Add policy on both mmap & mmap2

PiperOrigin-RevId: 341007959
Change-Id: I3c2e74cc973d2603cf7b3a858fa8aabd05c41137
Wiktor Garbacz 2020-11-06 01:29:52 -08:00 committed by Copybara-Service
parent f8a2729c32
commit 5fb18d3c9d
2 changed files with 21 additions and 33 deletions


@ -46,6 +46,15 @@
namespace sandbox2 { namespace sandbox2 {
namespace { namespace {
constexpr PolicyBuilder::SyscallInitializer kMmapSyscalls = {
#ifdef __NR_mmap2
__NR_mmap2,
#endif
#ifdef __NR_mmap
__NR_mmap,
#endif
};
} // namespace } // namespace
PolicyBuilder& PolicyBuilder::AllowSyscall(unsigned int num) { PolicyBuilder& PolicyBuilder::AllowSyscall(unsigned int num) {
@ -204,13 +213,7 @@ PolicyBuilder& PolicyBuilder::AllowLimitedMadvise() {
} }
PolicyBuilder& PolicyBuilder::AllowMmap() { PolicyBuilder& PolicyBuilder::AllowMmap() {
// Consistently with policy.cc, when mmap2 exists then mmap is denied (not return AllowSyscalls(kMmapSyscalls);
// allowed).
#ifdef __NR_mmap2
return AllowSyscall(__NR_mmap2);
#else
return AllowSyscall(__NR_mmap);
#endif
} }
PolicyBuilder& PolicyBuilder::AllowOpen() { PolicyBuilder& PolicyBuilder::AllowOpen() {
@ -648,28 +651,16 @@ PolicyBuilder& PolicyBuilder::AddPolicyOnSyscalls(SyscallInitializer nums,
} }
PolicyBuilder& PolicyBuilder::AddPolicyOnMmap(BpfInitializer policy) { PolicyBuilder& PolicyBuilder::AddPolicyOnMmap(BpfInitializer policy) {
#ifdef __NR_mmap2 return AddPolicyOnSyscalls(kMmapSyscalls, policy);
return AddPolicyOnSyscall(__NR_mmap2, policy);
#else
return AddPolicyOnSyscall(__NR_mmap, policy);
#endif
} }
PolicyBuilder& PolicyBuilder::AddPolicyOnMmap( PolicyBuilder& PolicyBuilder::AddPolicyOnMmap(
const std::vector<sock_filter>& policy) { const std::vector<sock_filter>& policy) {
#ifdef __NR_mmap2 return AddPolicyOnSyscalls(kMmapSyscalls, policy);
return AddPolicyOnSyscall(__NR_mmap2, policy);
#else
return AddPolicyOnSyscall(__NR_mmap, policy);
#endif
} }
PolicyBuilder& PolicyBuilder::AddPolicyOnMmap(BpfFunc f) { PolicyBuilder& PolicyBuilder::AddPolicyOnMmap(BpfFunc f) {
#ifdef __NR_mmap2 return AddPolicyOnSyscalls(kMmapSyscalls, f);
return AddPolicyOnSyscall(__NR_mmap2, f);
#else
return AddPolicyOnSyscall(__NR_mmap, f);
#endif
} }
PolicyBuilder& PolicyBuilder::DangerDefaultAllowAll() { PolicyBuilder& PolicyBuilder::DangerDefaultAllowAll() {
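Review bot: With kMmapSyscalls assembled from two independent #ifdef guards, AllowMmap() and the three AddPolicyOnMmap overloads quietly become no-ops on a target that defines neither __NR_mmap nor __NR_mmap2, whereas the removed #else branches failed to compile on such a target. If SyscallInitializer is std::initializer_list (or another type with a constexpr size()), adding `static_assert(kMmapSyscalls.size() > 0, "neither __NR_mmap nor __NR_mmap2 is defined");` after the definition in the first hunk restores that guarantee. The removed comment in AllowMmap stated that mmap was deliberately denied when mmap2 exists, "consistently with policy.cc"; the new list allows both on such targets, and policy.cc is not part of this commit, so it seems worth either confirming policy.cc was updated to match or recording the intent next to kMmapSyscalls, e.g. `// Both numbers are covered where a target defines both; the default policy's flag checks apply to each.`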


@ -141,13 +141,8 @@ class PolicyBuilder final {
// all binaries. // all binaries.
PolicyBuilder& AllowLlvmSanitizers(); PolicyBuilder& AllowLlvmSanitizers();
// Appends code to allow mmap. Specifically this allows the mmap2 syscall on // Appends code to allow mmap. Specifically this allows mmap and mmap2 syscall
// architectures where this syscalls exist and the mmap syscall on all other // on architectures where this syscalls exist.
// architectures.
//
// Note: while this function allows the calls, the default policy is run first
// and it has checks for dangerous flags which can create a violation. See
// sandbox2/policy.cc for more details.
PolicyBuilder& AllowMmap(); PolicyBuilder& AllowMmap();
// Appends code to allow calling futex with the given operation. // Appends code to allow calling futex with the given operation.
@ -385,13 +380,15 @@ class PolicyBuilder final {
// This policy may use labels. // This policy may use labels.
PolicyBuilder& AddPolicyOnSyscalls(SyscallInitializer nums, BpfFunc f); PolicyBuilder& AddPolicyOnSyscalls(SyscallInitializer nums, BpfFunc f);
// Equivalent to AddPolicyOnSyscall(mmap_syscall_no, policy), where // Equivalent to AddPolicyOnSyscalls(mmap_syscalls, policy), where
// mmap_syscall_no is either __NR_mmap or __NR_mmap2. // mmap_syscalls is a subset of {__NR_mmap, __NR_mmap2}, which exists on the
// target architecture.
PolicyBuilder& AddPolicyOnMmap(BpfInitializer policy); PolicyBuilder& AddPolicyOnMmap(BpfInitializer policy);
PolicyBuilder& AddPolicyOnMmap(const std::vector<sock_filter>& policy); PolicyBuilder& AddPolicyOnMmap(const std::vector<sock_filter>& policy);
// Equivalent to AddPolicyOnSyscall(mmap_syscall_no, f), where // Equivalent to AddPolicyOnSyscalls(mmap_syscalls, f), where mmap_syscalls is
// mmap_syscall_no is either __NR_mmap or __NR_mmap2. // a subset of {__NR_mmap, __NR_mmap2}, which exists on the target
// architecture.
PolicyBuilder& AddPolicyOnMmap(BpfFunc f); PolicyBuilder& AddPolicyOnMmap(BpfFunc f);
// Builds the policy returning a unique_ptr to it. This should only be called // Builds the policy returning a unique_ptr to it. This should only be called
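Review bot: The paragraph removed from the AllowMmap() comment in the first hunk (that the default policy runs first and carries checks for dangerous flags, see sandbox2/policy.cc) is not replaced, although nothing in this commit suggests that behavior changed; without it, readers lose the only hint that allowing the syscall does not bypass those checks. Suggest keeping that note after the rewritten first sentence, since it applies to both syscall numbers now listed. The new wording also has a grammar slip: `// on architectures where these syscalls exist.`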