Add policy helper to allow restartable sequences

PiperOrigin-RevId: 360266444
Change-Id: I0a3d2d071972bf7d6e7114a428c6954ed4bcef5c
Martijn Vels 2021-03-01 13:39:13 -08:00 committed by Copybara-Service
parent 9979faf752
commit b30d56e871
2 changed files with 47 additions and 5 deletions


@ -425,6 +425,31 @@ PolicyBuilder& PolicyBuilder::AllowGetIDs() {
});
}
PolicyBuilder& PolicyBuilder::AllowRestartableSequences() {
AddPolicyOnMmap([](bpf_labels& labels) -> std::vector<sock_filter> {
return {
ARG_32(2), // prot
JEQ32(PROT_READ | PROT_WRITE, ALLOW),
ARG_32(3), // flags
JEQ32(MAP_PRIVATE | MAP_ANONYMOUS, ALLOW),
};
});
AddFile("/proc/self/cpuset");
#ifdef __NR_rseq
AllowSyscall(__NR_rseq);
#endif
AllowFutexOp(FUTEX_WAIT);
AllowFutexOp(FUTEX_WAKE);
AddPolicyOnSyscall(__NR_rt_sigprocmask, {
ARG_32(0),
JEQ32(SIG_SETMASK, ALLOW),
});
return AllowSyscalls({__NR_membarrier, __NR_getcpu, __NR_sched_getaffinity,
__NR_sched_setaffinity});
}
PolicyBuilder& PolicyBuilder::AllowGetPIDs() {
return AllowSyscalls({
__NR_getpid,
@ -785,11 +810,14 @@ PolicyBuilder& PolicyBuilder::AddFileAt(absl::string_view outside,
auto fixed_outside = std::move(fixed_outside_or).value();
if (absl::StartsWith(fixed_outside, "/proc/self")) {
SetError(absl::InvalidArgumentError(
absl::StrCat("Cannot add /proc/self mounts, you need to mount the "
"whole /proc instead. You tried to mount ",
outside)));
return *this;
// exception: /proc/self/cpuset
if (outside != "/proc/self/cpuset") {
SetError(absl::InvalidArgumentError(
absl::StrCat("Cannot add /proc/self mounts, you need to mount the "
"whole /proc instead. You tried to mount ",
outside)));
return *this;
}
}
if (auto status = mounts_.AddFileAt(fixed_outside, inside, is_ro);
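Review bot: The two checks in the AddPolicyOnMmap lambda of AllowRestartableSequences are alternatives rather than a conjunction: `JEQ32(PROT_READ | PROT_WRITE, ALLOW)` admits any mapping whose prot is exactly RW before flags are looked at, and the following `JEQ32(MAP_PRIVATE | MAP_ANONYMOUS, ALLOW)` admits any private anonymous mapping regardless of prot, PROT_EXEC included. The header comment added in the same commit describes a single permitted combination, mmap(PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS), so the filter should fall through on either mismatch and reach ALLOW only after both arguments matched; the lambda already receives `labels`, which is what a JNE32/JUMP/LABEL sequence needs (assuming bpf_helper provides JNE32 as it does JEQ32). Even with that fix addr, length and fd stay unchecked, which may be acceptable for an anonymous mapping but is worth stating in the comment above the lambda, e.g. `// Only prot and flags are constrained; addr/length/fd are not inspected.`
```cpp
  AddPolicyOnMmap([](bpf_labels& labels) -> std::vector<sock_filter> {
    return {
        ARG_32(2),  // prot
        JNE32(PROT_READ | PROT_WRITE, JUMP(&labels, mmap_end)),
        ARG_32(3),  // flags
        JNE32(MAP_PRIVATE | MAP_ANONYMOUS, JUMP(&labels, mmap_end)),
        ALLOW,
        LABEL(&labels, mmap_end),
    };
  });
  // … unchanged: cpuset file, rseq, futex, rt_sigprocmask, remaining syscalls …
```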


@ -112,6 +112,20 @@ class PolicyBuilder final {
// - exit_group
PolicyBuilder& AllowExit();
// Appends code to allow restartable sequences.
// Allows these syscalls:
// - rseq
// - mmap(null, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS)
// - getcpu,
// - membarrier
// - sched_getaffinity
// - sched_setaffinity
// - futex(WAIT) and futex(WAKE)
// - sigmask(SET_MASK)
// Allows these files (which will enable namespaces):
// - "/proc/self/cpuset"
PolicyBuilder& AllowRestartableSequences();
// Appends code to allow the scudo version of malloc, free and
// friends. This should be used in conjunction with namespaces. If scudo
// options are passed to the sandboxee through an environment variable, access