libos: Add a pledge wrapper

2023-08-14 10:45:00 +02:00 · 2023-08-14 10:45:00 +02:00 · 9954fc1658
commit 9954fc1658
parent a98df9e743
3 changed files with 71 additions and 0 deletions
--- a/libos/CMakeLists.txt
+++ b/libos/CMakeLists.txt
@ -13,6 +13,7 @@ set(SOURCES
    src/Path.cpp
    src/Mode.cpp
    src/Prompt.cpp
+    src/Security.cpp
 )

 add_library(os ${SOURCES})
--- a/libos/include/os/Security.h
+++ b/libos/include/os/Security.h
@ -0,0 +1,48 @@
+/**
+ * @file Security.h
+ * @author apio (cloudapio.eu)
+ * @brief Functions to restrict process operations.
+ *
+ * @copyright Copyright (c) 2023, the Luna authors.
+ *
+ */
+
+#pragma once
+#include <luna/Result.h>
+
+namespace os
+{
+    namespace Security
+    {
+        /**
+         * @brief Restrict system operations.
+         *
+         * The pledge() call, borrowed from OpenBSD, is a simple function to sandbox a process effectively.
+         *
+         * Syscalls are divided into a number of categories ("promises"), the following are the ones implemented on
+         * Luna: stdio rpath wpath cpath fattr chown unix tty proc exec prot_exec id mount signal host error
+         *
+         * The way pledge() works is: the process "tells" the kernel which subset of functions it will use, and if it
+         * suddenly uses something it has not promised (probably because the process was hacked, using ROP or something
+         * else) the kernel kills the process immediately with an uncatchable SIGABRT. Alternatively, if the process has
+         * pledged the "error" promise, the call will fail with ENOSYS.
+         *
+         * Pledges are not inherited across exec, although one may specify another set of promises to apply on the next
+         * execve() call. Thus, pledge() is not a way to restrict untrusted programs (unless the "exec" pledge is
+         * removed), but more of a way to protect trusted local programs from vulnerabilities.
+         *
+         * One may call pledge() several times, but only to remove promises, not to add them.
+         *
+         * A typical call to pledge would look like this:
+         *
+         *   TRY(os::Security::pledge("stdio rpath wpath unix proc", nullptr));
+         *
+         * @param promises The promises to apply immediately, separated by spaces. If empty, the process may only call
+         * _exit(2). If NULL, the promises are not changed.
+         * @param execpromises The promises to apply on the next call to execve(2), separated by spaces. If empty, the
+         * process may only call _exit(2). If NULL, the execpromises are not changed.
+         * @return Result<void> Whether the operation succeded.
+         */
+        Result<void> pledge(const char* promises, const char* execpromises);
+    }
+}
--- a/libos/src/Security.cpp
+++ b/libos/src/Security.cpp
@ -0,0 +1,22 @@
+/**
+ * @file Security.cpp
+ * @author apio (cloudapio.eu)
+ * @brief Functions to restrict process operations.
+ *
+ * @copyright Copyright (c) 2023, the Luna authors.
+ *
+ */
+
+#include <errno.h>
+#include <os/Security.h>
+#include <unistd.h>
+
+namespace os::Security
+{
+    Result<void> pledge(const char* promises, const char* execpromises)
+    {
+        int rc = ::pledge(promises, execpromises);
+        if (rc < 0) return err(errno);
+        return {};
+    }
+}