Reduce requirements for restartable sequences

PiperOrigin-RevId: 361780465
Change-Id: I299bc55c94d60575e16f0ea6b5f82b8b793af1cb
Martijn Vels 2021-03-09 04:33:01 -08:00 committed by Copybara-Service
parent b30d56e871
commit 753eacd314
2 changed files with 7 additions and 19 deletions


@ -127,13 +127,10 @@ PolicyBuilder& PolicyBuilder::AllowScudoMalloc() {
PolicyBuilder& PolicyBuilder::AllowTcMalloc() { PolicyBuilder& PolicyBuilder::AllowTcMalloc() {
AllowTime(); AllowTime();
AllowRestartableSequences();
AllowSyscalls( AllowSyscalls(
{__NR_munmap, __NR_nanosleep, __NR_brk, __NR_mincore, __NR_membarrier}); {__NR_munmap, __NR_nanosleep, __NR_brk, __NR_mincore, __NR_membarrier});
AllowFutexOp(FUTEX_WAKE);
AllowLimitedMadvise(); AllowLimitedMadvise();
#ifdef __NR_rseq
AllowSyscall(__NR_rseq);
#endif
AddPolicyOnSyscall(__NR_mprotect, { AddPolicyOnSyscall(__NR_mprotect, {
ARG_32(2), ARG_32(2),
@ -436,7 +433,6 @@ PolicyBuilder& PolicyBuilder::AllowRestartableSequences() {
}; };
}); });
AddFile("/proc/self/cpuset");
#ifdef __NR_rseq #ifdef __NR_rseq
AllowSyscall(__NR_rseq); AllowSyscall(__NR_rseq);
#endif #endif
@ -446,8 +442,7 @@ PolicyBuilder& PolicyBuilder::AllowRestartableSequences() {
ARG_32(0), ARG_32(0),
JEQ32(SIG_SETMASK, ALLOW), JEQ32(SIG_SETMASK, ALLOW),
}); });
return AllowSyscalls({__NR_membarrier, __NR_getcpu, __NR_sched_getaffinity, return AllowSyscalls({__NR_membarrier, __NR_getcpu});
__NR_sched_setaffinity});
} }
PolicyBuilder& PolicyBuilder::AllowGetPIDs() { PolicyBuilder& PolicyBuilder::AllowGetPIDs() {
@ -810,15 +805,12 @@ PolicyBuilder& PolicyBuilder::AddFileAt(absl::string_view outside,
auto fixed_outside = std::move(fixed_outside_or).value(); auto fixed_outside = std::move(fixed_outside_or).value();
if (absl::StartsWith(fixed_outside, "/proc/self")) { if (absl::StartsWith(fixed_outside, "/proc/self")) {
// exception: /proc/self/cpuset
if (outside != "/proc/self/cpuset") {
SetError(absl::InvalidArgumentError( SetError(absl::InvalidArgumentError(
absl::StrCat("Cannot add /proc/self mounts, you need to mount the " absl::StrCat("Cannot add /proc/self mounts, you need to mount the "
"whole /proc instead. You tried to mount ", "whole /proc instead. You tried to mount ",
outside))); outside)));
return *this; return *this;
} }
}
if (auto status = mounts_.AddFileAt(fixed_outside, inside, is_ro); if (auto status = mounts_.AddFileAt(fixed_outside, inside, is_ro);
!status.ok()) { !status.ok()) {
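Review bot: In the first hunk, AllowTcMalloc now delegates to `AllowRestartableSequences();`, which (per the later hunks and the header comment) also allows futex(WAIT), sigmask(SET_MASK), getcpu and the anonymous PROT_READ|PROT_WRITE mmap rule, whereas the removed lines granted only `AllowFutexOp(FUTEX_WAKE)` and `__NR_rseq`; the tcmalloc policy is therefore wider than before in those respects, even though the title says "reduce requirements". That widening is probably intended, but the AllowTcMalloc doc comment (outside this diff) should say it delegates to AllowRestartableSequences and inherits that list, so policy reviewers do not infer the allowed surface from the commit title. Minor: `__NR_membarrier` stays in the `AllowSyscalls({__NR_munmap, ...})` list right below the new call while AllowRestartableSequences already returns `AllowSyscalls({__NR_membarrier, __NR_getcpu})`; dropping it from the tcmalloc list avoids two sources of truth. AllowTcMalloc's body continues past the hunk.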


@ -118,12 +118,8 @@ class PolicyBuilder final {
// - mmap(null, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS) // - mmap(null, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS)
// - getcpu, // - getcpu,
// - membarrier // - membarrier
// - sched_getaffinity
// - sched_setaffinity
// - futex(WAIT) and futex(WAKE) // - futex(WAIT) and futex(WAKE)
// - sigmask(SET_MASK) // - sigmask(SET_MASK)
// Allows these files (which will enable namespaces):
// - "/proc/self/cpuset"
PolicyBuilder& AllowRestartableSequences(); PolicyBuilder& AllowRestartableSequences();
// Appends code to allow the scudo version of malloc, free and // Appends code to allow the scudo version of malloc, free and