Introduce and prefer AllowMmapWithoutExec

PiperOrigin-RevId: 593968486
Change-Id: I4f7d4d8a6f593d94c0a7e7672826074c4cefc230
This commit is contained in:
Wiktor Garbacz 2023-12-27 02:50:16 -08:00 committed by Copybara-Service
parent 1255f57108
commit 36e4b80f9a
10 changed files with 22 additions and 9 deletions

View File

@ -31,7 +31,7 @@ class ZopfliSapiSandbox : public ZopfliSandbox {
.AllowDynamicStartup()
.AllowWrite()
.AllowExit()
.AllowMmap()
.AllowMmapWithoutExec()
.AllowSystemMalloc()
.AllowSyscalls({
__NR_recvmsg,

View File

@ -38,7 +38,7 @@ class CurlSapiSandbox : public curl::CurlSandbox {
.AllowFutexOp(FUTEX_WAIT_PRIVATE)
.AllowFutexOp(FUTEX_WAKE_PRIVATE)
.AllowFutexOp(FUTEX_REQUEUE_PRIVATE)
.AllowMmap()
.AllowMmapWithoutExec()
.AllowOpen()
.AllowSafeFcntl()
.AllowWrite()

View File

@ -38,7 +38,7 @@ class LibPNGSapiSandbox : public LibPNGSandbox {
.AllowOpen()
.AllowExit()
.AllowStat()
.AllowMmap()
.AllowMmapWithoutExec()
.AllowSystemMalloc()
.AllowSyscalls({
__NR_futex,

View File

@ -37,7 +37,7 @@ class UVSapiUVCatSandbox : public uv::UVSandbox {
.AllowFork()
.AllowFutexOp(FUTEX_WAKE_PRIVATE)
.AllowFutexOp(FUTEX_WAIT_PRIVATE)
.AllowMmap()
.AllowMmapWithoutExec()
.AllowOpen()
.AllowEpoll()
.AllowSyscall(__NR_eventfd2)

View File

@ -32,7 +32,7 @@ class UVTestOSSapiSandbox : public uv::UVSandbox {
.AllowExit()
.AllowFutexOp(FUTEX_WAKE_PRIVATE)
.AllowGetIDs()
.AllowMmap()
.AllowMmapWithoutExec()
.AllowOpen()
.AllowWrite()
.AllowSyscalls({__NR_connect, __NR_socket})

View File

@ -49,7 +49,7 @@ namespace {
std::unique_ptr<sandbox2::Policy> GetPolicy(absl::string_view sandboxee_path) {
return sandbox2::PolicyBuilder()
.AllowExit()
.AllowMmap()
.AllowMmapWithoutExec()
.AllowRead()
.AllowWrite()
.AllowSyscall(__NR_close)

View File

@ -41,7 +41,7 @@ constexpr char kSandboxeePath[] =
std::unique_ptr<sandbox2::Policy> GetPolicy(absl::string_view sandboxee_path) {
sandbox2::PolicyBuilder builder;
builder.AllowExit()
.AllowMmap()
.AllowMmapWithoutExec()
.AllowRead()
.AllowWrite()
.AllowStat() // printf, puts

View File

@ -329,7 +329,7 @@ PolicyBuilder& PolicyBuilder::AllowLlvmSanitizers() {
// example:
// https://github.com/llvm/llvm-project/blob/596d534ac3524052df210be8d3c01a33b2260a42/compiler-rt/lib/asan/asan_allocator.cpp#L980
// https://github.com/llvm/llvm-project/blob/62ec4ac90738a5f2d209ed28c822223e58aaaeb7/compiler-rt/lib/sanitizer_common/sanitizer_allocator_secondary.h#L98
AllowMmap();
AllowMmapWithoutExec();
AllowSyscall(__NR_munmap);
AllowSyscall(__NR_sched_yield);
@ -415,6 +415,14 @@ PolicyBuilder& PolicyBuilder::AllowLimitedMadvise() {
});
}
PolicyBuilder& PolicyBuilder::AllowMmapWithoutExec() {
return AddPolicyOnMmap({
ARG_32(2),
BPF_JUMP(BPF_JMP | BPF_JSET | BPF_K, PROT_EXEC, 1, 0),
ALLOW,
});
}
PolicyBuilder& PolicyBuilder::AllowMmap() {
return AllowSyscalls(kMmapSyscalls);
}

View File

@ -245,8 +245,13 @@ class PolicyBuilder final {
// Appends code to allow mmap. Specifically this allows mmap and mmap2 syscall
// on architectures where this syscalls exist.
// Prefer using AllowMmapWithoutExec as allowing mapping executable pages
// makes exploitation easier.
PolicyBuilder& AllowMmap();
// Appends code to allow mmap calls that don't specify PROT_EXEC.
PolicyBuilder& AllowMmapWithoutExec();
// Appends code to allow calling futex with the given operation.
PolicyBuilder& AllowFutexOp(int op);

View File

@ -145,7 +145,7 @@ absl::StatusOr<std::unique_ptr<Policy>> StackTracePeer::GetPolicy(
.AllowSyscall(__NR_recvmsg)
// libunwind
.AllowMmap()
.AllowMmapWithoutExec()
.AllowStat()
.AllowSyscall(__NR_lseek)
#ifdef __NR__llseek