libos: Add a pledge wrapper

2023-08-14 10:45:00 +02:00 · 2023-08-14 10:45:00 +02:00 · 9954fc1658
commit 9954fc1658
parent a98df9e743
3 changed files with 71 additions and 0 deletions
--- a/libos/CMakeLists.txt
+++ b/libos/CMakeLists.txt
@ -13,6 +13,7 @@ set(SOURCES
    src/Path.cpp
    src/Mode.cpp
    src/Prompt.cpp
    src/Security.cpp
 )
 add_library(os ${SOURCES})
--- a/libos/include/os/Security.h
+++ b/libos/include/os/Security.h
@ -0,0 +1,48 @@
 /**
 * @file Security.h
 * @author apio (cloudapio.eu)
 * @brief Functions to restrict process operations.
 *
 * @copyright Copyright (c) 2023, the Luna authors.
 *
 */
 #pragma once
 #include <luna/Result.h>
 namespace os
 {
    namespace Security
    {
        /**
         * @brief Restrict system operations.
         *
         * The pledge() call, borrowed from OpenBSD, is a simple function to sandbox a process effectively.
         *
         * Syscalls are divided into a number of categories ("promises"), the following are the ones implemented on
         * Luna: stdio rpath wpath cpath fattr chown unix tty proc exec prot_exec id mount signal host error
         *
         * The way pledge() works is: the process "tells" the kernel which subset of functions it will use, and if it
         * suddenly uses something it has not promised (probably because the process was hacked, using ROP or something
         * else) the kernel kills the process immediately with an uncatchable SIGABRT. Alternatively, if the process has
         * pledged the "error" promise, the call will fail with ENOSYS.
         *
         * Pledges are not inherited across exec, although one may specify another set of promises to apply on the next
         * execve() call. Thus, pledge() is not a way to restrict untrusted programs (unless the "exec" pledge is
         * removed), but more of a way to protect trusted local programs from vulnerabilities.
         *
         * One may call pledge() several times, but only to remove promises, not to add them.
         *
         * A typical call to pledge would look like this:
         *
         *   TRY(os::Security::pledge("stdio rpath wpath unix proc", nullptr));
         *
         * @param promises The promises to apply immediately, separated by spaces. If empty, the process may only call
         * _exit(2). If NULL, the promises are not changed.
         * @param execpromises The promises to apply on the next call to execve(2), separated by spaces. If empty, the
         * process may only call _exit(2). If NULL, the execpromises are not changed.
         * @return Result<void> Whether the operation succeded.
         */
        Result<void> pledge(const char* promises, const char* execpromises);
    }
 }
--- a/libos/src/Security.cpp
+++ b/libos/src/Security.cpp
@ -0,0 +1,22 @@
 /**
 * @file Security.cpp
 * @author apio (cloudapio.eu)
 * @brief Functions to restrict process operations.
 *
 * @copyright Copyright (c) 2023, the Luna authors.
 *
 */
 #include <errno.h>
 #include <os/Security.h>
 #include <unistd.h>
 namespace os::Security
 {
    Result<void> pledge(const char* promises, const char* execpromises)
    {
        int rc = ::pledge(promises, execpromises);
        if (rc < 0) return err(errno);
        return {};
    }
 }