77f9272aaf
This feature was introduced in version 4.17 of the Linux kernel, and while it's not specified by POSIX, I think it will be a nice addition to our system. MAP_FIXED_NOREPLACE provides a less error-prone alternative to MAP_FIXED: while regular fixed mappings would cause any intersecting ranges to be unmapped, MAP_FIXED_NOREPLACE returns EEXIST instead. This ensures that we don't corrupt our process's address space if something is already at the requested address. Note that the more portable way to do this is to use regular MAP_ANONYMOUS, and check afterwards whether the returned address matches what we wanted. This, however, has a large performance impact on programs like Wine which try to reserve large portions of the address space at once, as the non-matching addresses have to be unmapped separately.
3.3 KiB
Name
pledge - reduce process capabilities
Synopsis
#include <unistd.h>
int pledge(const char* promises, const char* execpromises);
Description
pledge() makes a promise to the kernel that from this moment on, the calling process will only use a subset of system functionality.
Functionality is divided into a curated set of promises (described below), which can be combined to cover the program's needs. Both arguments are space-separated lists of promises.
Note that pledge() can be called repeatedly to remove previously-pledged promises, but it can never regain capabilities once lost.
promises are applied to the current process, and will also be inherited by children created by fork(2).
execpromises are applied if/when a new process image is created with exec(2).
If promises or execpromises is null, the corresponding value is unchanged.
If the process later attempts to use any system functionality it has previously promised not to use, the process is instantly terminated. Note that a process that has not ever called pledge() is considered to not have made any promises, and is allowed use any system functionality (subject to regular permission checks).
pledge() is intended to be used in programs that want to sandbox themselves, either to limit the impact of a possible vulnerability exploitation, or before intentionally executing untrusted code.
Promises
stdio: Basic I/O, memory allocation, information about self, various non-destructive syscallsthread: The POSIX threading API (*)id: Ability to change UID/GIDtty: TTY related functionalityproc: Process and scheduling related functionalityexec: Theexec(2) syscallunix: UNIX local domain socketsinet: IPv4 domain socketsaccept: May useaccept(2) to accept incoming socket connections on already listening sockets (*)rpath: "Read" filesystem accesswpath: "Write" filesystem accesscpath: "Create" filesystem accessdpath: Creating new device fileschown: Changing file owner/groupfattr: Changing file attributes/permissionsvideo: May useioctl(2) andmmap(2) on framebuffer video devicessettime: Changing the system time and datesetkeymap: Changing the system keyboard layout (*)sigaction: Change signal handlers and dispositions (*)sendfd: Send file descriptors over a local socketrecvfd: Receive file descriptors over a local socketptrace: Theptrace(2) syscall (*)prot_exec:mmap(2) andmprotect(2) withPROT_EXECmap_fixed:mmap(2) withMAP_FIXEDorMAP_FIXED_NOREPLACE(*)
Promises marked with an asterisk (*) are SerenityOS specific extensions not supported by the original OpenBSD pledge().
Errors
EFAULT:promisesand/orexecpromisesare not null and not in readable memory.EINVAL: One or more invalid promises were specified.EPERM: An attempt to increase capabilities was rejected.
History
The pledge() system call was first introduced by OpenBSD. The implementation in SerenityOS differs in many ways and is by no means final.