mirror of
https://github.com/jart/cosmopolitan.git
synced 2025-05-27 15:52:28 +00:00
Improve pledge() and unveil() further
- Fix getpriority()
- Add AT_MINSIGSTKSZ
- Fix bugs in BPF code
- Show more stuff in printargs.com
- Write manual test for pledge.com
- pledge() now generates tinier BPF code
- Have pledge("exec") only enable execve()
- Fix pledge.com chroot setuid functionality
- Improve pledge.com unveiling of ape loader
This commit is contained in:
Justine Tunney
parent
31ac58a57b
commit
f968e2a726
17 changed files with 722 additions and 412 deletions
|
|
@ -23,7 +23,7 @@
|
|||
#include "libc/x/x.h"
|
||||
|
||||
__attribute__((__constructor__)) static void init(void) {
|
||||
pledge("stdio rpath tty", 0);
|
||||
pledge("stdio rpath tty proc", 0);
|
||||
errno = 0;
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -22,6 +22,7 @@
|
|||
#include "libc/dce.h"
|
||||
#include "libc/errno.h"
|
||||
#include "libc/intrin/kprintf.h"
|
||||
#include "libc/limits.h"
|
||||
#include "libc/runtime/runtime.h"
|
||||
#include "libc/sysv/consts/sched.h"
|
||||
#include "libc/testlib/testlib.h"
|
||||
|
|
@ -53,6 +54,10 @@ bool CanTuneRealtimeSchedulers(void) {
|
|||
}
|
||||
}
|
||||
|
||||
TEST(sched_getscheduler, einval) {
|
||||
ASSERT_SYS(IsLinux() ? EINVAL : ESRCH, -1, sched_getscheduler(INT_MIN));
|
||||
}
|
||||
|
||||
TEST(sched_setscheduler, test) {
|
||||
struct sched_param p = {sched_get_priority_min(SCHED_OTHER)};
|
||||
EXPECT_SYS(0, DEFAULT_POLICY, sched_setscheduler(0, SCHED_OTHER, &p));
|
||||
|
|
|
|||
|
|
@ -372,7 +372,6 @@ TEST(pledge, chmod_ignoresDangerBits) {
|
|||
TEST(pledge, open_rpath) {
|
||||
if (IsOpenbsd()) return; // b/c testing linux bpf
|
||||
int ws, pid;
|
||||
struct stat st;
|
||||
ASSERT_SYS(0, 0, touch("foo", 0644));
|
||||
ASSERT_NE(-1, (pid = fork()));
|
||||
if (!pid) {
|
||||
|
|
@ -389,7 +388,6 @@ TEST(pledge, open_rpath) {
|
|||
TEST(pledge, open_wpath) {
|
||||
if (IsOpenbsd()) return; // b/c testing linux bpf
|
||||
int ws, pid;
|
||||
struct stat st;
|
||||
ASSERT_SYS(0, 0, touch("foo", 0644));
|
||||
ASSERT_NE(-1, (pid = fork()));
|
||||
if (!pid) {
|
||||
|
|
@ -426,7 +424,6 @@ TEST(pledge, open_cpath) {
|
|||
TEST(pledge, sigaction_isFineButForbidsSigsys) {
|
||||
if (IsOpenbsd()) return; // b/c testing linux bpf
|
||||
int ws, pid;
|
||||
struct stat st;
|
||||
ASSERT_NE(-1, (pid = fork()));
|
||||
if (!pid) {
|
||||
ASSERT_SYS(0, 0, pledge("stdio", 0));
|
||||
|
|
@ -442,7 +439,6 @@ TEST(pledge, sigaction_isFineButForbidsSigsys) {
|
|||
TEST(pledge, execpromises_ok) {
|
||||
if (IsOpenbsd()) return; // b/c testing linux bpf
|
||||
int ws, pid;
|
||||
struct stat st;
|
||||
ASSERT_NE(-1, (pid = fork()));
|
||||
if (!pid) {
|
||||
ASSERT_SYS(0, 0, pledge("stdio exec", "stdio"));
|
||||
|
|
