Add helper function for MADV_WIPEONFORK.
BoringSSL (which is the crypto library used by most Google products) is starting to use madvise(_, _, MADV_WIPEONFORK) to protect random-number state from being duplicated by fork(). This causes extra madvise calls that sandboxes need to permit in order to continue functioning. PiperOrigin-RevId: 309173849 Change-Id: I007dacc1ff1fd0ccc138caaa08735cfe5bc78234
This commit is contained in:
parent
fea5e8c485
commit
79049b09c0
@ -85,6 +85,7 @@ PolicyBuilder& PolicyBuilder::AllowScudoMalloc() {
|
||||||
AllowFutexOp(FUTEX_WAKE);
|
AllowFutexOp(FUTEX_WAKE);
|
||||||
AllowLimitedMadvise();
|
AllowLimitedMadvise();
|
||||||
AllowGetRandom();
|
AllowGetRandom();
|
||||||
|
AllowWipeOnFork();
|
||||||
|
|
||||||
return AddPolicyOnMmap([](bpf_labels& labels) -> std::vector<sock_filter> {
|
return AddPolicyOnMmap([](bpf_labels& labels) -> std::vector<sock_filter> {
|
||||||
return {
|
return {
|
||||||
|
@ -426,6 +427,20 @@ PolicyBuilder& PolicyBuilder::AllowGetRandom() {
|
||||||
});
|
});
|
||||||
}
|
}
|
||||||
|
|
||||||
|
PolicyBuilder& PolicyBuilder::AllowWipeOnFork() {
|
||||||
|
// System headers may not be recent enough to include MADV_WIPEONFORK.
|
||||||
|
static constexpr uint32_t kMadv_WipeOnFork = 18;
|
||||||
|
// The -1 value is used by code to probe that the kernel returns -EINVAL for
|
||||||
|
// unknown values because some environments, like qemu, ignore madvise
|
||||||
|
// completely, but code needs to know whether WIPEONFORK took effect.
|
||||||
|
return AddPolicyOnSyscall(__NR_madvise,
|
||||||
|
{
|
||||||
|
ARG_32(2),
|
||||||
|
JEQ32(kMadv_WipeOnFork, ALLOW),
|
||||||
|
JEQ32(static_cast<uint32_t>(-1), ALLOW),
|
||||||
|
});
|
||||||
|
}
|
||||||
|
|
||||||
PolicyBuilder& PolicyBuilder::AllowLogForwarding() {
|
PolicyBuilder& PolicyBuilder::AllowLogForwarding() {
|
||||||
AllowWrite();
|
AllowWrite();
|
||||||
AllowSystemMalloc();
|
AllowSystemMalloc();
|
||||||
|
|
|
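Review bot: The hard-coded `18` for MADV_WIPEONFORK in AllowWipeOnFork is never cross-checked against the system header, so on a toolchain that does define the macro a divergence would silently allow the wrong advice value and block the intended one; guard the constant with `#ifdef MADV_WIPEONFORK` / `static_assert(MADV_WIPEONFORK == kMadv_WipeOnFork, "MADV_WIPEONFORK value drifted");` / `#endif`. The rule compares only the low 32 bits through ARG_32(2), which is adequate because madvise's advice argument is an `int`, and the comment could state that the -1 probe is safe to allow only because the kernel answers unknown advice with EINVAL while the policy deliberately leaves the address range unconstrained. The name `kMadv_WipeOnFork` mixes an underscore into a kCamelCase constant; `kMadvWipeOnFork` would match the usual convention. The earlier hunk wires this into AllowScudoMalloc, which is an allocator preset rather than a crypto one; if other allocator presets exist (AllowSystemMalloc is referenced at the end of this hunk), sandboxees that link BoringSSL but use those presets presumably still lack the rule — worth confirming and documenting which preset is expected to carry it.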
@ -289,8 +289,14 @@ class PolicyBuilder final {
|
||||||
// Appends code to allow reading random bytes.
|
// Appends code to allow reading random bytes.
|
||||||
// Allows these sycalls:
|
// Allows these sycalls:
|
||||||
// - getrandom (with no flags or GRND_NONBLOCK)
|
// - getrandom (with no flags or GRND_NONBLOCK)
|
||||||
|
//
|
||||||
PolicyBuilder& AllowGetRandom();
|
PolicyBuilder& AllowGetRandom();
|
||||||
|
|
||||||
|
// Appends code to allow configuring wipe-on-fork memory
|
||||||
|
// Allows these syscalls:
|
||||||
|
// - madvise (with advice equal to -1 or MADV_WIPEONFORK).
|
||||||
|
PolicyBuilder& AllowWipeOnFork();
|
||||||
|
|
||||||
// Enables syscalls required to use the logging support enabled via
|
// Enables syscalls required to use the logging support enabled via
|
||||||
// Client::SendLogsToSupervisor()
|
// Client::SendLogsToSupervisor()
|
||||||
// Allows the following:
|
// Allows the following:
|
||||||
|
|
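Review bot: The new header comment for AllowWipeOnFork does not explain why advice -1 is permitted, which reads as an unexplained hole in the policy to anyone who has not seen the rationale in the .cc file, and its first line lacks a terminating period unlike the neighbouring entries. I would extend the bullet to `// - madvise (with advice equal to MADV_WIPEONFORK, or -1, which BoringSSL` followed by a line noting that the -1 call is a probe that expects EINVAL so callers can tell whether WIPEONFORK actually took effect, and end the first line with `memory.`. Stating that the advice value is matched by number because older headers may lack MADV_WIPEONFORK would also help readers who grep for the macro and find no use of it.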