PLEDGE: Move to metadata, add getdents, initial error support (#4232)

- Moved to metadata flags, got rid of stat too
- Added getdents64 to tracing and it is also wrapped in the enforcer
- Moved rel2abspath to list_util
- Updated the tracing and enforcing to be logically consistent, for
  example, open is now metadata

Author: arctangerines

devel/pledge/README.md

@@ -44,29 +44,32 @@ Tracer [cat.sample.c]: Contract generated   -> cat.sample.c.contract
 The most important file here is the contract file, if we `cat` it we get:
 
 ```
-action        path          count
-R             </usr/bin/cat> 1
-S             </usr/lib/debug> 1
-R             </etc/ld.so.cache> 2
-+             </usr/lib/aarch64-linux-gnu/libc.so.6> 4
-R             </usr/lib/locale/locale-archive> 2
-R             </etc/locale.alias> 3
-R             </usr/lib/locale/C.utf8/LC_IDENTIFICATION> 2
-R             </usr/lib/aarch64-linux-gnu/gconv/gconv-modules.cache> 2
-R             </usr/lib/locale/C.utf8/LC_MEASUREMENT> 2
-R             </usr/lib/locale/C.utf8/LC_TELEPHONE> 2
-R             </usr/lib/locale/C.utf8/LC_ADDRESS> 2
-R             </usr/lib/locale/C.utf8/LC_NAME> 2
-R             </usr/lib/locale/C.utf8/LC_PAPER> 2
-R             </usr/lib/locale/C.utf8/LC_MESSAGES> 1
-R             </usr/lib/locale/C.utf8/LC_MESSAGES/SYS_LC_MESSAGES> 2
-R             </usr/lib/locale/C.utf8/LC_MONETARY> 2
-R             </usr/lib/locale/C.utf8/LC_COLLATE> 2
-R             </usr/lib/locale/C.utf8/LC_TIME> 2
-R             </usr/lib/locale/C.utf8/LC_NUMERIC> 2
-R             </usr/lib/locale/C.utf8/LC_CTYPE> 2
-R             </home/user/dummy/sample.c> 3
-W             </dev/pts/0> 1
+Access       <Path>         Count
+R            </usr/bin/cat> 1
+M            </usr/lib/debug/libc.so.6> 1
+M            </usr/lib/debug/> 1
+MR           </etc/ld.so.cache> 2
+MRW          </usr/lib/aarch64-linux-gnu/libc.so.6> 4
+MR           </usr/lib/locale/locale-archive> 2
+MR           </etc/locale.alias> 3
+ME           </usr/lib/locale/C.UTF-8/LC_IDENTIFICATION> 1
+MR           </usr/lib/locale/C.utf8/LC_IDENTIFICATION> 2
+MR           </usr/lib/aarch64-linux-gnu/gconv/gconv-modules.cache> 2
+MR           </usr/lib/locale/C.utf8/LC_MEASUREMENT> 2
+MR           </usr/lib/locale/C.utf8/LC_TELEPHONE> 2
+MR           </usr/lib/locale/C.utf8/LC_ADDRESS> 2
+MR           </usr/lib/locale/C.utf8/LC_NAME> 2
+MR           </usr/lib/locale/C.utf8/LC_PAPER> 2
+M            </usr/lib/locale/C.utf8/LC_MESSAGES> 1
+MR           </usr/lib/locale/C.utf8/LC_MESSAGES/SYS_LC_MESSAGES> 2
+MR           </usr/lib/locale/C.utf8/LC_MONETARY> 2
+MR           </usr/lib/locale/C.utf8/LC_COLLATE> 2
+MR           </usr/lib/locale/C.utf8/LC_TIME> 2
+MR           </usr/lib/locale/C.utf8/LC_NUMERIC> 2
+MR           </usr/lib/locale/C.utf8/LC_CTYPE> 2
+MR           </home/user/dummy/sample.c> 3
+W            </dev/pts/0> 1
+
 ```
 
 ### Enforcer

devel/pledge/TODO

@@ -2,3 +2,5 @@
 * We need to trace failed calls (we should start with ENOENT)
 * Dependency graph of our own?
 * mprotect
+* pipes and unfinished
+* enforce()'ing needs a check up

devel/pledge/src/Makefile

@@ -8,11 +8,11 @@ TARGETS = $(LIBRARIES) $(PROGRAMS)
 