@ -457,7 +453,6 @@ TEST(pledge, execpromises_ok) {
|
|||
TEST(pledge, execpromises_notok) {
|
||||
if (IsOpenbsd()) return; // b/c testing linux bpf
|
||||
int ws, pid;
|
||||
struct stat st;
|
||||
ASSERT_NE(-1, (pid = fork()));
|
||||
if (!pid) {
|
||||
ASSERT_SYS(0, 0, pledge("stdio exec", "stdio"));
|
||||
|
|
@ -472,7 +467,6 @@ TEST(pledge, execpromises_notok) {
|
|||
TEST(pledge, execpromises_reducesAtExecOnLinux) {
|
||||
if (IsOpenbsd()) return; // b/c testing linux bpf
|
||||
int ws, pid;
|
||||
struct stat st;
|
||||
ASSERT_NE(-1, (pid = fork()));
|
||||
if (!pid) {
|
||||
ASSERT_SYS(0, 0, pledge("stdio inet tty exec", "stdio tty"));
|
||||
|
|
@ -487,7 +481,6 @@ TEST(pledge, execpromises_reducesAtExecOnLinux) {
|
|||
TEST(pledge_openbsd, execpromisesIsNull_letsItDoAnything) {
|
||||
if (!IsOpenbsd()) return;
|
||||
int ws, pid;
|
||||
struct stat st;
|
||||
ASSERT_NE(-1, (pid = fork()));
|
||||
if (!pid) {
|
||||
ASSERT_SYS(0, 0, pledge("stdio exec", 0));
|
||||
|
|
@ -502,7 +495,6 @@ TEST(pledge_openbsd, execpromisesIsNull_letsItDoAnything) {
|
|||
TEST(pledge_openbsd, execpromisesIsSuperset_letsItDoAnything) {
|
||||
if (!IsOpenbsd()) return;
|
||||
int ws, pid;
|
||||
struct stat st;
|
||||
ASSERT_NE(-1, (pid = fork()));
|
||||
if (!pid) {
|
||||
ASSERT_SYS(0, 0, pledge("stdio rpath exec", "stdio rpath tty inet"));
|
||||
|
|
@ -522,7 +514,6 @@ TEST(pledge_linux, execpromisesIsSuperset_notPossible) {
|
|||
TEST(pledge_openbsd, execpromises_notok) {
|
||||
if (!IsOpenbsd()) return;
|
||||
int ws, pid;
|
||||
struct stat st;
|
||||
ASSERT_NE(-1, (pid = fork()));
|
||||
if (!pid) {
|
||||
ASSERT_SYS(0, 0, pledge("stdio exec", "stdio"));
|
||||
|
|
@ -537,7 +528,6 @@ TEST(pledge_openbsd, execpromises_notok) {
|
|||
TEST(pledge_openbsd, bigSyscalls) {
|
||||
if (IsOpenbsd()) return; // testing lunix
|
||||
int ws, pid;
|
||||
struct stat st;
|
||||
ASSERT_NE(-1, (pid = fork()));
|
||||
if (!pid) {
|
||||
ASSERT_SYS(0, 0, pledge("stdio", 0));
|
||||
|
|
@ -572,6 +562,25 @@ TEST(pledge, threadWithLocks_canCodeMorph) {
|
|||
EXPECT_EQ(0, WEXITSTATUS(ws));
|
||||
}
|
||||
|
||||
TEST(pledge, execWithoutRpath) {
|
||||
int ws, pid;
|
||||
ASSERT_SYS(0, 0, touch("foo", 0644));
|
||||
ASSERT_NE(-1, (pid = fork()));
|
||||
if (!pid) {
|
||||
ASSERT_SYS(0, 0, pledge("stdio prot_exec exec", "stdio prot_exec exec"));
|
||||
ASSERT_SYS(EPERM, -1, open("foo", O_RDONLY));
|
||||
_Exit(0);
|
||||
}
|
||||
EXPECT_NE(-1, wait(&ws));
|
||||
if (IsOpenbsd()) {
|
||||
EXPECT_TRUE(WIFSIGNALED(ws));
|
||||
EXPECT_EQ(SIGABRT, WTERMSIG(ws));
|
||||
} else {
|
||||
EXPECT_TRUE(WIFEXITED(ws));
|
||||
EXPECT_EQ(0, WEXITSTATUS(ws));
|
||||
}
|
||||
}
|
||||
|
||||
BENCH(pledge, bench) {
|
||||
int pid;
|
||||
if (!fork()) {
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue