledge_test.c

@@ -372,7 +372,6 @@ TEST(pledge, chmod_ignoresDangerBits) {
 TEST(pledge, open_rpath) {
   if (IsOpenbsd()) return;  // b/c testing linux bpf
   int ws, pid;
-  struct stat st;
   ASSERT_SYS(0, 0, touch("foo", 0644));
   ASSERT_NE(-1, (pid = fork()));
   if (!pid) {
@@ -389,7 +388,6 @@ TEST(pledge, open_rpath) {
 TEST(pledge, open_wpath) {
   if (IsOpenbsd()) return;  // b/c testing linux bpf
   int ws, pid;
-  struct stat st;
   ASSERT_SYS(0, 0, touch("foo", 0644));
   ASSERT_NE(-1, (pid = fork()));
   if (!pid) {
@@ -426,7 +424,6 @@ TEST(pledge, open_cpath) {
 TEST(pledge, sigaction_isFineButForbidsSigsys) {
   if (IsOpenbsd()) return;  // b/c testing linux bpf
   int ws, pid;
-  struct stat st;
   ASSERT_NE(-1, (pid = fork()));
   if (!pid) {
     ASSERT_SYS(0, 0, pledge("stdio", 0));
@@ -442,7 +439,6 @@ TEST(pledge, sigaction_isFineButForbidsSigsys) {
 TEST(pledge, execpromises_ok) {
   if (IsOpenbsd()) return;  // b/c testing linux bpf
   int ws, pid;
-  struct stat st;
   ASSERT_NE(-1, (pid = fork()));
   if (!pid) {
     ASSERT_SYS(0, 0, pledge("stdio exec", "stdio"));
@@ -457,7 +453,6 @@ TEST(pledge, execpromises_ok) {
 TEST(pledge, execpromises_notok) {
   if (IsOpenbsd()) return;  // b/c testing linux bpf
   int ws, pid;
-  struct stat st;
   ASSERT_NE(-1, (pid = fork()));
   if (!pid) {
     ASSERT_SYS(0, 0, pledge("stdio exec", "stdio"));
@@ -472,7 +467,6 @@ TEST(pledge, execpromises_notok) {
 TEST(pledge, execpromises_reducesAtExecOnLinux) {
   if (IsOpenbsd()) return;  // b/c testing linux bpf
   int ws, pid;
-  struct stat st;
   ASSERT_NE(-1, (pid = fork()));
   if (!pid) {
     ASSERT_SYS(0, 0, pledge("stdio inet tty exec", "stdio tty"));
@@ -487,7 +481,6 @@ TEST(pledge, execpromises_reducesAtExecOnLinux) {
 TEST(pledge_openbsd, execpromisesIsNull_letsItDoAnything) {
   if (!IsOpenbsd()) return;
   int ws, pid;
-  struct stat st;
   ASSERT_NE(-1, (pid = fork()));
   if (!pid) {
     ASSERT_SYS(0, 0, pledge("stdio exec", 0));
@@ -502,7 +495,6 @@ TEST(pledge_openbsd, execpromisesIsNull_letsItDoAnything) {
 TEST(pledge_openbsd, execpromisesIsSuperset_letsItDoAnything) {
   if (!IsOpenbsd()) return;
   int ws, pid;
-  struct stat st;
   ASSERT_NE(-1, (pid = fork()));
   if (!pid) {
     ASSERT_SYS(0, 0, pledge("stdio rpath exec", "stdio rpath tty inet"));
@@ -522,7 +514,6 @@ TEST(pledge_linux, execpromisesIsSuperset_notPossible) {
 TEST(pledge_openbsd, execpromises_notok) {
   if (!IsOpenbsd()) return;
   int ws, pid;
-  struct stat st;
   ASSERT_NE(-1, (pid = fork()));
   if (!pid) {
     ASSERT_SYS(0, 0, pledge("stdio exec", "stdio"));
@@ -537,7 +528,6 @@ TEST(pledge_openbsd, execpromises_notok) {
 TEST(pledge_openbsd, bigSyscalls) {
   if (IsOpenbsd()) return;  // testing lunix
   int ws, pid;
-  struct stat st;
   ASSERT_NE(-1, (pid = fork()));
   if (!pid) {
     ASSERT_SYS(0, 0, pledge("stdio", 0));
@@ -572,6 +562,25 @@ TEST(pledge, threadWithLocks_canCodeMorph) {
   EXPECT_EQ(0, WEXITSTATUS(ws));
 }
 