 EXTERNAL_DEPENDENCIES = $(CCTOOLS_HOME)/dttools/src/libdttools.a
 
-SOURCES = pledge.c list_util.c util.c enforcer.c
-COMMON_SRCS = list_util.c util.c
+SOURCES = pledge.c list_util.c enforcer.c
+COMMON_SRCS = list_util.c
 
 OBJECTS = list_util.o util.o pledge.o enforcer.o
-OBJECTS_PLEDGE = list_util.o util.o pledge.o
+OBJECTS_PLEDGE = list_util.o pledge.o
 
 # If we want to color output while enforcing
 # DEFS = -DCOLOR_ENFORCING

devel/pledge/src/enforcer.c

@@ -11,7 +11,6 @@
 #include <unistd.h>
 
 #include "list_util.h"
-#include "util.h"
 
 #ifdef COLOR_ENFORCING
 #define PINK "\033[38;5;198m"
@@ -44,39 +43,36 @@ void flag2letter(struct path_access *r, char *buff, size_t buff_len)
 		return;
 	}
 	memset(buff, 0, buff_len);
-	if (r->stat)
-		strncat(buff, "S", buff_len);
+	if (r->metadata)
+		strncat(buff, "M", buff_len);
 	if (r->create)
 		strncat(buff, "C", buff_len);
 	if (r->delete)
 		strncat(buff, "D", buff_len);
-	if (r->read && r->write)
-		strncat(buff, "+", buff_len);
-	else if (r->read)
+	if (r->read)
 		strncat(buff, "R", buff_len);
-	else if (r->write)
+	if (r->write)
 		strncat(buff, "W", buff_len);
 	if (r->list)
 		strncat(buff, "L", buff_len);
+	if (r->error)
+		strncat(buff, "E", buff_len);
 }
 
 // TODO: The bit flags need to be changed to a typedef so we can
 // change the bit count whenever
 uint8_t letter2bitflag(char x)
 {
 	switch (x) {
-	case 'S':
-		return STAT_ACCESS;
+	case 'M':
+		return METADATA_ACCESS;
 		break;
 	case 'R':
 		return READ_ACCESS;
 		break;
 	case 'W':
 		return WRITE_ACCESS;
 		break;
-	case '+':
-		return READ_ACCESS | WRITE_ACCESS;
-		break;
 	case 'C':
 		return CREATE_ACCESS;
 		break;
@@ -86,6 +82,9 @@ uint8_t letter2bitflag(char x)
 	case 'L':
 		return LIST_ACCESS;
 		break;
+	case 'E':
+		return ERROR_ACCESS;
+		break;
 	default:
 		return UNKOWN_ACCESS;
 		break;
@@ -365,11 +364,22 @@ bool enforce(const char *pathname,
 				a_perm);
 		PRINT_RESET_TERM_C();
 		return true;
-	} else if (a->stat && (keys & STAT_ACCESS)) {
+	} else if (a->metadata && (keys & METADATA_ACCESS)) {
 		flag2letter(a, a_perm, a_perm_len);
 		PRINT_GREEN();
 		fprintf(stderr,
-				"[ALLOWED STAT]: "
+				"[ALLOWED METADATA OPERATION]: "
+				"Path [%s] with permission [%s] is not in violation of the "
+				"contract.\n",
+				a->pathname,
+				a_perm);
+		PRINT_RESET_TERM_C();
+		return true;
+	} else if (a->list && (keys & LIST_ACCESS)) {
+		flag2letter(a, a_perm, a_perm_len);
+		PRINT_GREEN();
+		fprintf(stderr,
+				"[ALLOWED GETDENTS]: "
 				"Path [%s] with permission [%s] is not in violation of the "
 				"contract.\n",
 				a->pathname,
@@ -428,16 +438,9 @@ int open(const char *pathname,
 
 		path_perm |= CREATE_ACCESS;
 	}
+	path_perm |= METADATA_ACCESS;
 
