mirror of
https://github.com/google/sandboxed-api.git
synced 2024-03-22 13:11:30 +08:00
Adding AllowOpen to AllowLlvmSanitizers to avoid having to add AllowOpen in addition when it's only needed for running under the sanitizers.
In cases where SAPI users overwrite the default policy instead of extending it, the sandbox will fail with an `openat` violation. This is automatically inherited in the default policy. The advantage with this implementation is that we don't expose the open* syscalls when not running under the sanitizers. PiperOrigin-RevId: 550845188 Change-Id: I151d467848983b00b71ec8447d662394fa7176db
This commit is contained in:
parent
9d1d4b7fd3
commit
04ed89906b
|
@ -327,6 +327,7 @@ PolicyBuilder& PolicyBuilder::AllowLlvmSanitizers() {
|
||||||
// Sanitizers read from /proc. For example:
|
// Sanitizers read from /proc. For example:
|
||||||
// https://github.com/llvm/llvm-project/blob/634da7a1c61ee8c173e90a841eb1f4ea03caa20b/compiler-rt/lib/sanitizer_common/sanitizer_linux.cpp#L1155
|
// https://github.com/llvm/llvm-project/blob/634da7a1c61ee8c173e90a841eb1f4ea03caa20b/compiler-rt/lib/sanitizer_common/sanitizer_linux.cpp#L1155
|
||||||
AddDirectoryIfNamespaced("/proc");
|
AddDirectoryIfNamespaced("/proc");
|
||||||
|
AllowOpen();
|
||||||
// Sanitizers need pid for reports. For example:
|
// Sanitizers need pid for reports. For example:
|
||||||
// https://github.com/llvm/llvm-project/blob/634da7a1c61ee8c173e90a841eb1f4ea03caa20b/compiler-rt/lib/sanitizer_common/sanitizer_linux.cpp#L740
|
// https://github.com/llvm/llvm-project/blob/634da7a1c61ee8c173e90a841eb1f4ea03caa20b/compiler-rt/lib/sanitizer_common/sanitizer_linux.cpp#L740
|
||||||
AllowGetPIDs();
|
AllowGetPIDs();
|
||||||
|
|
Loading…
Reference in New Issue
Block a user