Add helper function for MADV_WIPEONFORK.
BoringSSL (which is the crypto library used by most Google products) is starting to use madvise(_, _, MADV_WIPEONFORK) to protect random-number state from being duplicated by fork(). This causes extra madvise calls that sandboxes need to permit in order to continue functioning. PiperOrigin-RevId: 309173849 Change-Id: I007dacc1ff1fd0ccc138caaa08735cfe5bc78234
parent
fea5e8c485
commit
79049b09c0
|
@ -85,6 +85,7 @@ PolicyBuilder& PolicyBuilder::AllowScudoMalloc() {
|
|||
AllowFutexOp(FUTEX_WAKE);
|
||||
AllowLimitedMadvise();
|
||||
AllowGetRandom();
|
||||
AllowWipeOnFork();
|
||||
|
||||
return AddPolicyOnMmap([](bpf_labels& labels) -> std::vector<sock_filter> {
|
||||
return {
|
||||
|
@ -426,6 +427,20 @@ PolicyBuilder& PolicyBuilder::AllowGetRandom() {
|
|||
});
|
||||
}
|
||||
|
||||
PolicyBuilder& PolicyBuilder::AllowWipeOnFork() {
|
||||
// System headers may not be recent enough to include MADV_WIPEONFORK.
|
||||
static constexpr uint32_t kMadv_WipeOnFork = 18;
|
||||
// The -1 value is used by code to probe that the kernel returns -EINVAL for
|
||||
// unknown values because some environments, like qemu, ignore madvise
|
||||
// completely, but code needs to know whether WIPEONFORK took effect.
|
||||
return AddPolicyOnSyscall(__NR_madvise,
|
||||
{
|
||||
ARG_32(2),
|
||||
JEQ32(kMadv_WipeOnFork, ALLOW),
|
||||
JEQ32(static_cast<uint32_t>(-1), ALLOW),
|
||||
});
|
||||
}
|
||||
|
||||
PolicyBuilder& PolicyBuilder::AllowLogForwarding() {
|
||||
AllowWrite();
|
||||
AllowSystemMalloc();
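Review bot: The hard-coded `static constexpr uint32_t kMadv_WipeOnFork = 18;` in AllowWipeOnFork is never cross-checked against the system header when that header does define the constant, so a value drift would silently make the filter allow the wrong advice. Keeping the fallback for old headers but adding `#ifdef MADV_WIPEONFORK` / `static_assert(MADV_WIPEONFORK == kMadv_WipeOnFork, "MADV_WIPEONFORK value mismatch");` / `#endif` right after the constant catches that on any toolchain recent enough to know the name. The second `JEQ32(static_cast<uint32_t>(-1), ALLOW)` is acceptable as written, since the comment above it documents that callers rely on the kernel rejecting the unknown advice with EINVAL and the filter only ever widens madvise to that single invalid value. The hunk also shows the tail of AllowGetRandom and the head of AllowLogForwarding, both of which continue outside it.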
|
||||
|
|
|
@ -289,8 +289,14 @@ class PolicyBuilder final {
|
|||
// Appends code to allow reading random bytes.
|
||||
// Allows these sycalls:
|
||||
// - getrandom (with no flags or GRND_NONBLOCK)
|
||||
//
|
||||
PolicyBuilder& AllowGetRandom();
|
||||
|
||||
// Appends code to allow configuring wipe-on-fork memory
|
||||
// Allows these syscalls:
|
||||
// - madvise (with advice equal to -1 or MADV_WIPEONFORK).
|
||||
PolicyBuilder& AllowWipeOnFork();
|
||||
|
||||
// Enables syscalls required to use the logging support enabled via
|
||||
// Client::SendLogsToSupervisor()
|
||||
// Allows the following:
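Review bot: The new comment `// Appends code to allow configuring wipe-on-fork memory` on AllowWipeOnFork is missing the trailing period that the neighbouring `// Appends code to allow reading random bytes.` uses, so the two entries read inconsistently. Since this header is the public documentation of the policy, the reason advice `-1` is permitted is worth a line here rather than only in the .cc, e.g. `//   (advice -1 is allowed so callers can probe whether the kernel honours MADV_WIPEONFORK; unknown advice values fail with EINVAL)`. The enclosing class declaration starts and ends outside the hunk.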
|
||||
|
|