Open rsms opened 4 months ago
Pledging tty and rpath makes it work as well:
$ pledge -p "stdio" /bin/date
Bad system call
$ pledge -p "stdio rpath" /bin/date
Bad system call
$ pledge -p "stdio tty" /bin/date
Bad system call
$ pledge -p "stdio rpath tty" /bin/date
Mon Apr 29 23:36:15 UTC 2024
/bin/date is busybox — perhaps busybox reads the file system and calls e.g. SYS_ioctl TIOCGWINSZ on every invocation..?
Edit: Ah, yes indeed it reads /etc/localtime and queries TIOCGWINSZ:
$ strace /bin/date
execve("/bin/date", ["/bin/date"], 0xffffe81ab850 /* 18 vars */) = 0
set_tid_address(0x3b4a50) = 29898
getuid() = 0
openat(AT_FDCWD, "/etc/localtime", O_RDONLY|O_NONBLOCK|O_LARGEFILE|O_CLOEXEC) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=114, ...}) = 0
mmap(NULL, 114, PROT_READ, MAP_SHARED, 3, 0) = 0xffff89e4b000
close(3) = 0
ioctl(1, TIOCGWINSZ, {ws_row=55, ws_col=100, ws_xpixel=0, ws_ypixel=0}) = 0
writev(1, [{iov_base="Mon Apr 29 23:37:55 UTC 2024", iov_len=28}, {iov_base="\n", iov_len=1}], 2Mon Apr 29 23:37:55 UTC 2024
) = 29
exit_group(0) = ?
+++ exited with 0 +++
Busybox programs queries TIOCGWINSZ on startup, meaning benign commands like
seq
needs to pledge "tty". Failing to do so causes pledge to "silently" fail, printing "Bad system call" (no error messages reported.)Original issue:
On a barebones musl (Linux 6.5.8)
The culprit seems to be
__pledge_mode & PLEDGE_STDERR_LOGGING
https://github.com/jart/pledge/blob/8693ebe15a30bd4235165ad72a469da29ca067cf/cmd/pledge.c#L841
since if I pass
-q
to pledge, exec works as expected:Additionally, passing
-k
to pledge (sets __pledge_mode = PLEDGE_PENALTY_KILL_PROCESS) also results in "Bad system call", even with-q
:If I disable "implicit exec" by commenting out these lines...
https://github.com/jart/pledge/blob/8693ebe15a30bd4235165ad72a469da29ca067cf/cmd/pledge.c#L838-L843
... execv fails with the expected "Operation not permitted" error message:
~The least messy fix I've come up with is to always include a SECCOMP_RET_ERRNO filter:~ Edit: I realize now that this patch breaks stuff (as it returns early)
(Note: /bin/date in this example is a static executable, so sandbox.so is not involved)
Linux 6.5.8 is built with: