mirror of
https://github.com/google/sandboxed-api.git
synced 2024-03-22 13:11:30 +08:00
Add policy on both mmap & mmap2
PiperOrigin-RevId: 341007959 Change-Id: I3c2e74cc973d2603cf7b3a858fa8aabd05c41137
parent
f8a2729c32
commit
5fb18d3c9d
|
@ -46,6 +46,15 @@
|
||||||
namespace sandbox2 {
|
namespace sandbox2 {
|
||||||
namespace {
|
namespace {
|
||||||
|
|
||||||
|
constexpr PolicyBuilder::SyscallInitializer kMmapSyscalls = {
|
||||||
|
#ifdef __NR_mmap2
|
||||||
|
__NR_mmap2,
|
||||||
|
#endif
|
||||||
|
#ifdef __NR_mmap
|
||||||
|
__NR_mmap,
|
||||||
|
#endif
|
||||||
|
};
|
||||||
|
|
||||||
} // namespace
|
} // namespace
|
||||||
|
|
||||||
PolicyBuilder& PolicyBuilder::AllowSyscall(unsigned int num) {
|
PolicyBuilder& PolicyBuilder::AllowSyscall(unsigned int num) {
|
||||||
|
@ -204,13 +213,7 @@ PolicyBuilder& PolicyBuilder::AllowLimitedMadvise() {
|
||||||
}
|
}
|
||||||
|
|
||||||
PolicyBuilder& PolicyBuilder::AllowMmap() {
|
PolicyBuilder& PolicyBuilder::AllowMmap() {
|
||||||
// Consistently with policy.cc, when mmap2 exists then mmap is denied (not
|
return AllowSyscalls(kMmapSyscalls);
|
||||||
// allowed).
|
|
||||||
#ifdef __NR_mmap2
|
|
||||||
return AllowSyscall(__NR_mmap2);
|
|
||||||
#else
|
|
||||||
return AllowSyscall(__NR_mmap);
|
|
||||||
#endif
|
|
||||||
}
|
}
|
||||||
|
|
||||||
PolicyBuilder& PolicyBuilder::AllowOpen() {
|
PolicyBuilder& PolicyBuilder::AllowOpen() {
|
||||||
|
@ -648,28 +651,16 @@ PolicyBuilder& PolicyBuilder::AddPolicyOnSyscalls(SyscallInitializer nums,
|
||||||
}
|
}
|
||||||
|
|
||||||
PolicyBuilder& PolicyBuilder::AddPolicyOnMmap(BpfInitializer policy) {
|
PolicyBuilder& PolicyBuilder::AddPolicyOnMmap(BpfInitializer policy) {
|
||||||
#ifdef __NR_mmap2
|
return AddPolicyOnSyscalls(kMmapSyscalls, policy);
|
||||||
return AddPolicyOnSyscall(__NR_mmap2, policy);
|
|
||||||
#else
|
|
||||||
return AddPolicyOnSyscall(__NR_mmap, policy);
|
|
||||||
#endif
|
|
||||||
}
|
}
|
||||||
|
|
||||||
PolicyBuilder& PolicyBuilder::AddPolicyOnMmap(
|
PolicyBuilder& PolicyBuilder::AddPolicyOnMmap(
|
||||||
const std::vector<sock_filter>& policy) {
|
const std::vector<sock_filter>& policy) {
|
||||||
#ifdef __NR_mmap2
|
return AddPolicyOnSyscalls(kMmapSyscalls, policy);
|
||||||
return AddPolicyOnSyscall(__NR_mmap2, policy);
|
|
||||||
#else
|
|
||||||
return AddPolicyOnSyscall(__NR_mmap, policy);
|
|
||||||
#endif
|
|
||||||
}
|
}
|
||||||
|
|
||||||
PolicyBuilder& PolicyBuilder::AddPolicyOnMmap(BpfFunc f) {
|
PolicyBuilder& PolicyBuilder::AddPolicyOnMmap(BpfFunc f) {
|
||||||
#ifdef __NR_mmap2
|
return AddPolicyOnSyscalls(kMmapSyscalls, f);
|
||||||
return AddPolicyOnSyscall(__NR_mmap2, f);
|
|
||||||
#else
|
|
||||||
return AddPolicyOnSyscall(__NR_mmap, f);
|
|
||||||
#endif
|
|
||||||
}
|
}
|
||||||
|
|
||||||
PolicyBuilder& PolicyBuilder::DangerDefaultAllowAll() {
|
PolicyBuilder& PolicyBuilder::DangerDefaultAllowAll() {
|
||||||
|
|
|
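Review bot: Nothing at `kMmapSyscalls` or in the three `AddPolicyOnMmap` overloads says that a caller's filter must now be valid for both `__NR_mmap` and `__NR_mmap2`, and the two do not share an argument contract everywhere. mmap2 takes its offset in 4096-byte units, and on some 32-bit ABIs the legacy mmap entry point receives a pointer to an argument block, so a filter that inspects prot or flags in the seccomp argument slots would not see the real values there. Where both macros are defined, `AllowMmap()` also permits a syscall that the removed comment says was deliberately left denied to match policy.cc; the visible hunks do not show whether policy.cc's flag checks were extended to cover it, so that is worth confirming. I would add a comment above the constant such as `// Filters attached via AddPolicyOnMmap run for every syscall listed here and must be correct for each one's argument layout.`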
@ -141,13 +141,8 @@ class PolicyBuilder final {
|
||||||
// all binaries.
|
// all binaries.
|
||||||
PolicyBuilder& AllowLlvmSanitizers();
|
PolicyBuilder& AllowLlvmSanitizers();
|
||||||
|
|
||||||
// Appends code to allow mmap. Specifically this allows the mmap2 syscall on
|
// Appends code to allow mmap. Specifically this allows mmap and mmap2 syscall
|
||||||
// architectures where this syscalls exist and the mmap syscall on all other
|
// on architectures where this syscalls exist.
|
||||||
// architectures.
|
|
||||||
//
|
|
||||||
// Note: while this function allows the calls, the default policy is run first
|
|
||||||
// and it has checks for dangerous flags which can create a violation. See
|
|
||||||
// sandbox2/policy.cc for more details.
|
|
||||||
PolicyBuilder& AllowMmap();
|
PolicyBuilder& AllowMmap();
|
||||||
|
|
||||||
// Appends code to allow calling futex with the given operation.
|
// Appends code to allow calling futex with the given operation.
|
||||||
|
@ -385,13 +380,15 @@ class PolicyBuilder final {
|
||||||
// This policy may use labels.
|
// This policy may use labels.
|
||||||
PolicyBuilder& AddPolicyOnSyscalls(SyscallInitializer nums, BpfFunc f);
|
PolicyBuilder& AddPolicyOnSyscalls(SyscallInitializer nums, BpfFunc f);
|
||||||
|
|
||||||
// Equivalent to AddPolicyOnSyscall(mmap_syscall_no, policy), where
|
// Equivalent to AddPolicyOnSyscalls(mmap_syscalls, policy), where
|
||||||
// mmap_syscall_no is either __NR_mmap or __NR_mmap2.
|
// mmap_syscalls is a subset of {__NR_mmap, __NR_mmap2}, which exists on the
|
||||||
|
// target architecture.
|
||||||
PolicyBuilder& AddPolicyOnMmap(BpfInitializer policy);
|
PolicyBuilder& AddPolicyOnMmap(BpfInitializer policy);
|
||||||
PolicyBuilder& AddPolicyOnMmap(const std::vector<sock_filter>& policy);
|
PolicyBuilder& AddPolicyOnMmap(const std::vector<sock_filter>& policy);
|
||||||
|
|
||||||
// Equivalent to AddPolicyOnSyscall(mmap_syscall_no, f), where
|
// Equivalent to AddPolicyOnSyscalls(mmap_syscalls, f), where mmap_syscalls is
|
||||||
// mmap_syscall_no is either __NR_mmap or __NR_mmap2.
|
// a subset of {__NR_mmap, __NR_mmap2}, which exists on the target
|
||||||
|
// architecture.
|
||||||
PolicyBuilder& AddPolicyOnMmap(BpfFunc f);
|
PolicyBuilder& AddPolicyOnMmap(BpfFunc f);
|
||||||
|
|
||||||
// Builds the policy returning a unique_ptr to it. This should only be called
|
// Builds the policy returning a unique_ptr to it. This should only be called
|
||||||
|
|
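Review bot: The rewritten comment on `AllowMmap()` drops the note that the default policy runs first and can raise a violation on dangerous mmap flags, along with its pointer to sandbox2/policy.cc; if that still holds, it is the caveat a policy author most needs and should stay. The new wording is also ungrammatical (`mmap and mmap2 syscall on architectures where this syscalls exist`); I would write `// Appends code to allow mmap. Specifically this allows the mmap and mmap2 syscalls on every architecture where they exist.` and keep the `// Note:` paragraph below it. The `which exists` phrasing in the two `AddPolicyOnMmap` comments reads better as `that exist on the target architecture`.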