From 2ff96ba0e7ab43e21cf6d7a8fab78d77d1b69680 Mon Sep 17 00:00:00 2001 From: Wiktor Garbacz Date: Wed, 14 Apr 2021 07:38:47 -0700 Subject: [PATCH] Add missing TSAN syscalls PiperOrigin-RevId: 368427218 Change-Id: I73cd330028b805d8a86712936fb0c5103ce9914a --- sandboxed_api/sandbox2/policybuilder.cc | 25 ++++++++++++++++++------- 1 file changed, 18 insertions(+), 7 deletions(-) diff --git a/sandboxed_api/sandbox2/policybuilder.cc b/sandboxed_api/sandbox2/policybuilder.cc index 8d21a4a..676da05 100644 --- a/sandboxed_api/sandbox2/policybuilder.cc +++ b/sandboxed_api/sandbox2/policybuilder.cc @@ -207,6 +207,17 @@ PolicyBuilder& PolicyBuilder::AllowLlvmSanitizers() { // https://github.com/llvm/llvm-project/blob/62ec4ac90738a5f2d209ed28c822223e58aaaeb7/compiler-rt/lib/sanitizer_common/sanitizer_allocator_secondary.h#L98 AllowMmap(); } + if constexpr (sapi::sanitizers::IsTSan()) { + AllowMmap(); + AllowSyscall(__NR_munmap); + AddPolicyOnSyscall(__NR_mprotect, + { + ARG_32(2), + BPF_STMT(BPF_AND | BPF_ALU | BPF_K, + ~uint32_t{PROT_READ | PROT_WRITE}), + JEQ(0, ALLOW), + }); + } return *this; } @@ -538,17 +549,17 @@ PolicyBuilder& PolicyBuilder::AllowFutexOp(int op) { PolicyBuilder& PolicyBuilder::AllowStaticStartup() { AllowGetRlimit(); AllowSyscalls({ - // These syscalls take a pointer, so no restriction. - __NR_uname, __NR_brk, __NR_set_tid_address, + // These syscalls take a pointer, so no restriction. + __NR_uname, __NR_brk, __NR_set_tid_address, #if defined(__ARM_NR_set_tls) - // libc sets the TLS during startup - __ARM_NR_set_tls, + // libc sets the TLS during startup + __ARM_NR_set_tls, #endif - // This syscall takes a pointer and a length. - // We could restrict length, but it might change, so not worth it. - __NR_set_robust_list, + // This syscall takes a pointer and a length. + // We could restrict length, but it might change, so not worth it. + __NR_set_robust_list, }); AllowFutexOp(FUTEX_WAIT_BITSET);