 	// SECTION: Enforce
-	if ((flags & O_RDONLY) == O_RDONLY) // O_RDONLY flag is 0 under the hood
-	{
-		path_perm |= READ_ACCESS;
-	} else if (flags & O_WRONLY) {
-		path_perm |= WRITE_ACCESS;
-	} else if (flags & O_RDWR) {
-		path_perm |= READ_ACCESS | WRITE_ACCESS;
-	}
 	if (enforce(full_path, path_perm) != true) {
 		return -1;
 	}
@@ -517,33 +520,8 @@ fopen(const char *restrict pathname,
 	// SECTION: Enforcing
 	uint8_t perm_val = 0x0;
 	char mode_len = strlen(mode);
-	// We need to get the values out of the flags
-	if (strcmp(mode, "r") == 0) {
-		perm_val |= READ_ACCESS;
-	} else if (strcmp(mode, "w") == 0) {
-		perm_val |= WRITE_ACCESS;
-	} else if (strcmp(mode, "a") == 0) {
-		perm_val |= WRITE_ACCESS;
-	} else if (mode_len > 1) {
-		if (mode[1] == '+') {
-			perm_val |= READ_ACCESS | WRITE_ACCESS;
-			// b and + are not the only things we can to an fopen mode flag call
-			// theres also e, but for now we only want to treat + like its special
-			// b and e, we dont really concern ourselves
-		} else {
-			// not a fan of this
-			switch (mode[0]) {
-			case 'r':
-				perm_val |= READ_ACCESS;
-				break;
-			case 'w':
-				perm_val |= WRITE_ACCESS;
-				break;
-			}
-		}
-	} else {
-		fprintf(stderr, "FOPEN: Unkown permission [%s]\n", mode);
-	}
+
+	perm_val |= METADATA_ACCESS;
 
 	char full_path[MAXPATHLEN];
 	if (rel2abspath(full_path, pathname, MAXPATHLEN) == NULL) {
@@ -581,7 +559,7 @@ int stat(const char *restrict pathname,
 		// Couldn't convert so we fallback to pathname
 		strncpy(full_path, pathname, MAXPATHLEN);
 	}
-	enforce(full_path, STAT_ACCESS);
+	enforce(full_path, METADATA_ACCESS);
 
 	int (*real_stat)(const char *restrict pathname, struct stat *restrict statbuf);
 	real_stat = dlsym(RTLD_NEXT, "stat");
@@ -622,7 +600,7 @@ int fstatat(int dirfd,
 	// TODO: This could be made to only have 1 call to enforce instead of 2 in separate
 	// branches
 	if (dirfd == AT_FDCWD) {
-		enforce(full_path, STAT_ACCESS);
+		enforce(full_path, METADATA_ACCESS);
 	} else {
 		// Solve the dirfd and then glue it together with the absolute path
 		char fd_link[MAXPATHLEN];
@@ -638,7 +616,7 @@ int fstatat(int dirfd,
 		} else {
 			strcat(solved_path, pathname);
 		}
-		enforce(solved_path, STAT_ACCESS);
+		enforce(solved_path, METADATA_ACCESS);
 	}
 
 	int (*real_fstatat)(int dirfd, const char *restrict pathname, struct stat *restrict statbuf, int flags);
@@ -669,3 +647,24 @@ int remove(const char *pathname)
 	real_remove = dlsym(RTLD_NEXT, "remove");
 	return real_remove(pathname);
 }
+
+ssize_t getdents64(int fd, void *dirp, size_t count)
+{
+	char fd_link[BUFSIZ];
+	snprintf(fd_link, BUFSIZ, "/proc/self/fd/%d", fd);
+	char solved_path[BUFSIZ];
+	size_t solved_path_len = readlink(fd_link, solved_path, BUFSIZ);
+	solved_path[solved_path_len] = '\0';
+
+	PRINT_YELLOW();
+	fprintf(stderr, "[GETDENTS64]: Caught path: [%s]\n", solved_path);
+	PRINT_RESET_TERM_C();
+
+	if (enforce(solved_path, LIST_ACCESS) != true) {
+		return -1;
+	}
+
+	ssize_t (*real_getdents64)(int fd, void *dirp, size_t count);
+	real_getdents64 = dlsym(RTLD_NEXT, "getdents64");
+	return real_getdents64(fd, dirp, count);
+}

devel/pledge/src/list_util.c

@@ -1,5 +1,58 @@
 #include "list_util.h"
 
