mirror of
https://github.com/google/sandboxed-api.git
synced 2024-03-22 13:11:30 +08:00
Introduce and prefer AllowMmapWithoutExec
PiperOrigin-RevId: 593968486 Change-Id: I4f7d4d8a6f593d94c0a7e7672826074c4cefc230
This commit is contained in:
parent
1255f57108
commit
36e4b80f9a
|
@ -31,7 +31,7 @@ class ZopfliSapiSandbox : public ZopfliSandbox {
|
|||
.AllowDynamicStartup()
|
||||
.AllowWrite()
|
||||
.AllowExit()
|
||||
.AllowMmap()
|
||||
.AllowMmapWithoutExec()
|
||||
.AllowSystemMalloc()
|
||||
.AllowSyscalls({
|
||||
__NR_recvmsg,
|
||||
|
|
|
@ -38,7 +38,7 @@ class CurlSapiSandbox : public curl::CurlSandbox {
|
|||
.AllowFutexOp(FUTEX_WAIT_PRIVATE)
|
||||
.AllowFutexOp(FUTEX_WAKE_PRIVATE)
|
||||
.AllowFutexOp(FUTEX_REQUEUE_PRIVATE)
|
||||
.AllowMmap()
|
||||
.AllowMmapWithoutExec()
|
||||
.AllowOpen()
|
||||
.AllowSafeFcntl()
|
||||
.AllowWrite()
|
||||
|
|
|
@ -38,7 +38,7 @@ class LibPNGSapiSandbox : public LibPNGSandbox {
|
|||
.AllowOpen()
|
||||
.AllowExit()
|
||||
.AllowStat()
|
||||
.AllowMmap()
|
||||
.AllowMmapWithoutExec()
|
||||
.AllowSystemMalloc()
|
||||
.AllowSyscalls({
|
||||
__NR_futex,
|
||||
|
|
|
@ -37,7 +37,7 @@ class UVSapiUVCatSandbox : public uv::UVSandbox {
|
|||
.AllowFork()
|
||||
.AllowFutexOp(FUTEX_WAKE_PRIVATE)
|
||||
.AllowFutexOp(FUTEX_WAIT_PRIVATE)
|
||||
.AllowMmap()
|
||||
.AllowMmapWithoutExec()
|
||||
.AllowOpen()
|
||||
.AllowEpoll()
|
||||
.AllowSyscall(__NR_eventfd2)
|
||||
|
|
|
@ -32,7 +32,7 @@ class UVTestOSSapiSandbox : public uv::UVSandbox {
|
|||
.AllowExit()
|
||||
.AllowFutexOp(FUTEX_WAKE_PRIVATE)
|
||||
.AllowGetIDs()
|
||||
.AllowMmap()
|
||||
.AllowMmapWithoutExec()
|
||||
.AllowOpen()
|
||||
.AllowWrite()
|
||||
.AllowSyscalls({__NR_connect, __NR_socket})
|
||||
|
|
|
@ -49,7 +49,7 @@ namespace {
|
|||
std::unique_ptr<sandbox2::Policy> GetPolicy(absl::string_view sandboxee_path) {
|
||||
return sandbox2::PolicyBuilder()
|
||||
.AllowExit()
|
||||
.AllowMmap()
|
||||
.AllowMmapWithoutExec()
|
||||
.AllowRead()
|
||||
.AllowWrite()
|
||||
.AllowSyscall(__NR_close)
|
||||
|
|
|
@ -41,7 +41,7 @@ constexpr char kSandboxeePath[] =
|
|||
std::unique_ptr<sandbox2::Policy> GetPolicy(absl::string_view sandboxee_path) {
|
||||
sandbox2::PolicyBuilder builder;
|
||||
builder.AllowExit()
|
||||
.AllowMmap()
|
||||
.AllowMmapWithoutExec()
|
||||
.AllowRead()
|
||||
.AllowWrite()
|
||||
.AllowStat() // printf, puts
|
||||
|
|
|
@ -329,7 +329,7 @@ PolicyBuilder& PolicyBuilder::AllowLlvmSanitizers() {
|
|||
// example:
|
||||
// https://github.com/llvm/llvm-project/blob/596d534ac3524052df210be8d3c01a33b2260a42/compiler-rt/lib/asan/asan_allocator.cpp#L980
|
||||
// https://github.com/llvm/llvm-project/blob/62ec4ac90738a5f2d209ed28c822223e58aaaeb7/compiler-rt/lib/sanitizer_common/sanitizer_allocator_secondary.h#L98
|
||||
AllowMmap();
|
||||
AllowMmapWithoutExec();
|
||||
AllowSyscall(__NR_munmap);
|
||||
AllowSyscall(__NR_sched_yield);
|
||||
|
||||
|
@ -415,6 +415,14 @@ PolicyBuilder& PolicyBuilder::AllowLimitedMadvise() {
|
|||
});
|
||||
}
|
||||
|
||||
PolicyBuilder& PolicyBuilder::AllowMmapWithoutExec() {
|
||||
return AddPolicyOnMmap({
|
||||
ARG_32(2),
|
||||
BPF_JUMP(BPF_JMP | BPF_JSET | BPF_K, PROT_EXEC, 1, 0),
|
||||
ALLOW,
|
||||
});
|
||||
}
|
||||
|
||||
PolicyBuilder& PolicyBuilder::AllowMmap() {
|
||||
return AllowSyscalls(kMmapSyscalls);
|
||||
}
|
||||
|
|
|
@ -245,8 +245,13 @@ class PolicyBuilder final {
|
|||
|
||||
// Appends code to allow mmap. Specifically this allows mmap and mmap2 syscall
|
||||
// on architectures where this syscalls exist.
|
||||
// Prefer using AllowMmapWithoutExec as allowing mapping executable pages
|
||||
// makes exploitation easier.
|
||||
PolicyBuilder& AllowMmap();
|
||||
|
||||
// Appends code to allow mmap calls that don't specify PROT_EXEC.
|
||||
PolicyBuilder& AllowMmapWithoutExec();
|
||||
|
||||
// Appends code to allow calling futex with the given operation.
|
||||
PolicyBuilder& AllowFutexOp(int op);
|
||||
|
||||
|
|
|
@ -145,7 +145,7 @@ absl::StatusOr<std::unique_ptr<Policy>> StackTracePeer::GetPolicy(
|
|||
.AllowSyscall(__NR_recvmsg)
|
||||
|
||||
// libunwind
|
||||
.AllowMmap()
|
||||
.AllowMmapWithoutExec()
|
||||
.AllowStat()
|
||||
.AllowSyscall(__NR_lseek)
|
||||
#ifdef __NR__llseek
|
||||
|
|
Loading…
Reference in New Issue
Block a user