Add PolicyBuilder::OverridableBlockSyscallWithErrno

PiperOrigin-RevId: 432201719 Change-Id: I5cac1a03a7ec95598bae87ff13d38e4bedf62beb
2024-03-22 13:11:30 +08:00 · 2022-03-03 08:36:36 -08:00 · 2022-03-03 08:36:36 -08:00 · 1cf2d840dd
commit 1cf2d840dd
parent 725a5c11a8
2 changed files with 18 additions and 3 deletions
--- a/sandboxed_api/sandbox2/policybuilder.cc
+++ b/sandboxed_api/sandbox2/policybuilder.cc
@ -106,6 +106,13 @@ PolicyBuilder& PolicyBuilder::BlockSyscallWithErrno(uint32_t num, int error) {
  return *this;
 }

+PolicyBuilder& PolicyBuilder::OverridableBlockSyscallWithErrno(uint32_t num,
+                                                               int error) {
+  overridable_policy_.insert(overridable_policy_.end(),
+                             {SYSCALL(num, ERRNO(error))});
+  return *this;
+}
+
 PolicyBuilder& PolicyBuilder::AllowExit() {
  return AllowSyscalls({__NR_exit, __NR_exit_group});
 }
@ -236,7 +243,7 @@ PolicyBuilder& PolicyBuilder::AllowLlvmSanitizers() {
    AllowGetPIDs();
    // Sanitizers may try color output. For example:
    // https://github.com/llvm/llvm-project/blob/87dd3d350c4ce0115b2cdf91d85ddd05ae2661aa/compiler-rt/lib/sanitizer_common/sanitizer_posix_libcdep.cpp#L157
-    BlockSyscallWithErrno(__NR_ioctl, EPERM);
+    OverridableBlockSyscallWithErrno(__NR_ioctl, EPERM);
  }
  if constexpr (sapi::sanitizers::IsASan()) {
    AllowSyscall(__NR_sigaltstack);
@ -654,10 +661,10 @@ PolicyBuilder& PolicyBuilder::AllowStaticStartup() {
 #endif

  if constexpr (sapi::host_cpu::IsArm64()) {
-    BlockSyscallWithErrno(__NR_readlinkat, ENOENT);
+    OverridableBlockSyscallWithErrno(__NR_readlinkat, ENOENT);
  }
 #ifdef __NR_readlink
-  BlockSyscallWithErrno(__NR_readlink, ENOENT);
+  OverridableBlockSyscallWithErrno(__NR_readlink, ENOENT);
 #endif

  AddPolicyOnSyscall(__NR_mprotect, {
@ -872,6 +879,9 @@ absl::StatusOr<std::unique_ptr<Policy>> PolicyBuilder::TryBuild() {
  output->collect_stacktrace_on_kill_ = collect_stacktrace_on_kill_;
  output->collect_stacktrace_on_exit_ = collect_stacktrace_on_exit_;
  output->user_policy_ = std::move(user_policy_);
+  output->user_policy_.insert(output->user_policy_.end(),
+                              overridable_policy_.begin(),
+                              overridable_policy_.end());
  output->user_policy_handles_bpf_ = user_policy_handles_bpf_;

  auto pb_description = absl::make_unique<PolicyBuilderDescription>();
--- a/sandboxed_api/sandbox2/policybuilder.h
+++ b/sandboxed_api/sandbox2/policybuilder.h
@ -582,6 +582,10 @@ class PolicyBuilder final {
  // Allows a limited version of madvise
  PolicyBuilder& AllowLimitedMadvise();

+  // Appends code to block a specific syscall and setting errno at the end of
+  // the policy - decision taken by user policy take precedence.
+  PolicyBuilder& OverridableBlockSyscallWithErrno(uint32_t num, int error);
+
  PolicyBuilder& SetMounts(Mounts mounts) {
    mounts_ = std::move(mounts);
    return *this;
@ -609,6 +613,7 @@ class PolicyBuilder final {

  // Seccomp fields
  std::vector<sock_filter> user_policy_;
+  std::vector<sock_filter> overridable_policy_;
  bool user_policy_handles_bpf_ = false;
  absl::flat_hash_set<uint32_t> handled_syscalls_;