From 1cf2d840ddb61c10b4be7049b8c946e3d072220b Mon Sep 17 00:00:00 2001
From: Wiktor Garbacz
Date: Thu, 3 Mar 2022 08:36:36 -0800
Subject: [PATCH] Add PolicyBuilder::OverridableBlockSyscallWithErrno

PiperOrigin-RevId: 432201719
Change-Id: I5cac1a03a7ec95598bae87ff13d38e4bedf62beb
---
 sandboxed_api/sandbox2/policybuilder.cc | 16 +++++++++++++---
 sandboxed_api/sandbox2/policybuilder.h | 5 +++++
 2 files changed, 18 insertions(+), 3 deletions(-)

diff --git a/sandboxed_api/sandbox2/policybuilder.cc b/sandboxed_api/sandbox2/policybuilder.cc
index 962f3dc..14fadc2 100644
--- a/sandboxed_api/sandbox2/policybuilder.cc
+++ b/sandboxed_api/sandbox2/policybuilder.cc
@@ -106,6 +106,13 @@ PolicyBuilder& PolicyBuilder::BlockSyscallWithErrno(uint32_t num, int error) {
 return *this;
 }

+PolicyBuilder& PolicyBuilder::OverridableBlockSyscallWithErrno(uint32_t num,
+ int error) {
+ overridable_policy_.insert(overridable_policy_.end(),
+ {SYSCALL(num, ERRNO(error))});
+ return *this;
+}
+
 PolicyBuilder& PolicyBuilder::AllowExit() {
 return AllowSyscalls({__NR_exit, __NR_exit_group});
 }
@@ -236,7 +243,7 @@ PolicyBuilder& PolicyBuilder::AllowLlvmSanitizers() {
 AllowGetPIDs();
 // Sanitizers may try color output. For example:
 // https://github.com/llvm/llvm-project/blob/87dd3d350c4ce0115b2cdf91d85ddd05ae2661aa/compiler-rt/lib/sanitizer_common/sanitizer_posix_libcdep.cpp#L157
- BlockSyscallWithErrno(__NR_ioctl, EPERM);
+ OverridableBlockSyscallWithErrno(__NR_ioctl, EPERM);
 }
 if constexpr (sapi::sanitizers::IsASan()) {
 AllowSyscall(__NR_sigaltstack);
@@ -654,10 +661,10 @@ PolicyBuilder& PolicyBuilder::AllowStaticStartup() {
 #endif

 if constexpr (sapi::host_cpu::IsArm64()) {
- BlockSyscallWithErrno(__NR_readlinkat, ENOENT);
+ OverridableBlockSyscallWithErrno(__NR_readlinkat, ENOENT);
 }
 #ifdef __NR_readlink
- BlockSyscallWithErrno(__NR_readlink, ENOENT);
+ OverridableBlockSyscallWithErrno(__NR_readlink, ENOENT);
 #endif

 AddPolicyOnSyscall(__NR_mprotect, {
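Review bot: OverridableBlockSyscallWithErrno appends `SYSCALL(num, ERRNO(error))` to `overridable_policy_` without checking whether a rule for `num` is already there, so calling it twice for the same syscall (AllowLlvmSanitizers and AllowStaticStartup now route through it, and nothing stops a caller from invoking those twice) emits duplicate BPF instructions that sit unreachable behind the first match. That is harmless for the decision taken but spends filter instructions, which seccomp limits; a guard against repeats (the `handled_syscalls_` member exists in the header hunk, though whether BlockSyscallWithErrno consults it is outside this hunk) or a comment stating that duplicates are tolerated would settle it. The body also silently relies on TryBuild appending `overridable_policy_` after `user_policy_`; a line above the insert such as `// Kept apart from user_policy_: TryBuild appends these after all user rules, so an explicit user rule for num wins.` would make that dependency visible where the rule is created.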
@@ -872,6 +879,9 @@ absl::StatusOr> PolicyBuilder::TryBuild() {
 output->collect_stacktrace_on_kill_ = collect_stacktrace_on_kill_;
 output->collect_stacktrace_on_exit_ = collect_stacktrace_on_exit_;
 output->user_policy_ = std::move(user_policy_);
+ output->user_policy_.insert(output->user_policy_.end(),
+ overridable_policy_.begin(),
+ overridable_policy_.end());
 output->user_policy_handles_bpf_ = user_policy_handles_bpf_;

 auto pb_description = absl::make_unique();
diff --git a/sandboxed_api/sandbox2/policybuilder.h b/sandboxed_api/sandbox2/policybuilder.h
index a0d287d..345bada 100644
--- a/sandboxed_api/sandbox2/policybuilder.h
+++ b/sandboxed_api/sandbox2/policybuilder.h
@@ -582,6 +582,10 @@ class PolicyBuilder final {
 // Allows a limited version of madvise
 PolicyBuilder& AllowLimitedMadvise();

+ // Appends code to block a specific syscall and setting errno at the end of
+ // the policy - decision taken by user policy take precedence.
+ PolicyBuilder& OverridableBlockSyscallWithErrno(uint32_t num, int error);
+
 PolicyBuilder& SetMounts(Mounts mounts) {
 mounts_ = std::move(mounts);
 return *this;
@@ -609,6 +613,7 @@ class PolicyBuilder final {
 // Seccomp fields
 std::vector user_policy_;
+ std::vector overridable_policy_;
 bool user_policy_handles_bpf_ = false;
 absl::flat_hash_set handled_syscalls_;
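Review bot: The added `insert` appends the overridable rules to `output->user_policy_` unconditionally, including when `user_policy_handles_bpf_` (copied on the very next line) is set. If that flag means the user policy already ends in its own terminal return — its meaning is not visible in this hunk — the ERRNO rules that AllowLlvmSanitizers and AllowStaticStartup now depend on are unreachable, and ioctl/readlink silently fall through to whatever the user filter decides rather than being blocked; wrapping the insert in `if (!user_policy_handles_bpf_) { ... }` or stating the interaction in the OverridableBlockSyscallWithErrno comment would make the contract explicit. The rules are also copied rather than moved, unlike `user_policy_` on the preceding line, so the builder is left half moved-from after TryBuild; `std::make_move_iterator` or moving the vector first would keep its state consistent. TryBuild's body continues outside the hunk.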
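Review bot: The new comment on OverridableBlockSyscallWithErrno in policybuilder.h is hard to parse ("and setting errno", "decision taken by user policy take precedence") and does not say what "at the end of the policy" is relative to, which is the whole point of the method. I would replace the two comment lines with `// Appends a rule that blocks syscall num with errno error after every rule added through the other methods (see TryBuild), so an explicit user rule for the same syscall, e.g. AllowSyscall, takes precedence. Use this for defaults a caller may legitimately relax; use BlockSyscallWithErrno when the block must not be overridable.` The private member `overridable_policy_` added in the following hunk deserves a matching one-liner, e.g. `// Fallback rules; TryBuild() appends them after user_policy_.`, since the ordering is the only thing that makes these rules overridable.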