Introduce and prefer `AllowMmapWithoutExec`

PiperOrigin-RevId: 593968486
Change-Id: I4f7d4d8a6f593d94c0a7e7672826074c4cefc230
pull/171/head
Wiktor Garbacz 2023-12-27 02:50:16 -08:00 committed by Copybara-Service
parent 1255f57108
commit 36e4b80f9a
10 changed files with 22 additions and 9 deletions


@ -31,7 +31,7 @@ class ZopfliSapiSandbox : public ZopfliSandbox {
.AllowDynamicStartup() .AllowDynamicStartup()
.AllowWrite() .AllowWrite()
.AllowExit() .AllowExit()
.AllowMmap() .AllowMmapWithoutExec()
.AllowSystemMalloc() .AllowSystemMalloc()
.AllowSyscalls({ .AllowSyscalls({
__NR_recvmsg, __NR_recvmsg,
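Review bot: The switch to AllowMmapWithoutExec on the `.AllowMmap()` line buys less than it appears in a policy that also has `.AllowDynamicStartup()` three lines above: if that helper whitelists the loader's executable mappings (mmap and/or mprotect with PROT_EXEC, which it presumably must for ld.so to relocate libraries), executable memory is still reachable under this policy, so the hardening claim should be checked against what AllowDynamicStartup actually emits. A PROT_EXEC mmap issued by zopfli after startup now falls through to the rest of the policy instead of being allowed, so the example is worth running once to confirm that neither the library nor its allocator maps executable pages late. The class continues outside the hunk.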


@ -38,7 +38,7 @@ class CurlSapiSandbox : public curl::CurlSandbox {
.AllowFutexOp(FUTEX_WAIT_PRIVATE) .AllowFutexOp(FUTEX_WAIT_PRIVATE)
.AllowFutexOp(FUTEX_WAKE_PRIVATE) .AllowFutexOp(FUTEX_WAKE_PRIVATE)
.AllowFutexOp(FUTEX_REQUEUE_PRIVATE) .AllowFutexOp(FUTEX_REQUEUE_PRIVATE)
.AllowMmap() .AllowMmapWithoutExec()
.AllowOpen() .AllowOpen()
.AllowSafeFcntl() .AllowSafeFcntl()
.AllowWrite() .AllowWrite()


@ -38,7 +38,7 @@ class LibPNGSapiSandbox : public LibPNGSandbox {
.AllowOpen() .AllowOpen()
.AllowExit() .AllowExit()
.AllowStat() .AllowStat()
.AllowMmap() .AllowMmapWithoutExec()
.AllowSystemMalloc() .AllowSystemMalloc()
.AllowSyscalls({ .AllowSyscalls({
__NR_futex, __NR_futex,


@ -37,7 +37,7 @@ class UVSapiUVCatSandbox : public uv::UVSandbox {
.AllowFork() .AllowFork()
.AllowFutexOp(FUTEX_WAKE_PRIVATE) .AllowFutexOp(FUTEX_WAKE_PRIVATE)
.AllowFutexOp(FUTEX_WAIT_PRIVATE) .AllowFutexOp(FUTEX_WAIT_PRIVATE)
.AllowMmap() .AllowMmapWithoutExec()
.AllowOpen() .AllowOpen()
.AllowEpoll() .AllowEpoll()
.AllowSyscall(__NR_eventfd2) .AllowSyscall(__NR_eventfd2)


@ -32,7 +32,7 @@ class UVTestOSSapiSandbox : public uv::UVSandbox {
.AllowExit() .AllowExit()
.AllowFutexOp(FUTEX_WAKE_PRIVATE) .AllowFutexOp(FUTEX_WAKE_PRIVATE)
.AllowGetIDs() .AllowGetIDs()
.AllowMmap() .AllowMmapWithoutExec()
.AllowOpen() .AllowOpen()
.AllowWrite() .AllowWrite()
.AllowSyscalls({__NR_connect, __NR_socket}) .AllowSyscalls({__NR_connect, __NR_socket})


@ -49,7 +49,7 @@ namespace {
std::unique_ptr<sandbox2::Policy> GetPolicy(absl::string_view sandboxee_path) { std::unique_ptr<sandbox2::Policy> GetPolicy(absl::string_view sandboxee_path) {
return sandbox2::PolicyBuilder() return sandbox2::PolicyBuilder()
.AllowExit() .AllowExit()
.AllowMmap() .AllowMmapWithoutExec()
.AllowRead() .AllowRead()
.AllowWrite() .AllowWrite()
.AllowSyscall(__NR_close) .AllowSyscall(__NR_close)


@ -41,7 +41,7 @@ constexpr char kSandboxeePath[] =
std::unique_ptr<sandbox2::Policy> GetPolicy(absl::string_view sandboxee_path) { std::unique_ptr<sandbox2::Policy> GetPolicy(absl::string_view sandboxee_path) {
sandbox2::PolicyBuilder builder; sandbox2::PolicyBuilder builder;
builder.AllowExit() builder.AllowExit()
.AllowMmap() .AllowMmapWithoutExec()
.AllowRead() .AllowRead()
.AllowWrite() .AllowWrite()
.AllowStat() // printf, puts .AllowStat() // printf, puts


@ -329,7 +329,7 @@ PolicyBuilder& PolicyBuilder::AllowLlvmSanitizers() {
// example: // example:
// https://github.com/llvm/llvm-project/blob/596d534ac3524052df210be8d3c01a33b2260a42/compiler-rt/lib/asan/asan_allocator.cpp#L980 // https://github.com/llvm/llvm-project/blob/596d534ac3524052df210be8d3c01a33b2260a42/compiler-rt/lib/asan/asan_allocator.cpp#L980
// https://github.com/llvm/llvm-project/blob/62ec4ac90738a5f2d209ed28c822223e58aaaeb7/compiler-rt/lib/sanitizer_common/sanitizer_allocator_secondary.h#L98 // https://github.com/llvm/llvm-project/blob/62ec4ac90738a5f2d209ed28c822223e58aaaeb7/compiler-rt/lib/sanitizer_common/sanitizer_allocator_secondary.h#L98
AllowMmap(); AllowMmapWithoutExec();
AllowSyscall(__NR_munmap); AllowSyscall(__NR_munmap);
AllowSyscall(__NR_sched_yield); AllowSyscall(__NR_sched_yield);
@ -415,6 +415,14 @@ PolicyBuilder& PolicyBuilder::AllowLimitedMadvise() {
}); });
} }
PolicyBuilder& PolicyBuilder::AllowMmapWithoutExec() {
return AddPolicyOnMmap({
ARG_32(2),
BPF_JUMP(BPF_JMP | BPF_JSET | BPF_K, PROT_EXEC, 1, 0),
ALLOW,
});
}
PolicyBuilder& PolicyBuilder::AllowMmap() { PolicyBuilder& PolicyBuilder::AllowMmap() {
return AllowSyscalls(kMmapSyscalls); return AllowSyscalls(kMmapSyscalls);
} }
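Review bot: The new AllowMmapWithoutExec at the bottom of the hunk only filters the prot argument of mmap/mmap2, so on its own it does not keep executable memory out of the sandboxee: a policy that also allows mprotect (or pkey_mprotect) with PROT_EXEC lets the sandboxee map RW and flip the page to RX afterwards, which is the same primitive the commit title says it wants to remove. Whether any of the policies touched by this commit allow that is outside this hunk, but the helper should say so, and a matching mprotect restriction would be the natural companion. The BPF snippet is also subtle enough to deserve a comment: `BPF_JSET` with jt=1 skips `ALLOW` when the PROT_EXEC bit is set, so such calls are not rejected here but fall through to whatever the rest of the policy decides, e.g. `// Skip ALLOW when PROT_EXEC is set; the call then falls through to the rest of the policy.` above the jump. AllowLlvmSanitizers begins before the first hunk.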


@ -245,8 +245,13 @@ class PolicyBuilder final {
// Appends code to allow mmap. Specifically this allows mmap and mmap2 syscall // Appends code to allow mmap. Specifically this allows mmap and mmap2 syscall
// on architectures where this syscalls exist. // on architectures where this syscalls exist.
// Prefer using AllowMmapWithoutExec as allowing mapping executable pages
// makes exploitation easier.
PolicyBuilder& AllowMmap(); PolicyBuilder& AllowMmap();
// Appends code to allow mmap calls that don't specify PROT_EXEC.
PolicyBuilder& AllowMmapWithoutExec();
// Appends code to allow calling futex with the given operation. // Appends code to allow calling futex with the given operation.
PolicyBuilder& AllowFutexOp(int op); PolicyBuilder& AllowFutexOp(int op);
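Review bot: The one-line comment on AllowMmapWithoutExec leaves out the two things a policy author needs to know, while the neighbouring AllowMmap comment spells out its syscall coverage. It should state which syscalls it covers and what happens to calls that do carry PROT_EXEC, since those are neither allowed nor explicitly denied by this rule: `// Appends code to allow mmap (and mmap2 where it exists) calls whose prot argument does not include PROT_EXEC.` followed by `// Calls with PROT_EXEC are not allowed by this rule and fall through to the rest of the policy.` It is also worth a sentence that this does not restrict mprotect, so allowing mprotect with PROT_EXEC elsewhere in the same policy re-enables executable memory. The class continues outside the hunk.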


@ -145,7 +145,7 @@ absl::StatusOr<std::unique_ptr<Policy>> StackTracePeer::GetPolicy(
.AllowSyscall(__NR_recvmsg) .AllowSyscall(__NR_recvmsg)
// libunwind // libunwind
.AllowMmap() .AllowMmapWithoutExec()
.AllowStat() .AllowStat()
.AllowSyscall(__NR_lseek) .AllowSyscall(__NR_lseek)
#ifdef __NR__llseek #ifdef __NR__llseek