From 79049b09c0b3ebc80f9ebbcd960e0fa84905d396 Mon Sep 17 00:00:00 2001
From: Sandboxed API Team
Date: Thu, 30 Apr 2020 00:08:31 -0700
Subject: [PATCH] Add helper function for MADV_WIPEONFORK.

BoringSSL (which is the crypto library used by most Google products) is starting to use madvise(_, _, MADV_WIPEONFORK) to protect random-number state from being duplicated by fork(). This causes extra madvise calls that sandboxes need to permit in order to continue functioning.

PiperOrigin-RevId: 309173849
Change-Id: I007dacc1ff1fd0ccc138caaa08735cfe5bc78234
---
 sandboxed_api/sandbox2/policybuilder.cc | 15 +++++++++++++++
 sandboxed_api/sandbox2/policybuilder.h | 6 ++++++
 2 files changed, 21 insertions(+)

diff --git a/sandboxed_api/sandbox2/policybuilder.cc b/sandboxed_api/sandbox2/policybuilder.cc
index d6f9a58..fd1cb92 100644
--- a/sandboxed_api/sandbox2/policybuilder.cc
+++ b/sandboxed_api/sandbox2/policybuilder.cc
@@ -85,6 +85,7 @@ PolicyBuilder& PolicyBuilder::AllowScudoMalloc() {
   AllowFutexOp(FUTEX_WAKE);
   AllowLimitedMadvise();
   AllowGetRandom();
+  AllowWipeOnFork();
 
   return AddPolicyOnMmap([](bpf_labels& labels) -> std::vector {
     return {
@@ -426,6 +427,20 @@ PolicyBuilder& PolicyBuilder::AllowGetRandom() {
   });
 }
 
+PolicyBuilder& PolicyBuilder::AllowWipeOnFork() {
+  // System headers may not be recent enough to include MADV_WIPEONFORK.
+  static constexpr uint32_t kMadv_WipeOnFork = 18;
+  // The -1 value is used by code to probe that the kernel returns -EINVAL for
+  // unknown values because some environments, like qemu, ignore madvise
+  // completely, but code needs to know whether WIPEONFORK took effect.
+  return AddPolicyOnSyscall(__NR_madvise,
+                            {
+                                ARG_32(2),
+                                JEQ32(kMadv_WipeOnFork, ALLOW),
+                                JEQ32(static_cast(-1), ALLOW),
+                            });
+}
+
 PolicyBuilder& PolicyBuilder::AllowLogForwarding() {
   AllowWrite();
   AllowSystemMalloc();
diff --git a/sandboxed_api/sandbox2/policybuilder.h b/sandboxed_api/sandbox2/policybuilder.h
index 4dcc095..f05023c 100644
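Review bot: The documentation of AllowScudoMalloc is not updated for the madvise advice values it now permits through the added `AllowWipeOnFork();` call in the first hunk, so a policy author reading the header cannot tell that this builder widens the madvise surface. If the declaration of AllowScudoMalloc in policybuilder.h carries an "Allows these syscalls:" list in the same style as the AllowGetRandom comment shown in this diff, add `// - madvise (with advice equal to -1 or MADV_WIPEONFORK)` to it. The body of AllowScudoMalloc continues past the end of the hunk.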
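Review bot: The hard-coded `static constexpr uint32_t kMadv_WipeOnFork = 18;` in AllowWipeOnFork is never cross-checked against the system header, so if the two ever disagree the policy would silently allow a different advice value while the real MADV_WIPEONFORK call is still rejected. Tie the constant to the macro wherever it is available by adding, directly after the constant, `#ifdef MADV_WIPEONFORK` / `static_assert(MADV_WIPEONFORK == kMadv_WipeOnFork, "MADV_WIPEONFORK value mismatch");` / `#endif` (this presumes <sys/mman.h> is already included by this file, which the existing madvise helpers suggest). Since the filter loads only `ARG_32(2)`, the address and length arguments are unconstrained for these two advice values; that is fine for a probe that the kernel answers with -EINVAL and for wiping the sandboxee's own pages, but it is worth stating, e.g. `// Only the advice argument is inspected; addr/len are left unconstrained.`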
--- a/sandboxed_api/sandbox2/policybuilder.h
+++ b/sandboxed_api/sandbox2/policybuilder.h
@@ -289,8 +289,14 @@ class PolicyBuilder final {
   // Appends code to allow reading random bytes.
   // Allows these sycalls:
   // - getrandom (with no flags or GRND_NONBLOCK)
+  //
   PolicyBuilder& AllowGetRandom();
 
+  // Appends code to allow configuring wipe-on-fork memory
+  // Allows these syscalls:
+  // - madvise (with advice equal to -1 or MADV_WIPEONFORK).
+  PolicyBuilder& AllowWipeOnFork();
+
   // Enables syscalls required to use the logging support enabled via
   // Client::SendLogsToSupervisor()
   // Allows the following:
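Review bot: The added `+  //` line appended to the AllowGetRandom comment block is an empty comment with no content and looks unintended; it should be dropped rather than left as a stray separator. The new AllowWipeOnFork comment also does not explain why -1 is an accepted advice value, which a reader of the header cannot learn without opening the .cc file; extend the last bullet to `// - madvise (with advice equal to MADV_WIPEONFORK, or -1, which callers use to` / `//   probe that the kernel honours madvise by expecting -EINVAL).` The first line, `// Appends code to allow configuring wipe-on-fork memory`, is missing its terminating period, unlike the neighbouring comments.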