From 970257d87b0da50257148881a48150ef7b311ebf Mon Sep 17 00:00:00 2001
From: Sandboxed API Team
Date: Fri, 7 Jun 2019 07:52:51 -0700
Subject: [PATCH] Allow two madvise calls for asan & tsan builds.

https://github.com/llvm-mirror/compiler-rt/blob/bbfa21f177382697849e8bcde679d2e146856911/lib/sanitizer_common/sanitizer_posix_libcdep.cc#L71

PiperOrigin-RevId: 252048323
Change-Id: I457e708f0b024fd9db4ad39265cb904777ca52b5
---
 sandboxed_api/sandbox.cc | 6 ++++++
 sandboxed_api/sandbox2/policybuilder.cc | 11 +++++++++++
 sandboxed_api/sandbox2/policybuilder.h | 7 +++++++
 3 files changed, 24 insertions(+)

diff --git a/sandboxed_api/sandbox.cc b/sandboxed_api/sandbox.cc
index 05f6ad8..93933c8 100644
--- a/sandboxed_api/sandbox.cc
+++ b/sandboxed_api/sandbox.cc
@@ -92,6 +92,12 @@ void InitDefaultPolicyBuilder(sandbox2::PolicyBuilder* builder) {
 })
 .AddFile("/etc/localtime")
 .AddTmpfs("/tmp", 1ULL << 30 /* 1GiB tmpfs (max size) */);
+#if defined(ADDRESS_SANITIZER) || defined(MEMORY_SANITIZER) || \
+ defined(THREAD_SANITIZER)
+ LOG(WARNING) << "Allowing additional calls to support the LLVM "
+ << "(ASAN/MSAN/TSAN) sanitizer";
+ builder->AllowLlvmSanitizers();
+#endif
 }

 void Sandbox::Terminate(bool attempt_graceful_exit) {
diff --git a/sandboxed_api/sandbox2/policybuilder.cc b/sandboxed_api/sandbox2/policybuilder.cc
index e585c06..56bc6e1 100644
--- a/sandboxed_api/sandbox2/policybuilder.cc
+++ b/sandboxed_api/sandbox2/policybuilder.cc
@@ -173,6 +173,17 @@ PolicyBuilder& PolicyBuilder::AllowSystemMalloc() {
 return *this;
 }

+PolicyBuilder& PolicyBuilder::AllowLlvmSanitizers() {
+#if defined(ADDRESS_SANITIZER) || defined(THREAD_SANITIZER)
+ AddPolicyOnSyscall(__NR_madvise, {
+ ARG_32(2),
+ JEQ32(MADV_DONTDUMP, ALLOW),
+ JEQ32(MADV_NOHUGEPAGE, ALLOW),
+ });
+#endif
+ return *this;
+}
+
 PolicyBuilder& PolicyBuilder::AllowLimitedMadvise() {
 return AddPolicyOnSyscall(__NR_madvise, {
 ARG_32(2),
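Review bot: The guard here and the warning text both include MSAN, but the `#if` inside `PolicyBuilder::AllowLlvmSanitizers()` in policybuilder.cc covers only ASAN and TSAN, so an MSan build logs that extra calls are being allowed while the policy is in fact unchanged. A log line that misreports what a seccomp policy permits is worth avoiding: either narrow this guard to `#if defined(ADDRESS_SANITIZER) || defined(THREAD_SANITIZER)` and drop MSAN from the message, or add the MSan case in policybuilder.cc. The header comment in policybuilder.h names memory sanitizer as well and would need the same adjustment. Naming the syscall (`madvise`) in the message would also help anyone auditing the effective policy from logs. `InitDefaultPolicyBuilder` begins above this hunk.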
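Review bot: `AllowLlvmSanitizers()` carries no comment saying why exactly these two advice values are permitted, and its whole body sits inside the `#if`, so in a regular build the call silently does nothing. I would add above `AddPolicyOnSyscall` something like `// The sanitizer runtime calls madvise() with MADV_DONTDUMP and MADV_NOHUGEPAGE (see compiler-rt sanitizer_posix_libcdep.cc); allow only those advice values.` The gating is decided by how this library is compiled, which presumably matches the sandboxee's build but is not checked here, so that assumption is worth stating in the comment too.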
diff --git a/sandboxed_api/sandbox2/policybuilder.h b/sandboxed_api/sandbox2/policybuilder.h
index 93686b2..628f8ea 100644
--- a/sandboxed_api/sandbox2/policybuilder.h
+++ b/sandboxed_api/sandbox2/policybuilder.h
@@ -139,6 +139,13 @@ class PolicyBuilder final {
 // friends.
 PolicyBuilder& AllowTcMalloc();

+ // Allows system calls typically used by the LLVM sanitizers (address
+ // sanitizer, memory sanitizer, and thread sanitizer). This method is
+ // intended as a best effort for adding system calls that are common to many
+ // binaries. It may not be fully inclusive of all potential system calls for
+ // all binaries.
+ PolicyBuilder& AllowLlvmSanitizers();
+
 // Appends code to allow mmap. Specifically this allows the mmap2 syscall on
 // architectures where this syscalls exist and the mmap syscall on all other
 // architectures.
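Review bot: The doc comment on `AllowLlvmSanitizers()` stays generic ("system calls typically used by the LLVM sanitizers") although the method widens the seccomp policy, so a reader of the header cannot tell what is actually permitted. As implemented in this commit it adds only `madvise` with `MADV_DONTDUMP` or `MADV_NOHUGEPAGE`, and only when built with ASAN or TSAN. I would append `// Currently allows only madvise() with MADV_DONTDUMP or MADV_NOHUGEPAGE, and is a no-op unless built with ASAN or TSAN.` The class body starts and ends outside the hunk.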