Reduce requirements for restartable sequences
PiperOrigin-RevId: 361780465 Change-Id: I299bc55c94d60575e16f0ea6b5f82b8b793af1cb
This commit is contained in:
parent
b30d56e871
commit
753eacd314
@ -127,13 +127,10 @@ PolicyBuilder& PolicyBuilder::AllowScudoMalloc() {
|
|||
|
||||
PolicyBuilder& PolicyBuilder::AllowTcMalloc() {
|
||||
AllowTime();
|
||||
AllowRestartableSequences();
|
||||
AllowSyscalls(
|
||||
{__NR_munmap, __NR_nanosleep, __NR_brk, __NR_mincore, __NR_membarrier});
|
||||
AllowFutexOp(FUTEX_WAKE);
|
||||
AllowLimitedMadvise();
|
||||
#ifdef __NR_rseq
|
||||
AllowSyscall(__NR_rseq);
|
||||
#endif
|
||||
|
||||
AddPolicyOnSyscall(__NR_mprotect, {
|
||||
ARG_32(2),
|
||||
|
@ -436,7 +433,6 @@ PolicyBuilder& PolicyBuilder::AllowRestartableSequences() {
|
|||
};
|
||||
});
|
||||
|
||||
AddFile("/proc/self/cpuset");
|
||||
#ifdef __NR_rseq
|
||||
AllowSyscall(__NR_rseq);
|
||||
#endif
|
||||
|
@ -446,8 +442,7 @@ PolicyBuilder& PolicyBuilder::AllowRestartableSequences() {
|
|||
ARG_32(0),
|
||||
JEQ32(SIG_SETMASK, ALLOW),
|
||||
});
|
||||
return AllowSyscalls({__NR_membarrier, __NR_getcpu, __NR_sched_getaffinity,
|
||||
__NR_sched_setaffinity});
|
||||
return AllowSyscalls({__NR_membarrier, __NR_getcpu});
|
||||
}
|
||||
|
||||
PolicyBuilder& PolicyBuilder::AllowGetPIDs() {
|
||||
|
@ -810,15 +805,12 @@ PolicyBuilder& PolicyBuilder::AddFileAt(absl::string_view outside,
|
|||
auto fixed_outside = std::move(fixed_outside_or).value();
|
||||
|
||||
if (absl::StartsWith(fixed_outside, "/proc/self")) {
|
||||
// exception: /proc/self/cpuset
|
||||
if (outside != "/proc/self/cpuset") {
|
||||
SetError(absl::InvalidArgumentError(
|
||||
absl::StrCat("Cannot add /proc/self mounts, you need to mount the "
|
||||
"whole /proc instead. You tried to mount ",
|
||||
outside)));
|
||||
return *this;
|
||||
}
|
||||
}
|
||||
|
||||
if (auto status = mounts_.AddFileAt(fixed_outside, inside, is_ro);
|
||||
!status.ok()) {
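Review bot: With the cpuset exception removed, the surviving guard `if (absl::StartsWith(fixed_outside, "/proc/self"))` is a bare prefix match, so any canonical path that merely begins with those characters is rejected as a /proc/self mount; if the intent is the directory itself and its subtree, the check reads more precisely as `if (fixed_outside == "/proc/self" || absl::StartsWith(fixed_outside, "/proc/self/"))`. The error message still reports the caller-supplied `outside` while the check runs on `fixed_outside`; that is helpful to the user, but the two can presumably differ after the canonicalisation that happens above the hunk, so a reader may want a short comment saying the check is deliberately done on the fixed path. AddFileAt's body continues on both sides of the hunk.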
|
||||
|
@ -118,12 +118,8 @@ class PolicyBuilder final {
|
|||
// - mmap(null, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS)
|
||||
// - getcpu,
|
||||
// - membarrier
|
||||
// - sched_getaffinity
|
||||
// - sched_setaffinity
|
||||
// - futex(WAIT) and futex(WAKE)
|
||||
// - sigmask(SET_MASK)
|
||||
// Allows these files (which will enable namespaces):
|
||||
// - "/proc/self/cpuset"
|
||||
PolicyBuilder& AllowRestartableSequences();
|
||||
|
||||
// Appends code to allow the scudo version of malloc, free and
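Review bot: The syscall list in this comment does not name `rseq`, which `AllowRestartableSequences()` allows under `#ifdef __NR_rseq` in the implementation hunk; unless it appears in the part of the list above this hunk, add `// - rseq (when the syscall exists in the build's kernel headers)` next to getcpu and membarrier so the documented policy matches what is granted. Dropping the sched_getaffinity, sched_setaffinity and "/proc/self/cpuset" entries keeps the comment in step with the narrowed implementation. The comment block begins above the hunk.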
|
||||
|