Kernel: Add "prot_exec" pledge promise and require it for PROT_EXEC

This prevents sys$mmap() and sys$mprotect() from creating executable
memory mappings in pledged programs that don't have this promise.

Note that the dynamic loader runs before pledging happens, so it's
unaffected by this.

Base/usr/share/man/man2/pledge.md

@@ -53,6 +53,7 @@ If the process later attempts to use any system functionality it has previously
 * `sendfd`: Send file descriptors over a local socket
 * `recvfd`: Receive file descriptors over a local socket
 * `ptrace`: The [`ptrace(2)`](ptrace.md) syscall (\*)
+* `prot_exec`: [`mmap(2)`](mmap.md) and [`mprotect(2)`](mprotect.md) with `PROT_EXEC` (\*)
 
 Promises marked with an asterisk (\*) are SerenityOS specific extensions not supported by the original OpenBSD `pledge()`.
 

Kernel/Process.h

@@ -81,7 +81,8 @@ extern VirtualAddress g_return_to_ring3_from_signal_trampoline;
     __ENUMERATE_PLEDGE_PROMISE(accept)    \
     __ENUMERATE_PLEDGE_PROMISE(settime)   \
     __ENUMERATE_PLEDGE_PROMISE(sigaction) \
-    __ENUMERATE_PLEDGE_PROMISE(setkeymap)
+    __ENUMERATE_PLEDGE_PROMISE(setkeymap) \
+    __ENUMERATE_PLEDGE_PROMISE(prot_exec)
 
 enum class Pledge : u32 {
 #define __ENUMERATE_PLEDGE_PROMISE(x) x,

Kernel/Syscalls/mmap.cpp

@@ -163,6 +163,10 @@ void* Process::sys$mmap(Userspace<const Syscall::SC_mmap_params*> user_params)
     int fd = params.fd;
     int offset = params.offset;
 
+    if (prot & PROT_EXEC) {
+        REQUIRE_PROMISE(prot_exec);
+    }
+
     if (alignment & ~PAGE_MASK)
         return (void*)-EINVAL;
 
@@ -274,6 +278,10 @@ int Process::sys$mprotect(void* addr, size_t size, int prot)
 {
     REQUIRE_PROMISE(stdio);
 
+    if (prot & PROT_EXEC) {
+        REQUIRE_PROMISE(prot_exec);
+    }
+
     if (!size)
         return -EINVAL;