+TEST(pledge, execWithoutRpath) {
+  int ws, pid;
+  ASSERT_SYS(0, 0, touch("foo", 0644));
+  ASSERT_NE(-1, (pid = fork()));
+  if (!pid) {
+    ASSERT_SYS(0, 0, pledge("stdio prot_exec exec", "stdio prot_exec exec"));
+    ASSERT_SYS(EPERM, -1, open("foo", O_RDONLY));
+    _Exit(0);
+  }
+  EXPECT_NE(-1, wait(&ws));
+  if (IsOpenbsd()) {
+    EXPECT_TRUE(WIFSIGNALED(ws));
+    EXPECT_EQ(SIGABRT, WTERMSIG(ws));
+  } else {
+    EXPECT_TRUE(WIFEXITED(ws));
+    EXPECT_EQ(0, WEXITSTATUS(ws));
+  }
+}
+
 BENCH(pledge, bench) {
   int pid;
   if (!fork()) {

test/tool/build/pledge_test.sh

@@ -0,0 +1,175 @@
+#!/bin/sh
+m=tinylinux
+t=/tmp/pledge-test
+
+if [ $# = 0 ]; then
+  if ! [ $(id -u) = 0 ]; then
+    make -j16 MODE= \
+         o//examples/ls.com \
+         o//examples/curl.com \
+         o//examples/life.com \
+         o//examples/hello.com \
+         o//examples/printargs.com \
+         o//tool/build/pledge.com || exit
+    make -j16 MODE=$m \
+         o/$m/examples/ls.com \
+         o/$m/examples/curl.com \
+         o/$m/examples/life.com \
+         o/$m/examples/hello.com \
+         o/$m/examples/printargs.com \
+         o/$m/tool/build/pledge.com || exit
+    test/tool/build/pledge_test.sh ape_binfmt_test_suite || exit
+    test/tool/build/pledge_test.sh ape_loader_test_suite || exit
+    test/tool/build/pledge_test.sh ape_assimilated_test_suite || exit
+    test/tool/build/pledge_test.sh ape_native_test_suite || exit
+    sudo test/tool/build/pledge_test.sh setuid_setup || exit
+    test/tool/build/pledge_test.sh setuid_test_suite || exit
+  else
+    echo need to run as an unprivileged user with sudo access >&2
+    exit 1
+  fi
+fi
+
+check() {
+  if [ $? = 0 ]; then
+    printf '\e[32mok\e[0m\n'
+  else
+    echo failed >&2
+    exit 1
+  fi
+}
+
+startit() {
+  printf 'testing %-30s ' "$*" >&2
+}
+
+checkem() {
+  if [ $? = 0 ]; then
+    printf '\e[1;32mOK\e[0m\n'
+  else
+    printf '\e[1;31mFAILED\e[0m\n'
+    exit 1
+  fi
+}
+
+if [ "$1" = setuid_setup ]; then
+
+  rm -rf $t || exit
+  mkdir -p $t || exit
+  chmod 01777 $t || exit
+  cp o/$m/tool/build/pledge.com $t || exit
+  chmod 06755 $t/pledge.com || exit
+
+elif [ "$1" = ape_binfmt_test_suite ]; then
+
+  ape/apeinstall.sh >/dev/null 2>&1
+
+  startit ape binfmt life.com
+  o//tool/build/pledge.com -p 'stdio rpath prot_exec' o//examples/life.com
+  [ $? = 42 ]
+  checkem
+
+  startit ape binfmt hello.com
+  [ "$(o//tool/build/pledge.com -p 'stdio rpath prot_exec' o//examples/hello.com)" = "hello world" ]
+  checkem
+
+  startit ape binfmt curl.com
+  [ "$(o//tool/build/pledge.com -p 'stdio inet dns rpath prot_exec' o//examples/curl.com https://justine.lol/hello.txt)" = "hello world" ]
+  checkem
+
+elif [ "$1" = ape_loader_test_suite ]; then
+
+  ape/apeuninstall.sh >/dev/null 2>&1
+
+  startit ape loader life.com
+  o//tool/build/pledge.com -p 'stdio rpath prot_exec' o//examples/life.com
+  [ $? = 42 ]
+  checkem
+
+  startit ape loader hello.com
+  [ "$(o//tool/build/pledge.com -p 'stdio rpath prot_exec' o//examples/hello.com)" = "hello world" ]
+  checkem
+
+  startit ape loader curl.com
