Allow two madvise calls for asan & tsan builds.

bbfa21f177/lib/sanitizer_common/sanitizer_posix_libcdep.cc (L71) PiperOrigin-RevId: 252048323 Change-Id: I457e708f0b024fd9db4ad39265cb904777ca52b5
2019-06-07 07:52:51 -07:00 · 2019-06-07 07:52:51 -07:00 · 970257d87b
parent dfbfb5cc43
commit 970257d87b
3 changed files with 24 additions and 0 deletions
--- a/sandboxed_api/sandbox.cc
+++ b/sandboxed_api/sandbox.cc
@ -92,6 +92,12 @@ void InitDefaultPolicyBuilder(sandbox2::PolicyBuilder* builder) {
      })
      .AddFile("/etc/localtime")
      .AddTmpfs("/tmp", 1ULL << 30 /* 1GiB tmpfs (max size) */);
+#if defined(ADDRESS_SANITIZER) || defined(MEMORY_SANITIZER) || \
+    defined(THREAD_SANITIZER)
+  LOG(WARNING) << "Allowing additional calls to support the LLVM "
+               << "(ASAN/MSAN/TSAN) sanitizer";
+  builder->AllowLlvmSanitizers();
+#endif
 }

 void Sandbox::Terminate(bool attempt_graceful_exit) {
--- a/sandboxed_api/sandbox2/policybuilder.cc
+++ b/sandboxed_api/sandbox2/policybuilder.cc
@ -173,6 +173,17 @@ PolicyBuilder& PolicyBuilder::AllowSystemMalloc() {
  return *this;
 }

+PolicyBuilder& PolicyBuilder::AllowLlvmSanitizers() {
+#if defined(ADDRESS_SANITIZER) || defined(THREAD_SANITIZER)
+  AddPolicyOnSyscall(__NR_madvise, {
+                                       ARG_32(2),
+                                       JEQ32(MADV_DONTDUMP, ALLOW),
+                                       JEQ32(MADV_NOHUGEPAGE, ALLOW),
+                                   });
+#endif
+  return *this;
+}
+
 PolicyBuilder& PolicyBuilder::AllowLimitedMadvise() {
  return AddPolicyOnSyscall(__NR_madvise, {
                                              ARG_32(2),
--- a/sandboxed_api/sandbox2/policybuilder.h
+++ b/sandboxed_api/sandbox2/policybuilder.h
@ -139,6 +139,13 @@ class PolicyBuilder final {
  // friends.
  PolicyBuilder& AllowTcMalloc();

+  // Allows system calls typically used by the LLVM sanitizers (address
+  // sanitizer, memory sanitizer, and thread sanitizer). This method is
+  // intended as a best effort for adding system calls that are common to many
+  // binaries. It may not be fully inclusive of all potential system calls for
+  // all binaries.
+  PolicyBuilder& AllowLlvmSanitizers();
+
  // Appends code to allow mmap. Specifically this allows the mmap2 syscall on
  // architectures where this syscalls exist and the mmap syscall on all other
  // architectures.