+/// Turn a relative path into an absolute path, based on CWD
+/// @param abs_p is the buffer where we will store the absolute path
+/// @param rel_p is the user given string
+/// @param size is the size/len of abs_p
+/// Return If the path does not need to be turned into an absolute path then we just
+/// copy to the abs_p buffer and return that
+/// TODO: Perhaps we do strlcpy/strlcat?
+char *
+rel2abspath(char *abs_p,
+		char *rel_p,
+		size_t size)
+{
+	if (rel_p == NULL) {
+		fprintf(stderr, "Attempted to turn an empty string into an absolute path.\n");
+		abs_p = NULL;
+		return NULL;
+	}
+	// Strnlen??
+	size_t rel_p_len = strlen(rel_p);
+	// current directory paths need to get expanded
+	// TODO: Integrate with dttools/path functions,
+	// no reason we can't have both
+	if (rel_p_len == 1) {
+		if (rel_p[0] == '.') {
+			realpath(rel_p, abs_p);
+			return abs_p;
+		}
+	}
+	if (rel_p_len >= 1) {
+		if (rel_p[0] != '/') {
+			// Check if its relative of the form ./
+			if (rel_p[0] == '.' && rel_p[1] == '/') {
+				rel_p = rel_p + 2;
+			}
+			// get cwd
+			if (getcwd(abs_p, size) == NULL) {
+				fprintf(stderr, "Attempt to obtain cwd failed.\n");
+				return rel_p;
+			}
+			size_t abs_p_len = strlen(abs_p);
+			if (abs_p[abs_p_len - 1] != '/') {
+				strncat(abs_p, "/", MAXPATHLEN);
+			}
+			strncat(abs_p, rel_p, MAXPATHLEN);
+			return abs_p;
+		}
+		strncpy(abs_p, rel_p, MAXPATHLEN);
+		return abs_p;
+	}
+	strncpy(abs_p, rel_p, MAXPATHLEN);
+	return abs_p;
+}
+
 /// Add a path_access node to our cctools list
 /// Perhaps this should return the temprary path_access var
 void new_path_access_node(struct list *c,
@@ -9,10 +62,11 @@ void new_path_access_node(struct list *c,
 	struct path_access *t = malloc(sizeof(struct path_access));
 	t->read = (access_fl & READ_ACCESS) ? true : false;
 	t->write = (access_fl & WRITE_ACCESS) ? true : false;
-	t->stat = (access_fl & STAT_ACCESS) ? true : false;
+	t->metadata = (access_fl & METADATA_ACCESS) ? true : false;
 	t->create = (access_fl & CREATE_ACCESS) ? true : false;
 	t->delete = (access_fl & DELETE_ACCESS) ? true : false;
 	t->list = (access_fl & LIST_ACCESS) ? true : false;
+	t->error = (access_fl & ERROR_ACCESS) ? true : false;
 	t->count = 1;
 
 	/// This string gotta be manually removed
@@ -78,8 +132,8 @@ update_path_perms(struct path_access *a,
 	if (access_fl & WRITE_ACCESS) {
 		a->write = true;
 	}
-	if (access_fl & STAT_ACCESS) {
-		a->stat = true;
+	if (access_fl & METADATA_ACCESS) {
+		a->metadata = true;
 	}
 	if (access_fl & CREATE_ACCESS) {
 		a->create = true;
@@ -90,6 +144,9 @@ update_path_perms(struct path_access *a,
 	if (access_fl & LIST_ACCESS) {
 		a->list = true;
 	}
+	if (access_fl & ERROR_ACCESS) {
+		a->list = true;
+	}
 	a->count += 1;
 	// USELESS?: Maybe remove this lol
 	return a;
@@ -130,25 +187,22 @@ void generate_contract_from_list(FILE *f, struct list *r)
 	fprintf(o, "%-12s %-14s %s\n", col1_title, col2_title, col3_title);
 	while ((a = list_next_item(r))) {
 		// THINK: This might need to become a function
-		if (a->stat)
-			strcat(perms, "S");
+		if (a->metadata)
+			strcat(perms, "M");
 		if (a->create)
 			strcat(perms, "C");
 		if (a->delete)
 			strcat(perms, "D");
-
-		/// TODO: We should rewrite the enforcer wrapper functions to
-		/// use 2 separate letters for RW permission and not +
-		if (a->read && a->write)
-			strcat(perms, "+");
-		else if (a->read)
+		if (a->read)
 			strcat(perms, "R");
-		else if (a->write)
+		if (a->write)
 			strcat(perms, "W");
-
 		if (a->list)
 			strcat(perms, "L");
 
+		if (a->error)
+			strcat(perms, "E");
+
 		fprintf(o, "%-12s <%s> %d\n", perms, a->pathname, a->count);
 
 		memset(perms, 0, sizeof(perms)); // reset