Reduce requirements for restartable sequences

PiperOrigin-RevId: 361780465 Change-Id: I299bc55c94d60575e16f0ea6b5f82b8b793af1cb
2024-03-22 13:11:30 +08:00 · 2021-03-09 04:33:01 -08:00 · 2021-03-09 04:33:01 -08:00 · 753eacd314
commit 753eacd314
parent b30d56e871
2 changed files with 7 additions and 19 deletions
--- a/sandboxed_api/sandbox2/policybuilder.cc
+++ b/sandboxed_api/sandbox2/policybuilder.cc
@ -127,13 +127,10 @@ PolicyBuilder& PolicyBuilder::AllowScudoMalloc() {

 PolicyBuilder& PolicyBuilder::AllowTcMalloc() {
  AllowTime();
+  AllowRestartableSequences();
  AllowSyscalls(
      {__NR_munmap, __NR_nanosleep, __NR_brk, __NR_mincore, __NR_membarrier});
-  AllowFutexOp(FUTEX_WAKE);
  AllowLimitedMadvise();
-#ifdef __NR_rseq
-  AllowSyscall(__NR_rseq);
-#endif

  AddPolicyOnSyscall(__NR_mprotect, {
                                        ARG_32(2),
@ -436,7 +433,6 @@ PolicyBuilder& PolicyBuilder::AllowRestartableSequences() {
    };
  });

-  AddFile("/proc/self/cpuset");
 #ifdef __NR_rseq
  AllowSyscall(__NR_rseq);
 #endif
@ -446,8 +442,7 @@ PolicyBuilder& PolicyBuilder::AllowRestartableSequences() {
                                              ARG_32(0),
                                              JEQ32(SIG_SETMASK, ALLOW),
                                          });
-  return AllowSyscalls({__NR_membarrier, __NR_getcpu, __NR_sched_getaffinity,
-                        __NR_sched_setaffinity});
+  return AllowSyscalls({__NR_membarrier, __NR_getcpu});
 }

 PolicyBuilder& PolicyBuilder::AllowGetPIDs() {
@ -810,14 +805,11 @@ PolicyBuilder& PolicyBuilder::AddFileAt(absl::string_view outside,
  auto fixed_outside = std::move(fixed_outside_or).value();

  if (absl::StartsWith(fixed_outside, "/proc/self")) {
-    // exception: /proc/self/cpuset
-    if (outside != "/proc/self/cpuset") {
-      SetError(absl::InvalidArgumentError(
-          absl::StrCat("Cannot add /proc/self mounts, you need to mount the "
-                       "whole /proc instead. You tried to mount ",
-                       outside)));
-      return *this;
-    }
+    SetError(absl::InvalidArgumentError(
+        absl::StrCat("Cannot add /proc/self mounts, you need to mount the "
+                     "whole /proc instead. You tried to mount ",
+                     outside)));
+    return *this;
  }

  if (auto status = mounts_.AddFileAt(fixed_outside, inside, is_ro);
--- a/sandboxed_api/sandbox2/policybuilder.h
+++ b/sandboxed_api/sandbox2/policybuilder.h
@ -118,12 +118,8 @@ class PolicyBuilder final {
  // - mmap(null, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS)
  // - getcpu,
  // - membarrier
-  // - sched_getaffinity
-  // - sched_setaffinity
  // - futex(WAIT) and futex(WAKE)
  // - sigmask(SET_MASK)
-  // Allows these files (which will enable namespaces):
-  // - "/proc/self/cpuset"
  PolicyBuilder& AllowRestartableSequences();

  // Appends code to allow the scudo version of malloc, free and