+  [ "$(o//tool/build/pledge.com -p 'stdio inet dns rpath prot_exec' o//examples/curl.com https://justine.lol/hello.txt)" = "hello world" ]
+  checkem
+
+  ape/apeinstall.sh >/dev/null 2>&1
+
+elif [ "$1" = ape_assimilated_test_suite ]; then
+
+  mkdir -p $t/assimilated
+
+  startit ape assimilated life.com
+  cp o//examples/life.com $t/assimilated
+  o//tool/build/assimilate.com $t/assimilated/life.com
+  o/$m/tool/build/pledge.com -p 'stdio' $t/assimilated/life.com
+  [ $? = 42 ]
+  checkem
+
+  startit ape assimilated hello.com
+  cp o//examples/hello.com $t/assimilated
+  o//tool/build/assimilate.com $t/assimilated/hello.com
+  [ "$(o/$m/tool/build/pledge.com -p 'stdio' $t/assimilated/hello.com)" = "hello world" ]
+  checkem
+
+  startit ape assimilated curl.com
+  cp o//examples/curl.com $t/assimilated
+  o//tool/build/assimilate.com $t/assimilated/curl.com
+  [ "$(o/$m/tool/build/pledge.com -p 'stdio inet dns' $t/assimilated/curl.com https://justine.lol/hello.txt)" = "hello world" ]
+  checkem
+
+elif [ "$1" = ape_native_test_suite ]; then
+
+  startit ape native life.com
+  o/$m/tool/build/pledge.com -p 'stdio' o/$m/examples/life.com
+  [ $? = 42 ]
+  checkem
+
+  startit ape native hello.com
+  [ "$(o/$m/tool/build/pledge.com -p 'stdio' o/$m/examples/hello.com)" = "hello world" ]
+  checkem
+
+  startit ape native curl.com
+  [ "$(o/$m/tool/build/pledge.com -p 'stdio inet dns' o/$m/examples/curl.com https://justine.lol/hello.txt)" = "hello world" ]
+  checkem
+
+elif [ "$1" = setuid_test_suite ]; then
+
+  startit setuid life.com
+  $t/pledge.com -p 'stdio' o/$m/examples/life.com
+  [ $? = 42 ]
+  checkem
+
+  startit setuid hello.com
+  [ "$($t/pledge.com -p 'stdio' o/$m/examples/hello.com)" = "hello world" ]
+  checkem
+
+  startit setuid curl.com
+  [ "$($t/pledge.com -p 'stdio inet dns' o/$m/examples/curl.com https://justine.lol/hello.txt)" = "hello world" ]
+  checkem
+
+  startit setuid getuid
+  [ "$($t/pledge.com -pstdio o/$m/examples/printargs.com 2>&1 | grep getuid | grep -o [[:digit:]]*)" = "$(id -u)" ]
+  checkem
+
+  startit setuid geteuid
+  [ "$($t/pledge.com -pstdio o/$m/examples/printargs.com 2>&1 | grep geteuid | grep -o [[:digit:]]*)" = "$(id -u)" ]
+  checkem
+
+  startit setuid no capabilities
+  [ "$($t/pledge.com -pstdio o/$m/examples/printargs.com 2>&1 | grep CAP_ | wc -l)" = 0 ]
+  checkem
+
+  startit setuid maximum nice
+  $t/pledge.com -np 'stdio proc' o/$m/examples/printargs.com 2>&1 | grep SCHED_IDLE >/dev/null
+  checkem
+
+  startit setuid chroot
+  mkdir $t/jail &&
+  touch $t/jail/hi &&
+  cp o/$m/examples/ls.com $t/jail &&
+  $t/pledge.com -v / -c $t/jail -p 'stdio rpath' /ls.com / | grep 'DT_REG     /hi' >/dev/null
+  checkem
+
+fi

tool/build/pledge.c

@@ -17,6 +17,7 @@
 │ PERFORMANCE OF THIS SOFTWARE.                                                │
 ╚─────────────────────────────────────────────────────────────────────────────*/
 #include "libc/bits/bits.h"
+#include "libc/bits/safemacros.internal.h"
 #include "libc/calls/calls.h"
 #include "libc/calls/landlock.h"
 #include "libc/calls/struct/rlimit.h"
@@ -56,6 +57,11 @@
 #include "libc/x/x.h"
 #include "third_party/getopt/getopt.h"
 
