Adding AllowOpen to AllowLlvmSanitizers to avoid having to add AllowOpen in addition when it's only needed for running under the sanitizers.

In cases where SAPI users overwrite the default policy instead of extending it, the sandbox will fail with an `openat` violation. This is automatically inherited in the default policy.

The advantage with this implementation is that we don't expose the open* syscalls when not running under the sanitizers.

PiperOrigin-RevId: 550845188
Change-Id: I151d467848983b00b71ec8447d662394fa7176db
Oliver Kunz 2023-07-25 04:37:13 -07:00 committed by Copybara-Service
parent 9d1d4b7fd3
commit 04ed89906b


@ -327,6 +327,7 @@ PolicyBuilder& PolicyBuilder::AllowLlvmSanitizers() {
// Sanitizers read from /proc. For example: // Sanitizers read from /proc. For example:
// https://github.com/llvm/llvm-project/blob/634da7a1c61ee8c173e90a841eb1f4ea03caa20b/compiler-rt/lib/sanitizer_common/sanitizer_linux.cpp#L1155 // https://github.com/llvm/llvm-project/blob/634da7a1c61ee8c173e90a841eb1f4ea03caa20b/compiler-rt/lib/sanitizer_common/sanitizer_linux.cpp#L1155
AddDirectoryIfNamespaced("/proc"); AddDirectoryIfNamespaced("/proc");
AllowOpen();
// Sanitizers need pid for reports. For example: // Sanitizers need pid for reports. For example:
// https://github.com/llvm/llvm-project/blob/634da7a1c61ee8c173e90a841eb1f4ea03caa20b/compiler-rt/lib/sanitizer_common/sanitizer_linux.cpp#L740 // https://github.com/llvm/llvm-project/blob/634da7a1c61ee8c173e90a841eb1f4ea03caa20b/compiler-rt/lib/sanitizer_common/sanitizer_linux.cpp#L740
AllowGetPIDs(); AllowGetPIDs();
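
Review bot: the added `AllowOpen();` after `AddDirectoryIfNamespaced("/proc");` is the only call in this hunk without a comment, while its neighbours each state why the sanitizers need them and link to the compiler-rt source. Suggest a comment such as `// Sanitizers open files under /proc.` directly above it. The commit message relies on the open* syscalls not being exposed outside sanitizer builds, but nothing in the visible context shows the guard that ensures this, so the comment should point at it. It is also worth noting there that the `/proc` directory is only added when namespaced, whereas the open permission is added either way, so callers running without namespaces know this call does not confine file access to `/proc`.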