Add helper function for MADV_WIPEONFORK.

BoringSSL (which is the crypto library used by most Google products) is starting to use madvise(_, _, MADV_WIPEONFORK) to protect random-number state from being duplicated by fork(). This causes extra madvise calls that sandboxes need to permit in order to continue functioning. PiperOrigin-RevId: 309173849 Change-Id: I007dacc1ff1fd0ccc138caaa08735cfe5bc78234
2024-03-22 13:11:30 +08:00 · 2020-04-30 00:08:31 -07:00 · 2020-04-30 00:08:31 -07:00 · 79049b09c0
commit 79049b09c0
parent fea5e8c485
2 changed files with 21 additions and 0 deletions
--- a/sandboxed_api/sandbox2/policybuilder.cc
+++ b/sandboxed_api/sandbox2/policybuilder.cc
@ -85,6 +85,7 @@ PolicyBuilder& PolicyBuilder::AllowScudoMalloc() {
  AllowFutexOp(FUTEX_WAKE);
  AllowLimitedMadvise();
  AllowGetRandom();
+  AllowWipeOnFork();

  return AddPolicyOnMmap([](bpf_labels& labels) -> std::vector<sock_filter> {
    return {
@ -426,6 +427,20 @@ PolicyBuilder& PolicyBuilder::AllowGetRandom() {
                                            });
 }

+PolicyBuilder& PolicyBuilder::AllowWipeOnFork() {
+  // System headers may not be recent enough to include MADV_WIPEONFORK.
+  static constexpr uint32_t kMadv_WipeOnFork = 18;
+  // The -1 value is used by code to probe that the kernel returns -EINVAL for
+  // unknown values because some environments, like qemu, ignore madvise
+  // completely, but code needs to know whether WIPEONFORK took effect.
+  return AddPolicyOnSyscall(__NR_madvise,
+                            {
+                                ARG_32(2),
+                                JEQ32(kMadv_WipeOnFork, ALLOW),
+                                JEQ32(static_cast<uint32_t>(-1), ALLOW),
+                            });
+}
+
 PolicyBuilder& PolicyBuilder::AllowLogForwarding() {
  AllowWrite();
  AllowSystemMalloc();
--- a/sandboxed_api/sandbox2/policybuilder.h
+++ b/sandboxed_api/sandbox2/policybuilder.h
@ -289,8 +289,14 @@ class PolicyBuilder final {
  // Appends code to allow reading random bytes.
  // Allows these sycalls:
  // - getrandom (with no flags or GRND_NONBLOCK)
+  //
  PolicyBuilder& AllowGetRandom();

+  // Appends code to allow configuring wipe-on-fork memory
+  // Allows these syscalls:
+  // - madvise (with advice equal to -1 or MADV_WIPEONFORK).
+  PolicyBuilder& AllowWipeOnFork();
+
  // Enables syscalls required to use the logging support enabled via
  // Client::SendLogsToSupervisor()
  // Allows the following: