Partial support for sandbox2::Notify in UnotifyMonitor

PiperOrigin-RevId: 515562555 Change-Id: Ie73c34bc7e35942b307c458cfef80510e0b734c3
2024-03-22 13:11:30 +08:00 · 2023-03-10 00:58:59 -08:00 · 2023-03-10 00:58:59 -08:00 · 10d44614fd
commit 10d44614fd
parent 6a79282895
2 changed files with 7 additions and 4 deletions
--- a/sandboxed_api/sandbox2/monitor_unotify.cc
+++ b/sandboxed_api/sandbox2/monitor_unotify.cc
@ -108,11 +108,12 @@ void UnotifyMonitor::HandleUnotify() {
                  {req_->data.args[0], req_->data.args[1], req_->data.args[2],
                   req_->data.args[3], req_->data.args[4], req_->data.args[5]},
                  req_->pid, 0, req_->data.instruction_pointer);
-  LogSyscallViolation(syscall);
-  MaybeGetStackTrace(req_->pid, Result::VIOLATION);
  ViolationType violation_type = syscall.arch() == Syscall::GetHostArch()
                                     ? kSyscallViolation
                                     : kArchitectureSwitchViolation;
+  LogSyscallViolation(syscall);
+  notify_->EventSyscallViolation(syscall, violation_type);
+  MaybeGetStackTrace(req_->pid, Result::VIOLATION);
  SetExitStatusCode(Result::VIOLATION, syscall.nr());
  notify_->EventSyscallViolation(syscall, violation_type);
  result_.SetSyscall(std::make_unique<Syscall>(syscall));
--- a/sandboxed_api/sandbox2/sandbox2.cc
+++ b/sandboxed_api/sandbox2/sandbox2.cc
@ -113,8 +113,10 @@ void Sandbox2::Launch() {

 absl::Status Sandbox2::EnableUnotifyMonitor() {
  if (notify_) {
-    return absl::FailedPreconditionError(
-        "sandbox2::Notify is not compatible with unotify monitor");
+    LOG(WARNING) << "Running UnotifyMonitor with sandbox2::Notify is not fully "
+                    "supported. Runtime syscall decisions via "
+                    "EventSyscallTrap/EventSyscallTrace, notifications about "
+                    "signals via EventSignal will not work";
  }
  if (policy_->GetNamespace() == nullptr) {
    return absl::FailedPreconditionError(