+// MANUALLY TESTED BY RUNNING
+//
+//     test/tool/build/pledge_test.sh
+//
+
 STATIC_YOINK("strerror_wr");
 
 #define USAGE \
@@ -94,7 +100,7 @@ usage: pledge.com [-hnN] PROG ARGS...\n\
      - vminfo: allows /proc/stat, /proc/self/maps, etc.\n\
      - tmppath: allows /tmp, $TMPPATH, lstat, unlink\n\
 \n\
-pledge.com v1.1\n\
+pledge.com v1.2\n\
 copyright 2022 justine alexandra roberts tunney\n\
 https://twitter.com/justinetunney\n\
 https://linkedin.com/in/jtunney\n\
@@ -352,19 +358,20 @@ void Unveil(const char *path, const char *perm) {
   }
 }
 
-void UnveilIfExists(const char *path, const char *perm) {
+int UnveilIfExists(const char *path, const char *perm) {
   int err;
   if (path) {
     err = errno;
-    if (unveil(path, perm) == -1) {
-      if (errno == ENOENT) {
-        errno = err;
-      } else {
-        kprintf("error: unveil(%#s, %#s) failed: %m\n", path, perm);
-        _Exit(20);
-      }
+    if (unveil(path, perm) != -1) {
+      return 0;
+    } else if (errno == ENOENT) {
+      errno = err;
+    } else {
+      kprintf("error: unveil(%#s, %#s) failed: %m\n", path, perm);
+      _Exit(20);
     }
   }
+  return -1;
 }
 
 void MakeProcessNice(void) {
@@ -386,6 +393,7 @@ void MakeProcessNice(void) {
 }
 
 void ApplyFilesystemPolicy(unsigned long ipromises) {
+  const char *p;
 
   if (!SupportsLandlock()) {
     if (unveils.n) {
@@ -460,7 +468,12 @@ void ApplyFilesystemPolicy(unsigned long ipromises) {
   }
 
   if (~ipromises & (1ul << PROMISE_PROT_EXEC)) {
-    UnveilIfExists("/usr/bin/ape", "rx");
+    if (UnveilIfExists("/usr/bin/ape", "rx") == -1) {
+      UnveilIfExists(xjoinpaths(firstnonnull(getenv("TMPDIR"),
+                                             firstnonnull(getenv("HOME"), ".")),
+                                ".ape"),
+                     "rx");
+    }
   }
 
   if (~ipromises & (1ul << PROMISE_VMINFO)) {
@@ -552,15 +565,6 @@ int main(int argc, char *argv[]) {
   owneruid = geteuid();
   hasfunbits = usergid != ownergid || useruid != owneruid;
 
-  if (g_dontdrop) {
-    if (hasfunbits) {
-      kprintf("error: -D flag forbidden on setuid binaries\n");
-      _Exit(6);
-    }
-  } else {
-    DropCapabilities();
-  }
-
   if (hasfunbits) {
     setuid(owneruid);
     setgid(ownergid);
@@ -575,7 +579,7 @@ int main(int argc, char *argv[]) {
   }
 
   // check if user has permission to chroot directory
-  if (hasfunbits) {
+  if (hasfunbits && g_chroot) {
     oldfsuid = setfsuid(useruid);
     oldfsgid = setfsgid(usergid);
     if (access(g_chroot, R_OK) == -1) {
@@ -612,6 +616,15 @@ int main(int argc, char *argv[]) {
     setfsgid(oldfsgid);
   }
 
+  if (g_dontdrop) {
+    if (hasfunbits) {
+      kprintf("error: -D flag forbidden on setuid binaries\n");
+      _Exit(6);
+    }
+  } else {
+    DropCapabilities();
+  }
+
   // set group id
   if (usergid != ownergid) {
     // setgid binaries must use the gid of the user that ran it

tool/net/help.txt

@@ -3930,12 +3930,13 @@ UNIX MODULE
 
     exec
 
-      Allows execve, access, faccessat, openat(O_RDONLY).
+      Allows execve.
 
-      If the executable in question needs a loader, then you may need
-      "prot_exec" too. With APE, security will be stronger if you
+      If the executable in question needs a loader, then you will need
+      "rpath prot_exec" too. With APE, security is strongest when you
       assimilate your binaries beforehand, using the --assimilate flag,
-      or the o//tool/build/assimilate.com program.
+      or the o//tool/build/assimilate.com program. On OpenBSD this is
+      mandatory.
 
     prot_exec