diff --git a/sandboxed_api/sandbox2/policybuilder.cc b/sandboxed_api/sandbox2/policybuilder.cc
index d6f9a58..fd1cb92 100644
--- a/sandboxed_api/sandbox2/policybuilder.cc
+++ b/sandboxed_api/sandbox2/policybuilder.cc
@@ -85,6 +85,7 @@ PolicyBuilder& PolicyBuilder::AllowScudoMalloc() {
 AllowFutexOp(FUTEX_WAKE);
 AllowLimitedMadvise();
 AllowGetRandom();
+ AllowWipeOnFork();
 return AddPolicyOnMmap([](bpf_labels& labels) -> std::vector {
 return {
@@ -426,6 +427,20 @@ PolicyBuilder& PolicyBuilder::AllowGetRandom() {
 });
 }
+PolicyBuilder& PolicyBuilder::AllowWipeOnFork() {
+ // System headers may not be recent enough to include MADV_WIPEONFORK.
+ static constexpr uint32_t kMadv_WipeOnFork = 18;
+ // The -1 value is used by code to probe that the kernel returns -EINVAL for
+ // unknown values because some environments, like qemu, ignore madvise
+ // completely, but code needs to know whether WIPEONFORK took effect.
+ return AddPolicyOnSyscall(__NR_madvise,
+ {
+ ARG_32(2),
+ JEQ32(kMadv_WipeOnFork, ALLOW),
+ JEQ32(static_cast(-1), ALLOW),
+ });
+}
+
 PolicyBuilder& PolicyBuilder::AllowLogForwarding() {
 AllowWrite();
 AllowSystemMalloc();
diff --git a/sandboxed_api/sandbox2/policybuilder.h b/sandboxed_api/sandbox2/policybuilder.h
index 4dcc095..f05023c 100644
--- a/sandboxed_api/sandbox2/policybuilder.h
+++ b/sandboxed_api/sandbox2/policybuilder.h
@@ -289,8 +289,14 @@ class PolicyBuilder final {
 // Appends code to allow reading random bytes.
 // Allows these sycalls:
 // - getrandom (with no flags or GRND_NONBLOCK)
+ //
 PolicyBuilder& AllowGetRandom();
+ // Appends code to allow configuring wipe-on-fork memory
+ // Allows these syscalls:
+ // - madvise (with advice equal to -1 or MADV_WIPEONFORK).
+ PolicyBuilder& AllowWipeOnFork();
+
 // Enables syscalls required to use the logging support enabled via
 // Client::SendLogsToSupervisor()
 // Allows the following:
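Review bot: The new `AllowWipeOnFork();` call installs a second policy block on `__NR_madvise`, right after `AllowLimitedMadvise();` has already installed one for the same syscall, and nothing in this hunk shows how two `AddPolicyOnSyscall` blocks for one syscall compose. If the builder falls through to the next block when the first one's advice checks do not match, this is fine; if the first block ends in a terminal action or the builder rejects duplicate syscall policies, the new advice values would never be reachable from the Scudo policy, so it is worth confirming with a test that `madvise(..., MADV_WIPEONFORK)` is actually allowed after this call. A one-line comment such as `// Separate madvise block; relies on AddPolicyOnSyscall blocks falling through on no match.` would make the dependency explicit. AllowScudoMalloc() starts and ends outside the hunk.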
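Review bot: The hard-coded `static constexpr uint32_t kMadv_WipeOnFork = 18;` is never cross-checked against the real header constant, so a toolchain whose headers do define `MADV_WIPEONFORK` gives no signal if the two ever disagree; the fallback is reasonable, but it should be pinned with `#ifdef MADV_WIPEONFORK`, `static_assert(MADV_WIPEONFORK == kMadv_WipeOnFork);`, `#endif` directly below the definition. The allowed `-1` probe value is a deliberate widening of the madvise surface beyond `AllowLimitedMadvise`, and the comment explains why; since the kernel rejects unknown advice with EINVAL the risk is negligible, but it would help to state in the comment that this intentionally admits any addr/len for those two advice values only. In this rendering `static_cast(-1)` appears without its template argument, presumably `static_cast<uint32_t>(-1)`; if the source really lacks it, it will not compile. Style-wise, `kMadv_WipeOnFork` mixes the file's `kCamelCase` constant naming with an underscore; `kMadvWipeOnFork` would match the surrounding code.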
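Review bot: The added bare `//` line just above `PolicyBuilder& AllowGetRandom();` looks accidental: it neither continues the getrandom comment nor separates declarations the way the rest of the class does (a blank line), and it detaches the three comment lines from the declaration they document for tools that read leading comments. Drop it and keep the existing blank line between `AllowGetRandom();` and the new `AllowWipeOnFork` comment block. The new comment should also end its first sentence with a period to match its neighbours: `// Appends code to allow configuring wipe-on-fork memory.`; while touching this area, the pre-existing `sycalls` typo in the getrandom comment is worth fixing in the same change.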