Reduce requirements for restartable sequences
PiperOrigin-RevId: 361780465 Change-Id: I299bc55c94d60575e16f0ea6b5f82b8b793af1cb
This commit is contained in:
parent
b30d56e871
commit
753eacd314
@ -127,13 +127,10 @@ PolicyBuilder& PolicyBuilder::AllowScudoMalloc() {
PolicyBuilder& PolicyBuilder::AllowTcMalloc() {
PolicyBuilder& PolicyBuilder::AllowTcMalloc() {
AllowTime();
AllowTime();
AllowRestartableSequences();
AllowSyscalls(
AllowSyscalls(
{__NR_munmap, __NR_nanosleep, __NR_brk, __NR_mincore, __NR_membarrier});
{__NR_munmap, __NR_nanosleep, __NR_brk, __NR_mincore, __NR_membarrier});
AllowFutexOp(FUTEX_WAKE);
AllowLimitedMadvise();
AllowLimitedMadvise();
#ifdef __NR_rseq
AllowSyscall(__NR_rseq);
#endif
AddPolicyOnSyscall(__NR_mprotect, {
AddPolicyOnSyscall(__NR_mprotect, {
ARG_32(2),
ARG_32(2),
@ -436,7 +433,6 @@ PolicyBuilder& PolicyBuilder::AllowRestartableSequences() {
};
};
});
});
AddFile("/proc/self/cpuset");
#ifdef __NR_rseq
#ifdef __NR_rseq
AllowSyscall(__NR_rseq);
AllowSyscall(__NR_rseq);
#endif
#endif
@ -446,8 +442,7 @@ PolicyBuilder& PolicyBuilder::AllowRestartableSequences() {
ARG_32(0),
ARG_32(0),
JEQ32(SIG_SETMASK, ALLOW),
JEQ32(SIG_SETMASK, ALLOW),
});
});
return AllowSyscalls({__NR_membarrier, __NR_getcpu, __NR_sched_getaffinity,
return AllowSyscalls({__NR_membarrier, __NR_getcpu});
__NR_sched_setaffinity});
}
}
PolicyBuilder& PolicyBuilder::AllowGetPIDs() {
PolicyBuilder& PolicyBuilder::AllowGetPIDs() {
@ -810,15 +805,12 @@ PolicyBuilder& PolicyBuilder::AddFileAt(absl::string_view outside,
auto fixed_outside = std::move(fixed_outside_or).value();
auto fixed_outside = std::move(fixed_outside_or).value();
if (absl::StartsWith(fixed_outside, "/proc/self")) {
if (absl::StartsWith(fixed_outside, "/proc/self")) {
// exception: /proc/self/cpuset
if (outside != "/proc/self/cpuset") {
SetError(absl::InvalidArgumentError(
SetError(absl::InvalidArgumentError(
absl::StrCat("Cannot add /proc/self mounts, you need to mount the "
absl::StrCat("Cannot add /proc/self mounts, you need to mount the "
"whole /proc instead. You tried to mount ",
"whole /proc instead. You tried to mount ",
outside)));
outside)));
return *this;
return *this;
}
}
}
if (auto status = mounts_.AddFileAt(fixed_outside, inside, is_ro);
if (auto status = mounts_.AddFileAt(fixed_outside, inside, is_ro);
!status.ok()) {
!status.ok()) {
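Review bot: A tcmalloc policy now admits more than the futex(WAKE) and rseq it previously asked for, because the new `AllowRestartableSequences();` call at the top of AllowTcMalloc also grants everything that helper allows — per this commit's own header comment, anonymous mmap, futex(WAIT), getcpu and the SIG_SETMASK-only signal-mask rule. The widening is probably intentional, but it is invisible to callers of AllowTcMalloc(), whose header comment is outside this hunk; suggest recording it there as `// Also pulls in AllowRestartableSequences(), which additionally permits futex(WAIT), anonymous mmap, getcpu and sigmask(SET_MASK).` The `#ifdef __NR_rseq` guard dropped from AllowTcMalloc still exists inside AllowRestartableSequences in the second hunk, so kernels without rseq are not regressed. AllowTcMalloc's body continues past the end of the hunk.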
@ -118,12 +118,8 @@ class PolicyBuilder final {
// - mmap(null, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS)
// - mmap(null, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS)
// - getcpu,
// - getcpu,
// - membarrier
// - membarrier
// - sched_getaffinity
// - sched_setaffinity
// - futex(WAIT) and futex(WAKE)
// - futex(WAIT) and futex(WAKE)
// - sigmask(SET_MASK)
// - sigmask(SET_MASK)
// Allows these files (which will enable namespaces):
// - "/proc/self/cpuset"
PolicyBuilder& AllowRestartableSequences();
PolicyBuilder& AllowRestartableSequences();
// Appends code to allow the scudo version of malloc, free and
// Appends code to allow the scudo version of malloc, free and